2.2.6.2.6 DNS_RPC_TRUST_ANCHOR

The DNS_RPC_TRUST_ANCHOR structure contains information about a trust anchor.

 typedef struct _DnssrvRpcTrustAnchor {
   DWORD dwRpcStructureVersion;
   DWORD dwReserved0;
   WORD wTrustAnchorType;
   WORD wKeyTag;
   WORD wRRLength;
   TRUSTANCHOR_STATE eTrustAnchorState;
   __int64 i64EnteredStateTime;
   __int64 i64NextStateTime;
   DWORD dwReserved;
   [size_is(wRRLength)] BYTE RRData[];
 } DNS_RPC_TRUST_ANCHOR,
  *PDNS_RPC_TRUST_ANCHOR;

dwRpcStructureVersion: The structure version number; this MUST be set to 0x00000001.

dwReserved0: MUST be set to zero when sent and MUST be ignored on receipt.

wTrustAnchorType: The DNS record type corresponding to the trust anchor. This MUST be set to one of the following values.

DNS_TYPE_DS (0x002B): A DS record type [RFC4034].

DNS_TYPE_DNSKEY (0x0030): A DNSKEY record type [RFC4034].

wKeyTag: The DNSSEC key tag for this trust anchor. The key tag for a DS record trust anchor MUST match the value of the record’s "Key Tag" field (see [RFC4034]). The key tag for a DNSKEY record trust anchor MUST match the value calculated for the DNSKEY record (see [RFC4034] Appendix B), with the exception that the REVOKE bit of the DNSKEY flags field MUST be set to zero before the calculation.

wRRLength: The length of the RRData array.

eTrustAnchorState: The current state of the trust anchor. This MUST be one of the following TRUSTANCHOR_STATE enumeration values (section 2.2.1.1.4).

TRUSTANCHOR_STATE_DSPENDING (0x00000001): This trust anchor can be replaced with a matching DNSKEY trust anchor when the associated trust point has had a successful active refresh. If this state is set, wTrustAnchorType MUST be DNS_TYPE_DS.

TRUSTANCHOR_STATE_DSINVALID (0x00000002): The associated trust point has had a successful active refresh, but no DNSKEY record was found that matches this trust anchor. If this state is set, wTrustAnchorType MUST be DNS_TYPE_DS.

TRUSTANCHOR_STATE_ADDPEND (0x00000003): This trust anchor will become valid after the expiration of the RFC 5011 add hold-down time (see [RFC5011]). This corresponds to the "AddPend" state in [RFC5011].

TRUSTANCHOR_STATE_VALID (0x00000004): This trust anchor is trusted for DNSSEC proofs because it was either explicitly added by the administrator or became valid after the expiration of the RFC 5011 add hold-down time (see [RFC5011]). This corresponds to the Valid state in [RFC5011].

TRUSTANCHOR_STATE_MISSING (0x00000005): This trust anchor was in the TRUSTANCHOR_STATE_VALID state but was missing in the last successful active refresh. It is still trusted for DNSSEC proofs. This corresponds to the Valid state in [RFC5011].

TRUSTANCHOR_STATE_REVOKED (0x00000006): This trust anchor has been marked as revoked by the administrator for the trust point's zone. It can never again be trusted for DNSSEC proofs. This corresponds to the Revoked state in [RFC5011].

i64EnteredStateTime: The time at which this trust anchor entered its current state. This is a 64-bit value representing the number of 100-nanosecond intervals since January 1, 1601 (UTC).

i64NextStateTime: The time at which this trust anchor is scheduled to exit the current state. This is a 64-bit value representing the number of 100-nanosecond intervals since January 1, 1601 (UTC). The meaning is dependent on the value of eTrustAnchorState.

TRUSTANCHOR_STATE_DSPENDING (0x00000001): Reserved. The value of i64NextStateTime MUST be set to zero when sent and MUST be ignored on receipt.

TRUSTANCHOR_STATE_DSINVALID (0x00000002): Reserved. The value of i64NextStateTime MUST be set to zero when sent and MUST be ignored on receipt.

TRUSTANCHOR_STATE_ADDPEND (0x00000003): This trust anchor is scheduled to enter the TRUSTANCHOR_STATE_VALID state on or after the value of i64NextStateTime. This MUST be equivalent to the value of i64EnteredStateTime added to the value of the add hold-down time (see [RFC5011]).

TRUSTANCHOR_STATE_VALID (0x00000004): Reserved. The value of i64NextStateTime MUST be set to zero when sent and MUST be ignored on receipt.

TRUSTANCHOR_STATE_MISSING (0x00000005): Reserved. The value of i64NextStateTime MUST be set to zero when sent and MUST be ignored on receipt.

TRUSTANCHOR_STATE_REVOKED (0x00000006): This trust anchor will become eligible for deletion on or after the value of i64NextStateTime. This MUST be equivalent to the value of i64EnteredStateTime added to the value of the remove hold-down time (see [RFC5011]).

dwReserved: MUST be set to zero when sent and MUST be ignored on receipt.

RRData: Binary data in the same format as DNS_RPC_RECORD_DNSKEY (section 2.2.2.2.4.15) if wTrustAnchorType is DNS_TYPE_DNSKEY, or binary data in the same format as DNS_RPC_RECORD_DS (section 2.2.2.2.4.12) if wTrustAnchorType is DNS_TYPE_DS.
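The following checker for the field relationships this section imposes is an added example, not code from MS-DNSP or from a Windows DNS server: it derives wKeyTag from RRData as the wKeyTag description requires (the DS record's "Key Tag" field, or the RFC 4034 Appendix B calculation with the REVOKE bit cleared) and checks the state/type and i64NextStateTime rules. It assumes RRData carries the DS or DNSKEY RDATA in RFC 4034 wire format (the DNS_RPC_RECORD_DS/DNSKEY layouts of sections 2.2.2.2.4.12 and 2.2.2.2.4.15 are not reproduced here) and uses the 30-day hold-down period of RFC 5011 as the default; the sample RDATA in the test is constructed.

```python
from dataclasses import dataclass
import struct

DNS_TYPE_DS, DNS_TYPE_DNSKEY = 0x002B, 0x0030
DSPENDING, DSINVALID, ADDPEND, VALID, MISSING, REVOKED = range(1, 7)  # TRUSTANCHOR_STATE values
DNSKEY_REVOKE = 0x0080                   # REVOKE bit of the DNSKEY flags field (RFC 5011)
HOLD_DOWN_30D = 30 * 86400 * 10_000_000  # 30 days in 100-ns units, RFC 5011's hold-down period

@dataclass
class DnsRpcTrustAnchor:
    wTrustAnchorType: int
    wKeyTag: int
    wRRLength: int
    eTrustAnchorState: int
    i64EnteredStateTime: int  # 100-ns intervals since 1601-01-01 UTC
    i64NextStateTime: int
    RRData: bytes             # ASSUMPTION: DS/DNSKEY RDATA in RFC 4034 wire format

def rfc4034_key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B: sum of big-endian 16-bit words, carry folded in."""
    ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def expected_key_tag(anchor: DnsRpcTrustAnchor) -> int:
    """The wKeyTag value this section requires for the anchor's RRData."""
    first_word = struct.unpack("!H", anchor.RRData[:2])[0]
    if anchor.wTrustAnchorType == DNS_TYPE_DS:
        return first_word                  # the DS record's own "Key Tag" field
    flags = first_word & ~DNSKEY_REVOKE    # REVOKE bit cleared before the calculation
    return rfc4034_key_tag(struct.pack("!H", flags) + anchor.RRData[2:])

def validate(anchor, add_hold_down=HOLD_DOWN_30D, remove_hold_down=HOLD_DOWN_30D):
    """Return the MUST-rules of this section that the anchor violates (empty list = consistent)."""
    errs, t, s = [], anchor.wTrustAnchorType, anchor.eTrustAnchorState
    if t not in (DNS_TYPE_DS, DNS_TYPE_DNSKEY):
        return ["wTrustAnchorType must be DNS_TYPE_DS or DNS_TYPE_DNSKEY"]
    if s in (DSPENDING, DSINVALID) and t != DNS_TYPE_DS:
        errs.append("DSPENDING/DSINVALID require wTrustAnchorType == DNS_TYPE_DS")
    if anchor.wRRLength != len(anchor.RRData):
        errs.append("wRRLength does not match the length of RRData")
    if anchor.wKeyTag != expected_key_tag(anchor):
        errs.append("wKeyTag does not match the key tag derived from RRData")
    # i64NextStateTime carries meaning only in ADDPEND and REVOKED; it is reserved otherwise
    if s == ADDPEND and anchor.i64NextStateTime != anchor.i64EnteredStateTime + add_hold_down:
        errs.append("ADDPEND: i64NextStateTime must equal i64EnteredStateTime + add hold-down")
    if s == REVOKED and anchor.i64NextStateTime != anchor.i64EnteredStateTime + remove_hold_down:
        errs.append("REVOKED: i64NextStateTime must equal i64EnteredStateTime + remove hold-down")
    return errs
```

Reserved i64NextStateTime values are deliberately not checked, since the section requires receivers to ignore them.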