man/coredns-tls.7

.\" Generated by Mmark Markdown Processer - mmark.miek.nl
.TH "COREDNS-TLS" 7 "October 2020" "CoreDNS" "CoreDNS Plugins"

.SH "NAME"
.PP
\fItls\fP - allows you to configure the server certificates for the TLS and gRPC servers.

.SH "DESCRIPTION"
.PP
CoreDNS supports queries that are encrypted using TLS (DNS over Transport Layer Security, RFC 7858)
or are using gRPC (https://grpc.io/
\[la]https://grpc.io/\[ra], not an IETF standard). Normally DNS traffic isn't encrypted at
all (DNSSEC only signs resource records).

.PP
The \fItls\fP "plugin" allows you to configure the cryptographic keys that are needed for both
DNS-over-TLS and DNS-over-gRPC. If the \fItls\fP plugin is omitted, then no encryption takes place.

.PP
The gRPC protobuffer is defined in \fB\fCpb/dns.proto\fR. It defines the proto as a simple wrapper for the
wire data of a DNS message.

.SH "SYNTAX"
.PP
.RS

.nf
tls CERT KEY [CA]

.fi
.RE

.PP
Parameter CA is optional. If not set, system CAs can be used to verify the client certificate

.PP
.RS

.nf
tls CERT KEY [CA] {
    client\_auth nocert|request|require|verify\_if\_given|require\_and\_verify
}

.fi
.RE

.PP
If client_auth option is specified, it controls the client authentication policy.
The option value corresponds to the ClientAuthType values of the Go tls package
\[la]https://golang.org/pkg/crypto/tls/#ClientAuthType\[ra]: NoClientCert, RequestClientCert, RequireAnyClientCert, VerifyClientCertIfGiven, and RequireAndVerifyClientCert, respectively.
The default is "nocert".  Note that it makes no sense to specify parameter CA unless this option is
set to verify_if_given or require_and_verify.

.SH "EXAMPLES"
.PP
Start a DNS-over-TLS server that picks up incoming DNS-over-TLS queries on port 5553 and uses the
nameservers defined in \fB\fC/etc/resolv.conf\fR to resolve the query. This proxy path uses plain old DNS.

.PP
.RS

.nf
tls://.:5553 {
    tls cert.pem key.pem ca.pem
    forward . /etc/resolv.conf
}

.fi
.RE

.PP
Start a DNS-over-gRPC server that is similar to the previous example, but using DNS-over-gRPC for
incoming queries.

.PP
.RS

.nf
grpc://. {
    tls cert.pem key.pem ca.pem
    forward . /etc/resolv.conf
}

.fi
.RE

.PP
Only Knot DNS' \fB\fCkdig\fR supports DNS-over-TLS queries, no command line client supports gRPC making
debugging these transports harder than it should be.

.SH "ALSO SEE"
.PP
RFC 7858 and https://grpc.io
\[la]https://grpc.io\[ra].
doc update: run Makefile.doc (#3232) Add the new plugins ones: clouddns and sign. Remove federation from it. Signed-off-by: Miek Gieben <miek@miek.nl> 2019-08-30 15:58:25 +01:00			`.\" Generated by Mmark Markdown Processer - mmark.miek.nl`
auto make -f Makefile.doc 2020-10-12 17:10:58 +00:00			`.TH "COREDNS-TLS" 7 "October 2020" "CoreDNS" "CoreDNS Plugins"`
docs: Regenerate all manpages using mmark (#2762) Mmark recently became able to create manual pages. This removed the dependency on 'ronn' and just uses mmark (Go program). Re-hookup Makefile.doc to generate the correct header mmark needs to see and regenate them all. Spot checking a few pages suggest they look good and actually better than rendered with ronn, esp. lists in lists. Fixes #2757 Signed-off-by: Miek Gieben <miek@miek.nl> 2019-04-06 08:42:40 +01:00
doc: make -f Makefile.doc (#2919) mechanical change: create the manual pages. Signed-off-by: Miek Gieben <miek@miek.nl> 2019-06-24 12:37:27 +01:00			`.SH "NAME"`
docs: Regenerate all manpages using mmark (#2762) Mmark recently became able to create manual pages. This removed the dependency on 'ronn' and just uses mmark (Go program). Re-hookup Makefile.doc to generate the correct header mmark needs to see and regenate them all. Spot checking a few pages suggest they look good and actually better than rendered with ronn, esp. lists in lists. Fixes #2757 Signed-off-by: Miek Gieben <miek@miek.nl> 2019-04-06 08:42:40 +01:00			`.PP`
			`\fItls\fP - allows you to configure the server certificates for the TLS and gRPC servers.`

