ZoneZipFileServerSideSigner

The ZoneZipFileServerSideSigner signer has the fully qualified class name: org.signserver.module.dnssec.signer.ZoneZipFileServerSideSigner

Overview

The ZoneZipFileServerSideSigner signer can be used to sign a Domain Name System (DNS) zone file contained in a zip file, using DNS Security Extensions (DNSSEC).

The ZoneZipFileServerSideSigner is similar to the ZoneFileServerSideSigner with the difference that this signer uses the input of a zip file containing an unsigned zone file and a previously signed zone file. Depending on the request metadata property FORCE_RESIGN, signatures present in previously signed zone files are reused if they are valid, and only new records are signed. 

Available Properties

PropertyDescription
ZSK_KEY_ALIAS_PREFIX

Key alias prefix to use for zone signing. The key used will be based on the prefix with the key sequence number appended. Required. Example: "example.com_Z_".

ACTIVE_KSKSActive key signing keys to use. Must specify exactly 1 or 2 key aliases, comma-separated. Required. Example: "example.com_K_1,example.com_K_2".
ZONE_NAMEThe name of the top-level zone in the zone file. Required. Example: "example.com.".
PUBLISH_PREVIOUS_ZSKIf the previous ZSK (if one) should be kept published. Optional. Example: "false". Default: "true".
NSEC3_SALTFixed, hex-encoded salt (64-bit value) to use instead of a random salt for testing/troubleshooting purposes. Optional. Example: "6dcd4ce23d88e2ee".
DISABLEKEYUSAGECOUNTERDisables the key usage counter. As the key usage counter is not supported by this signer, if set, only the value "true" is supported.
SIGNATUREALGORITHM

Signature algorithm to use for all signatures. Default: "SHA256withRSA". Currently, only "SHA1withRSA", "SHA256withRSA" and "SHA512withRSA are supported. All signature algorithms map to DNSSEC algorithms using NSEC3.

Request Parameters

PropertyDescription
ZSK_SEQUENCE_NUMBERSequence number to append after key alias prefix. Example: "1".
FORCE_RESIGNSpecifies whether to resign previously signed records even if their signatures are valid and present in the signed zone file. Default: "FALSE".