The ZoneZipFileServerSideSigner signer has the fully qualified class name: org.signserver.module.dnssec.signer.ZoneZipFileServerSideSigner

Overview

The ZoneZipFileServerSideSigner signer can be used to sign a Domain Name System (DNS) zone file contained in a zip file, using DNS Security Extensions (DNSSEC).

The ZoneZipFileServerSideSigner is similar to the ZoneFileServerSideSigner with the difference that this signer uses the input of a zip file containing an unsigned zone file and a previously signed zone file. Depending on the request metadata property FORCE_RESIGN, signatures present in previously signed zone files are reused if they are valid, and only new records are signed. 

Available Properties

Property

Description

ZSK_KEY_ALIAS_PREFIX

Key alias prefix to use for zone signing. The key used will be based on the prefix with the key sequence number appended. Required. Example: "example.com_Z_".

ACTIVE_KSKS

Active key signing keys to use. Must specify exactly 1 or 2 key aliases, comma-separated. Required. Example: "example.com_K_1,example.com_K_2".

ZONE_NAME

The name of the top-level zone in the zone file. Required. Example: "example.com.".

PUBLISH_PREVIOUS_ZSK

If the previous ZSK (if one) should be kept published. Optional. Example: "false". Default: "true".

NSEC3_SALT

Fixed, hex-encoded salt (64-bit value) to use instead of a random salt for testing/troubleshooting purposes. Optional. Example: "6dcd4ce23d88e2ee".

DISABLEKEYUSAGECOUNTER

Disables the key usage counter. As the key usage counter is not supported by this signer, if set, only the value "true" is supported.

SIGNATUREALGORITHM

Signature algorithm to use for all signatures. Default: "SHA256withRSA". Currently, only "SHA1withRSA", "SHA256withRSA" and "SHA512withRSA are supported. All signature algorithms map to DNSSEC algorithms using NSEC3.

Request Parameters

Property

Description

ZSK_SEQUENCE_NUMBER

Sequence number to append after key alias prefix. Example: "1".

FORCE_RESIGN

Specifies whether to resign previously signed records even if their signatures are valid and present in the signed zone file. Default: "FALSE".