
ZoneFileServerSideSigner

The ZoneFileServerSide signer has the fully qualified class name: org.signserver.module.dnssec.signer.ZoneFileServerSideSigner

Overview

The ZoneFileServerSide signer can be used to sign Domain Name System (DNS) zone files using DNS Security Extensions (DNSSEC). DNSSEC adds a layer of trust on top of DNS by providing authentication.

The input should be an unsigned zone file in text format and a parameter specifying the key sequence number to use. The output is the zone file with the signatures, keys, and NSEC3 records added, signed by the Zone Signing Key (ZSK) with the specified sequence number and including the public key of the ZSK with the next sequence number (pre-publishing). The Key Signing Keys (KSK) to use are specified in the worker configuration. During KSK rollover, two keys can be specified (double signing).

Available Properties

| Property | Description | Required |
|---|---|---|
| ZSK_KEY_ALIAS_PREFIX | Key alias prefix to use for zone signing. The key used will be based on the prefix with the key sequence number appended. Required. Example: "example.com_Z_". | Yes |
| ACTIVE_KSKS | Active key signing keys to use. Must specify exactly 1 or 2 key aliases, comma-separated. Required. Example: "example.com_K_1,example.com_K_2". | Yes |
| ZONE_NAME | The name of the top-level zone in the zone file. Required. Example: "example.com.". | Yes |
| PUBLISH_PREVIOUS_ZSK | Whether the previous ZSK (if there is one) should be kept published. Optional. Example: "false". Default: "true". | |
| NSEC3_SALT | Fixed, HEX-encoded salt (64-bit value) to use instead of a random salt for testing/troubleshooting purposes. Optional. Example: "6dcd4ce23d88e2ee". | |
| DISABLEKEYUSAGECOUNTER | Disables the key usage counter. As the key usage counter is not supported by this signer, if set, only the value "true" is supported. | |
| SIGNATUREALGORITHM | Signature algorithm to use for all signatures. Default: "SHA256withRSA". Currently, only "SHA1withRSA", "SHA256withRSA" and "SHA512withRSA" are supported. All signature algorithms map to DNSSEC algorithms using NSEC3. | |
| CHECK_ACTIVE_KSKS | True if the keys configured in ACTIVE_KSKS should be checked for existence. Setting CHECK_ACTIVE_KSKS to "false" can improve performance in some environments when listing zone file signers in AdminWeb and when calling health check. Default: "true". | |


Request Parameters

| Property | Description |
|---|---|
| ZSK_SEQUENCE_NUMBER | Sequence number to append after key alias prefix. Example: "1". |
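
The constraints in the two tables above can be checked before a worker configuration is deployed. The following is an added example, not part of SignServer or its documentation: `lint_worker` and `zsk_aliases` are hypothetical helper names, the sample values are constructed from the examples in the tables, and the rule that a previous ZSK exists only for sequence numbers above 1 is an assumption.

```python
import re

ALLOWED_SIGALGS = {"SHA1withRSA", "SHA256withRSA", "SHA512withRSA"}
REQUIRED = ("ZSK_KEY_ALIAS_PREFIX", "ACTIVE_KSKS", "ZONE_NAME")

def lint_worker(props):
    """Check worker properties against the documented rules; return (errors, warnings)."""
    errors, warnings = [], []
    for name in REQUIRED:
        if not props.get(name, "").strip():
            errors.append(f"{name} is required")
    ksks = [a.strip() for a in props.get("ACTIVE_KSKS", "").split(",") if a.strip()]
    if "ACTIVE_KSKS" in props and len(ksks) not in (1, 2):
        errors.append("ACTIVE_KSKS must list exactly 1 or 2 key aliases")
    elif len(ksks) == 2:
        warnings.append("two active KSKs (double signing): expected only during KSK rollover")
    alg = props.get("SIGNATUREALGORITHM", "SHA256withRSA")  # documented default
    if alg not in ALLOWED_SIGALGS:
        errors.append(f"unsupported SIGNATUREALGORITHM {alg!r}")
    elif alg == "SHA1withRSA":
        warnings.append("SHA1withRSA: SHA-1 based DNSSEC signing is not recommended (RFC 8624)")
    salt = props.get("NSEC3_SALT")
    if salt is not None:
        if not re.fullmatch(r"[0-9a-fA-F]{16}", salt):
            errors.append("NSEC3_SALT must be 16 hex digits (64-bit value)")
        warnings.append("fixed NSEC3_SALT is meant for testing/troubleshooting only")
    # Strict comparison: the documentation names "true" as the only supported value.
    if props.get("DISABLEKEYUSAGECOUNTER", "true") != "true":
        errors.append('DISABLEKEYUSAGECOUNTER only supports "true"')
    return errors, warnings

def zsk_aliases(props, seq):
    """Key aliases that must exist for a request with ZSK_SEQUENCE_NUMBER=seq."""
    prefix = props["ZSK_KEY_ALIAS_PREFIX"]
    roles = {"signing": f"{prefix}{seq}", "pre-published": f"{prefix}{seq + 1}"}
    # Assumption: numbering starts at 1, so a previous ZSK exists only for seq > 1.
    if props.get("PUBLISH_PREVIOUS_ZSK", "true").lower() == "true" and seq > 1:
        roles["previous"] = f"{prefix}{seq - 1}"
    return roles

SAMPLE = {  # constructed from the example values in the tables above
    "ZSK_KEY_ALIAS_PREFIX": "example.com_Z_",
    "ACTIVE_KSKS": "example.com_K_1,example.com_K_2",
    "ZONE_NAME": "example.com.",
    "NSEC3_SALT": "6dcd4ce23d88e2ee",
}

if __name__ == "__main__":
    print(lint_worker(SAMPLE))
    print(zsk_aliases(SAMPLE, 2))
```

Comparing the aliases returned by `zsk_aliases` with the keys actually present in the crypto token before each signing request catches a missing pre-published ZSK early.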