doc: make -f Makefile.doc (#2919) mechanical change: create the manual pages. Signed-off-by: Miek Gieben <miek@miek.nl> 2019-06-24 12:37:27 +01:00			`.SH "DESCRIPTION"`
docs: Regenerate all manpages using mmark (#2762) Mmark recently became able to create manual pages. This removed the dependency on 'ronn' and just uses mmark (Go program). Re-hookup Makefile.doc to generate the correct header mmark needs to see and regenate them all. Spot checking a few pages suggest they look good and actually better than rendered with ronn, esp. lists in lists. Fixes #2757 Signed-off-by: Miek Gieben <miek@miek.nl> 2019-04-06 08:42:40 +01:00			`.PP`
			`CoreDNS supports queries that are encrypted using TLS (DNS over Transport Layer Security, RFC 7858)`
			`or are using gRPC (https://grpc.io/`
			`\[la]https://grpc.io/\[ra], not an IETF standard). Normally DNS traffic isn't encrypted at`
			`all (DNSSEC only signs resource records).`

			`.PP`
			`The \fItls\fP "plugin" allows you to configure the cryptographic keys that are needed for both`
Run makefile.doc (#3365) Generate manual pages; no other changes. Signed-off-by: Miek Gieben <miek@miek.nl> 2019-10-10 07:45:28 +01:00			`DNS-over-TLS and DNS-over-gRPC. If the \fItls\fP plugin is omitted, then no encryption takes place.`
docs: Regenerate all manpages using mmark (#2762) Mmark recently became able to create manual pages. This removed the dependency on 'ronn' and just uses mmark (Go program). Re-hookup Makefile.doc to generate the correct header mmark needs to see and regenate them all. Spot checking a few pages suggest they look good and actually better than rendered with ronn, esp. lists in lists. Fixes #2757 Signed-off-by: Miek Gieben <miek@miek.nl> 2019-04-06 08:42:40 +01:00
			`.PP`
			`The gRPC protobuffer is defined in \fB\fCpb/dns.proto\fR. It defines the proto as a simple wrapper for the`
			`wire data of a DNS message.`

doc: make -f Makefile.doc (#2919) mechanical change: create the manual pages. Signed-off-by: Miek Gieben <miek@miek.nl> 2019-06-24 12:37:27 +01:00			`.SH "SYNTAX"`
docs: Regenerate all manpages using mmark (#2762) Mmark recently became able to create manual pages. This removed the dependency on 'ronn' and just uses mmark (Go program). Re-hookup Makefile.doc to generate the correct header mmark needs to see and regenate them all. Spot checking a few pages suggest they look good and actually better than rendered with ronn, esp. lists in lists. Fixes #2757 Signed-off-by: Miek Gieben <miek@miek.nl> 2019-04-06 08:42:40 +01:00			`.PP`
			`.RS`
Manual pages (#1346) * Add manual pages Generate manual pages from the README and extend README with Name and Description sections. The generation requires 'ronn' which may not be available. Just check in all generated manual pages. 2018-01-04 12:53:07 +00:00
docs: Regenerate all manpages using mmark (#2762) Mmark recently became able to create manual pages. This removed the dependency on 'ronn' and just uses mmark (Go program). Re-hookup Makefile.doc to generate the correct header mmark needs to see and regenate them all. Spot checking a few pages suggest they look good and actually better than rendered with ronn, esp. lists in lists. Fixes #2757 Signed-off-by: Miek Gieben <miek@miek.nl> 2019-04-06 08:42:40 +01:00			`.nf`
generate doc for 1.1.3 (#1832) 2018-05-24 07:51:59 +01:00			`tls CERT KEY [CA]`
docs: Regenerate all manpages using mmark (#2762) Mmark recently became able to create manual pages. This removed the dependency on 'ronn' and just uses mmark (Go program). Re-hookup Makefile.doc to generate the correct header mmark needs to see and regenate them all. Spot checking a few pages suggest they look good and actually better than rendered with ronn, esp. lists in lists. Fixes #2757 Signed-off-by: Miek Gieben <miek@miek.nl> 2019-04-06 08:42:40 +01:00
Manual pages (#1346) * Add manual pages Generate manual pages from the README and extend README with Name and Description sections. The generation requires 'ronn' which may not be available. Just check in all generated manual pages. 2018-01-04 12:53:07 +00:00			`.fi`
docs: Regenerate all manpages using mmark (#2762) Mmark recently became able to create manual pages. This removed the dependency on 'ronn' and just uses mmark (Go program). Re-hookup Makefile.doc to generate the correct header mmark needs to see and regenate them all. Spot checking a few pages suggest they look good and actually better than rendered with ronn, esp. lists in lists. Fixes #2757 Signed-off-by: Miek Gieben <miek@miek.nl> 2019-04-06 08:42:40 +01:00			`.RE`

