The ZoneFileServerSide signer has the fully qualified class name: org.signserver.module.dnssec.signer.ZoneFileServerSideSigner

Overview

The ZoneFileServerSide signer can be used to sign Domain Name System (DNS) zone files using DNS Security Extensions (DNSSEC). DNSSEC adds a layer of trust on top of DNS by providing authentication of zone data.

The input should be an unsigned zone file in text format together with a request parameter specifying the key sequence number to use. The output is the zone file with signatures, keys and NSEC3 records added, signed by the Zone Signing Key (ZSK) with the specified sequence number, and with the public key of the ZSK with the next sequence number also included (pre-publishing). The Key Signing Keys (KSK) to use are specified in the worker configuration. During KSK rollover, two keys can be specified (double signing).

Available Properties

Property | Description | Required
ZSK_KEY_ALIAS_PREFIX | Key alias prefix to use for zone signing. The key used will be the prefix with the key sequence number appended. Required. Example: "example.com_Z_". | Yes
ACTIVE_KSKS | Active key signing keys to use. Must specify exactly 1 or 2 key aliases, comma-separated. Required. Example: "example.com_K_1,example.com_K_2". | Yes
ZONE_NAME | The name of the top-level zone in the zone file. Required. Example: "example.com.". | Yes
PUBLISH_PREVIOUS_ZSK | Whether the previous ZSK (if there is one) should be kept published. Optional. Example: "false". Default: "true". | No
NSEC3_SALT | Fixed, hex-encoded salt (64-bit value) to use instead of a random salt, for testing/troubleshooting purposes. Optional. Example: "6dcd4ce23d88e2ee". | No
DISABLEKEYUSAGECOUNTER | Disables the key usage counter. The key usage counter is not supported by this signer, so if this property is set, only the value "true" is accepted. | No
SIGNATUREALGORITHM | Signature algorithm to use for all signatures. Default: "SHA256withRSA". Currently, only "SHA1withRSA", "SHA256withRSA" and "SHA512withRSA" are supported. All signature algorithms map to DNSSEC algorithms using NSEC3. | No
CHECK_ACTIVE_KSKS | True if the keys configured in ACTIVE_KSKS should be checked for existence. Setting CHECK_ACTIVE_KSKS to "false" can improve performance in some environments when listing zone file signers in AdminWeb and when calling the health check. Default: "true". | No

Request Parameters

Property | Description
ZSK_SEQUENCE_NUMBER | Sequence number to append after the key alias prefix. Example: "1".
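As an added example (not SignServer's own code), the following Python models the key-selection rules described in the two tables above: which ZSK and KSK aliases must exist in the crypto token for a given ZSK_SEQUENCE_NUMBER, and which property values the documentation rules out. It assumes positive integer sequence numbers and that the "previous ZSK" is the alias with sequence number minus one; neither detail is stated on the page.

```python
"""Model of the key-selection rules documented for ZoneFileServerSideSigner.

Added example, not SignServer's own code: given the worker properties and a
request's ZSK_SEQUENCE_NUMBER, it lists the key aliases the crypto token must
hold and rejects property values the documentation rules out.
"""
import re

SUPPORTED_ALGORITHMS = {"SHA1withRSA", "SHA256withRSA", "SHA512withRSA"}


def validate_properties(props):
    """Return the KSK alias list, or raise ValueError on a documented violation."""
    for name in ("ZSK_KEY_ALIAS_PREFIX", "ACTIVE_KSKS", "ZONE_NAME"):
        if not props.get(name):
            raise ValueError(f"{name} is required")
    ksks = [k.strip() for k in props["ACTIVE_KSKS"].split(",") if k.strip()]
    if len(ksks) not in (1, 2):          # one KSK, or two during KSK rollover
        raise ValueError("ACTIVE_KSKS must list exactly 1 or 2 key aliases")
    algorithm = props.get("SIGNATUREALGORITHM", "SHA256withRSA")
    if algorithm not in SUPPORTED_ALGORITHMS:
        raise ValueError(f"unsupported SIGNATUREALGORITHM: {algorithm}")
    salt = props.get("NSEC3_SALT")       # 64-bit value => exactly 16 hex digits
    if salt is not None and not re.fullmatch(r"[0-9a-fA-F]{16}", salt):
        raise ValueError("NSEC3_SALT must be a 64-bit value as 16 hex digits")
    if props.get("DISABLEKEYUSAGECOUNTER", "true").lower() != "true":
        raise ValueError("DISABLEKEYUSAGECOUNTER only accepts 'true'")
    return ksks


def plan_keys(props, zsk_sequence_number):
    """Return the signing ZSK, every ZSK that ends up published, and the KSKs.

    Assumption (not stated on the page): sequence numbers are positive
    integers and the 'previous ZSK' is sequence number - 1 when that is >= 1.
    """
    ksks = validate_properties(props)
    prefix = props["ZSK_KEY_ALIAS_PREFIX"]
    n = int(zsk_sequence_number)
    if n < 1:
        raise ValueError("ZSK_SEQUENCE_NUMBER must be a positive integer")
    published = []
    if n > 1 and props.get("PUBLISH_PREVIOUS_ZSK", "true").lower() != "false":
        published.append(f"{prefix}{n - 1}")  # previous ZSK kept during rollover
    published.append(f"{prefix}{n}")          # ZSK that signs this zone
    published.append(f"{prefix}{n + 1}")      # next ZSK, pre-published only
    return {"signing_zsk": f"{prefix}{n}", "published_zsks": published, "ksks": ksks}
```

Running the plan before submitting a request shows which aliases must already be generated in the worker's crypto token, which is the usual cause of a failed signing request during a ZSK rollover.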