Signer Architecture

(Figure: docs/dnssec-signer-arch.png)

Signer Engine

The signer engine is the core of this system. It drives the whole signing process by reading the KASP database and enforcing the policy that KASP defines. It works as a black-box server process. If for some reason it cannot enforce the policy, it alerts the system administrator (via SNMP or Nagios ???) and keeps trying until things start working again.

The signer engine is responsible for

  • resigning before signatures expire
  • resigning when the keys have changed
  • creating a new NSEC3 chain, updating NSEC3PARAM, waiting for distribution, then removing the old chain
  • updating the SOA serial when changing keys

Zone Storage

Zone storage needs to hold the complete zone, together with information about whether it has been updated with new data and when it was last signed. It also needs to store the signatures and NSEC records.

Security Module

The security module is responsible for generating and storing all keypairs. Since private keys are not allowed to leave the security module in unencrypted form, all signing operations must be performed within the security module. The security module can be implemented using an HSM or as a separate software function on the signer host. The interface towards the security module is most likely PKCS#11.

Multiple security modules may exist within one signer. This is particularly useful when transitioning between different HSMs, or if one has different security requirements for the KSK and the ZSK.

Key and Signing Policy

The Key and Signing Policy (KASP) does not need to know anything about the key material; all of that is taken care of by the Key Management module. The KASP only describes the policy for the zone and its key management: key sizes, intervals and algorithms used. The Zone Admin Tool can update the policy for a zone, and these changes take effect for new keys or when the zone is resigned.

See the signer policy page for requirements on KASP parameters.

Key Management (aka KASP Enforcer)

Key management implements the Key and Signing Policy, i.e. creating the keys that are needed (using the security module), removing keys no longer needed, handling pre- and post-publication timers, etc. All dynamic (i.e. non-policy) information about keys and key parameters is stored in the Metastore.

The signer engine queries the key management for all signing parameters:

  • The current set of Key Signing Keys (KSK) and Zone Signing Keys (ZSK)
  • The current set of all published and revoked DNSKEYs
  • Signature inception/expiration settings (including possible expiration jitter)

More on Key Management.
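The decisions the signer engine makes from these parameters (resign when signatures approach expiration or when the active key set has changed, backdate inception, jitter expiration, bump the SOA serial) can be sketched as a small scheduler. This is an added illustration, not code from the project; the policy fields, key tags and sample zone state are constructed assumptions.

```python
import random
from dataclasses import dataclass

@dataclass(frozen=True)
class SigningPolicy:
    validity: int          # lifetime of a fresh RRSIG in seconds (hypothetical KASP field)
    refresh: int           # resign once fewer than this many seconds remain
    inception_offset: int  # backdate inception to absorb validator clock skew
    jitter: int            # upper bound on random seconds shaved off expiration

@dataclass(frozen=True)
class SignedRRset:
    name: str
    rtype: str
    key_tags: frozenset    # key tags of the keys whose RRSIGs cover this RRset
    expiration: int        # earliest RRSIG expiration, Unix time

def needs_resign(rrset, now, policy, active_key_tags):
    """Resign when signatures are close to expiring or the active key set changed."""
    near_expiry = rrset.expiration - now < policy.refresh
    keys_changed = rrset.key_tags != active_key_tags
    return near_expiry or keys_changed

def signature_window(now, policy, rng):
    """Inception/expiration for a new RRSIG; jitter spreads expirations over time."""
    inception = now - policy.inception_offset
    expiration = now + policy.validity - rng.randint(0, policy.jitter)
    return inception, expiration

def plan_resigning(rrsets, now, policy, active_key_tags, rng=None):
    """Return (name, rtype, inception, expiration) for every RRset that must be resigned."""
    rng = rng or random.Random()
    plan = []
    for r in rrsets:
        if needs_resign(r, now, policy, active_key_tags):
            plan.append((r.name, r.rtype) + signature_window(now, policy, rng))
    return plan

def next_serial(serial):
    """Bump the SOA serial with RFC 1982 wrap-around (needed after a key change)."""
    return (serial + 1) & 0xFFFFFFFF

# Constructed sample zone state: one healthy RRset, one near expiry, one signed by a retired key.
NOW = 1_700_000_000
POLICY = SigningPolicy(validity=14 * 86400, refresh=3 * 86400, inception_offset=3600, jitter=43200)
ACTIVE_KEYS = frozenset({12345, 23456})
SAMPLE_RRSETS = [
    SignedRRset("example.test.", "A", ACTIVE_KEYS, NOW + 10 * 86400),
    SignedRRset("www.example.test.", "AAAA", ACTIVE_KEYS, NOW + 86400),
    SignedRRset("mail.example.test.", "MX", frozenset({99999}), NOW + 10 * 86400),
]
```

Calling `plan_resigning(SAMPLE_RRSETS, NOW, POLICY, ACTIVE_KEYS)` schedules only the AAAA and MX RRsets; the healthy A RRset is left alone.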

RRset Signer

The RRset Signer signs a single RRset with one or more keys using the security module.

NSEC-ifier

The NSEC-ifier maintains the NSEC and NSEC3 chains in the zone and is also responsible for sorting the zone unless it is already sorted.

Inbound Zone Adapter

The Inbound Zone Adapter fetches the unsigned zone using AXFR/IXFR/SSH.

Outbound Zone Adapter

The Outbound Zone Adapter delivers the signed zone using AXFR/IXFR/SSH.