2.3.2.19 msDNS-SigningKeyDescriptors
The msDNS-SigningKeyDescriptors attribute is used to store the zone's signing key descriptor list. Each value of this attribute represents a single signing key descriptor and MUST be formatted as follows.
| Field | Size |
|---|---|
| Version | 4 bytes |
| fIsKsk | 4 bytes |
| Guid | 16 bytes |
| pwszKeyStorageProvider | variable |
| bSigningAlgorithm | 4 bytes |
| dwKeyLength | 4 bytes |
| dwInitialRolloverOffset | 4 bytes |
| dwDNSKEYSignatureValidityPeriod | 4 bytes |
| dwDSSignatureValidityPeriod | 4 bytes |
| dwStandardSignatureValidityPeriod | 4 bytes |
| dwRolloverType | 4 bytes |
| dwRolloverPeriod | 4 bytes |
| dwNextRolloverAction | 4 bytes |
| ftLastRolloverTime | 8 bytes |
| ftNextRolloverTime | 8 bytes |
| dwState | 4 bytes |
| dwCurrentRolloverStatus | 4 bytes |
| dwCurrentRollState | 4 bytes |
| fManualTrigger | 4 bytes |
| dwPreRollEventFired | 4 bytes |
| ftNextKeyGenerationTime | 8 bytes |
| RevokedOrSwappedRecordCount | 4 bytes |
| FinalRecordCount | 4 bytes |
| pwszActiveKey | variable |
| ActiveKeyScope | 4 bytes |
| pwszStandbyKey | variable |
| StandbyKeyScope | 4 bytes |
| pwszNextKey | variable |
| NextKeyScope | 4 bytes |
| RevokedOrSwappedDnskeys | variable |
| FinalDnskeys | variable |
Version (4 bytes): This value MUST be 0x00000001.
fIsKsk (4 bytes): The value of this field MUST correspond to the value from the DNS_RPC_SKD (section 2.2.6.2.1) structure for this signing key descriptor.
Guid (16 bytes): The value of this field MUST correspond to the value from the DNS_RPC_SKD (section 2.2.6.2.1) structure for this signing key descriptor.
pwszKeyStorageProvider (variable): The value of this field MUST correspond to the value from the DNS_RPC_SKD (section 2.2.6.2.1) structure for this signing key descriptor.
bSigningAlgorithm (4 bytes): The value of this field MUST correspond to the value from the DNS_RPC_SKD (section 2.2.6.2.1) structure for this signing key descriptor.
dwKeyLength (4 bytes): The value of this field MUST correspond to the value from the DNS_RPC_SKD (section 2.2.6.2.1) structure for this signing key descriptor.
dwInitialRolloverOffset (4 bytes): The value of this field MUST correspond to the value from the DNS_RPC_SKD (section 2.2.6.2.1) structure for this signing key descriptor.
dwDNSKEYSignatureValidityPeriod (4 bytes): The value of this field MUST correspond to the value from the DNS_RPC_SKD (section 2.2.6.2.1) structure for this signing key descriptor.
dwDSSignatureValidityPeriod (4 bytes): The value of this field MUST correspond to the value from the DNS_RPC_SKD (section 2.2.6.2.1) structure for this signing key descriptor.
dwStandardSignatureValidityPeriod (4 bytes): The value of this field MUST correspond to the value from the DNS_RPC_SKD (section 2.2.6.2.1) structure for this signing key descriptor.
dwRolloverType (4 bytes): The value of this field MUST correspond to the value from the DNS_RPC_SKD (section 2.2.6.2.1) structure for this signing key descriptor.
dwRolloverPeriod (4 bytes): The value of this field MUST correspond to the value from the DNS_RPC_SKD (section 2.2.6.2.1) structure for this signing key descriptor.
dwNextRolloverAction (4 bytes): The value of this field MUST correspond to the value from the DNS_RPC_SKD (section 2.2.6.2.1) structure for this signing key descriptor.
ftLastRolloverTime (8 bytes): This value MUST correspond to the value of ftLastRolloverTime from the DNS_RPC_SKD_STATE (section 2.2.6.2.3) structure for this signing descriptor.
ftNextRolloverTime (8 bytes): This value MUST correspond to the value of ftNextRolloverTime from the DNS_RPC_SKD_STATE (section 2.2.6.2.3) structure for this signing descriptor.
dwState (4 bytes): This value MUST correspond to the value of dwState from the DNS_RPC_SKD_STATE (section 2.2.6.2.3) structure for this signing descriptor.
dwCurrentRolloverStatus (4 bytes): This value MUST correspond to the value of dwCurrentRolloverStatus from the DNS_RPC_SKD_STATE (section 2.2.6.2.3) structure for this signing descriptor.
dwCurrentRollState (4 bytes): This value corresponds to the next step in a signing key descriptor's rollover process and MUST be set to one of the following values.
| Value | Meaning |
|---|---|
| DNS_SKD_ROLL_STATE_NOT_STARTED 0x00000000 | The signing key descriptor is not currently in the process of rolling over keys. |
| DNS_SKD_ROLL_STATE_ZSK_SWAP 0x00000001 | The next step for a signing key descriptor whose fIsKSK field is 0x00000000 is to move into the "new RRSIGs" phase of the pre-publish key rollover, as described in [RFC4641] section 4.2.1.1. |
| DNS_SKD_ROLL_STATE_ZSK_FINISH 0x00000002 | The next step for a signing key descriptor whose fIsKSK field is 0x00000000 is to move into the "DNSKEY removal" phase of the pre-publish key rollover, as described in [RFC4641] section 4.2.1.1. |
| DNS_SKD_ROLL_STATE_KSK_DS_WAIT 0x00000003 | The next step for a signing key descriptor whose fIsKSK field is 0x00000001 is to wait for the "DS change" step of the "Key Signing Key Rollovers" process, as described in [RFC4641] section 4.2.2. |
| DNS_SKD_ROLL_STATE_KSK_REVOKE 0x00000004 | The next step for a signing key descriptor whose fIsKSK field is 0x00000001 is to revoke a key according to [RFC5011] section 6.3 or 6.5. |
| DNS_SKD_ROLL_STATE_KSK_FINISH 0x00000005 | The next step for a signing key descriptor whose fIsKSK field is 0x00000001 is to move into the "DNSKEY removal" phase of the "Key Signing Key Rollovers" process, as described in [RFC4641] section 4.2.2. |
fManualTrigger (4 bytes): This value MUST be set to 0x00000001 in response to a successful ZonePerformKeyRollover operation on a signing key descriptor. When the SKD completes its rollover, this value MUST be set to 0x00000000.
dwPreRollEventFired (4 bytes): This value MUST be set to 0x00000001 when 90 percent of the dwRolloverPeriod for a signing key descriptor whose fIsKSK flag is 0x00000001 has elapsed. It MUST be set to 0x00000002 when 95 percent of this rollover period has elapsed, and it MUST be set to 0x00000003 when there is less than 1 day remaining before such a signing key descriptor begins its key rollover process. Otherwise, this value MUST be 0x00000000.
ftNextKeyGenerationTime (8 bytes): This value represents the time at which the most recent value of the pwszNextKey field of a signing key descriptor whose fIsKSK flag is 0x00000000 was generated.
RevokedOrSwappedRecordCount (4 bytes): This value MUST indicate the number of values present in the list of records in the RevokedOrSwappedDnskeys field.
FinalRecordCount (4 bytes): This value MUST indicate the number of values present in the list of records in the FinalDnskeys field.
pwszActiveKey (variable): This value MUST correspond to the value of pwszActiveKey from the DNS_RPC_SKD_STATE (section 2.2.6.2.3) structure for this signing descriptor.
ActiveKeyScope (4 bytes): This value corresponds to the signing scope of pwszActiveKey and MUST be set to one of the following values.
| Value | Meaning |
|---|---|
| DNS_SIGN_SCOPE_DEFAULT 0x00000000 | The key is used for its default purpose: If the signing key descriptor's fIsKSK field is set to 0x00000001, the key is used to sign only DNSKEY records in the zone. If the signing key descriptor's fIsKSK field is set to 0x00000000, the key is used to sign all records in the zone. |
| DNS_SIGN_SCOPE_DNSKEY_ONLY 0x00000001 | The key is used to sign only DNSKEY records in the zone. |
| DNS_SIGN_SCOPE_ALL_RECORDS 0x00000002 | The key is used to sign all records in the zone. |
| DNS_SIGN_SCOPE_ADD_ONLY 0x00000003 | The key is published as a DNSKEY in the zone, but it is not used to sign any records. |
| DNS_SIGN_SCOPE_DO_NOT_PUBLISH 0x00000004 | The key is not published to the zone and is not used to sign any records. |
| DNS_SIGN_SCOPE_REVOKED 0x00000005 | The key is published as a DNSKEY in the zone with its "Revoked" bit ([RFC5011] section 2.1) set. It is used to sign DNSKEY records. |
pwszStandbyKey (variable): This value MUST correspond to the value of pwszStandbyKey from the DNS_RPC_SKD_STATE (section 2.2.6.2.3) structure for this signing descriptor.
StandbyKeyScope (4 bytes): This value corresponds to the signing scope of pwszStandbyKey and MUST be set to one of the values previously described for "ActiveKeyScope".
pwszNextKey (variable): This value MUST correspond to the value of pwszNextKey from the DNS_RPC_SKD_STATE (section 2.2.6.2.3) structure for this signing descriptor.
NextKeyScope (4 bytes): This value corresponds to the signing scope of pwszNextKey and MUST be set to one of the values previously described for "ActiveKeyScope".
RevokedOrSwappedDnskeys (variable): This field MUST contain a variable number of DNS records in the same format as the dnsRecord attribute (section 2.3.2.2). The number of records in this list is specified by RevokedOrSwappedRecordCount. If RevokedOrSwappedRecordCount is zero, the length of this field MUST be 0 bytes. The DNS records in this field correspond to a precomputed list of DNSKEY and associated RRSIG records that are published to the zone as the SKD transitions into DNS_SKD_STATUS_ZSK_WAITING_FOR_MAXZONE_TTL status if the signing key descriptor's fIsKSK field is set to 0x00000000, and as the SKD transitions into DNS_SKD_STATUS_KSK_WAITING_FOR_5011_REMOVE_HOLD_DOWN if the signing key descriptor's fIsKSK field is set to 0x00000001.
FinalDnskeys (variable): This field MUST contain a number of DNS records in the same format as the dnsRecord attribute (section 2.3.2.2). The number of records in this list is specified by FinalRecordCount. If FinalRecordCount is zero, the length of this field MUST be 0 bytes. The DNS records in this field correspond to a precomputed list of DNSKEY and associated RRSIG records that are published to the zone as the signing key descriptor's key rollover process concludes.
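As an added example (not code from MS-DNSP or the Windows DNS server), a Python decoder for one value of this attribute in the layout above, which also enforces the Version constraint and the fIsKsk/dwCurrentRollState pairing the roll-state table implies. It assumes, because this page does not say, little-endian integers, null-terminated UTF-16LE for the pwsz* fields, and a 24-byte dnsRecord header whose first two bytes are DataLength; the sample value and its key names are constructed.

```python
import struct
# Added example, not MS-DNSP code. Assumed because this page does not state it: little-endian
# integers, null-terminated UTF-16LE pwsz* strings, dnsRecord = 24-byte header (DataLength first) + data.
ROLL_STATE = {0: "NOT_STARTED", 1: "ZSK_SWAP", 2: "ZSK_FINISH",
              3: "KSK_DS_WAIT", 4: "KSK_REVOKE", 5: "KSK_FINISH"}
SIGN_SCOPE = {0: "DEFAULT", 1: "DNSKEY_ONLY", 2: "ALL_RECORDS",
              3: "ADD_ONLY", 4: "DO_NOT_PUBLISH", 5: "REVOKED"}
FIXED = ("bSigningAlgorithm dwKeyLength dwInitialRolloverOffset dwDNSKEYSignatureValidityPeriod "
         "dwDSSignatureValidityPeriod dwStandardSignatureValidityPeriod dwRolloverType "
         "dwRolloverPeriod dwNextRolloverAction ftLastRolloverTime ftNextRolloverTime dwState "
         "dwCurrentRolloverStatus dwCurrentRollState fManualTrigger dwPreRollEventFired "
         "ftNextKeyGenerationTime RevokedOrSwappedRecordCount FinalRecordCount").split()
FIXED_FMT = "<9I2Q5IQ2I"  # fixed fields after pwszKeyStorageProvider: I = DWORD, Q = FILETIME

def _wstr(buf, off):  # read a null-terminated UTF-16LE string starting at off
    end = off
    while buf[end:end + 2] != b"\x00\x00":
        end += 2
    return buf[off:end].decode("utf-16-le"), end + 2

def parse_skd(buf):
    skd = dict(zip(("Version", "fIsKsk"), struct.unpack_from("<II", buf, 0)))
    if skd["Version"] != 1:
        raise ValueError("Version MUST be 0x00000001, got %#x" % skd["Version"])
    skd["Guid"] = buf[8:24]
    skd["pwszKeyStorageProvider"], off = _wstr(buf, 24)
    skd.update(zip(FIXED, struct.unpack_from(FIXED_FMT, buf, off)))
    off += struct.calcsize(FIXED_FMT)
    for key in ("Active", "Standby", "Next"):  # each pwsz*Key is followed by its *KeyScope DWORD
        skd["pwsz%sKey" % key], off = _wstr(buf, off)
        skd["%sKeyScope" % key] = SIGN_SCOPE[struct.unpack_from("<I", buf, off)[0]]
        off += 4
    for name, count in (("RevokedOrSwappedDnskeys", "RevokedOrSwappedRecordCount"),
                        ("FinalDnskeys", "FinalRecordCount")):  # dnsRecord-format lists
        skd[name] = []
        for _ in range(skd[count]):
            size = 24 + struct.unpack_from("<H", buf, off)[0]
            skd[name].append(buf[off:off + size])
            off += size
    if off != len(buf):
        raise ValueError("%d trailing bytes after FinalDnskeys" % (len(buf) - off))
    state = skd["dwCurrentRollState"] = ROLL_STATE[skd["dwCurrentRollState"]]  # KeyError if reserved
    if state != "NOT_STARTED" and state.startswith("KSK") != bool(skd["fIsKsk"]):
        raise ValueError("%s is not a valid roll state when fIsKsk=%d" % (state, skd["fIsKsk"]))
    return skd

# Constructed sample: a ZSK in ZSK_SWAP with one empty dnsRecord queued in RevokedOrSwappedDnskeys
def _w(s): return s.encode("utf-16-le") + b"\x00\x00"
SAMPLE = (struct.pack("<II", 1, 0) + bytes(range(16)) + _w("Sample KSP")
          + struct.pack(FIXED_FMT, 8, 1024, 0, 168, 168, 240, 1, 720, 0, 0, 0, 0, 0, 1, 1, 0, 0, 1, 0)
          + _w("zsk-active") + struct.pack("<I", 2) + _w("") + struct.pack("<I", 4)
          + _w("zsk-next") + struct.pack("<I", 3) + b"\x00" * 24)
```

Feeding the decoder a value whose fIsKsk is 1 but whose dwCurrentRollState is a ZSK_* state, or one with bytes left over after FinalDnskeys, raises ValueError rather than returning a partially trusted descriptor.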