3.1.1.2.1 DNS Zone Integer Properties
The following properties are 32-bit integers. The term Boolean, as used below, means a 32-bit integer where a value of 0x00000000 indicates that the stated property is false, and any nonzero value indicates that the stated property is true.
"AllowUpdate": The DNS_ZONE_UPDATE (section 2.2.6.1.1) value for the zone. The value for this property is limited to those listed in the table in section 2.2.6.1.1. If this property's value is changed from any value to ZONE_UPDATE_SECURE, the DNS server MUST set the zone's Time Zone Secured (section 3.1.1) property to the current time expressed as the number of seconds since 12:00 A.M. January 1, 1601 Coordinated Universal Time (UTC).
"DsIntegrated": A Boolean indicating whether the zone is stored in the directory server. This property is read-only.
"DsRecordAlgorithms": The value of the cryptographic hash algorithm used to generate DS records written to a file named "dsset-<ZoneName>"<195> when the zone is first signed and whenever the DNSKEY record set for the zone is changed. The value MUST be limited to the values in the following table. The default value MUST be 0x00000003.<196>
| Value | Meaning |
|---|---|
| 0x00000000 DNS_ZONE_GENERATE_DS_NONE | Do not generate DS records. |
| 0x00000001 DNS_ZONE_GENERATE_DS_SHA1 | Use SHA-1 to generate DS records. |
| 0x00000002 DNS_ZONE_GENERATE_DS_SHA256 | Use SHA-256 to generate DS records. |
| 0x00000004 DNS_ZONE_GENERATE_DS_SHA384 | Use SHA-384 to generate DS records. |
"DSRecordSetTTL": The TTL value, in seconds, to assign to any new DS record created for this zone and written to the "dsset-<ZoneName>" file during zone signing or key rollover. The value MUST be limited to the range 0x00000000 to 0x00093A80 (1 week), inclusive. The default value MUST be 0x00000000, and the value zero MUST be allowed and treated as the zone default TTL.<197>
"DNSKEYRecordSetTTL": The TTL value, in seconds, that should be assigned to any new DNSKEY record created for this zone during zone signing or key rollover. The value MUST be limited to the range 0x00000000 to 0x00093A80 (1 week), inclusive. The default value MUST be 0x00000000, and the value zero MUST be allowed and treated as the zone default TTL.<198>
"IsKeymaster": A Boolean indicating whether the DNS server is the key master for this zone. This property can be modified only by using the "TransferKeymasterRole" operation of the R_DnssrvOperation (Opnum 0) (section 3.1.4.1) method call. The default value MUST be 0x00000000.<199>
"IsSigned": A Boolean indicating whether the zone is signed via Online Signing. This property can be modified only by using the "ZoneSign" or "ZoneUnsign" operation of the R_DnssrvOperation (Opnum 0) (section 3.1.4.1) method call. The default value MUST be 0x00000000.<200>
"LogUpdates": A Boolean indicating whether updates on this zone should be logged to permanent storage.
"MaintainTrustAnchor": This property controls how the DNS server maintains the list of forest-wide Trust Anchors as key rollover takes place for signing key descriptors whose "fIsKSK" flag is set. As the rollover progresses, new keys are generated and added to the forest-wide TrustAnchors zone, and old keys are removed. The value's range MUST be limited to the values in the following table. The default for this value SHOULD<201> be 0x00000000.
| Value | Meaning |
|---|---|
| 0x00000000 DNS_ZONE_MAINTAIN_TA_NONE | Trust Anchors are not updated as key rollover proceeds. |
| 0x00000001 DNS_ZONE_MAINTAIN_TA_DNSKEY | Keys are stored in the forest-wide TrustAnchors zone as DNSKEY records as the key rollover proceeds. |
"NoRefreshInterval": The No Refresh interval value, in hours, for the zone. The value 0x00000000 MUST be treated as a flag value for the value of "DefaultNoRefreshInterval" (section 3.1.1.1.1).
