2.2.6.2.1 DNS_RPC_SKD

The DNS_RPC_SKD structure specifies a signing key descriptor.

 typedef struct _DnssrvRpcSigningKeyDescriptor {
   DWORD dwRpcStructureVersion;
   DWORD dwReserved0;
   GUID Guid;
   [string] wchar_t* pwszKeyStorageProvider;
   BOOL fStoreKeysInDirectory;
   BOOL fIsKSK;
   BYTE bSigningAlgorithm;
   DWORD dwKeyLength;
   DWORD dwInitialRolloverOffset;
   DWORD dwDNSKEYSignatureValidityPeriod;
   DWORD dwDSSignatureValidityPeriod;
   DWORD dwStandardSignatureValidityPeriod;
   DWORD dwRolloverType;
   DWORD dwRolloverPeriod;
   DWORD dwNextRolloverAction;
   DWORD dwReserved;
 } DNS_RPC_SKD, *PDNS_RPC_SKD;

dwRpcStructureVersion: The structure version number; this MUST be set to 0x00000001.

dwReserved0: MUST be set to zero when sent and MUST be ignored on receipt.

Guid: A unique identifier for this signing key descriptor.

pwszKeyStorageProvider: The Key Storage Provider that will be used to generate and store keys for this signing key descriptor.

fStoreKeysInDirectory: A value of 0x00000001 indicates that the DNS server exports keys generated for this signing key descriptor and stores them on the DNS zone object in Active Directory. A value of 0x00000000 indicates that the DNS server stores keys in self-signed certificates in the local machine certificate store.

fIsKSK: A value of 0x00000001 indicates that this signing key descriptor describes a key signing key (KSK); a value of 0x00000000 indicates a zone signing key [RFC4641].

bSigningAlgorithm: The cryptographic algorithm used to generate signing keys. The DNS server SHOULD<48> support all values given by [IANA-DNSSECAN] and [DRAFT-DNSSEC-ECDSA].

dwKeyLength: The length, in bits, of cryptographic signing keys. This value MUST be ignored if the signing algorithm does not have variable key length.

dwInitialRolloverOffset: The amount of time, in seconds, to delay the first scheduled key rollover for this signing key descriptor. The value SHOULD be limited to the range 0x00000000 to 0x00278D00 (30 days), inclusive, but it can be any value. The default value SHOULD be 0x00000000, and the value zero MUST be allowed and treated literally.

dwDNSKEYSignatureValidityPeriod: The number of seconds that signatures covering DNSKEY record sets generated for this signing key descriptor's keys are valid, as defined by [RFC4034] section 3.1.5. The value SHOULD be limited to the range 0x00005460 (6 hours) to 0x00093A80 (7 days), inclusive, but it can be any value. The default value SHOULD be 0x0003F480 (3 days).

dwDSSignatureValidityPeriod: The number of seconds that signatures covering DS record sets generated for this signing key descriptor's keys are valid, as defined by [RFC4034] section 3.1.5. The value SHOULD be limited to the range 0x00005460 (6 hours) to 0x00093A80 (7 days), inclusive, but it can be any value. The default value SHOULD be 0x0003F480 (3 days).

dwStandardSignatureValidityPeriod: The number of seconds that signatures covering record sets not of type DNSKEY or DS generated for this signing key descriptor's keys are valid, as defined by [RFC4034] section 3.1.5. The value SHOULD be limited to the range 0x00005460 (6 hours) to 0x00278D00 (30 days), inclusive, but it can be any value. The default value SHOULD be 0x000D2F00 (10 days).

dwRolloverType: When sent, this value MUST be set to one of the allowed values specified in ZONE_SKD_ROLLOVER_TYPE (section 2.2.5.1.5) as follows: this value MUST be DNS_ROLLOVER_TYPE_PREPUBLISH if fIsKSK is 0x00000000 and MUST be DNS_ROLLOVER_TYPE_DOUBLE_SIGNATURE if fIsKSK is 0x00000001. On receipt, this value MUST be ignored.

dwRolloverPeriod: The number of seconds between scheduled key rollovers, or 0xFFFFFFFF to disable automatic key rollovers. This value SHOULD be limited to the range 0x00093A80 (1 week) to 0x25980600 (20 years), inclusive, in addition to 0xFFFFFFFF, when fIsKSK is 0x00000001, and the range 0x00093A80 (1 week) to 0x09660180 (5 years), inclusive, in addition to 0xFFFFFFFF, when fIsKSK is 0x00000000. The default SHOULD be 0x02022900 (13 months) when fIsKSK is 0x00000001, and 0x00278D00 (1 month) when fIsKSK is 0x00000000.

dwNextRolloverAction: This value describes the next key rollover action that the DNS server will take for this signing key descriptor. This value MUST be set to one of the allowed values specified in ZONE_SKD_ROLLOVER_ACTION (section 2.2.5.1.6).

dwReserved: This value MUST be set to 0x00000000 when sent by the client and ignored on receipt by the server.
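The MUST and SHOULD constraints above, collected into one consistency check over the numeric fields of a DNS_RPC_SKD. This is an added illustration, not code from the specification or from the Windows DNS server; the numeric values 0 and 1 for DNS_ROLLOVER_TYPE_PREPUBLISH and DNS_ROLLOVER_TYPE_DOUBLE_SIGNATURE are assumed, since this section names them only symbolically.

```python
from dataclasses import dataclass

# Rollover types from ZONE_SKD_ROLLOVER_TYPE (section 2.2.5.1.5). Their numeric
# values are an assumption here; this section refers to them by name only.
DNS_ROLLOVER_TYPE_PREPUBLISH = 0
DNS_ROLLOVER_TYPE_DOUBLE_SIGNATURE = 1
ROLLOVER_DISABLED = 0xFFFFFFFF


@dataclass
class DnsRpcSkd:
    """Numeric fields of DNS_RPC_SKD; defaults are the section's SHOULD defaults (ZSK)."""
    dwRpcStructureVersion: int = 0x00000001
    dwReserved0: int = 0
    fIsKSK: int = 0
    dwInitialRolloverOffset: int = 0x00000000
    dwDNSKEYSignatureValidityPeriod: int = 0x0003F480   # 3 days
    dwDSSignatureValidityPeriod: int = 0x0003F480       # 3 days
    dwStandardSignatureValidityPeriod: int = 0x000D2F00  # 10 days
    dwRolloverType: int = DNS_ROLLOVER_TYPE_PREPUBLISH
    dwRolloverPeriod: int = 0x00278D00                   # 1 month
    dwReserved: int = 0


def _in_range(name, value, low, high, issues):
    # SHOULD ranges: out-of-range values are legal but worth flagging.
    if not low <= value <= high:
        issues.append(("SHOULD", f"{name}=0x{value:08X} outside 0x{low:08X}..0x{high:08X}"))


def check_skd(skd):
    """Return (level, message) pairs for each violated MUST/SHOULD rule in the section."""
    issues = []
    if skd.dwRpcStructureVersion != 0x00000001:
        issues.append(("MUST", "dwRpcStructureVersion must be 0x00000001"))
    for name in ("dwReserved0", "dwReserved"):
        if getattr(skd, name) != 0:
            issues.append(("MUST", f"{name} must be zero when sent"))
    # dwRolloverType is tied to fIsKSK: double-signature for a KSK, prepublish for a ZSK.
    expected = DNS_ROLLOVER_TYPE_DOUBLE_SIGNATURE if skd.fIsKSK else DNS_ROLLOVER_TYPE_PREPUBLISH
    if skd.dwRolloverType != expected:
        issues.append(("MUST", "dwRolloverType does not match fIsKSK"))
    _in_range("dwInitialRolloverOffset", skd.dwInitialRolloverOffset, 0x00000000, 0x00278D00, issues)
    _in_range("dwDNSKEYSignatureValidityPeriod", skd.dwDNSKEYSignatureValidityPeriod, 0x00005460, 0x00093A80, issues)
    _in_range("dwDSSignatureValidityPeriod", skd.dwDSSignatureValidityPeriod, 0x00005460, 0x00093A80, issues)
    _in_range("dwStandardSignatureValidityPeriod", skd.dwStandardSignatureValidityPeriod, 0x00005460, 0x00278D00, issues)
    if skd.dwRolloverPeriod == ROLLOVER_DISABLED:
        issues.append(("INFO", "automatic key rollover disabled (0xFFFFFFFF)"))
    else:
        high = 0x25980600 if skd.fIsKSK else 0x09660180  # 20 years for a KSK, 5 years for a ZSK
        _in_range("dwRolloverPeriod", skd.dwRolloverPeriod, 0x00093A80, high, issues)
    return issues
```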