CASCADE
Cascade is a purpose-built DNSSEC signing solution. It is a so-called hidden bump-in-the-wire signer. Cascade serves as a replacement for OpenDNSSEC, which will reach end-of-life in October 2027. Cascade is written in Rust and designed to match modern operational needs, such as fine-grained observability.
With Cascade we offer a solution with sensible defaults based on current best practices, and a fresh user interface designed to be clear, transparent and simple for the operator.
The state-machine-based architecture of Cascade ensures that each zone pipeline is in a single consistent state at all times. It looks like this:
Flexible signing
Cascade can generate and use on-disk key files and does not require a Hardware Security Module (HSM) to operate. For operators wishing to use an HSM, Cascade can connect to PKCS#11 and KMIP compatible HSMs.
Bespoke zone verification
Using Review Hooks, Cascade supports optional verification of your zone data at two critical stages: verification of the unsigned zone, and verification of the signed zone. These review hooks can be used to perform any validation you require to ensure your zone is correct at all stages, using any (third-party) tools desired.
Controllability
Cascade gives you tight control over key management, automation of key rolls and the DNSSEC signing process.
Features that grow with your needs
Cascade currently offers these features and will be continually maintained and expanded:
- Incremental signing
- Upstream and downstream TSIG message authentication
- Upstream and downstream IXFR
- Zone and diff persistence
- Prometheus metrics
To get started with Cascade, please refer to the extensive documentation.
Feedback
If you run into a problem with Cascade or you have a feature request, please create an issue on GitHub. We are also happy to accept your pull requests. For general discussion and exchanging operational experiences we host the NLnet Labs Community Forum. This is also where we will announce releases of the application and updates on the project.
Professional Services
Professional support services are available for Cascade, offering premium support, consultancy hours, early security warnings under non-disclosure, as well as priority feature requests.
Cascade and all supporting libraries are licensed under the BSD 3-Clause License.