3.1.1.2.1 DNS Zone Integer Properties

The following properties are 32-bit integers. The term Boolean, as used below, means a 32-bit integer where a value of 0x00000000 indicates that the stated property is false, and any nonzero value indicates that the stated property is TRUE. The server SHOULD<199> support the properties.

AllowUpdate: The DNS_ZONE_UPDATE (section 2.2.6.1.1) value for the zone. The value for this property is limited to those listed in the table in section 2.2.6.1.1. If this property's value is changed from any value to ZONE_UPDATE_SECURE, the DNS server MUST set the zone's Time Zone Secured (section 3.1.1) property to the current time expressed as the number of seconds since 12:00 A.M. January 1, 1601 Coordinated Universal Time (UTC).

DsIntegrated: A Boolean indicating whether the zone is stored in the directory server. This property is read-only.

DsRecordAlgorithms: The value of the cryptographic hash algorithm used to generate DS records written to a file named "dsset-<ZoneName>"<200> when the zone is first signed and whenever the DNSKEY record set for the zone is changed. The value MUST be limited to the values in the following table. The default value MUST be 0x00000003.

Value                                   Meaning
0x00000000 DNS_ZONE_GENERATE_DS_NONE    Do not generate DS records.
0x00000001 DNS_ZONE_GENERATE_DS_SHA1    Use SHA-1 to generate DS records.
0x00000002 DNS_ZONE_GENERATE_DS_SHA256  Use SHA-256 to generate DS records.
0x00000004 DNS_ZONE_GENERATE_DS_SHA384  Use SHA-384 to generate DS records.

DSRecordSetTTL: The TTL value, in seconds, to assign to any new DS record created for this zone and written to the "dsset-<ZoneName>" file during zone signing or key rollover. The value MUST be limited to the range 0x00000000 to 0x00093A80 (1 week), inclusive. The default value MUST be 0x00000000, and the value zero MUST be allowed and treated as the zone default TTL.

DNSKEYRecordSetTTL: The TTL value, in seconds, that is assigned to any new DNSKEY record created for this zone during zone signing or key rollover. The value MUST be limited to the range 0x00000000 to 0x00093A80 (1 week), inclusive. The default value MUST be 0x00000000, and the value zero MUST be allowed and treated as the zone default TTL.

IsKeymaster: A Boolean indicating whether the DNS server is the key master for this zone. This property can be modified only by using the TransferKeymasterRole operation of the R_DnssrvOperation method (section 3.1.4.1) call. The default value MUST be 0x00000000.

IsSigned: A Boolean indicating whether the zone is signed via Online Signing. This property can be modified only by using the SignZone or UnsignZone operation of the R_DnssrvOperation method (section 3.1.4.1) call. The default value MUST be 0x00000000.

LogUpdates: A Boolean indicating whether updates on this zone are logged to permanent storage.

MaintainTrustAnchor: This property controls how the DNS server maintains the list of forest-wide Trust Anchors (section 2.2.6.2.7) as key rollover takes place for signing key descriptors whose fIsKSK flag is set. As the rollover progresses, new keys are generated and added to the forest-wide TrustAnchors zone, and old keys are removed. The value's range MUST be limited to the values in the following table. The default for this value is 0x00000000.

Value                                   Meaning
0x00000000 DNS_ZONE_MAINTAIN_TA_NONE    Trust Anchors are not updated as key rollover proceeds.
0x00000001 DNS_ZONE_MAINTAIN_TA_DNSKEY  Keys are stored in the forest-wide TrustAnchors zone as DNSKEY records as the key rollover proceeds.

NoRefreshInterval: The No Refresh interval value, in hours, for the zone. The value 0x00000000 MUST be treated as a flag value for the value of "DefaultNoRefreshInterval" (section 3.1.1.1.1).

NSEC3HashAlgorithm: The algorithm ID used for hashing node owner names in zones signed with NSEC3 as described in [RFC5155] section 3.1.1. The value's range MUST be limited to the values in the following table. The default for this value is 0x00000001.

Value                                   Meaning
0x00000001 DNS_NSEC3_HASH_ALG_ID_SHA1   Use SHA-1 to hash owner names.

NSEC3Iterations: The number of additional iterations of the hashing function applied when generating hashed owner names for zones signed with NSEC3, as described in [RFC5155] section 3.1.3 and section 5. The value's range MUST be 0x00000000 to 0x000009C4, inclusive. The default value is 0x00000032.

NSEC3OptOut: A Boolean indicating whether NSEC3 records in a zone signed with NSEC3 have their Opt-Out flag set, as described in [RFC5155] section 3.1.2.1. The default value is 0x00000000.

NSEC3RandomSaltLength: When zones are signed with NSEC3, salt can be applied to the hashing function when hashed owner names are generated, as described in [RFC5155] section 3.1.5 and section 5. The "NSEC3RandomSaltLength" is the length, in octets, of randomly generated salt. The value 0x00000000 MUST be treated as a flag indicating that the DNS server MUST NOT generate salt randomly but MUST use the "NSEC3UserSalt" zone property. For any other value, the DNS server MUST generate a random salt of the specified length to be used when generating hashed owner names. The value's range MUST be 0x00000000 to 0x000000FF, inclusive. The default value is 0x00000008.

NotifyLevel: The DNS_ZONE_NOTIFY_LEVEL (section 2.2.5.1.3) value for the zone. The value for this property is limited to those listed in the table in section 2.2.5.1.3.

ParentHasSecureDelegation: A Boolean indicating whether this zone has a secure delegation from a parent zone. The default value is 0x00000000.

PropagationTime: The expected time, in seconds, that it takes for zone data changes to propagate to other copies of the zone, whether these copies are hosted as secondary zones or, if the zone is directory server-integrated, are other primary copies on the directory server. For zones that are directory server-integrated, the default value SHOULD be 0x0002A300 (2 days). Otherwise, the default is 0x00000000.

RefreshInterval: The refresh interval value, in hours, for the zone. The value 0x00000000 MUST be treated as a flag value for the value of "DefaultRefreshInterval" (section 3.1.1.1.1).

RFC5011KeyRollovers: A Boolean indicating whether the zone follows [RFC5011] section 2 as key rollover takes place for signing key descriptors whose fIsKSK flag is set. The default value is 0x00000000.

SecureDelegationPollingPeriod: The interval, in seconds, between queries to refresh the set of delegation signer (DS) records in a secure delegation. The value MUST be limited to the range 0x00000E10 (1 hour) to 0x00093A80 (1 week), inclusive. The default value is 0x0000A8C0 (12 hours).

SecureSecondaries: The DNS_ZONE_SECONDARY_SECURITY (section 2.2.5.1.2) value for the zone. The value for this property is limited to those listed in the table in section 2.2.5.1.2.

SignatureInceptionOffset: The interval, in seconds, that the DNS server subtracts from the current time when generating the signature inception field in new RRSIG records ([RFC4034]). The value's range MUST be 0x00000000 to 0x00093A80, inclusive. The default value is 0x00000E10.

SignWithNSEC3: A Boolean indicating whether an online-signed zone is signed using NSEC3 ([RFC5155]) for denial of existence. A zone not using NSEC3 will use NSEC ([RFC4034]). The default value is 0x00000001.

Type: The DNS_ZONE_TYPE (section 2.2.5.1.1) value for the zone. This property is read-only.

Aging: A Boolean indicating whether aging SHOULD<201> be enabled for the zone.

ForwarderSlave: A Boolean indicating whether normal recursion SHOULD<202> be used to resolve queries if the master servers for the forwarder zone are unreachable.

ForwarderTimeout: The number of seconds the DNS server SHOULD<203> wait for response for a forwarded query.

Unicode: The server SHOULD<204> ignore any value set for this Boolean property.

PluginEnabled: A Boolean indicating whether the zone is configured to use a plugin. If a zone is configured to use a plugin, then incoming queries are forwarded to the plugin for calculation of the appropriate zone scope for query resolution.<205>

EnablePolicies: A Boolean value indicating whether the DNS Policies configured on the zone are applied to DNS operations. If the value of this property is 0x00000000, all zone-level policies are considered disabled and are not applied; otherwise, they are considered enabled. If the server-level EnablePolicies property (section 3.1.1.1.1) is 0x00000000, zone-level policies are disabled regardless of this zone-level EnablePolicies setting (section 3.1.1.2.1). If the server-level EnablePolicies property is anything other than 0x00000000, this zone-level setting applies.

FreezeSOASerialNumber: A Boolean value indicating how a DNS server SHOULD<206> update the SOA serial number field [RFC1035]. If set to TRUE, the DNS server will not allow the SOA serial number field to be updated for the zone unless it is updated by the API (see section 3.1.4.5). The value's range MUST be unlimited. The default value MUST be 0x00000000. This setting applies to all zone scopes present on the zone as well. This is not supported for the DNS zone type DNS_ZONE_TYPE_CACHE (section 2.2.5.1.1) or for an Active Directory integrated zone. The property can be set for a signed zone, but the behavior is undefined.
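As an added example that is not part of this specification or of any DNS server implementation, the following Python encodes the MUST constraints this section states for the DNSSEC-related integer properties, the 32-bit Boolean convention, the zero-means-default rules for the TTL and NSEC3RandomSaltLength properties, and the Zone Secured Time encoding that AllowUpdate refers to. It treats DsRecordAlgorithms as combinable flags, an assumption made so that the stated default 0x00000003 (SHA-1 and SHA-256) is accepted; the function and constant names are the example's own.

```python
from datetime import datetime, timezone

WEEK = 0x00093A80  # 604800 s, the one-week upper bound this section uses for TTLs and intervals
# Inclusive (min, max) ranges transcribed from the MUST statements in this section.
RANGE_PROPS = {
    "DSRecordSetTTL": (0x00000000, WEEK),
    "DNSKEYRecordSetTTL": (0x00000000, WEEK),
    "NSEC3Iterations": (0x00000000, 0x000009C4),
    "NSEC3RandomSaltLength": (0x00000000, 0x000000FF),
    "SecureDelegationPollingPeriod": (0x00000E10, WEEK),  # 1 hour .. 1 week
    "SignatureInceptionOffset": (0x00000000, WEEK),
}
# Enumerations whose permitted values come from the tables in this section.
ENUM_PROPS = {
    "MaintainTrustAnchor": frozenset({0x00000000, 0x00000001}),  # TA_NONE, TA_DNSKEY
    "NSEC3HashAlgorithm": frozenset({0x00000001}),              # SHA1 only
}
# DsRecordAlgorithms: SHA1 | SHA256 | SHA384. Assumption: the table values are combinable
# flags, the only reading under which the stated default 0x00000003 is a permitted value.
DS_ALG_FLAGS = 0x00000001 | 0x00000002 | 0x00000004

def is_true(value: int) -> bool:
    """Boolean properties: 0x00000000 is FALSE, any nonzero 32-bit value is TRUE."""
    return (value & 0xFFFFFFFF) != 0

def check_property(name: str, value: int) -> bool:
    """True if `value` is a permitted 32-bit value for the named property."""
    if not 0 <= value <= 0xFFFFFFFF:
        return False
    if name == "DsRecordAlgorithms":
        return (value & ~DS_ALG_FLAGS) == 0
    if name in RANGE_PROPS:
        lo, hi = RANGE_PROPS[name]
        return lo <= value <= hi
    if name in ENUM_PROPS:
        return value in ENUM_PROPS[name]
    raise KeyError(f"no constraint recorded here for {name}")

def effective_ttl(configured: int, zone_default_ttl: int) -> int:
    """DSRecordSetTTL / DNSKEYRecordSetTTL: zero means 'use the zone default TTL'."""
    return zone_default_ttl if configured == 0 else configured

def salt_source(nsec3_random_salt_length: int) -> str:
    """Zero: the server MUST use NSEC3UserSalt; otherwise generate that many random octets."""
    return "NSEC3UserSalt" if nsec3_random_salt_length == 0 else f"random:{nsec3_random_salt_length}"

def zone_secured_time(unix_seconds: int) -> int:
    """Zone Secured Time written on a change to ZONE_UPDATE_SECURE: seconds since 1601-01-01 UTC."""
    epoch_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
    return int((datetime.fromtimestamp(unix_seconds, tz=timezone.utc) - epoch_1601).total_seconds())
```

The check for SecureDelegationPollingPeriod rejects 0x00000000 because, unlike the TTL properties, its range starts at one hour and zero is not a documented flag value for it.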