// signconf.rnc converted to .proto format for protocol buffers
//
// There is no `syntax` statement, so this file is parsed as proto2 (the
// `required` label below is proto2-only). Field numbers are the wire
// contract: do not renumber fields, and reserve the number of any field
// that is removed rather than reusing it. The `(xml)` options map each
// field to an element/attribute path in the signconf XML document.

package ods.signconf;

import "xmlext.proto";

// Top-level container for a signconf file.
message SignerConfigurationDocument {
  // root element in a signconf file
  required SignerConfiguration signerconfiguration = 1 [(xml).path="SignerConfiguration"];
}

// Signer configuration: currently holds exactly one zone.
message SignerConfiguration {
  required Zone zone = 1 [(xml).path="Zone"];
}

// Per-zone signing configuration.
message Zone {
  // Zone name, taken from the `name` attribute of the Zone element.
  required string name = 1 [(xml).path="@name"];
  // Signature timing parameters.
  required Signatures signatures = 2 [(xml).path="Signatures"];
  // Authenticated denial of existence settings (NSEC or NSEC3).
  required Denial denial = 3 [(xml).path="Denial"];
  // Keys used to sign the zone.
  required Keys keys = 4 [(xml).path="Keys"];
  // ttl of the soa (parsed from a duration string)
  required int32 ttl = 5 [(xml).path="SOA/TTL", (xml).type=duration];
  // min of the soa (parsed from a duration string)
  required int32 min = 6 [(xml).path="SOA/Minimum", (xml).type=duration];
  // kind of serial used; see the `serial` enum below
  required serial serial = 7 [(xml).path="SOA/Serial"];
  // Audit flag; what the consumer does with it is not specified here —
  // TODO(review) confirm semantics against the signer.
  optional bool audit = 8 [(xml).path="Audit"];
}

// Signature timing parameters. All values are durations in the XML and are
// stored here as int32; the unit after conversion is determined by the
// `(xml).type=duration` handler in xmlext.proto, not by this schema.
message Signatures {
  // re-signing interval
  required int32 resign = 1 [(xml).path="Resign", (xml).type=duration];
  // how old a signature may become before it needs to be re-signed
  required int32 refresh = 2 [(xml).path="Refresh", (xml).type=duration];
  // signature validity period
  required int32 valdefault = 3 [(xml).path="Validity/Default", (xml).type=duration];
  // nsec(3) validity period
  required int32 valdenial = 4 [(xml).path="Validity/Denial", (xml).type=duration];
  // jitter to use in signature inception and expiration times
  required int32 jitter = 5 [(xml).path="Jitter", (xml).type=duration];
  // offset applied to the signature inception time (direction of the
  // offset is not encoded here; consult the signer).
  required int32 inceptionOffset = 6 [(xml).path="InceptionOffset", (xml).type=duration];
}

// Denial of existence configuration.
//
// NOTE that denial contains either nsec or nsec3 not both. Both fields are
// `optional`, so the schema itself does not enforce the exclusion; code
// that reads this message must check that exactly one of them is set.
message Denial {
  // nsec version 0
  optional NSEC nsec = 1 [(xml).path="NSEC"];
  // nsec version 3
  optional NSEC3 nsec3 = 2 [(xml).path="NSEC3"];
}

// NSEC has no tunable parameters; presence of this message selects NSEC.
message NSEC {
}

// NSEC3 hashing parameters.
message NSEC3 {
  // opt out flag for nsec3
  optional bool optout = 1 [(xml).path="OptOut"];
  // nsec3 algorithm [0..255]
  required int32 algorithm = 2 [(xml).path="Hash/Algorithm"];
  // nsec3 iterations [1..65535]
  // NOTE(review): every additional iteration adds hashing work for both the
  // signer and every validating resolver; RFC 9276 recommends an iteration
  // count of 0. The range above is inherited from signconf.rnc, not a
  // recommendation — confirm what value the enforcer actually emits.
  required int32 iterations = 3 [(xml).path="Hash/Iterations"];
  // nsec3 salt generated by the enforcer e.g. 0438eb9a93a6d6c5
  // Expected to be a hex string; the schema does not validate that, so the
  // consumer must reject non-hex or oversized salts.
  required string salt = 4 [(xml).path="Hash/Salt"];
}

// The set of keys for a zone.
message Keys {
  // TTL (duration) for the keys in this set — presumably the DNSKEY RRset
  // TTL; confirm against the signer.
  required int32 ttl = 1 [(xml).path="TTL", (xml).type=duration];
  // 1 or more keys
  repeated Key keys = 2 [(xml).path="Key"];
}

// One signing key and its role flags.
message Key {
  // DNSKEY flags [0..65535]
  required uint32 flags = 1 [(xml).path="Flags"];
  // DNSKEY algorithm [0..255]
  required uint32 algorithm = 2 [(xml).path="Algorithm"];
  // The key locator is matched against the PKCS#11 CKA_ID and
  // is specified as a string of hex characters.
  // xsd:hexBinary e.g. bea77e4fb7d276c8fc885443ce2830aa
  // The schema does not validate the hex encoding; the consumer should
  // check it before passing the value to the PKCS#11 layer.
  required string locator = 3 [(xml).path="Locator"];
  // sign all the DNSKEY RRsets with this key ?
  optional bool ksk = 4 [(xml).path="KSK"];
  // sign all non-DNSKEY RRsets with this key ?
  optional bool zsk = 5 [(xml).path="ZSK"];
  // include this key in the zonefile ?
  optional bool publish = 6 [(xml).path="Publish"];
  // deactivate this key (i.e. do not recycle any signatures)
  optional bool deactivate = 7 [(xml).path="Deactivate"];
}

// How the SOA serial of the signed zone is derived.
//
// There is no zero value; under proto2 the first listed value (`counter`)
// is the default when the field is unset.
enum serial {
  // use an increasing counter (but use the serial from the unsigned zone if possible)
  counter = 1;
  // use increasing counter in YYYYMMDDxx format (xx is incremented within each day)
  datecounter = 2;
  // the serial number is set to the "Unix time" (seconds since 00:00 on
  // 1 January 1970 (UTC)) at which the signer is run.
  unixtime = 3;
  // keep the serial from the unsigned zone (do not resign unless it has been incremented)
  keep = 4;
}