2.2.6.2.3 DNS_RPC_SKD_STATE

The DNS_RPC_SKD_STATE structure contains information about the current state of a signing key descriptor.

 typedef struct _DnsRpcSigningKeyDescriptorState {
   DWORD dwRpcStructureVersion;
   DWORD dwReserved0;
   GUID Guid;
   FILETIME ftLastRolloverTime;
   FILETIME ftNextRolloverTime;
   DWORD dwState;
   DWORD dwCurrentRolloverStatus;
   [string] wchar_t* pwszActiveKey;
   [string] wchar_t* pwszStandbyKey;
   [string] wchar_t* pwszNextKey;
   DWORD dwReserved;
 } DNS_RPC_SKD_STATE,
  *PDNS_RPC_SKD_STATE;

dwRpcStructureVersion: The structure version number; this MUST be set to 0x00000001.

dwReserved0: MUST be set to zero when sent and MUST be ignored on receipt.

Guid: A unique identifier for this signing key descriptor.

ftLastRolloverTime: The time at which the last successful rollover event was performed for this signing key descriptor. This value MUST be 0 if no rollover has been performed on this signing key descriptor.

ftNextRolloverTime: The time at which the next rollover for this signing key descriptor is scheduled. This MAY be 0 if no rollover event is scheduled. When the time comes for a key rollover to start, the signing key descriptor is added to the Rollover Queue, and its dwCurrentRolloverStatus is changed to DNS_SKD_STATUS_QUEUED. If another signing key descriptor in the zone is in the process of rolling, ftNextRolloverTime MAY represent a time in the past.

dwState: The current state of this signing key descriptor. This MUST be set to one of the following values.<49>

DNS_SKD_STATE_ACTIVE (0x00000000): The signing key descriptor is active and in use for online signing of the zone.

DNS_SKD_STATE_RETIRED (0x00000001): The signing key descriptor is no longer in use for online signing.

dwCurrentRolloverStatus: The current rollover status of this signing key descriptor. This MUST be set to one of the following values, representing the various stages of key rollover as described in [RFC4641] and [RFC5011]:

DNS_SKD_STATUS_NOT_ROLLING (0x00000000): The signing key descriptor is not currently in the process of rolling over keys.

DNS_SKD_STATUS_QUEUED (0x00000001): This signing key descriptor is waiting for another rollover to complete before its rollover can begin. After the signing key descriptor reaches the head of the Rollover Queue, the signing key descriptor will move into the DNS_SKD_STATUS_ROLL_STARTED state.

DNS_SKD_STATUS_ROLL_STARTED (0x00000002): This signing key descriptor has begun the process of key rollover. Signing key descriptors representing ZSKs will move from this state to the DNS_SKD_STATUS_ZSK_WAITING_FOR_DNSKEY_TTL state, and signing key descriptors representing KSKs will move from this state to the DNS_SKD_STATUS_KSK_WAITING_FOR_DS_UPDATE state.

DNS_SKD_STATUS_ZSK_WAITING_FOR_DNSKEY_TTL (0x00000003): This ZSK signing key descriptor is waiting for the previous key to expire in all caching resolvers (it is waiting for the DNSKEY TTL to expire). The signing key descriptor will next move into the DNS_SKD_STATUS_ZSK_WAITING_FOR_MAXZONE_TTL state.

DNS_SKD_STATUS_ZSK_WAITING_FOR_MAXZONE_TTL (0x00000004): This ZSK signing key descriptor is waiting for the signatures using the previous key to expire in all caching resolvers (it is waiting for the largest record TTL to expire). This is the final state for ZSK rollovers. The signing key descriptor will move into the DNS_SKD_STATUS_NOT_ROLLING state when this portion of key rollover is complete.

DNS_SKD_STATUS_KSK_WAITING_FOR_DS_UPDATE (0x00000005): This KSK signing key descriptor is waiting for a DS record corresponding to the new key to appear in the parent zone. If DS records are found in the parent zone, the server MUST set the zone's "ParentHasSecureDelegation" property to 0x00000001 and continue to wait until the parent's DS record set includes the new key, at which point the signing key descriptor will move into the DNS_SKD_STATUS_KSK_WAITING_FOR_DS_TTL state. If no DS records are found in the parent zone, the server MUST set the zone's "ParentHasSecureDelegation" property to 0x00000000 and transition the signing key descriptor into the DNS_SKD_STATUS_KSK_WAITING_FOR_DNSKEY_TTL state. If there is an error or if the presence of a DS record set in the parent zone cannot be determined, the server MUST continue to attempt to query for this record set for up to 15 minutes if the zone's "ParentHasSecureDelegation" property is 0x00000000, or until the PokeZoneKeyRollover command is received if it is 0x00000001.

DNS_SKD_STATUS_KSK_WAITING_FOR_DS_TTL (0x00000006): This KSK signing key descriptor is waiting for the DS record set in the parent zone to expire in all caching resolvers (it is waiting for the parent DS TTL to expire). If the zone's "RFC5011KeyRollovers" property is TRUE, the signing key descriptor will next move into the DNS_SKD_STATUS_KSK_WAITING_FOR_5011_REMOVE_HOLD_DOWN state. Otherwise, this is a final state for KSK rollovers, and signing key descriptors will move into the DNS_SKD_STATUS_NOT_ROLLING state when this portion of key rollover is complete.

DNS_SKD_STATUS_KSK_WAITING_FOR_DNSKEY_TTL (0x00000007): This KSK signing key descriptor is waiting for the previous key to expire in all caching resolvers (it is waiting for the DNSKEY TTL to expire). This is a final state for KSK rollovers, and signing key descriptors will move into the DNS_SKD_STATUS_NOT_ROLLING state when this portion of key rollover is complete.

DNS_SKD_STATUS_KSK_WAITING_FOR_5011_REMOVE_HOLD_DOWN (0x00000008): This KSK signing key descriptor is waiting for the RFC5011 remove hold-down time before the revoked previous key can be removed. This is a final state for KSK rollovers, and signing key descriptors will move into the DNS_SKD_STATUS_NOT_ROLLING state when this portion of key rollover is complete.

DNS_SKD_STATUS_ROLL_ERROR (0x00000009): This signing key descriptor experienced an unrecoverable error during the key rollover.
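The dwState and dwCurrentRolloverStatus enumerations above, together with the rollover transitions the status descriptions spell out, modelled in Python. This is an added example written for this page, not Microsoft's code and not part of the MS-DNSP protocol; the function names, the `parent_ds` vocabulary ("unknown", "absent", "old", "new") used to stand for the outcome of the parent-zone DS query, and the per-step scheduler model are assumptions made for the example. The NDR decoding of the RPC structure itself is not shown; only the FILETIME fields and the two enumerations are interpreted.

```python
"""Model of the DNS_RPC_SKD_STATE enumerations and the SKD rollover state
machine described in MS-DNSP 2.2.6.2.3 (added illustration, not Microsoft's code)."""
from datetime import datetime, timedelta, timezone
from typing import Optional

STRUCTURE_VERSION = 0x00000001  # dwRpcStructureVersion MUST be set to this

# dwState values
DNS_SKD_STATE_ACTIVE = 0x00000000
DNS_SKD_STATE_RETIRED = 0x00000001
STATE_NAMES = {
    DNS_SKD_STATE_ACTIVE: "DNS_SKD_STATE_ACTIVE",
    DNS_SKD_STATE_RETIRED: "DNS_SKD_STATE_RETIRED",
}

# dwCurrentRolloverStatus values
NOT_ROLLING = 0x00000000
QUEUED = 0x00000001
ROLL_STARTED = 0x00000002
ZSK_WAITING_FOR_DNSKEY_TTL = 0x00000003
ZSK_WAITING_FOR_MAXZONE_TTL = 0x00000004
KSK_WAITING_FOR_DS_UPDATE = 0x00000005
KSK_WAITING_FOR_DS_TTL = 0x00000006
KSK_WAITING_FOR_DNSKEY_TTL = 0x00000007
KSK_WAITING_FOR_5011_REMOVE_HOLD_DOWN = 0x00000008
ROLL_ERROR = 0x00000009
STATUS_NAMES = {
    NOT_ROLLING: "DNS_SKD_STATUS_NOT_ROLLING",
    QUEUED: "DNS_SKD_STATUS_QUEUED",
    ROLL_STARTED: "DNS_SKD_STATUS_ROLL_STARTED",
    ZSK_WAITING_FOR_DNSKEY_TTL: "DNS_SKD_STATUS_ZSK_WAITING_FOR_DNSKEY_TTL",
    ZSK_WAITING_FOR_MAXZONE_TTL: "DNS_SKD_STATUS_ZSK_WAITING_FOR_MAXZONE_TTL",
    KSK_WAITING_FOR_DS_UPDATE: "DNS_SKD_STATUS_KSK_WAITING_FOR_DS_UPDATE",
    KSK_WAITING_FOR_DS_TTL: "DNS_SKD_STATUS_KSK_WAITING_FOR_DS_TTL",
    KSK_WAITING_FOR_DNSKEY_TTL: "DNS_SKD_STATUS_KSK_WAITING_FOR_DNSKEY_TTL",
    KSK_WAITING_FOR_5011_REMOVE_HOLD_DOWN: "DNS_SKD_STATUS_KSK_WAITING_FOR_5011_REMOVE_HOLD_DOWN",
    ROLL_ERROR: "DNS_SKD_STATUS_ROLL_ERROR",
}

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> Optional[datetime]:
    """FILETIME is a count of 100-ns ticks since 1601-01-01 UTC. The spec uses
    0 in ftLastRolloverTime / ftNextRolloverTime to mean 'no such time'."""
    if ft == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def next_status(status: int, is_ksk: bool, rfc5011_rollovers: bool,
                parent_ds: str = "unknown"):
    """One scheduler step of the rollover state machine in the text.

    parent_ds (KSK only) is the assumed outcome of the parent-zone DS query:
    "unknown" (error / undetermined), "absent" (no DS records), "old" (DS set
    present but without the new key) or "new" (DS set includes the new key).
    Returns (next_status, new ParentHasSecureDelegation value or None)."""
    if status == QUEUED:
        return ROLL_STARTED, None
    if status == ROLL_STARTED:
        return (KSK_WAITING_FOR_DS_UPDATE if is_ksk else ZSK_WAITING_FOR_DNSKEY_TTL), None
    if status == ZSK_WAITING_FOR_DNSKEY_TTL:
        return ZSK_WAITING_FOR_MAXZONE_TTL, None
    if status == ZSK_WAITING_FOR_MAXZONE_TTL:
        return NOT_ROLLING, None
    if status == KSK_WAITING_FOR_DS_UPDATE:
        if parent_ds == "absent":
            return KSK_WAITING_FOR_DNSKEY_TTL, 0x00000000
        if parent_ds == "old":
            return KSK_WAITING_FOR_DS_UPDATE, 0x00000001  # keep waiting for the new DS
        if parent_ds == "new":
            return KSK_WAITING_FOR_DS_TTL, 0x00000001
        return KSK_WAITING_FOR_DS_UPDATE, None  # undetermined: query again
    if status == KSK_WAITING_FOR_DS_TTL:
        return (KSK_WAITING_FOR_5011_REMOVE_HOLD_DOWN if rfc5011_rollovers else NOT_ROLLING), None
    if status in (KSK_WAITING_FOR_DNSKEY_TTL, KSK_WAITING_FOR_5011_REMOVE_HOLD_DOWN):
        return NOT_ROLLING, None
    if status in (NOT_ROLLING, ROLL_ERROR):
        return status, None  # terminal; ROLL_ERROR needs operator attention
    raise ValueError(f"unknown dwCurrentRolloverStatus 0x{status:08X}")


def rollover_path(is_ksk: bool, rfc5011_rollovers: bool, parent_ds_results=()):
    """Walk from DNS_SKD_STATUS_QUEUED until the SKD is no longer rolling and
    return the status names visited. parent_ds_results (constructed input) is
    consumed one entry per KSK_WAITING_FOR_DS_UPDATE step."""
    results = iter(parent_ds_results)
    status, path = QUEUED, [STATUS_NAMES[QUEUED]]
    for _ in range(32):  # bound the walk so an ever-"unknown" parent cannot spin forever
        if status == NOT_ROLLING:
            return path
        parent_ds = next(results, "unknown") if status == KSK_WAITING_FOR_DS_UPDATE else "unknown"
        status, _flag = next_status(status, is_ksk, rfc5011_rollovers, parent_ds)
        path.append(STATUS_NAMES[status])
    raise RuntimeError("rollover did not reach DNS_SKD_STATUS_NOT_ROLLING")


if __name__ == "__main__":
    print(filetime_to_datetime(116444736000000000))  # FILETIME of the Unix epoch
    print(rollover_path(is_ksk=False, rfc5011_rollovers=False))
    print(rollover_path(is_ksk=True, rfc5011_rollovers=True, parent_ds_results=("old", "new")))
```

Two points the walk makes visible that the prose states only implicitly: a KSK rollover with no secure delegation in the parent never visits the DS TTL states at all, and a ZSK rollover never touches "ParentHasSecureDelegation". Monitoring that compares successive DNS_RPC_SKD_STATE snapshots against `next_status` can flag an SKD that lands in DNS_SKD_STATUS_ROLL_ERROR or that stays in DNS_SKD_STATUS_KSK_WAITING_FOR_DS_UPDATE past the 15-minute retry window the text gives for the undetermined case.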

pwszActiveKey: Signing key pointer string for the signing key descriptor's currently active key. This is the key that is currently being used to sign zone records.

pwszStandbyKey: Signing key pointer string for the signing key descriptor's standby key. The key represented by this string has several different roles depending on the associated signing key descriptor's fIsKSK flag and its dwRolloverStatus:

  • If the signing key descriptor's fIsKSK flag is TRUE, pwszStandbyKey represents the "double signature" key as described in [RFC4641] section 4.2.2, also depicted as the "standby" key in [RFC5011] section 6.

  • If the signing key descriptor's fIsKSK flag is FALSE, pwszStandbyKey will generally be NULL unless the SKD is in the process of key rollover:

    • If the signing key descriptor's dwRolloverStatus is DNS_SKD_STATUS_ZSK_WAITING_FOR_DNSKEY_TTL, pwszStandbyKey represents the "pre-publish" key as described in [RFC4641] section 4.2.1.1.

    • If the signing key descriptor's dwRolloverStatus is DNS_SKD_STATUS_ZSK_WAITING_FOR_MAXZONE_TTL, pwszStandbyKey represents the previously active key during the "new RRSIGs" phase of Pre-Publish Key Rollover, as described in [RFC4641] section 4.2.1.1.

pwszNextKey: Signing key pointer string for the signing key descriptor's next key. The key represented by this string has several different roles depending on the associated signing key descriptor's fIsKSK flag:

  • If the signing key descriptor's fIsKSK flag is TRUE, pwszNextKey represents the next key that will be consumed during key rollover. It is not published in the zone and is not used to sign any other records. If the zone's "RFC5011KeyRollovers" property is TRUE, this key becomes the next "standby" key according to [RFC5011]. Otherwise, this key is used as the "double signature" key according to [RFC4641] as the signing key descriptor's key rollover process begins.

  • If the signing key descriptor's fIsKSK flag is FALSE, pwszNextKey represents the "pre-publish" key as described in [RFC4641] section 4.2.1.1. When the SKD is in the process of key rollover, pwszNextKey can be populated with a newly generated post-rollover "pre-publish" key.

dwReserved: MUST be set to zero when sent and MUST be ignored on receipt.