Key Management

How does a software solution like Signer keep keys safe online?

Signer runs on SourceT, Secure64’s Genuinely Secure micro operating system. SourceT’s architecture makes it and any applications running on it immune to malware and resistant to network attacks. Private keys are always encrypted when stored on disk. The architecture has been reviewed by third-party security experts and found to be immune to all known forms of malware.

What is the source of randomness for key generation?
Signer uses a number of sources of input from the onboard Trusted Platform Module and other hardware components to create the random numbers used to generate keys.

What techniques does Signer use to perform key rollover?

Signer uses the prepublish technique with ZSKs in order to reduce the size of the signed zone data. Signer uses the double signing technique with KSKs.

What happens if a key is compromised?

Signer generates and keeps in reserve a spare KSK and ZSK for each zone. In the event that a published KSK or ZSK is compromised, the administrator can issue a command that rolls the key to the spare.

How do I establish and maintain the chain of trust with my parent zone?
Signer can be configured to notify the administrator of any new or modified public keys that must be communicated to the parent zone or to a DLV. Public keys can also be queried for any zone by the administrator.

RFC Support

Does Signer support the full DNSSEC standards?

Yes, Signer provides full support for RFCs 4033, 4034 and 4035.

Does Signer support NSEC3?
Yes, Signer provides full support for NSEC3 (RFC 5155).

Does Signer support opt-out with NSEC3?
Yes. Signer supports opt-out with NSEC3. This allows unsigned delegations (child zones that are not signed) to be excluded from the NSEC3 chain, which improves signing performance and decreases the size of the signed zone data.

Does Signer automatically maintain the NSEC or NSEC3 chains?
Yes. Whenever any change is made to the zone data (add, modify or delete zones or records), Signer automatically updates the NSEC or NSEC3 chains.
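To make the opt-out and chain-maintenance answers above concrete, here is an added example (not Secure64's or Signer's code) that computes NSEC3 owner names per RFC 5155 and rebuilds the hashed chain for a small constructed zone, once without and once with opt-out; the zone data, salt and iteration count are assumed sample values.

```python
import hashlib
import base64

# NSEC3 owner names use base32hex (RFC 5155 section 3.3); translate from standard base32.
_B32_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567", "0123456789ABCDEFGHIJKLMNOPQRSTUV")

def wire_name(name):
    # Canonical wire form: lowercase, each label length-prefixed, terminated by the root label.
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def nsec3_hash(name, salt, iterations):
    # RFC 5155 section 5: IH(0) = SHA-1(name || salt); IH(k) = SHA-1(IH(k-1) || salt).
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode("ascii").translate(_B32_TO_B32HEX).lower()

def build_nsec3_chain(zone, rrsets, salt, iterations, opt_out):
    # rrsets: owner name -> set of RR types at that name (constructed zone data). An insecure
    # delegation (NS without DS, below the apex) gets no NSEC3 record when opt-out is set.
    def insecure_delegation(owner):
        return owner != zone and "NS" in rrsets[owner] and "DS" not in rrsets[owner]
    covered = [o for o in rrsets if not (opt_out and insecure_delegation(o))]
    hashed = sorted((nsec3_hash(o, salt, iterations), o) for o in covered)
    flags = 1 if opt_out else 0  # flag bit 0 is the Opt-Out flag
    chain = []
    for i, (h, owner) in enumerate(hashed):
        next_hash = hashed[(i + 1) % len(hashed)][0]  # last record wraps to the first
        chain.append((f"{h}.{zone}", flags, next_hash, sorted(rrsets[owner])))
    return chain

# Constructed sample zone: apex, a signed delegation (has DS), an insecure delegation, a host.
SALT = bytes.fromhex("aabbccdd")
ZONE = {
    "example.": {"SOA", "NS", "DNSKEY", "NSEC3PARAM"},
    "signed.example.": {"NS", "DS"},
    "unsigned.example.": {"NS"},
    "www.example.": {"A", "AAAA"},
}

if __name__ == "__main__":
    for opt_out in (False, True):
        print(f"opt-out={opt_out}")
        for rec in build_nsec3_chain("example.", ZONE, SALT, 12, opt_out):
            print("  ", rec)
    # Any add/modify/delete means the hash ring must be rebuilt so it stays complete.
    ZONE["mail.example."] = {"A", "MX"}
    print(len(build_nsec3_chain("example.", ZONE, SALT, 12, True)), "records after adding mail.example.")
```

Each tuple is (hashed owner, flags, next hashed owner, type bitmap); with opt-out the insecure delegation disappears from the ring and every record carries the Opt-Out flag.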

Does Signer support best practices for deploying DNSSEC?
Yes. Signer supports RFC 4641, which outlines operational practices for deploying DNSSEC.

Management

Can I get a report of the status of my signed zones?
Yes. Signer provides a command to report on the status of all signed zones. Information returned includes the name of the zone, the type of signing algorithm used, the key size, the public key, and the key inception and expiration dates. Keys that are in transition state are also noted.

How can I monitor the health and correctness of my signed zones?
There are a number of open source tools that monitor and report on the health of signed zones. These tools can be used in conjunction with any signed zones, including those created by Signer.

Performance and Capacity

How can Signer keep up with changes to a large zone, especially if I have a short update interval?

Typical implementations will run Signer once with a completely unsigned zone, and then send incremental changes only thereafter. In this configuration, Signer is able to keep up with changes to even the largest zones (such as large TLDs) while still being able to update slave servers as frequently as every couple of minutes.

How many signed zones and records can Signer handle?
Maximum capacity is limited only by available RAM. Signer has been tested with hundreds of thousands of zones and millions of records.