Version 31 (modified by alex, 6 months ago)

OpenDNSSEC > DNSSEC Signer

The DNSSEC Signer is a signer solution that automates DNSSEC signing and maintenance operations as far as possible. It integrates with existing DNS deployment scenarios by using various inbound and outbound adapters (e.g. file in/out, AXFR, IXFR, and SVN) to communicate with its surroundings. The different adapters make it easier for an implementer to integrate DNSSEC into their environment without having to overhaul the entire existing infrastructure.

The trust mechanism in DNSSEC is based on public and private cryptographic keys, where the holder of the private key is the only one who can put the correct signature on a DNS resource record. It is thus important to protect the private key and make sure that no external party can get hold of it. One way of protecting the keys is to store them on separate hardware, a so-called Hardware Security Module (HSM), which the DNSSEC Signer uses.

Another obstacle for DNSSEC is key management. Whenever a key is rolled over to another key, the rollover must be performed in the correct order and with the correct timing. Faulty key management will break the trust architecture created by DNSSEC for a given domain. The DNSSEC Signer automates key management as far as possible to make sure that this does not happen.

About

DNSSEC Signer is based on the requirements specified by the project members. The requirements have then been turned into a system architecture.

Documentation

The following page and its subpages describe how to install and use OpenDNSSEC.

Current development

Visit http://www.opendnssec.org/ to see our releases and release plan.

Plugins

It is possible to write different plugins. Below are some requirements for these.