coredns/middleware/dnssec/README.md

# dnssec

*dnssec* enables on-the-fly DNSSEC signing of served data.

## Syntax

~~~
dnssec [ZONES...]
~~~

* **ZONES** zones that should be signed. If empty, the zones from the configuration block
    are used.

If keys are not specified (see below), a key is generated and used for all signing operations. The
DNSSEC signing will treat this key a CSK (common signing key), forgoing the ZSK/KSK split. All
signing operations are done online. Authenticated denial of existence is implemented with NSEC black
lies. Using ECDSA as an algorithm is preferred as this leads to smaller signatures (compared to
RSA). NSEC3 is *not* supported.

A single signing key can be specified by using the `key` directive.

NOTE: Key generation has not been implemented yet.

TODO(miek): think about key rollovers, and how to do them automatically.

~~~
dnssec [ZONES... ] {
    key file KEY...
    cache_capacity CAPACITY
}
~~~

* `key file` indicates that key file(s) should be read from disk. When multiple keys are specified, RRsets
  will be signed with all keys. Generating a key can be done with `dnssec-keygen`: `dnssec-keygen -a
  ECDSAP256SHA256 <zonename>`. A key created for zone *A* can be safely used for zone *B*.

* `cache_capacity` indicates the capacity of the LRU cache. The dnssec middleware uses LRU cache to manage
  objects and the default capacity is 10000.

## Metrics

If monitoring is enabled (via the *prometheus* directive) then the following metrics are exported:

* coredns_dnssec_cache_size{type} - total elements in the cache, type is "signature".
* coredns_dnssec_cache_capacity{type} - total capacity of the cache, type is "signature".

## Examples
Add middleware/dnssec (#133) This adds an online dnssec middleware. The middleware will sign responses on the fly. Negative responses are signed with NSEC black lies. 2016-04-26 17:57:11 +01:00			`# dnssec`

docs: rewrite using manpage style (#327) This still needs cleanup, but this is a first pass the cleans some cruft and documents our style (in middleware.md) and makes all the docs match that style. 2016-10-10 20:13:22 +01:00			`dnssec enables on-the-fly DNSSEC signing of served data.`
Add middleware/dnssec (#133) This adds an online dnssec middleware. The middleware will sign responses on the fly. Negative responses are signed with NSEC black lies. 2016-04-26 17:57:11 +01:00
			`## Syntax`

			`~~~`
docs: rewrite using manpage style (#327) This still needs cleanup, but this is a first pass the cleans some cruft and documents our style (in middleware.md) and makes all the docs match that style. 2016-10-10 20:13:22 +01:00			`dnssec [ZONES...]`
Add middleware/dnssec (#133) This adds an online dnssec middleware. The middleware will sign responses on the fly. Negative responses are signed with NSEC black lies. 2016-04-26 17:57:11 +01:00			`~~~`

docs: rewrite using manpage style (#327) This still needs cleanup, but this is a first pass the cleans some cruft and documents our style (in middleware.md) and makes all the docs match that style. 2016-10-10 20:13:22 +01:00			`* ZONES zones that should be signed. If empty, the zones from the configuration block`
Add middleware/dnssec (#133) This adds an online dnssec middleware. The middleware will sign responses on the fly. Negative responses are signed with NSEC black lies. 2016-04-26 17:57:11 +01:00			`are used.`

