The ZoneHashSigner signer has the fully qualified class name: org.signserver.module.dnssec.signer.ZoneHashSigner
The ZoneHashSigner signer signs DNS zone files contained in a zip file with DNS Security Extensions (DNSSEC), using the SignClient in client-side hashing and construction mode.
For information on invoking the SignClient, see DNSSEC Signing in Client-Side Hashing.
The signer is designed around a two-stage request-response protocol, see Protocol.
| Property | Description |
| --- | --- |
|  | Key alias prefix to use for zone signing. The key used is the prefix with the key sequence number appended. Required. Example: "example.com_Z_". |
| ACTIVE_KSKS | Active key signing keys to use. Exactly 1 or 2 key aliases must be specified, comma-separated. Required. Example: "example.com_K_1,example.com_K_2". |
| ZONE_NAME | The name of the top-level zone in the zone file. Required. Example: "example.com.". |
| PUBLISH_PREVIOUS_ZSK | Whether the previous ZSK (if any) should be kept published. Optional. Example: "false". Default: "true". |
| NSEC3_SALT | Fixed, hex-encoded salt (64-bit value) to use instead of a random salt, for testing/troubleshooting purposes. Optional. Example: "6dcd4ce23d88e2ee". |
| DISABLEKEYUSAGECOUNTER | Disables the key usage counter. The key usage counter is not supported by this signer, so if this property is set, only the value "true" is accepted. |
|  | Signature algorithm to use for all signatures. Default: "SHA256withRSA". Currently only "SHA256withRSA" is supported. All signature algorithms map to DNSSEC algorithms using NSEC3, and the NONEwithRSA algorithm is used for signing the digests. |
| ZSK_SEQUENCE_NUMBER | Sequence number to append after the key alias prefix. Request metadata parameter. Example: "1". |
| SOA_TTL | TTL of the SOA (start of authority) record in seconds. Request metadata parameter; only used for the pre-request and required when sending the pre-request. |
Due to the way DNSSEC zone file signing works, this signer is designed around a two-stage request-response protocol.
In the first request (the pre-sign request), the request body is empty; this tells the signer that the request is a pre-request. The request metadata parameters ZSK_SEQUENCE_NUMBER and SOA_TTL are included to indicate the zone signing key sequence number to use and the TTL (Time To Live) of the SOA (Start of Authority) record.
The signer sends back a pre-sign response with the DNSKEY records, the signature records for the DNSKEY records, and the NSEC3PARAM record. These are encoded in the response in the format of a Java properties file.
The client then constructs the sign request containing the same ZSK_SEQUENCE_NUMBER as in the pre-sign request, the same SIG record data as received in the pre-sign response, and a mapping from each RRset ID to the hash that should be signed. Each hash is calculated from the SIG record data received in the pre-sign response and the RRset itself.
The server verifies that the received footprint is correct (and matches the ZSK_SEQUENCE_NUMBER), signs each hash, and responds with a sign response mapping the same IDs provided in the sign request to the signature values. The response data is formatted as a Java properties file. The receiving client (for example, the SignClient) then constructs each SIG record and inserts the signature received from the server.
Pre-sign request:

- Request body: empty.
- Response body:

```
rr.dnskey.z0=...base64 of wire format for DNSKEY 256 (if one)...
rr.dnskey.z1=...base64 of wire format for DNSKEY 256...
rr.dnskey.z2=...base64 of wire format for DNSKEY 256 (if one)...
rr.dnskey.k1=...base64 of wire format for DNSKEY 257...
rr.dnskey.k2=...base64 of wire format for DNSKEY 257 (if one)...
rr.dnskey.sig.z1=...base64 of wire format for RRSIG with Z1 key...
rr.dnskey.sig.k1=...base64 of wire format for RRSIG with K1 key...
rr.dnskey.sig.k2=...base64 of wire format for RRSIG with K2 key (if one)...
rr.nsec3param=...base64 of wire format for NSEC3PARAM...
rr.nsec3param.sig=...base64 of wire format for RRSIG of NSEC3PARAM...
```

Sign request:

- Request metadata:

```
ZSK_SEQUENCE_NUMBER=10
rr.dnskey.z1.expiretime=1577011258284
rr.dnskey.z1.signingtime=1574419258284
rr.dnskey.z1.footprint=11644
rr.dnskey.z1.algorithm=8
```

- Request body:

```
hash.1=...base64 of hash or signature input...
```

- Response body:

```
sig.1=...base64 of signature of hash.1...
sig.2=...
sig.N=...
```
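The client-side half of the protocol described above, as an added Python example that is not part of SignServer or of this page: it parses the sign-request metadata (Java properties format), checks that the advertised footprint matches the ZSK DNSKEY in the same way the server checks it, and computes `hash.N` for an RRset from the RFC 4034 RRSIG signing input (the RRSIG RDATA without the signature field, followed by the canonically ordered RRs), digested with SHA-256. All sample values are constructed: the DNSKEY carries a 4-byte dummy public key (so its footprint is 2062, not the page's 11644), and the A records use RFC 5737 documentation addresses. Two details are assumptions, because the page does not pin down the exact bytes the SignClient sends: that the millisecond `expiretime`/`signingtime` values are divided by 1000 to obtain the 32-bit RRSIG timestamps, and that the plain SHA-256 digest is what goes into `hash.N`.

```python
"""Added example (not SignServer's own code): client side of the ZoneHashSigner
protocol after the pre-sign response. Parses the properties metadata, checks the
ZSK footprint, and builds hash.N from the RFC 4034 RRSIG signing input.
All sample data is constructed; the DNSKEY public key is a 4-byte dummy."""
import base64
import hashlib
import struct

DNSSEC_RSASHA256 = 8   # DNSSEC algorithm number for RSA/SHA-256 (RFC 5702)
TYPE_A = 1             # RR type code used in the sample RRset

def parse_properties(text):
    """Minimal Java .properties reader: key=value per line, '#'/'!' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def dns_name_wire(name):
    """Wire-format DNS name, lowercased as RFC 4034 section 6.2 requires."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if label:
            out += struct.pack("B", len(label)) + label.encode("ascii")
    return out + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA: flags | protocol | algorithm | public key (RFC 4034 2.1)."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata):
    """Key tag (footprint) over the DNSKEY RDATA, RFC 4034 Appendix B."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i % 2 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def rrsig_rdata_prefix(type_covered, algorithm, labels, original_ttl,
                       expiration, inception, footprint, signer_name):
    """RRSIG RDATA with the Signature field left off (RFC 4034 3.1.8.1)."""
    fixed = struct.pack("!HBBIIIH", type_covered, algorithm, labels,
                        original_ttl, expiration, inception, footprint)
    return fixed + dns_name_wire(signer_name)

def canonical_rr(owner, rtype, ttl, rdata):
    """Canonical RR: owner | type | class IN (1) | original TTL | rdlength | rdata."""
    return dns_name_wire(owner) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata

def signing_input_hash(prefix, owner, rtype, ttl, rdatas):
    """SHA-256 of RRSIG_RDATA | RR(1) | ... | RR(n), RRs sorted by RDATA (RFC 4034 6.3)."""
    rrs = b"".join(canonical_rr(owner, rtype, ttl, rd) for rd in sorted(rdatas))
    return hashlib.sha256(prefix + rrs).digest()

def verify_footprint(sig_meta, zsk_rdata):
    """The check the signer performs: does the advertised footprint match the ZSK?"""
    return key_tag(zsk_rdata) == int(sig_meta["rr.dnskey.z1.footprint"])

def build_sign_request(sig_meta, zsk_rdata, zone_name, rrsets):
    """Return the sign-request body as a dict hash.N -> base64 digest.
    rrsets is a list of (owner, type, ttl, [rdata, ...]); N is the 1-based RRset id."""
    if not verify_footprint(sig_meta, zsk_rdata):
        raise ValueError("footprint in metadata does not match the ZSK DNSKEY")
    algorithm = int(sig_meta["rr.dnskey.z1.algorithm"])
    footprint = int(sig_meta["rr.dnskey.z1.footprint"])
    # Assumption: the page shows epoch milliseconds; RRSIG carries 32-bit seconds.
    expiration = int(sig_meta["rr.dnskey.z1.expiretime"]) // 1000
    inception = int(sig_meta["rr.dnskey.z1.signingtime"]) // 1000
    body = {}
    for rrset_id, (owner, rtype, ttl, rdatas) in enumerate(rrsets, start=1):
        labels = len([l for l in owner.rstrip(".").split(".") if l])  # no wildcard handling
        prefix = rrsig_rdata_prefix(rtype, algorithm, labels, ttl,
                                    expiration, inception, footprint, zone_name)
        digest = signing_input_hash(prefix, owner, rtype, ttl, rdatas)
        body[f"hash.{rrset_id}"] = base64.b64encode(digest).decode("ascii")
    return body

# Constructed sample metadata, modelled on the sign-request metadata on this page.
SAMPLE_SIG_META = """\
# constructed sample, not a real signer response
ZSK_SEQUENCE_NUMBER=10
rr.dnskey.z1.expiretime=1577011258284
rr.dnskey.z1.signingtime=1574419258284
rr.dnskey.z1.footprint=2062
rr.dnskey.z1.algorithm=8
"""
# Dummy ZSK: flags 256 (zone key), protocol 3, RSA/SHA-256, 4-byte fake key -> key tag 2062.
SAMPLE_ZSK = dnskey_rdata(256, 3, DNSSEC_RSASHA256, b"\x01\x02\x03\x04")
# One A RRset with two RFC 5737 documentation addresses, deliberately out of order.
SAMPLE_RRSETS = [("www.example.com.", TYPE_A, 3600,
                  [bytes([192, 0, 2, 2]), bytes([192, 0, 2, 1])])]

if __name__ == "__main__":
    for k, v in build_sign_request(parse_properties(SAMPLE_SIG_META), SAMPLE_ZSK,
                                   "example.com.", SAMPLE_RRSETS).items():
        print(f"{k}={v}")   # the properties-format body of the sign request
```

The footprint check is the interesting part from a defender's view: because the server refuses to sign when the key tag of the active ZSK does not match the footprint the client echoes back, a client that builds RRSIG prefixes against a stale or wrong DNSKEY gets an error instead of a signature that resolvers would reject. The RDATA sort in `signing_input_hash` matters too: two clients that order the same RRset differently must still produce the same digest, or the signature will not validate.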