			`.PP`
			`Parameter CA is optional. If not set, system CAs can be used to verify the client certificate`

doc: make -f Makefile.doc (#2919) mechanical change: create the manual pages. Signed-off-by: Miek Gieben <miek@miek.nl> 2019-06-24 12:37:27 +01:00			`.PP`
			`.RS`

			`.nf`
			`tls CERT KEY [CA] {`
			`client\_auth nocert\|request\|require\|verify\_if\_given\|require\_and\_verify`
			`}`

			`.fi`
			`.RE`

			`.PP`
doc: fix generated manual pages (#3571) Went over all generated manual pages and fixed some markdown issues, mostly escaping "_" to avoid underlining entire paragraphs. Some textual fixes in route53 and other cloud DNS plugins. Regenerated the markdown with mmark. Signed-off-by: Miek Gieben <miek@miek.nl> 2019-12-29 13:35:17 +01:00			`If client_auth option is specified, it controls the client authentication policy.`
doc: make -f Makefile.doc (#2919) mechanical change: create the manual pages. Signed-off-by: Miek Gieben <miek@miek.nl> 2019-06-24 12:37:27 +01:00			`The option value corresponds to the ClientAuthType values of the Go tls package`
			`\[la]https://golang.org/pkg/crypto/tls/#ClientAuthType\[ra]: NoClientCert, RequestClientCert, RequireAnyClientCert, VerifyClientCertIfGiven, and RequireAndVerifyClientCert, respectively.`
doc: fix generated manual pages (#3571) Went over all generated manual pages and fixed some markdown issues, mostly escaping "_" to avoid underlining entire paragraphs. Some textual fixes in route53 and other cloud DNS plugins. Regenerated the markdown with mmark. Signed-off-by: Miek Gieben <miek@miek.nl> 2019-12-29 13:35:17 +01:00			`The default is "nocert". Note that it makes no sense to specify parameter CA unless this option is`
			`set to verify_if_given or require_and_verify.`
doc: make -f Makefile.doc (#2919) mechanical change: create the manual pages. Signed-off-by: Miek Gieben <miek@miek.nl> 2019-06-24 12:37:27 +01:00
			`.SH "EXAMPLES"`
docs: Regenerate all manpages using mmark (#2762) Mmark recently became able to create manual pages. This removed the dependency on 'ronn' and just uses mmark (Go program). Re-hookup Makefile.doc to generate the correct header mmark needs to see and regenate them all. Spot checking a few pages suggest they look good and actually better than rendered with ronn, esp. lists in lists. Fixes #2757 Signed-off-by: Miek Gieben <miek@miek.nl> 2019-04-06 08:42:40 +01:00			`.PP`
			`Start a DNS-over-TLS server that picks up incoming DNS-over-TLS queries on port 5553 and uses the`
			`nameservers defined in \fB\fC/etc/resolv.conf\fR to resolve the query. This proxy path uses plain old DNS.`
Manual pages (#1346) * Add manual pages Generate manual pages from the README and extend README with Name and Description sections. The generation requires 'ronn' which may not be available. Just check in all generated manual pages. 2018-01-04 12:53:07 +00:00
docs: Regenerate all manpages using mmark (#2762) Mmark recently became able to create manual pages. This removed the dependency on 'ronn' and just uses mmark (Go program). Re-hookup Makefile.doc to generate the correct header mmark needs to see and regenate them all. Spot checking a few pages suggest they look good and actually better than rendered with ronn, esp. lists in lists. Fixes #2757 Signed-off-by: Miek Gieben <miek@miek.nl> 2019-04-06 08:42:40 +01:00			`.PP`
			`.RS`

