CASCADE
Cascade is a purpose-built DNSSEC signing solution. It is a so-called hidden bump-in-the-wire signer. Cascade serves as a replacement for OpenDNSSEC, which will reach end-of-life in October 2027. Cascade is written in Rust and designed to match modern operational needs, such as fine-grained observability.
With Cascade we have applied the lessons learned from OpenDNSSEC, use sensible defaults based on current best practices, provide a fresh user interface designed to be clear, transparent and simple for the operator, and offer built-in pre-signing and pre-publication review hook functionality.
The state-machine-based architecture of Cascade ensures that each zone pipeline is in a single consistent state at all times.
In addition to the review hooks and the friendly user interface, Cascade currently offers:
- Incremental signing
- Upstream and downstream TSIG message authentication
- Upstream and downstream IXFR
- Zone and diff persistence
- Prometheus metrics
To get started with Cascade, please refer to the extensive documentation.
Feedback
If you run into a problem with Cascade or you have a feature request, please create an issue on GitHub. We are also happy to accept your pull requests. For general discussion and exchanging operational experiences we host the NLnet Labs Community Forum. This is also where we will announce releases of the application and updates on the project.
Professional Services
Professional support services are available for Cascade, offering premium support, consultancy hours, early security warnings under non-disclosure, as well as priority feature requests.
Cascade and all supporting libraries are licensed under the BSD 3-Clause License.