ZoneHashSigner
The ZoneHashSigner signer has the fully qualified class name: org.signserver.module.dnssec.signer.ZoneHashSigner
Overview
The ZoneHashSigner signs DNS zone files, supplied in a zip file, using DNS Security Extensions (DNSSEC). It is used together with the SignClient in client-side hashing and construction mode: the client computes the hashes to be signed and constructs the signed zone, while the signer only produces the signatures over those hashes.
For information on invoking the SignClient, see DNSSEC Signing in Client-Side Hashing.
The signer is designed around a two-stage request-response protocol, see Protocol.
Available Properties
Property | Description |
---|---|
ZSK_KEY_ALIAS_PREFIX | Key alias prefix to use for zone signing. The key used will be based on the prefix with the key sequence number appended. Required. Example: "example.com_Z_". |
ACTIVE_KSKS | Active key signing keys to use. Must specify exactly 1 or 2 key aliases, comma-separated. Required. Example: "example.com_K_1,example.com_K_2". |
ZONE_NAME | The name of the top-level zone in the zone file. Required. Example: "example.com.". |
PUBLISH_PREVIOUS_ZSK | Whether the previous ZSK (if there is one) should be kept published in the DNSKEY RRset alongside the current one. Optional. Example: "false". Default: "true". |
NSEC3_SALT | Fixed, hex-encoded 64-bit (8-byte) NSEC3 salt to use instead of a randomly generated salt. Intended for testing and troubleshooting only; production configurations should leave this unset so that a random salt is used. Optional. Example: "6dcd4ce23d88e2ee". |
DISABLEKEYUSAGECOUNTER | Disables the key usage counter. The key usage counter is not supported by this signer, so if the property is set, the only accepted value is "true". |
SIGNATUREALGORITHM | Signature algorithm to use for all signatures. Default: "SHA256withRSA". Currently only "SHA256withRSA" is supported. The signature algorithm is mapped to the corresponding NSEC3-capable DNSSEC algorithm number (SHA256withRSA corresponds to DNSSEC algorithm 8, RSA/SHA-256); the signer itself applies the raw NONEwithRSA operation to the digests supplied by the client. |
CHECK_ACTIVE_KSKS | True if the keys configured in ACTIVE_KSKS should be checked for existence. Setting CHECK_ACTIVE_KSKS to "false" can improve performance in some environments when listing zone file signers in AdminWeb and when calling health check. Default: "true". |
Request Parameters
Parameter | Description |
---|---|
ZSK_SEQUENCE_NUMBER | Sequence number appended to ZSK_KEY_ALIAS_PREFIX to select the zone signing key. Required in both the pre-sign request and the sign request, and must be the same in both. Example: "1". |
SOA_TTL | TTL of the SOA (start of authority) record in seconds. Only used for, and required in, the pre-sign request. |
Protocol
Due to the way DNSSEC zone file signing works, this signer is designed around a two-stage request-response protocol.
In the first request (pre-sign request), the request body is empty (this tells the signer that the request is a pre-request). The request metadata parameters ZSK_SEQUENCE_NUMBER and SOA_TTL are included to indicate the zone signing key sequence number to use and the TTL (Time To Live) of the SOA (Start of Authority) record.
The signer sends back a pre-sign response with DNSKEY records, signature records for the DNSKEY records, and the NSEC3PARAM record. These are encoded in the response in the format of a Java properties file.
The client then constructs the sign request. Its metadata carries the same ZSK_SEQUENCE_NUMBER as the pre-sign request and the same RRSIG parameters (expire time, signing time, footprint and algorithm) received in the pre-sign response; its body maps each RRset identifier to the hash that should be signed. The hash is calculated over the RRSIG record data received in the pre-sign response together with the RRset, that is, over the DNSSEC signature input (RFC 4034, section 3.1.8.1). The server verifies that the received footprint (the key tag of the DNSKEY) is correct and matches the ZSK selected by ZSK_SEQUENCE_NUMBER, signs each hash, and responds with a sign response mapping the same IDs given in the sign request to the signature values. The response body is again formatted as a Java properties file. The receiving client (for example, the SignClient) constructs each RRSIG record and inserts the signature received from the server.
Pre-sign request
- Metadata
ZSK_SEQUENCE_NUMBER=1, SOA_TTL=86400
- Request body
<Empty>
Pre-sign response
- Response body
rr.dnskey.z1.expiretime=1577011258284
rr.dnskey.z1.signingtime=1574419258284
rr.dnskey.z1.footprint=11644
rr.dnskey.z1.algorithm=8
rr.dnskey.z0=...base64 of wire format for DNSKEY 256 (if one)...
rr.dnskey.z1=...base64 of wire format for DNSKEY 256...
rr.dnskey.z2=...base64 of wire format for DNSKEY 256 (if one)...
rr.dnskey.k1=...base64 of wire format for DNSKEY 257...
rr.dnskey.k2=...base64 of wire format for DNSKEY 257 (if one)...
rr.dnskey.sig.z1=...base64 of wire format for RRSIG with Z1 key...
rr.dnskey.sig.k1=...base64 of wire format for RRSIG with K1 key...
rr.dnskey.sig.k2=...base64 of wire format for RRSIG with K2 key (if one)...
rr.nsec3param=...base64 of wire format for NSEC3PARAM...
rr.nsec3param.sig=...base64 of wire format for RRSIG of NSEC3PARAM...
Sign request
- Metadata
ZSK_SEQUENCE_NUMBER=1, rr.dnskey.z1.expiretime=1577011258284, rr.dnskey.z1.signingtime=1574419258284, rr.dnskey.z1.footprint=11644, rr.dnskey.z1.algorithm=8
- Request body
hash.1=...base64 of hash or signature input...
hash.2=...
hash.N=...
Sign response
- Response body
sig.1=...base64 of signature of hash.1...
sig.2=...
sig.N=...