coredns/plugin/dnssec/README.md

# dnssec

## Name

*dnssec* - enables on-the-fly DNSSEC signing of served data.

## Description

With *dnssec*, any reply that doesn't (or can't) do DNSSEC will get signed on the fly. Authenticated
denial of existence is implemented with NSEC black lies. Using ECDSA as an algorithm is preferred as
this leads to smaller signatures (compared to RSA). NSEC3 is *not* supported.

This plugin can only be used once per Server Block.

## Syntax

~~~
dnssec [ZONES... ] {
    key file|aws_secretsmanager KEY...
    cache_capacity CAPACITY
}
~~~

The signing behavior depends on the keys specified. If multiple keys are specified of which there is
at least one key with the SEP bit set and at least one key with the SEP bit unset, signing will happen
in split ZSK/KSK mode. DNSKEY records will be signed with all keys that have the SEP bit set. All other
records will be signed with all keys that do not have the SEP bit set.

In any other case, each specified key will be treated as a CSK (common signing key), forgoing the
ZSK/KSK split. All signing operations are done online.
Authenticated denial of existence is implemented with NSEC black lies. Using ECDSA as an algorithm
is preferred as this leads to smaller signatures (compared to RSA). NSEC3 is *not* supported.

As the *dnssec* plugin can't see the original TTL of the RRSets it signs, it will always use 3600s
as the value.

If multiple *dnssec* plugins are specified in the same zone, the last one specified will be
used.

* **ZONES** zones that should be signed. If empty, the zones from the configuration block
    are used.

* `key file` indicates that **KEY** file(s) should be read from disk. When multiple keys are specified, RRsets
  will be signed with all keys. Generating a key can be done with `dnssec-keygen`: `dnssec-keygen -a
  ECDSAP256SHA256 <zonename>`. A key created for zone *A* can be safely used for zone *B*. The name of the
  key file can be specified in one of the following formats

    * basename of the generated key `Kexample.org+013+45330`
    * generated public key `Kexample.org+013+45330.key`
    * generated private key `Kexample.org+013+45330.private`

* `key aws_secretsmanager` indicates that **KEY** secret(s) should be read from AWS Secrets Manager. Secret
  names or ARNs may be used. After generating the keys as described in the `key file` section, you can
  store them in AWS Secrets Manager using the following AWS CLI v2 command:

  ```sh
  aws secretsmanager create-secret --name "Kexample.org.+013+45330" \
  --description "DNSSEC keys for example.org" \
  --secret-string "$(jq -n --arg key "$(cat Kexample.org.+013+45330.key)" \
  --arg private "$(cat Kexample.org.+013+45330.private)" \
  '{key: $key, private: $private}')"
  ```

  This command reads the contents of the `.key` and `.private` files, constructs a JSON object, and stores it
  as a new secret in AWS Secrets Manager with the specified name and description. CoreDNS will then fetch
  the key data from AWS Secrets Manager when using the `key aws_secretsmanager` directive.

  [AWS SDK for Go V2](https://aws.github.io/aws-sdk-go-v2/docs/configuring-sdk/#specifying-credentials) is used
  for authentication with AWS Secrets Manager. Make sure the provided AWS credentials have the necessary
  permissions (e.g., `secretsmanager:GetSecretValue`) to access the specified secrets in AWS Secrets Manager.

* `cache_capacity` indicates the capacity of the cache. The dnssec plugin uses a cache to store
  RRSIGs. The default for **CAPACITY** is 10000.

## Metrics

If monitoring is enabled (via the *prometheus* plugin) then the following metrics are exported:

* `coredns_dnssec_cache_entries{server, type}` - total elements in the cache, type is "signature".
* `coredns_dnssec_cache_hits_total{server}` - Counter of cache hits.
* `coredns_dnssec_cache_misses_total{server}` - Counter of cache misses.

The label `server` indicated the server handling the request, see the *metrics* plugin for details.