"NSEC3HashAlgorithm": The algorithm ID used for hashing node owner names in zones signed with NSEC3 as described in [RFC5155] section 3.1.1. The value's range MUST be limited to the values in the following table. The default for this value SHOULD<202> be 0x00000001.
| Value | Meaning |
|---|---|
| 0x00000001 DNS_NSEC3_HASH_ALG_ID_SHA1 | Use SHA-1 to hash owner names. |
"NSEC3Iterations": The number of additional iterations that the hashing function is used when generating hashed owner names for zones signed with NSEC3, as described in [RFC5155] section 3.1.3 and section 5. The value's range MUST be 0x00000000 to 0x000009C4, inclusive. The default value SHOULD<203> be 0x00000032.
"NSEC3OptOut": A Boolean indicating whether NSEC3 records in a zone signed with NSEC3 have their "Opt-Out" flag set, as described in [RFC5155] section 3.1.2.1. The default value SHOULD<204> be 0x00000000.
"NSEC3RandomSaltLength": When zones are signed with NSEC3, salt may be applied to the hashing function when hashed owner names are generated, as described in [RFC5155] section 3.1.5 and section 5. The "NSEC3RandomSaltLength" is the length, in octets, of randomly generated salt. The value 0x00000000 MUST be treated as a flag indicating that the DNS server MUST NOT generate salt randomly but MUST use the "NSEC3UserSalt" zone property. For any other value, the DNS server MUST generate a random salt of the specified length to be used when generating hashed owner names. The value's range MUST be 0x00000000 to 0x000000FF, inclusive. The default value SHOULD<205> be 0x00000008.
"NotifyLevel": The DNS_ZONE_NOTIFY_LEVEL (section 2.2.5.1.3) value for the zone. The value for this property is limited to those listed in the table in section 2.2.5.1.3.
"ParentHasSecureDelegation": A Boolean indicating whether this zone has a secure delegation from a parent zone. The default value SHOULD<206> be 0x00000000.
"PropagationTime": The expected time, in seconds, that it takes for zone data changes to propagate to other copies of the zone, whether these copies are hosted as secondary zones or, if the zone is directory server-integrated, are other primary copies on the directory server. For zones that are directory server-integrated, the default value SHOULD be 0x0002A300 (2 days). Otherwise, the default SHOULD be 0x00000000.<207>
"RefreshInterval": The refresh interval value, in hours, for the zone. The value 0x00000000 MUST be treated as a flag value for the value of "DefaultRefreshInterval" (section 3.1.1.1.1).
"RFC5011KeyRollovers": A Boolean indicating whether the zone follows [RFC5011] section 2 as key rollover takes place for signing key descriptors whose "fIsKSK" flag is set. The default value SHOULD be 0x00000000.<208>
"SecureDelegationPollingPeriod": The interval, in seconds, between queries to refresh the set of delegation signer (DS) records in a secure delegation. The value MUST be limited to the range 0x00000E10 (1 hour) to 0x0x00093A80 (1 week), inclusive. The default value SHOULD<209> be 0x0000A8C0 (12 hours).
"SecureSecondaries": The DNS_ZONE_SECONDARY_SECURITY (section 2.2.5.1.2) value for the zone. The value for this property is limited to those listed in the table in section 2.2.5.1.2.
"SignatureInceptionOffset": The interval, in seconds, that the DNS server should subtract from the current time when generating the signature inception field in new RRSIG records ([RFC4034]). The value's range MUST be 0x00000000 to 0x00093A80, inclusive. The default value SHOULD<210> be 0x00000E10.
"SignWithNSEC3": A Boolean indicating whether an online-signed zone should be signed using NSEC3 ([RFC5155]) for denial of existence. A zone not using NSEC3 will use NSEC ([RFC4034]). The default value SHOULD<211> be 0x00000001.
"Type": The DNS_ZONE_TYPE (section 2.2.5.1.1) value for the zone. This property is read-only.
The DNS Server SHOULD support the following properties:
"Aging": A Boolean indicating whether aging is enabled for the zone.<212>
"ForwarderSlave": A Boolean indicating whether normal recursion SHOULD be used to resolve queries if the master servers for the forwarder zone are unreachable.<213>
"ForwarderTimeout": The number of seconds the DNS server SHOULD<214> wait for response for a forwarded query.
"Unicode": The server MUST ignore any value set for this Boolean property.<215>