The following terms are defined in [MS-GLOS]:
Active Directory domain
Coordinated Universal Time (UTC)
distinguished name (DN)
domain controller (DC)
domain name (2), (3)
FSMO role owner
fully qualified domain name (FQDN) (1)
Interface Definition Language (IDL)
Internet Protocol version 4 (IPv4)
Internet Protocol version 6 (IPv6)
Lightweight Directory Access Protocol (LDAP)
naming context root
Network Data Representation (NDR)
read-only domain controller (RODC)
relative distinguished name (RDN) (1), (2)
remote procedure call (RPC)
root directory system agent-specific entry (rootDSE)
RPC protocol sequence
security support provider (SSP)
Security Support Provider Interface (SSPI)
universally unique identifier (UUID)
The following terms are specific to this document:
Active Directory domain controller promotion (DCPROMO): The act of causing a server to become a domain controller (DC).
Active Directory forest: See forest.
active refresh: A self-generated DNS query for the DNSKEY records at a trust point, for the purpose of automatically retrieving new trust anchors and removing revoked trust anchors. See [RFC5011].
aging: A concept in which a DNS server keeps track of time stamps for the last update of individual resource records. The duration from the last time stamp to the current time is the age of the resource record; this value is used for scavenging, a process for cleaning out records that have not been used recently.
application directory partition: An application NC.
authoritative: A DNS server is authoritative for a portion of the DNS namespace if it hosts a primary or secondary zone for that portion of the DNS namespace.
autocreated zone: A zone that is created automatically by a DNS server, such as 0.in-addr.arpa, 127.in-addr.arpa or 255.in-addr.arpa.
cache: When a DNS server receives information from other servers, it stores that information for a certain amount of time in its own in-memory zones, also referred to as a DNS cache. This improves the performance of domain name resolution and reduces DNS-related query traffic. The cache contains only nodes that have unexpired records and expired but not-yet-freed records.
delegation: A name server (NS) record set in a parent zone that lists the name servers authoritative for a delegated subzone.
directory server: A persistent storage for DNS zones and records. A DNS server can access DNS data stored in a directory server using the LDAP protocol or a similar directory access mechanism.
directory-server-integrated: A DNS server is directory-server-integrated if a local directory server such as Active Directory resides on the same machine as the DNS server.
directory server security descriptors: The set of security descriptors read from the directory server, encompassing the DNS Server Configuration Access Control List, Zone Access Control List, and the Application Directory Partition Access Control List.
DNS domain partition: An application directory partition stored in the directory server that is replicated to all DNS servers in the domain.
DNS forest partition: An application directory partition stored in the directory server that is replicated to all DNS servers in the forest.
dynamic update: A mechanism defined in [RFC2136] by which updates for DNS records can be sent to the authoritative DNS server for a zone through the DNS protocol.
expired DNS record: A DNS record stored in the cache whose age is greater than the value of its TTL.
forwarders: A DNS server that is designated to facilitate forwarding of queries for other DNS servers.
full zone transfer (AXFR): A DNS protocol mechanism [RFC1035] through which an entire copy of a DNS zone can be transmitted to a remote DNS server.
global name zone (GNZ): A zone that provides single-label name resolution for large enterprise networks that do not deploy WINS and where using domain name suffixes to provide single-label name resolution is not practical.
glue record: A record of type A or AAAA included in a zone to specify the IP address of a DNS server used in a delegation. The fully qualified domain name of each glue record will match the fully qualified domain name of an authoritative DNS server found in one of the NS records in the delegation.
incremental zone transfer (IXFR): A DNS protocol mechanism [RFC1995] through which a partial copy of a DNS zone can be transmitted to a remote DNS server. An incremental zone transfer, or IXFR, is represented as a sequence of DNS record changes that can be applied to one image of a zone to synchronize it with another image of a zone.
key master: A DNS server that is responsible for generating and maintaining DNSSEC signing keys for one particular zone.
key signing key (KSK): A DNSKEY used to sign only the DNSKEY record set at the root of the zone, as defined in [RFC4641].
lame delegation: A delegation in which none of the name servers listed in the delegation host the delegated subzone or respond to DNS queries.
local directory server: A directory server instance on the same host as the DNS server.
multizone operation: An operation requested to be performed on a set of zones with one or more particular properties, rather than on a single zone.
multizone operation string: A string indicating a property defining a set of zones on which an operation is to be performed.
network mask: A bit vector that, when logically AND-ed with an IP address, indicates the subnet to which an IP address belongs. Also known as net mask.
node: An entry identified by name in a DNS zone. A node contains all of the DNS records sets associated with the name.
nonkey master primary server: In a file-backed signed zone, a nonkey master primary is a server that holds the primary copy of the signed zone. A nonkey master primary server can also perform signature refreshes and zone signing using zone signing keys, but it cannot generate or manage keys on its own.
NoRefresh interval: If an update that does not change the DNS data for a record set is received within the NoRefresh interval, then the DNS server will not update the time stamp on the record. This allows the DNS server to avoid unnecessary updates to the data store.
notify: DNS notify [RFC1996] is a mechanism in which the primary DNS server for a zone notifies secondary servers about any changes in the zone.
online signing: Refers to the process of signing and maintaining DNSSEC characteristics of a zone.<1>
primary DNS server: A DNS server that holds a master authoritative copy of a particular zone's data in local persistent storage.
primary zone: A zone for which a master authoritative copy of data is held in persistent local storage or in a locally accessible directory server. A zone stored in a directory server is a primary zone for any DNS server that can retrieve a copy of it from its local directory server.
refresh interval: If the NoRefresh interval for a record has expired and the DNS server receives a DNS update that does not change the record data, then the DNS server will commit a new time stamp to the data store. The combination of the NoRefresh and Refresh intervals allows a DNS server to maintain a relatively accurate record time stamp without unnecessary updates to the data store.
resource record (RR): A single piece of DNS data. Each resource record consists of a DNS type, a DNS class, a time to live (TTL), and record data (RDATA) appropriate for the resource record's DNS type.
read only domain controller (RODC): A directory server that can be read from but not written to.
root hints: DNS root hints contain the host information needed to resolve names outside of the authoritative DNS domains; they consist of the names and addresses of the root DNS servers.
scavenging: A regularly scheduled process on a DNS server during which DNS records that have not been updated within a certain interval may be deleted.
secondary DNS server: A DNS server that holds an authoritative read-only copy of a particular zone's data. The copy is periodically copied from another authoritative DNS server. Each zone can have any number of secondary DNS servers.
secondary zone: A zone for which an authoritative read-only copy of data is hosted by a particular DNS server. The data for a secondary zone is periodically copied from another DNS server that is authoritative for the zone.
secret key transaction authentication (TSIG): An authentication mechanism specified in [RFC2845] for DNS dynamic updates that uses a one-way hashing function to provide a cryptographically secure means of identifying each endpoint.
secure delegation: A delegation in a parent zone (name server (NS) record set), along with a signed delegation signer (DS) record set, signifying a delegation to a signed subzone.
secure dynamic update: A modification of the dynamic update mechanism defined in [RFC3645] by which updates for DNS records can be sent securely to the authoritative DNS server for a zone through the DNS protocol.
security context: The result of a TSIG [RFC2845] security negotiation between the server and a client machine.
serial number: A field in the SOA record [RFC1035] for a zone. This value is used to compare different versions of a zone.
signing key descriptor (SKD): A collection of DNSSEC signing key characteristics such as algorithm, key length, and signature validity period that describe how DNSSEC signing keys and corresponding signatures should be generated and maintained by the DNS server.
single-label name: A domain name consisting of exactly one label [for example "contoso." (an absolute name) or "contoso" (a relative name)]. When written in dotted-notation [RFC1034], a single-label name will contain at most one period (".").
start of authority (SOA): Every zone contains a SOA record as defined in [RFC1035] section 3.3.13 and clarified in [RFC2181] section 7 at the beginning of the zone that provides information relevant for a zone.
stub zone: A specialized version of a secondary zone. A stub zone contains only those resource records that are necessary to identify the authoritative DNS server for that zone. A stub zone consists of the zone root SOA resource record ([RFC1035] and [RFC2181]), the zone root NS resource records [RFC1035], and the glue resource records for the zone root SOA and NS records.
time stamp: An integer value representing the number of hours that have elapsed since midnight (00:00:00), January 1, 1601 UTC.
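The aging, NoRefresh interval, refresh interval, scavenging and time stamp definitions above together describe one small algorithm. The following Python is an added worked example, not code from the specification or from any DNS server implementation: it converts between datetimes and the hour-granularity time stamp counted from midnight on January 1, 1601 UTC, applies a dynamic update under the NoRefresh/Refresh rules, and runs a scavenging pass. The record layout, the interval values (168 hours each), the sample records and the assumption that a record becomes eligible for scavenging once its age reaches NoRefresh + Refresh are all constructed for the example; the glossary itself only says "a certain interval".

```python
"""Worked example of the glossary's aging/scavenging definitions (added
illustration, not specification code).  Time stamps are hours since
1601-01-01 00:00:00 UTC; an unchanged update inside the NoRefresh interval
leaves the time stamp alone, one after it commits a new time stamp, and a
scavenging pass deletes records whose age reached the scavenging threshold."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum

# Epoch used by the glossary's "time stamp" definition.
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def hours_since_1601(when: datetime) -> int:
    """Convert a timezone-aware datetime to the hour-granularity time stamp."""
    if when.tzinfo is None:
        raise ValueError("expected a timezone-aware datetime")
    return int((when - EPOCH_1601) // timedelta(hours=1))


def datetime_from_timestamp(hours: int) -> datetime:
    """Inverse of hours_since_1601, for reading a stored time stamp back."""
    return EPOCH_1601 + timedelta(hours=hours)


@dataclass
class AgingRecord:
    """Constructed record shape: owner name, RDATA, and the aging time stamp."""
    name: str
    rdata: str
    timestamp: int  # hours since 1601, per the "time stamp" definition


class UpdateOutcome(Enum):
    DATA_CHANGED = "data changed; new time stamp committed"
    SUPPRESSED = "unchanged data inside NoRefresh interval; time stamp kept"
    REFRESHED = "unchanged data after NoRefresh interval; new time stamp committed"


def apply_dynamic_update(record: AgingRecord, new_rdata: str,
                         now: int, no_refresh: int) -> UpdateOutcome:
    """Apply one dynamic update following the NoRefresh / refresh definitions."""
    if new_rdata != record.rdata:
        # Real data change: always written, time stamp always updated.
        record.rdata = new_rdata
        record.timestamp = now
        return UpdateOutcome.DATA_CHANGED
    if now - record.timestamp < no_refresh:
        # NoRefresh interval not yet expired: avoid a needless store write.
        return UpdateOutcome.SUPPRESSED
    # NoRefresh interval expired: commit a fresh time stamp (refresh interval).
    record.timestamp = now
    return UpdateOutcome.REFRESHED


def record_age(record: AgingRecord, now: int) -> int:
    """Age as defined under 'aging': hours from last time stamp to now."""
    return now - record.timestamp


def is_scavengeable(record: AgingRecord, now: int,
                    no_refresh: int, refresh: int) -> bool:
    """Assumption for this example: the scavenging threshold is NoRefresh + Refresh."""
    return record_age(record, now) >= no_refresh + refresh


def scavenge(records, now: int, no_refresh: int, refresh: int):
    """One scavenging pass: returns (kept, deleted) lists, never mutating input."""
    kept, deleted = [], []
    for rec in records:
        (deleted if is_scavengeable(rec, now, no_refresh, refresh) else kept).append(rec)
    return kept, deleted


if __name__ == "__main__":
    NO_REFRESH, REFRESH = 168, 168  # constructed: 7 days each, in hours
    now = hours_since_1601(datetime(2024, 1, 1, tzinfo=timezone.utc))
    # Constructed sample records with ages of 100, 200 and 400 hours.
    zone = [
        AgingRecord("host1.example.", "10.0.0.5", now - 100),
        AgingRecord("host2.example.", "10.0.0.6", now - 200),
        AgingRecord("old.example.", "10.0.0.9", now - 400),
    ]
    for rec in zone:
        print(rec.name, apply_dynamic_update(rec, rec.rdata, now, NO_REFRESH).value)
    kept, deleted = scavenge(zone, now, NO_REFRESH, REFRESH)
    print("kept:", [r.name for r in kept], "deleted:", [r.name for r in deleted])
```

Note that in the demo the 400-hour-old record is refreshed by the unchanged update before the scavenging pass runs, so nothing is deleted there; a record is only scavenged if no update at all (changed or unchanged) arrives for it during NoRefresh + Refresh, which is exactly the behaviour an operator relies on when enabling aging on a zone.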
tombstone: An inactive DNS node which is not considered to be part of a DNS zone but has not yet been deleted from the zone database in the directory server. Tombstones may be permanently deleted from the zone once they reach a certain age. Tombstones are not used for DNS zones that are not stored in the directory server. A node is a tombstone if its dnsTombstoned attribute has been set to "TRUE".
trust anchor: A DNSKEY (public key) or DS (public key hash) record that is presumed to be authentic (that is trusted); a DNSKEY or DS record that is in the "TrustAnchors" zone. A DS trust anchor cannot be used in a DNSSEC proof, but it can serve as an authentication of a retrieved DNSKEY record, allowing it to become a DNSKEY trust anchor.
trust point: An FQDN that has one or more trust anchors; a point in the DNS namespace from which a DNSSEC proof can begin, via the presumption of trust anchor authenticity; a node in the "TrustAnchors" zone that contains a DS or DNSKEY record.
Windows Internet Name Service Reverse Lookup (WINS-R): A form of reverse lookup performed by the DNS server using NBSTAT [RFC1002] lookups to map IPv4 addresses to single-label names.
zone: A domain namespace is divided up into several sections called zones [RFC1034] and [RFC2181]. A zone represents authority over a portion of the DNS namespace, excluding any subzones that are below delegations.
zone signing key (ZSK): A DNSKEY used to sign all of the records in a zone, as defined in [RFC4641].
zone transfer: A DNS protocol mechanism [RFC1035] by which a full or partial copy of a DNS zone can be transmitted from one DNS server to another.
zone scope: A unique version of a zone that can be created inside an existing zone. Resource records can then be added to the zone scope and subsequently managed there.
MAY, SHOULD, MUST, SHOULD NOT, MUST NOT: These terms (in all caps) are used as described in [RFC2119]. All statements of optional behavior use either MAY, SHOULD, or SHOULD NOT.