## Examples

Sign responses for `example.org` with the key "Kexample.org.+013+45330.key".

~~~ corefile
example.org {
    dnssec {
        key file Kexample.org.+013+45330
    }
    whoami
}
~~~

Sign responses for `example.org` with the key stored in AWS Secrets Manager under the secret name
"Kexample.org.+013+45330".

~~~
example.org {
    dnssec {
        key aws_secretsmanager Kexample.org.+013+45330
    }
    whoami
}
~~~

Sign responses for a kubernetes zone with the key "Kcluster.local+013+45129.key".

~~~
cluster.local {
    kubernetes
    dnssec {
      key file Kcluster.local+013+45129
    }
}
~~~
Add middleware/dnssec (#133) This adds an online dnssec middleware. The middleware will sign responses on the fly. Negative responses are signed with NSEC black lies. 2016-04-26 17:57:11 +01:00			`# dnssec`

Manual pages (#1346) * Add manual pages Generate manual pages from the README and extend README with Name and Description sections. The generation requires 'ronn' which may not be available. Just check in all generated manual pages. 2018-01-04 12:53:07 +00:00			`## Name`

Making dnssec's README consistent with other plugins' READMEs (#3252) 2019-09-08 00:26:06 -07:00			`dnssec - enables on-the-fly DNSSEC signing of served data.`
Manual pages (#1346) * Add manual pages Generate manual pages from the README and extend README with Name and Description sections. The generation requires 'ronn' which may not be available. Just check in all generated manual pages. 2018-01-04 12:53:07 +00:00
			`## Description`

Making dnssec's README consistent with other plugins' READMEs (#3252) 2019-09-08 00:26:06 -07:00			`With dnssec, any reply that doesn't (or can't) do DNSSEC will get signed on the fly. Authenticated`
Manual pages (#1346) * Add manual pages Generate manual pages from the README and extend README with Name and Description sections. The generation requires 'ronn' which may not be available. Just check in all generated manual pages. 2018-01-04 12:53:07 +00:00			`denial of existence is implemented with NSEC black lies. Using ECDSA as an algorithm is preferred as`
			`this leads to smaller signatures (compared to RSA). NSEC3 is not supported.`
Add middleware/dnssec (#133) This adds an online dnssec middleware. The middleware will sign responses on the fly. Negative responses are signed with NSEC black lies. 2016-04-26 17:57:11 +01:00
return an error for multiple use of some plugins (#1559) * plugins: Return error for multiple use of some Return plugin.ErrOnce when a plugin that doesn't support it, is called mutliple times. This now adds it for: cache, dnssec, errors, forward, hosts, nsid. And changes it slightly in kubernetes, pprof, reload, root. * more tests 2018-02-28 18:16:05 -08:00			`This plugin can only be used once per Server Block.`

Add middleware/dnssec (#133) This adds an online dnssec middleware. The middleware will sign responses on the fly. Negative responses are signed with NSEC black lies. 2016-04-26 17:57:11 +01:00			`## Syntax`

			`~~~`
docs: rewrite using manpage style (#327) This still needs cleanup, but this is a first pass the cleans some cruft and documents our style (in middleware.md) and makes all the docs match that style. 2016-10-10 20:13:22 +01:00			`dnssec [ZONES... ] {`
feat: dnssec load keys from AWS Secrets Manager (#6618) feat: dnssec load keys from AWS Secrets Manager Signed-off-by: kcolemangt <20099734+kcolemangt@users.noreply.github.com> 2024-10-24 14:50:04 -04:00			`key file\|aws_secretsmanager KEY...`
Add `cache_capacity` option to dnssec middleware for the capacity of LRU cache (#339) This fix adds a `cache_capacity` option to dnssec middleware, so that it is possible to specify the capacity of the LRU cache used by dnssec middleware. Signed-off-by: Yong Tang <yong.tang.github@outlook.com> 2016-10-18 13:33:23 -07:00			`cache_capacity CAPACITY`
Add middleware/dnssec (#133) This adds an online dnssec middleware. The middleware will sign responses on the fly. Negative responses are signed with NSEC black lies. 2016-04-26 17:57:11 +01:00			`}`
			`~~~`

plugin/dnssec: Add support for KSK/ZSK split key setups (#2196) * plugin/dnssec: Add support for KSK/ZSK split key setups * plugin/dnssec: Update README to document split ZSK/KSK operation 2018-10-20 17:35:59 +02:00			`The signing behavior depends on the keys specified. If multiple keys are specified of which there is`
			`at least one key with the SEP bit set and at least one key with the SEP bit unset, signing will happen`
			`in split ZSK/KSK mode. DNSKEY records will be signed with all keys that have the SEP bit set. All other`
			`records will be signed with all keys that do not have the SEP bit set.`