			`.nf`
			`tls://.:5553 {`
doc: run make -f Makefile.doc (#3314) add the acl manual page; mechanical change otherwise. Signed-off-by: Miek Gieben <miek@miek.nl> 2019-09-27 13:30:22 +01:00			`tls cert.pem key.pem ca.pem`
			`forward . /etc/resolv.conf`
Manual pages (#1346) * Add manual pages Generate manual pages from the README and extend README with Name and Description sections. The generation requires 'ronn' which may not be available. Just check in all generated manual pages. 2018-01-04 12:53:07 +00:00			`}`
docs: Regenerate all manpages using mmark (#2762) Mmark recently became able to create manual pages. This removed the dependency on 'ronn' and just uses mmark (Go program). Re-hookup Makefile.doc to generate the correct header mmark needs to see and regenate them all. Spot checking a few pages suggest they look good and actually better than rendered with ronn, esp. lists in lists. Fixes #2757 Signed-off-by: Miek Gieben <miek@miek.nl> 2019-04-06 08:42:40 +01:00
Manual pages (#1346) * Add manual pages Generate manual pages from the README and extend README with Name and Description sections. The generation requires 'ronn' which may not be available. Just check in all generated manual pages. 2018-01-04 12:53:07 +00:00			`.fi`
docs: Regenerate all manpages using mmark (#2762) Mmark recently became able to create manual pages. This removed the dependency on 'ronn' and just uses mmark (Go program). Re-hookup Makefile.doc to generate the correct header mmark needs to see and regenate them all. Spot checking a few pages suggest they look good and actually better than rendered with ronn, esp. lists in lists. Fixes #2757 Signed-off-by: Miek Gieben <miek@miek.nl> 2019-04-06 08:42:40 +01:00			`.RE`

			`.PP`
			`Start a DNS-over-gRPC server that is similar to the previous example, but using DNS-over-gRPC for`
			`incoming queries.`

			`.PP`
			`.RS`
Manual pages (#1346) * Add manual pages Generate manual pages from the README and extend README with Name and Description sections. The generation requires 'ronn' which may not be available. Just check in all generated manual pages. 2018-01-04 12:53:07 +00:00
docs: Regenerate all manpages using mmark (#2762) Mmark recently became able to create manual pages. This removed the dependency on 'ronn' and just uses mmark (Go program). Re-hookup Makefile.doc to generate the correct header mmark needs to see and regenate them all. Spot checking a few pages suggest they look good and actually better than rendered with ronn, esp. lists in lists. Fixes #2757 Signed-off-by: Miek Gieben <miek@miek.nl> 2019-04-06 08:42:40 +01:00			`.nf`
			`grpc://. {`
doc: run make -f Makefile.doc (#3314) add the acl manual page; mechanical change otherwise. Signed-off-by: Miek Gieben <miek@miek.nl> 2019-09-27 13:30:22 +01:00			`tls cert.pem key.pem ca.pem`
			`forward . /etc/resolv.conf`
Manual pages (#1346) * Add manual pages Generate manual pages from the README and extend README with Name and Description sections. The generation requires 'ronn' which may not be available. Just check in all generated manual pages. 2018-01-04 12:53:07 +00:00			`}`
docs: Regenerate all manpages using mmark (#2762) Mmark recently became able to create manual pages. This removed the dependency on 'ronn' and just uses mmark (Go program). Re-hookup Makefile.doc to generate the correct header mmark needs to see and regenate them all. Spot checking a few pages suggest they look good and actually better than rendered with ronn, esp. lists in lists. Fixes #2757 Signed-off-by: Miek Gieben <miek@miek.nl> 2019-04-06 08:42:40 +01:00
Manual pages (#1346) * Add manual pages Generate manual pages from the README and extend README with Name and Description sections. The generation requires 'ronn' which may not be available. Just check in all generated manual pages. 2018-01-04 12:53:07 +00:00			`.fi`
docs: Regenerate all manpages using mmark (#2762) Mmark recently became able to create manual pages. This removed the dependency on 'ronn' and just uses mmark (Go program). Re-hookup Makefile.doc to generate the correct header mmark needs to see and regenate them all. Spot checking a few pages suggest they look good and actually better than rendered with ronn, esp. lists in lists. Fixes #2757 Signed-off-by: Miek Gieben <miek@miek.nl> 2019-04-06 08:42:40 +01:00			`.RE`

			`.PP`
			`Only Knot DNS' \fB\fCkdig\fR supports DNS-over-TLS queries, no command line client supports gRPC making`
			`debugging these transports harder than it should be.`

doc: make -f Makefile.doc (#2919) mechanical change: create the manual pages. Signed-off-by: Miek Gieben <miek@miek.nl> 2019-06-24 12:37:27 +01:00			`.SH "ALSO SEE"`
docs: Regenerate all manpages using mmark (#2762) Mmark recently became able to create manual pages. This removed the dependency on 'ronn' and just uses mmark (Go program). Re-hookup Makefile.doc to generate the correct header mmark needs to see and regenate them all. Spot checking a few pages suggest they look good and actually better than rendered with ronn, esp. lists in lists. Fixes #2757 Signed-off-by: Miek Gieben <miek@miek.nl> 2019-04-06 08:42:40 +01:00			`.PP`
			`RFC 7858 and https://grpc.io`
			`\[la]https://grpc.io\[ra].`