ZoneFileServerSideSigner
The ZoneFileServerSide signer has the fully qualified class name: org.signserver.module.dnssec.signer.ZoneFileServerSideSigner
Overview
The ZoneFileServerSide signer signs Domain Name System (DNS) zone files using the DNS Security Extensions (DNSSEC). DNSSEC adds a layer of trust on top of DNS by letting resolvers verify the origin and integrity of the records they receive through signatures; it does not encrypt DNS traffic.
The input is an unsigned zone file in text format together with a request parameter giving the key sequence number to use. The output is the same zone file with the signatures, keys, and NSEC3 records added: the zone's record sets are signed by the Zone Signing Key (ZSK) whose alias is ZSK_KEY_ALIAS_PREFIX followed by the given sequence number, and the public key of the ZSK with the next sequence number is published alongside it (pre-publishing), so that a later ZSK rollover only requires sending the next request with the incremented sequence number. The Key Signing Keys (KSKs), which sign the DNSKEY record set, are specified in the worker configuration. During a KSK rollover, two KSKs can be specified so that both sign (double signing).
Available Properties
Property | Description | Required |
---|---|---|
ZSK_KEY_ALIAS_PREFIX | Key alias prefix for the zone signing keys. The alias actually used is the prefix with the request's ZSK_SEQUENCE_NUMBER appended: with the prefix "example.com_Z_" and sequence number 1, the key "example.com_Z_1" signs the zone and the public key of "example.com_Z_2" is pre-published. Example: "example.com_Z_". | Yes |
ACTIVE_KSKS | Comma-separated aliases of the active key signing keys. Exactly 1 or 2 aliases must be given; 2 are used during a KSK rollover, when both keys sign the DNSKEY record set (double signing). Example: "example.com_K_1,example.com_K_2". | Yes |
ZONE_NAME | The name of the top-level zone in the zone file. Example: "example.com.". | Yes |
PUBLISH_PREVIOUS_ZSK | Whether the previous ZSK (if there is one) is kept published in the signed zone, so that signatures made with it and still held in resolver caches remain verifiable. Example: "false". Default: "true". | No |
NSEC3_SALT | Fixed, hex-encoded 64-bit salt (16 hex digits) to use instead of a randomly generated salt. Intended for testing and troubleshooting only, where reproducible NSEC3 hashes are needed; leave it unset in production so that a random salt is used. Example: "6dcd4ce23d88e2ee". | No |
DISABLEKEYUSAGECOUNTER | Disables the key usage counter. This signer does not support the key usage counter, so if the property is set at all, the only accepted value is "true". | No |
SIGNATUREALGORITHM | Signature algorithm used for all signatures. Currently only "SHA1withRSA", "SHA256withRSA" and "SHA512withRSA" are supported; each maps to the corresponding NSEC3-capable DNSSEC algorithm. Prefer "SHA256withRSA" or "SHA512withRSA"; "SHA1withRSA" is not recommended for signing new zones and is kept for compatibility with old validators. Default: "SHA256withRSA". | No |
CHECK_ACTIVE_KSKS | Whether the keys listed in ACTIVE_KSKS are checked for existence. Setting this to "false" can improve performance in some environments when listing zone file signers in AdminWeb and when running the health check, at the cost of a missing or misnamed KSK not being reported until a signing request fails. Default: "true". | No |
Request Parameters
Property | Description |
---|---|
ZSK_SEQUENCE_NUMBER | Sequence number appended to ZSK_KEY_ALIAS_PREFIX to select the ZSK that signs this zone file. The key with the next sequence number is also needed, since its public key is pre-published in the output. Example: "1". |
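The key selection described in the overview and the constraints listed in the two tables above, modelled in Python as an added example. This is not SignServer code and it signs nothing; it only checks a worker configuration the way the property table says the signer will and works out which key aliases a request with a given ZSK_SEQUENCE_NUMBER would use, which is useful for previewing a rollover plan before zone files are sent. Assumptions not stated on the page: sequence numbers are positive integers starting at 1, "the previous ZSK" is the alias with the next lower sequence number, and the three Java algorithm names correspond to IANA DNSSEC algorithm numbers 7, 8 and 10 (the NSEC3-capable RSA algorithms). The EXAMPLE_CONFIG values are constructed from the examples in the property table.

```python
"""Model of the ZoneFileServerSideSigner's documented key selection.

Added example, not SignServer code: validates a worker configuration against
the property table and derives the key aliases one request would touch.
No signing is performed.
"""
import re
from dataclasses import dataclass

SUPPORTED_SIGNATURE_ALGORITHMS = ("SHA1withRSA", "SHA256withRSA", "SHA512withRSA")

# IANA DNSSEC algorithm numbers of the NSEC3-capable algorithms these Java
# names correspond to: 7 = RSASHA1-NSEC3-SHA1, 8 = RSASHA256, 10 = RSASHA512.
# (Assumed mapping; the page only says the algorithms are NSEC3-capable.)
DNSSEC_ALGORITHM_NUMBER = {"SHA1withRSA": 7, "SHA256withRSA": 8, "SHA512withRSA": 10}

DEFAULTS = {
    "SIGNATUREALGORITHM": "SHA256withRSA",
    "PUBLISH_PREVIOUS_ZSK": "true",
    "CHECK_ACTIVE_KSKS": "true",
}


@dataclass(frozen=True)
class KeyPlan:
    """Key aliases one signing request would use."""
    signing_zsk: str        # ZSK that signs the zone's record sets
    published_zsks: tuple   # ZSK public keys present in the DNSKEY record set
    active_ksks: tuple      # KSKs signing the DNSKEY set (2 while double signing)
    dnssec_algorithm: int   # IANA algorithm number of SIGNATUREALGORITHM


def _as_bool(value: str, name: str) -> bool:
    if value.lower() == "true":
        return True
    if value.lower() == "false":
        return False
    raise ValueError(f"{name} must be 'true' or 'false', got {value!r}")


def validate_worker_config(cfg: dict) -> dict:
    """Return a normalised copy of cfg, raising ValueError on anything the
    property table rules out. Defaults are filled in for optional properties."""
    cfg = {**DEFAULTS, **cfg}
    for key in ("ZSK_KEY_ALIAS_PREFIX", "ACTIVE_KSKS", "ZONE_NAME"):
        if not cfg.get(key):
            raise ValueError(f"{key} is required")
    ksks = tuple(a.strip() for a in cfg["ACTIVE_KSKS"].split(",") if a.strip())
    if len(ksks) not in (1, 2):
        raise ValueError("ACTIVE_KSKS must name exactly 1 or 2 key aliases")
    cfg["ACTIVE_KSKS"] = ksks
    if cfg["SIGNATUREALGORITHM"] not in SUPPORTED_SIGNATURE_ALGORITHMS:
        raise ValueError(f"unsupported SIGNATUREALGORITHM {cfg['SIGNATUREALGORITHM']!r}")
    salt = cfg.get("NSEC3_SALT")
    if salt is not None and not re.fullmatch(r"[0-9a-fA-F]{16}", salt):
        raise ValueError("NSEC3_SALT must be a 64-bit value given as 16 hex digits")
    if "DISABLEKEYUSAGECOUNTER" in cfg and cfg["DISABLEKEYUSAGECOUNTER"].lower() != "true":
        raise ValueError("DISABLEKEYUSAGECOUNTER only accepts 'true' for this signer")
    cfg["PUBLISH_PREVIOUS_ZSK"] = _as_bool(cfg["PUBLISH_PREVIOUS_ZSK"], "PUBLISH_PREVIOUS_ZSK")
    cfg["CHECK_ACTIVE_KSKS"] = _as_bool(cfg["CHECK_ACTIVE_KSKS"], "CHECK_ACTIVE_KSKS")
    return cfg


def plan_keys(cfg: dict, zsk_sequence_number: str) -> KeyPlan:
    """Keys used for one request carrying ZSK_SEQUENCE_NUMBER.

    Assumed (not stated on the page): sequence numbers are positive integers
    and "the previous ZSK" is the alias with the number just below.
    """
    cfg = validate_worker_config(cfg)
    n = int(zsk_sequence_number)
    if n < 1:
        raise ValueError("ZSK_SEQUENCE_NUMBER must be a positive integer")
    prefix = cfg["ZSK_KEY_ALIAS_PREFIX"]
    signing = f"{prefix}{n}"
    published = [signing, f"{prefix}{n + 1}"]       # current key + pre-published next key
    if cfg["PUBLISH_PREVIOUS_ZSK"] and n > 1:
        published.insert(0, f"{prefix}{n - 1}")     # keep the retiring key visible
    return KeyPlan(signing, tuple(published), cfg["ACTIVE_KSKS"],
                   DNSSEC_ALGORITHM_NUMBER[cfg["SIGNATUREALGORITHM"]])


def rollover_schedule(cfg: dict, first: int, last: int) -> list:
    """KeyPlan for every sequence number from first to last inclusive: the
    requests that walk the zone through successive ZSK rollovers."""
    return [plan_keys(cfg, str(n)) for n in range(first, last + 1)]


# Constructed worker configuration using the examples from the property table.
EXAMPLE_CONFIG = {
    "ZSK_KEY_ALIAS_PREFIX": "example.com_Z_",
    "ACTIVE_KSKS": "example.com_K_1,example.com_K_2",  # KSK rollover in progress
    "ZONE_NAME": "example.com.",
}

if __name__ == "__main__":
    for plan in rollover_schedule(EXAMPLE_CONFIG, 1, 3):
        print(f"signs with {plan.signing_zsk}; published ZSKs {plan.published_zsks}; "
              f"KSKs {plan.active_ksks}; DNSSEC algorithm {plan.dnssec_algorithm}")
```

Running the schedule for sequence numbers 1 to 3 shows each ZSK appearing one step before it signs and (with PUBLISH_PREVIOUS_ZSK at its default) one step after, which is the pre-publish rollover the overview describes; setting PUBLISH_PREVIOUS_ZSK to "false" drops the trailing step and is only safe once every signature made with the old key has expired from caches.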