			`In any other case, each specified key will be treated as a CSK (common signing key), forgoing the`
			`ZSK/KSK split. All signing operations are done online.`
Cleaning up dnssec docs (#1016) 2017-09-02 11:41:52 -05:00			`Authenticated denial of existence is implemented with NSEC black lies. Using ECDSA as an algorithm`
			`is preferred as this leads to smaller signatures (compared to RSA). NSEC3 is not supported.`

plugin/dnssec: use entire RRset as key input (#4537) * plugin/dnssec: use entire RRset as key input This uses the entire rrset as input for the hash key; this is to detect differences in the RRset and generate the correct signature. As this would then lead to unbounded growth, we periodically (every 8h) prune the cache of old entries. In theory we could rely on the random eviction, but it seems nicer to do this in a maintannce loop so that we remove the unused ones. This required adding a Walk function to the plugin/pkg/cache. Signed-off-by: Miek Gieben <miek@miek.nl> * Update plugin/dnssec/cache.go Co-authored-by: Chris O'Haver <cohaver@infoblox.com> Co-authored-by: Chris O'Haver <cohaver@infoblox.com> 2021-04-05 15:45:28 +02:00			`As the dnssec plugin can't see the original TTL of the RRSets it signs, it will always use 3600s`
			`as the value.`

Remove the word middleware (#1067) * Rename middleware to plugin first pass; mostly used 'sed', few spots where I manually changed text. This still builds a coredns binary. * fmt error * Rename AddMiddleware to AddPlugin * Readd AddMiddleware to remain backwards compat 2017-09-14 09:36:06 +01:00			`If multiple dnssec plugins are specified in the same zone, the last one specified will be`
plugin/dnssec: use entire RRset as key input (#4537) * plugin/dnssec: use entire RRset as key input This uses the entire rrset as input for the hash key; this is to detect differences in the RRset and generate the correct signature. As this would then lead to unbounded growth, we periodically (every 8h) prune the cache of old entries. In theory we could rely on the random eviction, but it seems nicer to do this in a maintannce loop so that we remove the unused ones. This required adding a Walk function to the plugin/pkg/cache. Signed-off-by: Miek Gieben <miek@miek.nl> * Update plugin/dnssec/cache.go Co-authored-by: Chris O'Haver <cohaver@infoblox.com> Co-authored-by: Chris O'Haver <cohaver@infoblox.com> 2021-04-05 15:45:28 +02:00			`used.`
Cleaning up dnssec docs (#1016) 2017-09-02 11:41:52 -05:00
doc update (#1140) * doc update Go through all README and fix mistakes, extend example and let more corefile snippets be test for validity. * Cant use spefic addr in test 2017-10-10 09:39:35 +02:00			`* ZONES zones that should be signed. If empty, the zones from the configuration block`
Cleaning up dnssec docs (#1016) 2017-09-02 11:41:52 -05:00			`are used.`

doc update (#1140) * doc update Go through all README and fix mistakes, extend example and let more corefile snippets be test for validity. * Cant use spefic addr in test 2017-10-10 09:39:35 +02:00			* `key file` indicates that KEY file(s) should be read from disk. When multiple keys are specified, RRsets
Add middleware/dnssec (#133) This adds an online dnssec middleware. The middleware will sign responses on the fly. Negative responses are signed with NSEC black lies. 2016-04-26 17:57:11 +01:00			will be signed with all keys. Generating a key can be done with `dnssec-keygen`: `dnssec-keygen -a
Cleaning up dnssec docs (#1016) 2017-09-02 11:41:52 -05:00			ECDSAP256SHA256 <zonename>`. A key created for zone A can be safely used for zone B. The name of the
Update README.md (#1374) Fixing a couple of small textual problems. 2018-01-10 23:31:34 -08:00			`key file can be specified in one of the following formats`
Cleaning up dnssec docs (#1016) 2017-09-02 11:41:52 -05:00
			* basename of the generated key `Kexample.org+013+45330`
			* generated public key `Kexample.org+013+45330.key`
			* generated private key `Kexample.org+013+45330.private`
Add middleware/dnssec (#133) This adds an online dnssec middleware. The middleware will sign responses on the fly. Negative responses are signed with NSEC black lies. 2016-04-26 17:57:11 +01:00
feat: dnssec load keys from AWS Secrets Manager (#6618) feat: dnssec load keys from AWS Secrets Manager Signed-off-by: kcolemangt <20099734+kcolemangt@users.noreply.github.com> 2024-10-24 14:50:04 -04:00			* `key aws_secretsmanager` indicates that KEY secret(s) should be read from AWS Secrets Manager. Secret
			names or ARNs may be used. After generating the keys as described in the `key file` section, you can
			`store them in AWS Secrets Manager using the following AWS CLI v2 command:`

