ZoneZipFileServerSideSigner
The ZoneZipFileServerSideSigner signer has the fully qualified class name: org.signserver.module.dnssec.signer.ZoneZipFileServerSideSigner
Overview
The ZoneZipFileServerSideSigner signer can be used to sign a Domain Name System (DNS) zone file contained in a zip file, using DNS Security Extensions (DNSSEC).
The ZoneZipFileServerSideSigner is similar to the ZoneFileServerSideSigner, except that its input is a zip file containing an unsigned zone file and a previously signed zone file. Depending on the request metadata property FORCE_RESIGN, signatures present in previously signed zone files are reused if they are valid, and only new records are signed.
Available Properties
| Property | Description |
|---|---|
| ZSK_KEY_ALIAS_PREFIX | Key alias prefix to use for zone signing. The key used will be based on the prefix with the key sequence number appended. Required. Example: "example.com_Z_". |
| ACTIVE_KSKS | Active key signing keys to use. Must specify exactly 1 or 2 key aliases, comma-separated. Required. Example: "example.com_K_1,example.com_K_2". |
| ZONE_NAME | The name of the top-level zone in the zone file. Required. Example: "example.com.". |
| PUBLISH_PREVIOUS_ZSK | Whether the previous ZSK (if any) should be kept published. Optional. Example: "false". Default: "true". |
| NSEC3_SALT | Fixed, hex-encoded salt (64-bit value) to use instead of a random salt for testing/troubleshooting purposes. Optional. Example: "6dcd4ce23d88e2ee". |
| DISABLEKEYUSAGECOUNTER | Disables the key usage counter. The key usage counter is not supported by this signer, so if this property is set, only the value "true" is supported. |
| SIGNATUREALGORITHM | Signature algorithm to use for all signatures. Default: "SHA256withRSA". Currently, only "SHA1withRSA", "SHA256withRSA" and "SHA512withRSA" are supported. All signature algorithms map to DNSSEC algorithms using NSEC3. |
Request Parameters
| Property | Description |
|---|---|
| ZSK_SEQUENCE_NUMBER | Sequence number to append after key alias prefix. Example: "1". |
| FORCE_RESIGN | Specifies whether to re-sign previously signed records even if their signatures are valid and present in the signed zone file. Default: "FALSE". |