
ZoneFileServerSideSigner

The ZoneFileServerSide signer has the fully qualified class name: org.signserver.module.dnssec.signer.ZoneFileServerSideSigner

Overview

The ZoneFileServerSide signer can be used to sign Domain Name System (DNS) zone files using DNS Security Extensions (DNSSEC). DNSSEC adds a layer of trust on top of DNS by providing authentication of the zone data.

The input is an unsigned zone file in text format together with a request parameter giving the key sequence number to use. The output is the zone file with signatures, keys, and NSEC3 records added, signed by the Zone Signing Key (ZSK) with the specified sequence number, and with the public key of the ZSK with the next sequence number also published (pre-publishing). The Key Signing Keys (KSK) to use are specified in the worker configuration. During a KSK rollover, two keys can be specified (double signing).

Available Properties

| Required Property | Default | Description |
| --- | --- | --- |
| ACTIVE_KSKS | None | Specifies the active key signing keys to use. Must specify exactly 1 or 2 key aliases, comma-separated. Example: example.com_K_1,example.com_K_2 |
| ZONE_NAME | None | Specifies the name of the top-level zone in the zone file. Example: example.com |
| ZSK_KEY_ALIAS_PREFIX | None | Specifies the key alias prefix to use for zone signing. The key used is the prefix with the key sequence number appended. Example: example.com_Z_ |

| Property | Default | Description |
| --- | --- | --- |
| CHECK_ACTIVE_KSKS | True | True if the keys configured in ACTIVE_KSKS should be checked for existence. Setting CHECK_ACTIVE_KSKS to false can improve performance in some environments when listing zone file signers in AdminWeb and when calling the health check. |
| DISABLEKEYUSAGECOUNTER | True | Disables the key usage counter. The key usage counter is not supported by this signer, so if the property is set, only the value true is accepted. |
| NSEC3_SALT | | (Optional) Specifies a fixed, HEX-encoded salt (64-bit value) to use instead of a random salt, for testing/troubleshooting purposes. Example: 6dcd4ce23d88e2ee |
| PUBLISH_PREVIOUS_ZSK | True | (Optional) Specifies whether the previous ZSK (if there is one) should be kept published. |
| SIGNATUREALGORITHM | SHA256withRSA | Specifies the signature algorithm to use for all signatures. Only SHA1withRSA, SHA256withRSA, and SHA512withRSA are supported. All signature algorithms map to DNSSEC algorithms that use NSEC3. |

Request Parameters

| Property | Description |
| --- | --- |
| ZSK_SEQUENCE_NUMBER | Specifies the sequence number to append to the key alias prefix (ZSK_KEY_ALIAS_PREFIX) to select the ZSK. Example: 1 |
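As an added example (not SignServer's own code), the following Python helper checks a worker configuration against the property rules documented above and works out which ZSK aliases a request with a given ZSK_SEQUENCE_NUMBER involves. The dictionary keys are the property names from the tables; the sample configuration and the assumption that sequence numbers start at 1 are constructed here, not taken from the page.

```python
import re

# Rules taken from the ZoneFileServerSideSigner property tables above.
REQUIRED = ("ACTIVE_KSKS", "ZONE_NAME", "ZSK_KEY_ALIAS_PREFIX")
SUPPORTED_SIGALGS = ("SHA1withRSA", "SHA256withRSA", "SHA512withRSA")
DEFAULT_SIGALG = "SHA256withRSA"

# Constructed sample worker configuration; values follow the page's examples.
SAMPLE_CONFIG = {
    "ACTIVE_KSKS": "example.com_K_1,example.com_K_2",  # two KSKs: double signing
    "ZONE_NAME": "example.com",
    "ZSK_KEY_ALIAS_PREFIX": "example.com_Z_",
    "NSEC3_SALT": "6dcd4ce23d88e2ee",  # fixed salt: testing/troubleshooting only
}

def _is_true(cfg, key, default="true"):
    return cfg.get(key, default).strip().lower() == "true"

def validate_worker_config(cfg):
    """Return a list of problems; an empty list means the config follows the documented rules."""
    problems = [f"{k} is required" for k in REQUIRED if not cfg.get(k)]
    ksks = [a.strip() for a in cfg.get("ACTIVE_KSKS", "").split(",") if a.strip()]
    if cfg.get("ACTIVE_KSKS") and len(ksks) not in (1, 2):
        problems.append("ACTIVE_KSKS must list exactly 1 or 2 comma-separated key aliases")
    salt = cfg.get("NSEC3_SALT")
    if salt is not None and not re.fullmatch(r"[0-9a-fA-F]{16}", salt):
        problems.append("NSEC3_SALT must be a HEX-encoded 64-bit value (16 hex digits)")
    if cfg.get("SIGNATUREALGORITHM", DEFAULT_SIGALG) not in SUPPORTED_SIGALGS:
        problems.append("SIGNATUREALGORITHM must be one of " + ", ".join(SUPPORTED_SIGALGS))
    if not _is_true(cfg, "DISABLEKEYUSAGECOUNTER"):
        problems.append("DISABLEKEYUSAGECOUNTER: key usage counter is unsupported, only true is allowed")
    return problems

def zsk_aliases_for_request(cfg, zsk_sequence_number):
    """ZSK aliases involved in a request: the signing key, the pre-published next key,
    and the previous key when PUBLISH_PREVIOUS_ZSK keeps it (assumes numbering starts at 1)."""
    prefix = cfg["ZSK_KEY_ALIAS_PREFIX"]
    n = int(zsk_sequence_number)
    has_previous = _is_true(cfg, "PUBLISH_PREVIOUS_ZSK") and n > 1
    return {
        "signing": f"{prefix}{n}",
        "prepublished": f"{prefix}{n + 1}",
        "previous": f"{prefix}{n - 1}" if has_previous else None,
    }

if __name__ == "__main__":
    print("config problems:", validate_worker_config(SAMPLE_CONFIG) or "none")
    print("keys for ZSK_SEQUENCE_NUMBER=2:", zsk_aliases_for_request(SAMPLE_CONFIG, "2"))
```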