			```sh
			`aws secretsmanager create-secret --name "Kexample.org.+013+45330" \`
			`--description "DNSSEC keys for example.org" \`
			`--secret-string "$(jq -n --arg key "$(cat Kexample.org.+013+45330.key)" \`
			`--arg private "$(cat Kexample.org.+013+45330.private)" \`
			`'{key: $key, private: $private}')"`
			```

			This command reads the contents of the `.key` and `.private` files, constructs a JSON object, and stores it
			`as a new secret in AWS Secrets Manager with the specified name and description. CoreDNS will then fetch`
			the key data from AWS Secrets Manager when using the `key aws_secretsmanager` directive.

			`[AWS SDK for Go V2](https://aws.github.io/aws-sdk-go-v2/docs/configuring-sdk/#specifying-credentials) is used`
			`for authentication with AWS Secrets Manager. Make sure the provided AWS credentials have the necessary`
			permissions (e.g., `secretsmanager:GetSecretValue`) to access the specified secrets in AWS Secrets Manager.

Remove the word middleware (#1067) * Rename middleware to plugin first pass; mostly used 'sed', few spots where I manually changed text. This still builds a coredns binary. * fmt error * Rename AddMiddleware to AddPlugin * Readd AddMiddleware to remain backwards compat 2017-09-14 09:36:06 +01:00			* `cache_capacity` indicates the capacity of the cache. The dnssec plugin uses a cache to store
doc update (#1140) * doc update Go through all README and fix mistakes, extend example and let more corefile snippets be test for validity. * Cant use spefic addr in test 2017-10-10 09:39:35 +02:00			`RRSIGs. The default for CAPACITY is 10000.`
Add `cache_capacity` option to dnssec middleware for the capacity of LRU cache (#339) This fix adds a `cache_capacity` option to dnssec middleware, so that it is possible to specify the capacity of the LRU cache used by dnssec middleware. Signed-off-by: Yong Tang <yong.tang.github@outlook.com> 2016-10-18 13:33:23 -07:00
middleware/metrics: cleanup (#355) * middleware/metrics: add more metrics middleware/cache: Add metrics for number of elements in the cache. Also export the total size. Update README to detail the new metrics. middleware/metrics Move metrics into subpackage called "vars". This breaks the import cycle and is cleaner. This allows vars.Report to be used in the the dnsserver to log refused queries. middleware/metrics: tests Add tests to the metrics framework. The metrics/test subpackage allows scraping of the local server. Do a few test scrape of the metrics that are defined in the metrics middleware. This also allows metrics integration tests to check if the caching and dnssec middleware export their metrics correctly. * update README * typos * fix tests 2016-10-26 10:01:52 +01:00			`## Metrics`

Directive -> plugin (#3363) Caught my eye, we name things directive still, esp when talking about the prometheus plugin. Rename everything that needs to be plugin to 'plugin'. Also make sure Metrics is a H2 section (not H1). Signed-off-by: Miek Gieben <miek@miek.nl> 2019-10-08 10:20:48 +01:00			`If monitoring is enabled (via the prometheus plugin) then the following metrics are exported:`
middleware/metrics: cleanup (#355) * middleware/metrics: add more metrics middleware/cache: Add metrics for number of elements in the cache. Also export the total size. Update README to detail the new metrics. middleware/metrics Move metrics into subpackage called "vars". This breaks the import cycle and is cleaner. This allows vars.Report to be used in the the dnsserver to log refused queries. middleware/metrics: tests Add tests to the metrics framework. The metrics/test subpackage allows scraping of the local server. Do a few test scrape of the metrics that are defined in the metrics middleware. This also allows metrics integration tests to check if the caching and dnssec middleware export their metrics correctly. * update README * typos * fix tests 2016-10-26 10:01:52 +01:00
introduce metric naming test (#3789) * introduce metric naming test Signed-off-by: zounengren <zounengren@cmss.chinamobile.com> * Update metrics.go Signed-off-by: zounengren <zounengren@cmss.chinamobile.com> 2020-03-31 14:07:36 +08:00			* `coredns_dnssec_cache_entries{server, type}` - total elements in the cache, type is "signature".
plugin/dnssec: add per server metrics (#1743) * plugin/dnssec: add per server metrics final plugin. Fixes #1696 #1492 #1189 * Move cache cap into handler so we can access the server label * Remove cache-capacity from it entirely 2018-04-27 19:37:31 +01:00			* `coredns_dnssec_cache_hits_total{server}` - Counter of cache hits.
			* `coredns_dnssec_cache_misses_total{server}` - Counter of cache misses.

