ZoneZipFileServerSideSigner

The ZoneZipFileServerSideSigner signer has the fully qualified class name: org.signserver.module.dnssec.signer.ZoneZipFileServerSideSigner

Overview

The ZoneZipFileServerSideSigner signer can be used to sign a Domain Name System (DNS) zone file contained in a zip file, using DNS Security Extensions (DNSSEC).

The ZoneZipFileServerSideSigner is similar to the ZoneFileServerSideSigner, with the difference that its input is a zip file containing both the unsigned zone file and the previously signed zone file. Unless the request metadata property FORCE_RESIGN is set to "TRUE", signatures present in the previously signed zone file are reused when they are still valid, and only records without a valid existing signature (new or changed records) are signed.
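The reuse decision described above, as an added example that is not SignServer's own code: given the unsigned zone, the previously signed zone, the current time and the key tag of the ZSK in use, it decides per RRset whether the old RRSIG can be kept or a fresh signature is needed, and FORCE_RESIGN overrides the decision. The simplified zone format (one record per line), the one-day refresh margin, the key tags and the sample records are assumptions made for the example; a real signer would additionally verify each reused RRSIG cryptographically before trusting it.

```python
"""Model of the signature-reuse logic of a zip-based zone signer (added example,
not SignServer's implementation).  Assumptions: minimal presentation-format zone
files, a fixed refresh margin, and placeholder (non-verified) RRSIG data."""
import datetime as dt
from collections import defaultdict

# Types the signer produces itself; they are never taken from the unsigned input.
GENERATED_TYPES = {"RRSIG", "DNSKEY", "NSEC", "NSEC3", "NSEC3PARAM"}


def _ts(s):
    """RRSIG inception/expiration in YYYYMMDDHHmmSS (UTC) to an aware datetime."""
    return dt.datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=dt.timezone.utc)


def parse_zone(text):
    """Parse a minimal zone file: one RR per line as 'owner TTL IN TYPE rdata...',
    ';' comments, no $ directives or multi-line records (assumption for the example).
    Returns ({(owner, type): frozenset(rdata)},
             {(owner, covered type): (key_tag, inception, expiration)})."""
    rrsets, rrsigs = defaultdict(set), {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        owner, _ttl, _cls, rtype, *rdata = line.split()
        if rtype == "RRSIG":
            # RRSIG rdata: covered alg labels origttl expiration inception keytag signer sig
            covered, _alg, _labels, _ottl, exp, inc, key_tag = rdata[:7]
            rrsigs[(owner, covered)] = (int(key_tag), _ts(inc), _ts(exp))
        else:
            rrsets[(owner, rtype)].add(" ".join(rdata))
    return {k: frozenset(v) for k, v in rrsets.items()}, rrsigs


def plan_signing(unsigned_text, signed_text, now, current_key_tag,
                 force_resign=False, refresh_margin=dt.timedelta(days=1)):
    """Return {(owner, type): 'reuse' | 'sign'} for every RRset in the unsigned zone."""
    new_sets, _ = parse_zone(unsigned_text)
    old_sets, old_sigs = parse_zone(signed_text)
    plan = {}
    for key, rdata in new_sets.items():
        if key[1] in GENERATED_TYPES:
            continue
        sig = old_sigs.get(key)
        if force_resign:
            plan[key] = "sign"                      # FORCE_RESIGN=TRUE: sign everything
        elif sig is None or old_sets.get(key) != rdata:
            plan[key] = "sign"                      # new or changed RRset
        elif sig[0] != current_key_tag:
            plan[key] = "sign"                      # made by a ZSK that is no longer in use
        elif not (sig[1] <= now < sig[2] - refresh_margin):
            plan[key] = "sign"                      # expired, not yet valid, or expiring soon
        else:
            plan[key] = "reuse"
    return plan


# Constructed sample input; the RRSIG signature fields are placeholders, not real signatures.
CURRENT_ZSK_KEY_TAG = 12345
NOW = dt.datetime(2024, 2, 15, tzinfo=dt.timezone.utc)

UNSIGNED_ZONE = """\
example.com.      3600 IN SOA ns1.example.com. hostmaster.example.com. 2024021501 7200 3600 1209600 3600
example.com.      3600 IN NS  ns1.example.com.
www.example.com.  3600 IN A   192.0.2.11   ; address changed since last signing
mail.example.com. 3600 IN A   192.0.2.25   ; unchanged, but the old RRSIG has expired
cdn.example.com.  3600 IN A   192.0.2.40   ; unchanged, but signed by a retired ZSK
ftp.example.com.  3600 IN A   192.0.2.30   ; new record
"""

PREVIOUSLY_SIGNED_ZONE = """\
example.com.      3600 IN SOA ns1.example.com. hostmaster.example.com. 2024020101 7200 3600 1209600 3600
example.com.      3600 IN RRSIG SOA 8 2 3600 20240301000000 20240201000000 12345 example.com. c2lnMQ==
example.com.      3600 IN NS  ns1.example.com.
example.com.      3600 IN RRSIG NS 8 2 3600 20240301000000 20240201000000 12345 example.com. c2lnMg==
example.com.      3600 IN DNSKEY 256 3 8 AwEAAexample
example.com.      0    IN NSEC3PARAM 1 0 10 6dcd4ce23d88e2ee
www.example.com.  3600 IN A   192.0.2.10
www.example.com.  3600 IN RRSIG A 8 3 3600 20240301000000 20240201000000 12345 example.com. c2lnMw==
mail.example.com. 3600 IN A   192.0.2.25
mail.example.com. 3600 IN RRSIG A 8 3 3600 20240210000000 20240111000000 12345 example.com. c2lnNA==
cdn.example.com.  3600 IN A   192.0.2.40
cdn.example.com.  3600 IN RRSIG A 8 3 3600 20240301000000 20240201000000 11111 example.com. c2lnNQ==
"""


def example_plan(force_resign=False):
    """Run the decision over the constructed sample zones."""
    return plan_signing(UNSIGNED_ZONE, PREVIOUSLY_SIGNED_ZONE, NOW,
                        CURRENT_ZSK_KEY_TAG, force_resign=force_resign)


if __name__ == "__main__":
    for (owner, rtype), action in sorted(example_plan().items()):
        print(f"{action:5s} {rtype:4s} {owner}")
```

With the sample data only the NS RRset at the apex is reused; the SOA (serial changed), www (address changed), mail (RRSIG expired), cdn (RRSIG from a key tag other than the active ZSK) and ftp (no previous signature) are all scheduled for signing, and with force_resign=True every RRset is signed regardless.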

Available Properties

ZSK_KEY_ALIAS_PREFIX
    Key alias prefix used for zone signing. The ZSK actually used is the prefix with the ZSK sequence number (request parameter ZSK_SEQUENCE_NUMBER) appended. Required. Example: "example.com_Z_".

ACTIVE_KSKS
    Key signing keys (KSKs) currently used to sign the DNSKEY RRset. Exactly one or two comma-separated key aliases must be given; two aliases are used during a KSK rollover. Required. Example: "example.com_K_1,example.com_K_2".

ZONE_NAME
    The name of the apex (top-level) zone in the zone file, written with the trailing dot. Required. Example: "example.com.".

PUBLISH_PREVIOUS_ZSK
    Whether the previous ZSK (if there is one) is kept published in the DNSKEY RRset, so that signatures made with it remain verifiable during a ZSK rollover. Optional. Example: "false". Default: "true".

NSEC3_SALT
    Fixed, hex-encoded 64-bit (16 hex character) salt used instead of a randomly generated one. Intended for testing and troubleshooting only; in production leave it unset so that a fresh random salt is generated. Optional. Example: "6dcd4ce23d88e2ee".

DISABLEKEYUSAGECOUNTER
    Disables the key usage counter. The key usage counter is not supported by this signer, so if the property is set the only accepted value is "true".

SIGNATUREALGORITHM
    Signature algorithm used for all signatures. Default: "SHA256withRSA". Currently only "SHA1withRSA", "SHA256withRSA" and "SHA512withRSA" are supported. Each maps to the corresponding DNSSEC algorithm with NSEC3 support, so the zone is signed using NSEC3. "SHA1withRSA" is not recommended for DNSSEC signing (RFC 8624) and should only be kept for legacy zones.
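A complete worker configuration using the properties above, as an added example that is not part of the SignServer documentation. It is in the properties-file format loaded with bin/signserver setproperties followed by bin/signserver reload. The worker name, the keystore location and password, the AUTHTYPE choice and the key aliases are assumptions; the crypto token properties (CRYPTOTOKEN_IMPLEMENTATION_CLASS, KEYSTORETYPE, KEYSTOREPATH, KEYSTOREPASSWORD, DEFAULTKEY) belong to the file-based KeystoreCryptoToken and are not described on this page.

```properties
# Added example (not from the SignServer docs): a ZoneZipFileServerSideSigner worker
# for example.com. WORKERGENID1 lets SignServer assign the next free worker id.
WORKERGENID1.TYPE=PROCESSABLE
WORKERGENID1.NAME=ZoneZipSigner
WORKERGENID1.IMPLEMENTATION_CLASS=org.signserver.module.dnssec.signer.ZoneZipFileServerSideSigner

# Require a client certificate rather than NOAUTH; authorized clients are added
# afterwards with bin/signserver addauthorizedclient (assumption: this deployment
# uses the built-in client-certificate authorizer).
WORKERGENID1.AUTHTYPE=CLIENTCERT

# Crypto token holding the ZSK and KSK key pairs (assumed file-based PKCS#12 keystore;
# a PKCS#11 HSM token is the usual production choice). The password can be left out
# of the file and supplied at runtime with bin/signserver activatecryptotoken instead.
WORKERGENID1.CRYPTOTOKEN_IMPLEMENTATION_CLASS=org.signserver.server.cryptotokens.KeystoreCryptoToken
WORKERGENID1.KEYSTORETYPE=PKCS12
WORKERGENID1.KEYSTOREPATH=/opt/signserver/keys/example.com-dnssec.p12
WORKERGENID1.KEYSTOREPASSWORD=changeit
WORKERGENID1.DEFAULTKEY=example.com_Z_1

# Signer properties documented on this page. The zone keys are expected to exist
# under the aliases example.com_Z_<n> (ZSKs) and example.com_K_1 (KSK).
WORKERGENID1.ZONE_NAME=example.com.
WORKERGENID1.ZSK_KEY_ALIAS_PREFIX=example.com_Z_
WORKERGENID1.ACTIVE_KSKS=example.com_K_1
WORKERGENID1.PUBLISH_PREVIOUS_ZSK=true
WORKERGENID1.SIGNATUREALGORITHM=SHA256withRSA
# Required in practice, since this signer does not support the key usage counter.
WORKERGENID1.DISABLEKEYUSAGECOUNTER=true
# NSEC3_SALT is deliberately left unset so that a random salt is generated per signing.
```

During a KSK rollover the ACTIVE_KSKS line would list both "example.com_K_1,example.com_K_2"; during a ZSK rollover the configuration stays the same and the client selects the new key by sending a higher ZSK_SEQUENCE_NUMBER with the request.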

Request Parameters

ZSK_SEQUENCE_NUMBER
    Sequence number appended to ZSK_KEY_ALIAS_PREFIX to select the ZSK for this request. Example: "1" (with the prefix "example.com_Z_" this selects the key alias "example.com_Z_1").

FORCE_RESIGN
    Whether to re-sign records whose signatures are present in the previously signed zone file and still valid. When "FALSE", those signatures are reused and only records without a valid existing signature are signed; when "TRUE", every record is signed afresh. Default: "FALSE".