A friendly DNSSEC signing solution: sensible defaults, controllability, observability and flexibility.

NLnetLabs/cascade

Cascade

Cascade is a friendly DNSSEC signing pipeline.

An alpha release is available now, and we encourage you to test it. Read our comprehensive documentation to get started. Based on your feedback, we will continue work to offer a production-grade release of Cascade in the first half of 2026. Please do not use the current codebase in production.

If you have questions, suggestions or feature requests, don't hesitate to create an issue on GitHub, send us an email or mention us on Mastodon! You can also find us in the NLnet Labs DNS channel on the DNS OARC Mattermost server.

Feature Set

The Cascade pipeline runs as a single binary, without the need for additional database software. Zones are loaded, signed and published in several stages, letting you review and approve with automation at each step:

[Figure: cascade-pipeline]

Flexible Signing

Get started easily with sensible default settings based on industry best practices. Cascade can generate and use on-disk key files and does not require a Hardware Security Module (HSM) to operate. For operators wishing to use an HSM, Cascade can connect to PKCS#11 and KMIP compatible HSMs.

Bespoke Zone Verification

Using Review Hooks, Cascade supports optional verification of your zone data at two critical stages: verification of the unsigned zone, and verification of the signed zone. These review hooks can be used to perform any validation you require to ensure your zone is correct at all stages, using any (third-party) tools desired.
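
An added example, not part of Cascade or its documentation: the kind of check a review hook for the signed zone could run, here flagging signatures that are not yet valid or close to expiry and an apex without signed SOA and DNSKEY RRsets. How Cascade hands the zone to a hook and reads its verdict is not described on this page, so the function only takes zone text; it assumes one record per line with explicit TTL and class, and the zone name, dates and key data in the sample are constructed.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample: a signed zone in presentation format, one record per line.
# Key and signature fields are placeholders, not real cryptographic material.
SAMPLE_ZONE = """\
example.test. 3600 IN SOA ns1.example.test. admin.example.test. 1 7200 3600 1209600 3600
example.test. 3600 IN RRSIG SOA 13 2 3600 20260301000000 20260201000000 12345 example.test. c2ln
example.test. 3600 IN DNSKEY 257 3 13 a2V5
example.test. 3600 IN RRSIG DNSKEY 13 2 3600 20260205000000 20260201000000 12345 example.test. c2ln
www.example.test. 3600 IN A 192.0.2.10
"""

def _ts(field):
    # RRSIG timestamps in the YYYYMMDDHHmmSS form, always UTC.
    return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def review_signed_zone(zone_text, apex, now, min_remaining=timedelta(days=7)):
    """Return a list of problems; an empty list means the zone passes review."""
    problems, present, signed = [], set(), set()
    for line in zone_text.splitlines():
        f = line.split()
        if len(f) < 5 or f[0].startswith(";"):
            continue  # blank line, comment, or too short to be a record
        owner, rtype = f[0].lower(), f[3].upper()
        if rtype != "RRSIG":
            present.add((owner, rtype))
            continue
        if len(f) < 13:
            problems.append(f"{owner}: malformed RRSIG")
            continue
        # RRSIG RDATA: covered alg labels orig-ttl expiration inception tag signer sig
        covered, expiration, inception = f[4].upper(), _ts(f[8]), _ts(f[9])
        signed.add((owner, covered))
        if inception > now:
            problems.append(f"{owner} {covered}: signature not yet valid")
        if expiration - now < min_remaining:
            problems.append(f"{owner} {covered}: signature expires {expiration:%Y-%m-%d}")
    # The apex SOA and DNSKEY RRsets must exist and carry a signature.
    for rtype in ("SOA", "DNSKEY"):
        if (apex, rtype) not in present:
            problems.append(f"{apex} {rtype}: missing")
        elif (apex, rtype) not in signed:
            problems.append(f"{apex} {rtype}: unsigned")
    return problems

if __name__ == "__main__":
    now = datetime(2026, 2, 2, tzinfo=timezone.utc)  # fixed clock for the sample
    for problem in review_signed_zone(SAMPLE_ZONE, "example.test.", now):
        print(problem)
```

This checks timing and presence only; it does not validate the signatures cryptographically.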

Controllability

Cascade gives you tight control over key management, automation of key rolls and the DNSSEC signing process.

Installation

Install Cascade from a binary package for either Debian and Ubuntu or for Red Hat Enterprise Linux (RHEL) and compatible systems, such as Rocky Linux. Alternatively, you can build from the source code using Cargo, Rust’s build system and package manager.