			The label `server` indicated the server handling the request, see the metrics plugin for details.
Add `cache_capacity` option to dnssec middleware for the capacity of LRU cache (#339) This fix adds a `cache_capacity` option to dnssec middleware, so that it is possible to specify the capacity of the LRU cache used by dnssec middleware. Signed-off-by: Yong Tang <yong.tang.github@outlook.com> 2016-10-18 13:33:23 -07:00
Add middleware/dnssec (#133) This adds an online dnssec middleware. The middleware will sign responses on the fly. Negative responses are signed with NSEC black lies. 2016-04-26 17:57:11 +01:00			`## Examples`
mw/dnssec: improve docs (#1015) * mw/dnssec: improve docs Improve the docs: add example and details the perrils of having multiple dnssec middlewares in one zone. * better 2017-09-01 15:54:51 +02:00
			Sign responses for `example.org` with the key "Kexample.org.+013+45330.key".

readme: more tests (#1184) * readme: more tests Add dnssec and file plugin to the test readme. This requires creating a bunch of files with the right content. Doing so already unconvered an unconditional type assertion in DNSSEC. This PR will include the fix for that as well. Also extended the snippets in the file plugin README, so that they are whole Corefile - showing more value and checking all corefile snippets. Create outliner right now is the kubernetes plugin, because even setting the right env vars will result in: open /var/run/secrets/kubernetes.io/serviceaccount/token: no such file or directory": Which we can't create for a test. * lint 2017-10-31 07:14:49 +00:00			`~~~ corefile`
			`example.org {`
mw/dnssec: improve docs (#1015) * mw/dnssec: improve docs Improve the docs: add example and details the perrils of having multiple dnssec middlewares in one zone. * better 2017-09-01 15:54:51 +02:00			`dnssec {`
readme: more tests (#1184) * readme: more tests Add dnssec and file plugin to the test readme. This requires creating a bunch of files with the right content. Doing so already unconvered an unconditional type assertion in DNSSEC. This PR will include the fix for that as well. Also extended the snippets in the file plugin README, so that they are whole Corefile - showing more value and checking all corefile snippets. Create outliner right now is the kubernetes plugin, because even setting the right env vars will result in: open /var/run/secrets/kubernetes.io/serviceaccount/token: no such file or directory": Which we can't create for a test. * lint 2017-10-31 07:14:49 +00:00			`key file Kexample.org.+013+45330`
mw/dnssec: improve docs (#1015) * mw/dnssec: improve docs Improve the docs: add example and details the perrils of having multiple dnssec middlewares in one zone. * better 2017-09-01 15:54:51 +02:00			`}`
			`whoami`
			`}`
			`~~~`

feat: dnssec load keys from AWS Secrets Manager (#6618) feat: dnssec load keys from AWS Secrets Manager Signed-off-by: kcolemangt <20099734+kcolemangt@users.noreply.github.com> 2024-10-24 14:50:04 -04:00			Sign responses for `example.org` with the key stored in AWS Secrets Manager under the secret name
			`"Kexample.org.+013+45330".`

			`~~~`
			`example.org {`
			`dnssec {`
			`key aws_secretsmanager Kexample.org.+013+45330`
			`}`
			`whoami`
			`}`
			`~~~`

Cleaning up dnssec docs (#1016) 2017-09-02 11:41:52 -05:00			`Sign responses for a kubernetes zone with the key "Kcluster.local+013+45129.key".`

			`~~~`
readme: more tests (#1184) * readme: more tests Add dnssec and file plugin to the test readme. This requires creating a bunch of files with the right content. Doing so already unconvered an unconditional type assertion in DNSSEC. This PR will include the fix for that as well. Also extended the snippets in the file plugin README, so that they are whole Corefile - showing more value and checking all corefile snippets. Create outliner right now is the kubernetes plugin, because even setting the right env vars will result in: open /var/run/secrets/kubernetes.io/serviceaccount/token: no such file or directory": Which we can't create for a test. * lint 2017-10-31 07:14:49 +00:00			`cluster.local {`
			`kubernetes`
			`dnssec {`
			`key file Kcluster.local+013+45129`
Cleaning up dnssec docs (#1016) 2017-09-02 11:41:52 -05:00			`}`
			`}`
			`~~~`