2.2.1.1.4 TRUSTANCHOR_STATE

The TRUSTANCHOR_STATE enumeration identifies the current state of the life cycle of a DNSSEC trust anchor. All states other than TRUSTANCHOR_STATE_DSPENDING and TRUSTANCHOR_STATE_DSINVALID correspond to the states given in [RFC5011] section 4.2. Only the TRUSTANCHOR_STATE_VALID and TRUSTANCHOR_STATE_MISSING trust anchors affect the DNS protocol (by acting as a DNSSEC trust anchor). None of the states affect the LDAP protocol [RFC4511].

 typedef enum
 {
     TRUSTANCHOR_STATE_INITIALIZED,
     TRUSTANCHOR_STATE_DSPENDING,
     TRUSTANCHOR_STATE_DSINVALID,
     TRUSTANCHOR_STATE_ADDPEND,
     TRUSTANCHOR_STATE_VALID,
     TRUSTANCHOR_STATE_MISSING,
     TRUSTANCHOR_STATE_REVOKED,
     TRUSTANCHOR_STATE_DELETED
 }
 TRUSTANCHOR_STATE, *PTRUSTANCHOR_STATE;

TRUSTANCHOR_STATE_INITIALIZED: Reserved. MUST NOT be sent by the server, MUST be ignored by the receiver.

TRUSTANCHOR_STATE_DSPENDING: Indicates a DS trust anchor that can be replaced by the DNSKEY trust anchor that matches the hash of the DS trust anchor after the next [RFC5011] active refresh.

TRUSTANCHOR_STATE_DSINVALID: Indicates a DS trust anchor that matches a DNSKEY record that is not valid as a trust anchor because the SEP flag is not set or because the algorithm is unsupported.

TRUSTANCHOR_STATE_ADDPEND: Indicates a DNSKEY trust anchor that has not exceeded the [RFC5011] add-hold-down time. This trust anchor can become a valid trust anchor after the hold-down time has been exceeded.

TRUSTANCHOR_STATE_VALID: Indicates a DNSKEY trust anchor that has exceeded the [RFC5011] add-hold-down time, has been matched to (and has replaced) a DS trust anchor, or has been added by the administrator. This trust anchor is trusted for DNSSEC operations, and a copy exists in the TrustAnchors zone.

TRUSTANCHOR_STATE_MISSING: Indicates a DNSKEY trust anchor that is valid but was not seen in the last [RFC5011] active refresh. This trust anchor is trusted for DNSSEC operations, and a copy exists in the TrustAnchors zone.

TRUSTANCHOR_STATE_REVOKED: Indicates a DNSKEY trust anchor that has been revoked by the authoritative zone administrator according to [RFC5011]. This trust anchor will be deleted when the [RFC5011] remove-hold-down time is exceeded.

TRUSTANCHOR_STATE_DELETED: Reserved. MUST NOT be sent by the server, MUST be ignored by the receiver.
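
The following is an added example, not part of the specification: a receiver-side tally of trust anchor states that counts only VALID and MISSING as trusted, surfaces MISSING separately for monitoring, and ignores the reserved values. The anchor_audit structure, the function names, and the treatment of out-of-range values as ignored are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Enumeration as listed in this section (implicit values 0..7). */
typedef enum {
    TRUSTANCHOR_STATE_INITIALIZED, TRUSTANCHOR_STATE_DSPENDING,
    TRUSTANCHOR_STATE_DSINVALID,   TRUSTANCHOR_STATE_ADDPEND,
    TRUSTANCHOR_STATE_VALID,       TRUSTANCHOR_STATE_MISSING,
    TRUSTANCHOR_STATE_REVOKED,     TRUSTANCHOR_STATE_DELETED
} TRUSTANCHOR_STATE;

/* Hypothetical audit summary; not a protocol structure. */
typedef struct {
    size_t trusted;   /* VALID or MISSING: acts as a DNSSEC trust anchor */
    size_t missing;   /* trusted, but not seen in the last active refresh */
    size_t pending;   /* DSPENDING or ADDPEND: not trusted yet */
    size_t unusable;  /* DSINVALID or REVOKED: not trusted */
    size_t ignored;   /* reserved values, plus out-of-range (assumption) */
} anchor_audit;

/* Tally raw state values as received; int so bad values can be represented. */
anchor_audit audit_anchor_states(const int *states, size_t n)
{
    anchor_audit a = {0, 0, 0, 0, 0};
    for (size_t i = 0; i < n; i++) {
        switch (states[i]) {
        case TRUSTANCHOR_STATE_MISSING:   a.missing++; a.trusted++; break;
        case TRUSTANCHOR_STATE_VALID:     a.trusted++;  break;
        case TRUSTANCHOR_STATE_DSPENDING:
        case TRUSTANCHOR_STATE_ADDPEND:   a.pending++;  break;
        case TRUSTANCHOR_STATE_DSINVALID:
        case TRUSTANCHOR_STATE_REVOKED:   a.unusable++; break;
        default:                          a.ignored++;  break; /* INITIALIZED, DELETED, unknown */
        }
    }
    return a;
}

/* True if at least one entry is in a state that acts as a DNSSEC trust anchor. */
bool zone_has_trust_anchor(const anchor_audit *a) { return a->trusted > 0; }

/* Constructed sample: one value per state plus an out-of-range value (42). */
static const int SAMPLE_STATES[] = {
    TRUSTANCHOR_STATE_VALID, TRUSTANCHOR_STATE_MISSING, TRUSTANCHOR_STATE_ADDPEND,
    TRUSTANCHOR_STATE_DSPENDING, TRUSTANCHOR_STATE_DSINVALID, TRUSTANCHOR_STATE_REVOKED,
    TRUSTANCHOR_STATE_INITIALIZED, TRUSTANCHOR_STATE_DELETED, 42 };
#define SAMPLE_COUNT (sizeof SAMPLE_STATES / sizeof SAMPLE_STATES[0])

int main(void)
{
    anchor_audit a = audit_anchor_states(SAMPLE_STATES, SAMPLE_COUNT);
    printf("trusted=%zu missing=%zu pending=%zu unusable=%zu ignored=%zu\n",
           a.trusted, a.missing, a.pending, a.unusable, a.ignored);
    return zone_has_trust_anchor(&a) ? 0 : 1;
}
```

A nonzero missing count is worth alerting on: those anchors are still trusted for DNSSEC operations even though the last active refresh did not see them.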