DNSSEC Signing.
TLD Tough.

Cascade goes production-grade this fall.

Explore on GitHub

Revolution, reinvented.

Cascade is a purpose-built, standalone DNSSEC signer, shaped by the real-world demands of TLD operators. People for whom safety, stability and speed aren’t features — they’re the foundation.

We didn’t patch the past — we started fresh. The result? A transparent signing pipeline with clear stages, full control over key management, and customizable validation. Engineered from the ground up for today's infrastructure.

Built in Rust

Cascade runs on our domain crate — engineered in Rust since 2015 and backed by NLnet Labs’ long-standing reputation for clean, predictable solutions that hold under pressure.

Backed by the builders

No outsourced helpdesk. No AI chat bots. When you need support, you’re talking to the engineers who built Cascade — the ones who know the code and the stakes.

Add trusted validation

Retain your own validation logic that you've come to trust. Or plug-in industry-standard tools, from us, or from others.

Clear docs

No more searching for vague guides with outdated information and missing steps. Cascade ships with comprehensive, up-to-date docs — built for real-world onboarding.

Sensible defaults

Cascade starts with the essentials done well. A solid foundation, ready to evolve with you.

Leave homebrew signing behind

Shell-script pipelines are not long-term maintainable solutions. Cascade provides a sustainable system, with flexibility at key points in the process.


We don’t sunset leading software lightly.

Our popular OpenDNSSEC signing engine has changed the game. But even the most trusted tools reach a point where they need to gracefully end their service with intention, and make room for what’s next

We know our code — but more importantly, we know the people we build it for, and what’s at stake if it breaks. That’s why we brought 16 top-level domains into the process of building a reliable successor from day one.

"Cascade is the new standard industry experts can stand behind — with conviction."

— Alex Band, Director of Product Development at NLnet Labs


Manage keys with confidence.

Our key manager lets you work with an HSM or sign in software. Cascade shows you what’s happening in every stage of your key lifecycle — and why. No magic. No black boxes


Prevent zone corruption before it breaks systems — and trust.

Cascade allows validation at each stage of the signing pipeline, letting you catch issues early, before they reach production. Plug in your own quality gates and automated tests, and stop updates before they corrupt your zone.


"It's always DNS…"

When DNS fails, everything fails. If a registry goes dark, hospitals, banks, and e-commerce all go offline with it. Government portals can’t deliver essential services. Businesses stop transacting. And people are no longer able to connect, communicate, or pay. Our users’ infrastructure can’t afford downtime—not even 5 minutes. Cascade is designed to help operators build a dependable DNS infrastructure.

Cascade for Infrastructure Engineers

No trials. No sales calls. No friction. Just an open source solution that gets the job done — and keeps getting better.

  • Essential features, out of the box – Built with the input of TLDs and SREs, with everything you need to get started — and sensible defaults so you’re not stuck hand-editing XML.
  • Zero downtime, zero firefighting – Fast, boring reliability. The kind your on-call team will thank you for.
  • Run it your way – Native packages for Debian, RHEL and more. Or container images ready to drop into your stack.
  • Built-in version control – Full change history and instant rollbacks — because mistakes happen.
  • Effortless scaling – From 10 zones to 10,000, with millions of records — no re-architecting required.
  • Observability out of the box – Monitoring that fits into your existing setup, plus a clean API for whatever else you need.
  • Docs that actually help – Up-to-date manuals, examples, and a community that doesn’t treat questions like bugs.
  • Support by people you trust – Actively developed by engineers you already know. And when you need backup, you're talking to the builders.

Cascade for Security & Compliance Leads

Cascade is designed from the ground up to meet the needs of critical infrastructure operators, national registries, and anyone who can’t afford a security lapse — or a failed audit.

  • Essential features, out of the box – Built with the input of TLDs and SREs, with everything you need to get started — and sensible defaults so you’re not stuck hand-editing XML.
  • Zero downtime, zero firefighting – Fast, boring reliability. The kind your on-call team will thank you for.
  • Run it your way – Native packages for Debian, RHEL and more. Or container images ready to drop into your stack.
  • Built-in version control – Full change history and instant rollbacks — because mistakes happen.
  • Effortless scaling – From 10 zones to 10,000, with millions of records — no re-architecting required.
  • Observability out of the box – Monitoring that fits into your existing setup, plus a clean API for whatever else you need.
  • Docs that actually help – Up-to-date manuals, examples, and a community that doesn’t treat questions like bugs.
  • Maintained by people you trust – Actively developed by engineers you already know. And when you need backup, you're talking to the builders.

Cascade for Infrastructure Heads

Cascade is backed by NLnet Labs — with 25 years of engineering integrity, open standards leadership, and real-world operational trust.

  • Built and supported by experts – Get direct access to the team behind the code — from architecture to rollout and beyond.
  • No lock-in, no limits – Open source, standards-based, and liberally licensed. No freemium features. No usage caps. Run it your way.
  • A true successor to OpenDNSSEC – Modern, purpose-built, and ready to replace brittle legacy setups.
  • Modern stack, no legacy syntax – No Perl. No fragile XML. Just clean, maintainable tools your team won’t hate.
  • Low total cost of ownership – No license fees. Minimal operational overhead. Serious value compared to commercial alternatives.
  • Onboarding done right – Clear, comprehensive docs written for production, not prototypes.
  • Fits into your stack, cleanly – Designed for integration, with robust APIs and predictable behaviour at scale.

Enterprise-grade support across the entire system lifecycle.

Open source is how we hand you top-tier tools and solutions for systems that can’t afford to go down. Enterprise-grade support across the entire system lifecycle is how you keep the experts in the room—on your team, and ready when the hard questions come.

Onboarding & Integration

We help you migrate, integrate, and move from testbed to production without friction.

Deployment & Configuration

Straightforward setup in complex environments — hybrid, on-prem, or anything in between.

Security Patches & Bug Fixes

As a CVE Numbering Authority, we coordinate disclosures responsibly — with NDA pre-notifications so you can schedule maintenance ahead. No surprises.

Performance Updates & Feature Releases

Regular improvements without breaking your workflow — with clear changelogs and optional staged rollouts.

Experts On Call

For critical open-source infrastructure, added support isn’t optional - it’s the professional standard. You get direct access to the engineers who built Cascade and know what's at stake. No ticket triage. No outsourced delays. Just real answers from real experts when it matters.

Simplify Conversations With Your Regulator

NIS2 puts your critical infrastructure in the spotlight. Our support puts our experts in the room so you're ready when the hard questions come.

Your Engineers, Our Developers

We don’t just ship code — we build in conversation. Your experience, feedback, and requests help move the project forward, together.

End-of-Life & Migration Support

Two-year EOL notice and help moving forward when the future calls.


The inside view.

Managing Director Benno Overeinder and Director of Product Development Alex Band explain why Cascade was built, what needed to change, and why NLnet Labs chose to rebuild its new DNSSEC signer from the ground up.


Unbox with us

Tuesday October 7

16:35


OARC 45

Stockholm, Sweden

Cascade will make its official debut live on stage at OARC 45 in Stockholm.

Watch Software Engineer Arya Khanna dive into the architecture, take a closer look under the hood, and explain how we’re rethinking DNSSEC signing from first principles.


Can’t wait?

Let’s talk now.

If you’re weighing your options, let’s talk today.

We’ll show you why Cascade is built for what’s next — how it fits your stack, and how enterprise-grade support keeps your infrastructure stable, secure, standardized, and scalable.

We’ve led the last 25 years with DNS that delivers under pressure.
Cascade is how we carry the legacy forward.