Update README.md 2016-08-22 14:04:21 -07:00			`If keys are not specified (see below), a key is generated and used for all signing operations. The`
			`DNSSEC signing will treat this key a CSK (common signing key), forgoing the ZSK/KSK split. All`
Add middleware/dnssec (#133) This adds an online dnssec middleware. The middleware will sign responses on the fly. Negative responses are signed with NSEC black lies. 2016-04-26 17:57:11 +01:00			`signing operations are done online. Authenticated denial of existence is implemented with NSEC black`
			`lies. Using ECDSA as an algorithm is preferred as this leads to smaller signatures (compared to`
Update docs Update the file and dnssec docs and glarify what is implement and that we only do NSEC. 2016-08-29 19:15:04 +01:00			`RSA). NSEC3 is not supported.`
Add middleware/dnssec (#133) This adds an online dnssec middleware. The middleware will sign responses on the fly. Negative responses are signed with NSEC black lies. 2016-04-26 17:57:11 +01:00
Fs (#242) * play around with fs idea * docs and fix test * better docs 2016-09-05 09:32:11 +01:00			A single signing key can be specified by using the `key` directive.
Add middleware/dnssec (#133) This adds an online dnssec middleware. The middleware will sign responses on the fly. Negative responses are signed with NSEC black lies. 2016-04-26 17:57:11 +01:00
Update docs Update the file and dnssec docs and glarify what is implement and that we only do NSEC. 2016-08-29 19:15:04 +01:00			`NOTE: Key generation has not been implemented yet.`
middleware/dnssec Add warning about in memory keys and the impossibilty to extract them. 2016-08-14 07:30:41 -07:00
Update docs Update the file and dnssec docs and glarify what is implement and that we only do NSEC. 2016-08-29 19:15:04 +01:00			`TODO(miek): think about key rollovers, and how to do them automatically.`
Add middleware/dnssec (#133) This adds an online dnssec middleware. The middleware will sign responses on the fly. Negative responses are signed with NSEC black lies. 2016-04-26 17:57:11 +01:00
			`~~~`
docs: rewrite using manpage style (#327) This still needs cleanup, but this is a first pass the cleans some cruft and documents our style (in middleware.md) and makes all the docs match that style. 2016-10-10 20:13:22 +01:00			`dnssec [ZONES... ] {`
			`key file KEY...`
Add `cache_capacity` option to dnssec middleware for the capacity of LRU cache (#339) This fix adds a `cache_capacity` option to dnssec middleware, so that it is possible to specify the capacity of the LRU cache used by dnssec middleware. Signed-off-by: Yong Tang <yong.tang.github@outlook.com> 2016-10-18 13:33:23 -07:00			`cache_capacity CAPACITY`
Add middleware/dnssec (#133) This adds an online dnssec middleware. The middleware will sign responses on the fly. Negative responses are signed with NSEC black lies. 2016-04-26 17:57:11 +01:00			`}`
			`~~~`

Update README.md 2016-08-22 14:04:21 -07:00			* `key file` indicates that key file(s) should be read from disk. When multiple keys are specified, RRsets
Add middleware/dnssec (#133) This adds an online dnssec middleware. The middleware will sign responses on the fly. Negative responses are signed with NSEC black lies. 2016-04-26 17:57:11 +01:00			will be signed with all keys. Generating a key can be done with `dnssec-keygen`: `dnssec-keygen -a
			ECDSAP256SHA256 <zonename>`. A key created for zone A can be safely used for zone B.

Add `cache_capacity` option to dnssec middleware for the capacity of LRU cache (#339) This fix adds a `cache_capacity` option to dnssec middleware, so that it is possible to specify the capacity of the LRU cache used by dnssec middleware. Signed-off-by: Yong Tang <yong.tang.github@outlook.com> 2016-10-18 13:33:23 -07:00			* `cache_capacity` indicates the capacity of the LRU cache. The dnssec middleware uses LRU cache to manage
			`objects and the default capacity is 10000.`

middleware/metrics: cleanup (#355) * middleware/metrics: add more metrics middleware/cache: Add metrics for number of elements in the cache. Also export the total size. Update README to detail the new metrics. middleware/metrics Move metrics into subpackage called "vars". This breaks the import cycle and is cleaner. This allows vars.Report to be used in the the dnsserver to log refused queries. middleware/metrics: tests Add tests to the metrics framework. The metrics/test subpackage allows scraping of the local server. Do a few test scrape of the metrics that are defined in the metrics middleware. This also allows metrics integration tests to check if the caching and dnssec middleware export their metrics correctly. * update README * typos * fix tests 2016-10-26 10:01:52 +01:00			`## Metrics`

			`If monitoring is enabled (via the prometheus directive) then the following metrics are exported:`

Update metric names (#371) Cleanup names/typos to match standard naming conventions. 2016-10-30 10:06:57 +01:00			`* coredns_dnssec_cache_size{type} - total elements in the cache, type is "signature".`
			`* coredns_dnssec_cache_capacity{type} - total capacity of the cache, type is "signature".`
Add `cache_capacity` option to dnssec middleware for the capacity of LRU cache (#339) This fix adds a `cache_capacity` option to dnssec middleware, so that it is possible to specify the capacity of the LRU cache used by dnssec middleware. Signed-off-by: Yong Tang <yong.tang.github@outlook.com> 2016-10-18 13:33:23 -07:00
Add middleware/dnssec (#133) This adds an online dnssec middleware. The middleware will sign responses on the fly. Negative responses are signed with NSEC black lies. 2016-04-26 17:57:11 +01:00			`## Examples`