2.2.6.2.6 DNS_RPC_TRUST_ANCHOR
The DNS_RPC_TRUST_ANCHOR structure contains information about a trust anchor.
typedef struct _DnssrvRpcTrustAnchor {
  DWORD dwRpcStructureVersion;
  DWORD dwReserved0;
  WORD wTrustAnchorType;
  WORD wKeyTag;
  WORD wRRLength;
  TRUSTANCHOR_STATE eTrustAnchorState;
  __int64 i64EnteredStateTime;
  __int64 i64NextStateTime;
  DWORD dwReserved;
  [size_is(wRRLength)] BYTE RRData[];
} DNS_RPC_TRUST_ANCHOR, *PDNS_RPC_TRUST_ANCHOR;
dwRpcStructureVersion: The structure version number; this MUST be set to 0x00000001.
dwReserved0: MUST be set to zero when sent and MUST be ignored on receipt.
wTrustAnchorType: The DNS record type corresponding to the trust anchor. This MUST be set to one of the following values.
DNS_TYPE_DS (0x002B): A DS record type [RFC4034].
DNS_TYPE_DNSKEY (0x0030): A DNSKEY record type [RFC4034].
wKeyTag: The DNSSEC key tag for this trust anchor. The key tag for a DS record trust anchor MUST match the value of the record’s "Key Tag" field (see [RFC4034]). The key tag for a DNSKEY record trust anchor MUST match the value calculated for the DNSKEY record (see [RFC4034] Appendix B), with the exception that the REVOKE bit of the DNSKEY flags field MUST be set to zero before the calculation.
wRRLength: The length of the RRData array.
eTrustAnchorState: The current state of the trust anchor. This MUST be one of the following TRUSTANCHOR_STATE enumeration values (section 2.2.1.1.4).
TRUSTANCHOR_STATE_DSPENDING (0x00000001): This trust anchor can be replaced with a matching DNSKEY trust anchor when the associated trust point has had a successful active refresh. If this state is set, wTrustAnchorType MUST be DNS_TYPE_DS.
TRUSTANCHOR_STATE_DSINVALID (0x00000002): The associated trust point has had a successful active refresh, but no DNSKEY record was found that matches this trust anchor. If this state is set, wTrustAnchorType MUST be DNS_TYPE_DS.
TRUSTANCHOR_STATE_ADDPEND (0x00000003): This trust anchor will become valid after the expiration of the RFC 5011 add hold-down time (see [RFC5011]). This corresponds to the "AddPend" state in RFC 5011.
TRUSTANCHOR_STATE_VALID (0x00000004): This trust anchor is trusted for DNSSEC proofs because it was either explicitly added by the administrator or became valid after the expiration of the RFC 5011 add hold-down time (see [RFC5011]). This corresponds to the Valid state in RFC 5011.
TRUSTANCHOR_STATE_MISSING (0x00000005): This trust anchor was in the TRUSTANCHOR_STATE_VALID state but was missing in the last successful active refresh. It is still trusted for DNSSEC proofs. This corresponds to the Valid state in [RFC5011].
TRUSTANCHOR_STATE_REVOKED (0x00000006): This trust anchor has been marked as revoked by the administrator for the trust point's zone. It can never again be trusted for DNSSEC proofs. This corresponds to the Revoked state in [RFC5011].
i64EnteredStateTime: The time at which this trust anchor entered its current state. This is a 64-bit value representing the number of 100-nanosecond intervals since January 1, 1601 (UTC).
i64NextStateTime: The time at which this trust anchor is scheduled to exit the current state. This is a 64-bit value representing the number of 100-nanosecond intervals since January 1, 1601 (UTC). The meaning is dependent on the value of eTrustAnchorState.
TRUSTANCHOR_STATE_DSPENDING (0x00000001): Reserved. The value of i64NextStateTime MUST be set to zero when sent and MUST be ignored on receipt.
TRUSTANCHOR_STATE_DSINVALID (0x00000002): Reserved. The value of i64NextStateTime MUST be set to zero when sent and MUST be ignored on receipt.
TRUSTANCHOR_STATE_ADDPEND (0x00000003): This trust anchor is scheduled to enter the TRUSTANCHOR_STATE_VALID state on or after the value of i64NextStateTime. This MUST be equivalent to the value of i64EnteredStateTime added to the value of the add hold-down time (see [RFC5011]).
TRUSTANCHOR_STATE_VALID (0x00000004): Reserved. The value of i64NextStateTime MUST be set to zero when sent and MUST be ignored on receipt.
TRUSTANCHOR_STATE_MISSING (0x00000005): Reserved. The value of i64NextStateTime MUST be set to zero when sent and MUST be ignored on receipt.
TRUSTANCHOR_STATE_REVOKED (0x00000006): This trust anchor will become eligible for deletion on or after the value of i64NextStateTime. This MUST be equivalent to the value of i64EnteredStateTime added to the value of the remove hold-down time (see [RFC5011]).
dwReserved: MUST be set to zero when sent and MUST be ignored on receipt.
RRData: Binary data in the same format as DNS_RPC_RECORD_DNSKEY (section 2.2.2.2.4.15) if wTrustAnchorType is DNS_TYPE_DNSKEY, or binary data in the same format as DNS_RPC_RECORD_DS (section 2.2.2.2.4.12) if wTrustAnchorType is DNS_TYPE_DS.
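The following is an added example, not part of MS-DNSP, that applies the MUST-level rules above to a decoded DNS_RPC_TRUST_ANCHOR: it computes the wKeyTag check for a DNSKEY trust anchor (RFC 4034 Appendix B with the REVOKE bit cleared first), validates the eTrustAnchorState / i64NextStateTime relationships, and converts the 100-nanosecond timestamps to UTC. It assumes RRData is supplied in RFC 4034 DNSKEY RDATA layout (flags, protocol, algorithm, key), uses a dict in place of the RPC structure, and takes 30 days as the RFC 5011 hold-down values; the sample record is constructed.

```python
import struct
from datetime import datetime, timedelta, timezone

# Values from MS-DNSP 2.2.6.2.6
DNS_TYPE_DS, DNS_TYPE_DNSKEY = 0x002B, 0x0030
(TA_DSPENDING, TA_DSINVALID, TA_ADDPEND, TA_VALID, TA_MISSING, TA_REVOKED) = range(1, 7)
DNSKEY_REVOKE = 0x0080                     # RFC 5011 REVOKE bit of the DNSKEY flags field
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
HOLD_DOWN = 30 * 24 * 3600 * 10_000_000    # assumption: 30-day RFC 5011 hold-down, in 100 ns units

def filetime_to_datetime(ft: int) -> datetime:
    """Convert an i64EnteredStateTime/i64NextStateTime value (100 ns since 1601 UTC) to UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def rfc4034_key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B over DNSKEY RDATA (flags, protocol, algorithm, key)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def dnskey_trust_anchor_key_tag(rdata: bytes) -> int:
    """Key tag as required for a DNSKEY trust anchor: REVOKE bit cleared before computing."""
    flags = struct.unpack("!H", rdata[:2])[0] & ~DNSKEY_REVOKE
    return rfc4034_key_tag(struct.pack("!H", flags) + rdata[2:])

def check_trust_anchor(ta: dict, add_hold_down=HOLD_DOWN, remove_hold_down=HOLD_DOWN) -> list:
    """Return the MUST-level inconsistencies found in a decoded trust anchor (empty if none)."""
    problems = []
    if ta["dwRpcStructureVersion"] != 1:
        problems.append("dwRpcStructureVersion must be 0x00000001")
    if ta["wTrustAnchorType"] not in (DNS_TYPE_DS, DNS_TYPE_DNSKEY):
        problems.append("wTrustAnchorType must be DNS_TYPE_DS or DNS_TYPE_DNSKEY")
    if ta["wRRLength"] != len(ta["RRData"]):
        problems.append("wRRLength does not match the RRData length")
    state, entered, nxt = ta["eTrustAnchorState"], ta["i64EnteredStateTime"], ta["i64NextStateTime"]
    if state in (TA_DSPENDING, TA_DSINVALID) and ta["wTrustAnchorType"] != DNS_TYPE_DS:
        problems.append("DSPENDING/DSINVALID require wTrustAnchorType == DNS_TYPE_DS")
    if state == TA_ADDPEND and nxt != entered + add_hold_down:
        problems.append("ADDPEND: i64NextStateTime must equal entered time + add hold-down")
    elif state == TA_REVOKED and nxt != entered + remove_hold_down:
        problems.append("REVOKED: i64NextStateTime must equal entered time + remove hold-down")
    elif state in (TA_DSPENDING, TA_DSINVALID, TA_VALID, TA_MISSING) and nxt != 0:
        problems.append("i64NextStateTime is reserved in this state and must be zero")
    if ta["wTrustAnchorType"] == DNS_TYPE_DNSKEY and ta["wKeyTag"] != dnskey_trust_anchor_key_tag(ta["RRData"]):
        problems.append("wKeyTag does not match the DNSKEY key tag (REVOKE bit cleared)")
    return problems

# Constructed sample: a revoked DNSKEY trust anchor whose RDATA carries the REVOKE bit (flags 0x0181)
SAMPLE_DNSKEY_RDATA = bytes.fromhex("0181" "03" "08" "01020304")
ENTERED = 133_000_000_000_000_000           # constructed 100 ns timestamp
SAMPLE_TA = {"dwRpcStructureVersion": 1, "wTrustAnchorType": DNS_TYPE_DNSKEY, "wKeyTag": 2063,
             "wRRLength": len(SAMPLE_DNSKEY_RDATA), "eTrustAnchorState": TA_REVOKED,
             "i64EnteredStateTime": ENTERED, "i64NextStateTime": ENTERED + HOLD_DOWN,
             "RRData": SAMPLE_DNSKEY_RDATA}
```

Running `check_trust_anchor(SAMPLE_TA)` yields no problems, while the same record in TRUSTANCHOR_STATE_DSPENDING is rejected because that state requires a DS trust anchor.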