# dnssec

*dnssec* enables on-the-fly DNSSEC signing of served data.

## Syntax

~~~
dnssec [ZONES...]
~~~

* **ZONES** zones that should be signed. If empty, the zones from the configuration block are used.

If keys are not specified (see below), a key is meant to be generated and used for all signing operations (but note below that key generation has not been implemented yet, so in practice a key file must be supplied). The DNSSEC signing treats this key as a CSK (common signing key), forgoing the ZSK/KSK split. All signing operations are done online, which means the private key has to be readable by the CoreDNS process on every server that signs the zone; restrict access to the key file accordingly. Authenticated denial of existence is implemented with NSEC black lies. Using ECDSA as the algorithm is preferred, as it leads to smaller signatures (compared to RSA). NSEC3 is *not* supported.
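What an NSEC "black lie" looks like, and why it does not need NSEC3 to avoid disclosing other names, as an added illustration that is not part of this README or of CoreDNS' own code: the signer answers a name or type it does not have with NOERROR and an NSEC whose owner is the queried name itself and whose next name is the queried name with a leading NUL-byte label, the smallest possible successor. The function names, the string representation of names and the simplified set of types placed in the bitmap are this example's own assumptions, not what CoreDNS emits.

```python
# Added example (not CoreDNS code): NSEC black lies on the signer side and the
# corresponding check on the validator side. Names are plain strings; the NUL
# label is written as the four characters \000, the way dig prints it. The
# types put into the bitmap are a simplification of what a real signer emits.

def _labels(name):
    """Labels of a fully qualified name, root end first, lowercased, with the
    escaped NUL label turned into a single 0x00 byte so that it sorts first."""
    name = name.rstrip(".")
    if not name:
        return []
    out = []
    for lab in name.split("."):
        out.append(b"\x00" if lab == "\\000" else lab.lower().encode("ascii"))
    out.reverse()
    return out


def canonical_lt(a, b):
    """True if name a sorts before name b in DNSSEC canonical order
    (RFC 4034 section 6.1: compare from the root label down, byte-wise,
    a name that is a prefix of another sorts first)."""
    la, lb = _labels(a), _labels(b)
    for x, y in zip(la, lb):
        if x != y:
            return x < y
    return len(la) < len(lb)


def black_lie(qname, qtype, existing_types):
    """Deny qname/qtype. existing_types are the types qname really has
    (empty when the name does not exist at all).

    Instead of NXDOMAIN plus an NSEC spanning two real names, return NOERROR
    with an NSEC whose owner is qname and whose next name is qname with a
    leading NUL-byte label. Nothing can sort between the two, so the record
    proves nothing about any other name in the zone (no zone walking).
    Returns (rcode, nsec) with nsec = (owner, next, frozenset of types)."""
    if qtype in existing_types:
        raise ValueError("nothing to deny: %s has %s" % (qname, qtype))
    bitmap = frozenset(existing_types) | {"NSEC", "RRSIG"}
    return "NOERROR", (qname, "\\000." + qname, bitmap)


def nsec_denies(qname, qtype, nsec):
    """Validator side: does this NSEC (assumed to have a valid RRSIG already)
    prove that qname/qtype does not exist?"""
    owner, nxt, bitmap = nsec
    if owner.lower() == qname.lower():
        # The name exists (or is claimed to): denial holds only if the type is
        # absent from the bitmap. A black lie is always handled here.
        return qtype not in bitmap
    # Classic covering NSEC: qname falls strictly between owner and next
    # (the wrap-around case at the end of the zone is not handled here).
    return canonical_lt(owner, qname) and canonical_lt(qname, nxt)


if __name__ == "__main__":
    rcode, nsec = black_lie("nonexistent.example.org.", "A", [])
    print(rcode, nsec, nsec_denies("nonexistent.example.org.", "A", nsec))
```

Two consequences worth knowing before deploying this: a validating resolver never sees NXDOMAIN for a name in such a zone, only an empty NOERROR answer, and because the NSEC's owner is the queried name, each distinct non-existent name has to be signed online on a cache miss, which is the load the RRSIG cache described under `cache_capacity` absorbs.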

One or more signing keys can be specified by using the `key` directive.

NOTE: Key generation has not been implemented yet.

~~~
dnssec [ZONES...] {
    key file KEY...
    cache_capacity CAPACITY
}
~~~

* `key file` indicates that key file(s) should be read from disk. When multiple keys are specified, RRsets will be signed with all keys. Generating a key can be done with `dnssec-keygen`: `dnssec-keygen -a ECDSAP256SHA256 <zonename>`. This writes a `K<zonename>+013+<keytag>.key` file holding the public DNSKEY record and a matching `.private` file holding the signing key; both are needed, and only the `.private` file has to be kept secret. A key created for zone *A* can be safely used for zone *B*.

* `cache_capacity` indicates the capacity of the cache. The dnssec middleware uses a cache to store RRSIGs. The default capacity is 10000. Every answer that is not in the cache has to be signed online, including each NSEC black lie (whose owner name is the queried name), so for zones that receive many queries for distinct names watch the cache hit and miss metrics below when sizing it.
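Before pointing `key file` at a key produced by `dnssec-keygen`, it is worth checking that the file really is what its name claims. The following is an added example, not part of this README or of CoreDNS: a small Python checker that parses a `.key` file, recomputes the key tag from the DNSKEY RDATA (RFC 4034 Appendix B) and confirms that the `K<zone>+<alg>+<tag>` file name, the protocol field, the algorithm and the flags match. The sample key file is constructed inline with a made-up 64-byte public key (not a real key), and `check_key` and the other function names are the example's own.

```python
import base64
import re
import struct

# Added example (not CoreDNS code). A constructed dnssec-keygen style ".key"
# file for a synthetic ECDSAP256SHA256 key: the 64-byte "public key" is just
# the bytes 1..64 and is NOT a real key. The comment lines mimic dnssec-keygen.
SAMPLE_PUBKEY = bytes(range(1, 65))
SAMPLE_KEY_FILE = (
    "; This is a key-signing key, keyid 2098, for example.org.\n"
    "; Created: 20170901135451 (Fri Sep  1 15:54:51 2017)\n"
    "example.org. IN DNSKEY 257 3 13 "
    + base64.b64encode(SAMPLE_PUBKEY).decode("ascii")
    + "\n"
)

ECDSAP256SHA256 = 13
ZONE_FLAG = 0x0100  # RFC 4034 flags bit 7: this DNSKEY is a zone key
SEP_FLAG = 0x0001   # bit 15: Secure Entry Point, set on the key a DS points at

DNSKEY_RE = re.compile(
    r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?DNSKEY\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S.*)$"
)


def parse_key_file(text):
    """Return (owner, flags, protocol, algorithm, pubkey) from the first DNSKEY
    record in a .key file; lines starting with ';' are comments."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = DNSKEY_RE.match(line)
        if not m:
            raise ValueError("not a DNSKEY record: " + line)
        owner, flags, proto, alg, b64 = m.groups()
        pubkey = base64.b64decode("".join(b64.split()))
        return owner, int(flags), int(proto), int(alg), pubkey
    raise ValueError("no DNSKEY record found")


def key_tag(flags, protocol, algorithm, pubkey):
    """Key tag over the DNSKEY RDATA, RFC 4034 Appendix B."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + pubkey
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def expected_base_name(owner, algorithm, tag):
    """dnssec-keygen's file naming: K<owner>+<alg, 3 digits>+<tag, 5 digits>."""
    return "K%s+%03d+%05d" % (owner, algorithm, tag)


def check_key(text, path):
    """Findings (empty when clean) for a key file about to be handed to the
    dnssec middleware; path may end in .key or .private or have no suffix."""
    owner, flags, proto, alg, pub = parse_key_file(text)
    base = re.sub(r"\.(key|private)$", "", path.rsplit("/", 1)[-1])
    want = expected_base_name(owner, alg, key_tag(flags, proto, alg, pub))
    findings = []
    if base != want:
        findings.append("file name %s does not match key contents (expected %s)" % (base, want))
    if proto != 3:
        findings.append("protocol field must be 3, got %d" % proto)
    if alg != ECDSAP256SHA256:
        findings.append("algorithm %d: README recommends ECDSAP256SHA256 (13) for smaller signatures" % alg)
    if not flags & ZONE_FLAG:
        findings.append("ZONE flag (256) not set: not usable as a zone signing key")
    if not flags & SEP_FLAG:
        findings.append("SEP flag (1) not set: a CSK is usually published with flags 257")
    return findings


if __name__ == "__main__":
    found = check_key(SAMPLE_KEY_FILE, "/etc/coredns/Kexample.org.+013+02098.key")
    for line in found or ["key file looks consistent"]:
        print(line)
```

A mismatch between the file name and the recomputed tag usually means a key file was renamed or copied over another; since the middleware signs with whatever it loads, that is caught more cheaply here than by a validating resolver after the DS at the parent stops matching.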

## Metrics

If monitoring is enabled (via the *prometheus* directive) then the following metrics are exported:

* coredns_dnssec_cache_size{type} - total elements in the cache, type is "signature".
* coredns_dnssec_cache_capacity{type} - total capacity of the cache, type is "signature".
* coredns_dnssec_cache_hits_total - counter of cache hits.
* coredns_dnssec_cache_misses_total - counter of cache misses.

## Examples

Sign responses for `example.org` with the key "Kexample.org.+013+45330.key".

~~~
example.org:53 {
    dnssec {
        key file /etc/coredns/Kexample.org.+013+45330.key
    }
    whoami
}
~~~

## Bugs

Multiple *dnssec* middlewares inside one server stanza will silently overwrite earlier ones; in the following example the block for `example.local` overwrites the one for `cluster.local`, so `cluster.local` ends up unsigned.

~~~
.:53 {
    kubernetes cluster.local
    dnssec cluster.local {
        key file /etc/coredns/cluster.local
    }
    dnssec example.local {
        key file /etc/coredns/example.local
    }
    whoami
}
~~~