coredns/plugin/dnssec/dnskey.go

package dnssec

import (
	"context"
	"crypto"
	"crypto/ecdsa"
	"crypto/rsa"
	"encoding/json"
	"errors"
	"os"
	"path/filepath"
	"strings"
	"time"

	"github.com/coredns/coredns/request"

	"github.com/aws/aws-sdk-go-v2/config"
	"github.com/aws/aws-sdk-go-v2/service/secretsmanager"
	"github.com/miekg/dns"
	"golang.org/x/crypto/ed25519"
)

// DNSKEY holds a DNSSEC public and private key used for on-the-fly signing.
type DNSKEY struct {
	K   *dns.DNSKEY
	D   *dns.DS
	s   crypto.Signer
	tag uint16
}

// SecretKeyData represents the structure of the DNS keys stored in AWS Secrets Manager.
type SecretKeyData struct {
	Key     string `json:"key"`
	Private string `json:"private"`
}

// ParseKeyFile read a DNSSEC keyfile as generated by dnssec-keygen or other
// utilities. It adds ".key" for the public key and ".private" for the private key.
func ParseKeyFile(pubFile, privFile string) (*DNSKEY, error) {
	f, e := os.Open(filepath.Clean(pubFile))
	if e != nil {
		return nil, e
	}
	defer f.Close()
	k, e := dns.ReadRR(f, pubFile)
	if e != nil {
		return nil, e
	}

	f, e = os.Open(filepath.Clean(privFile))
	if e != nil {
		return nil, e
	}
	defer f.Close()

	dk, ok := k.(*dns.DNSKEY)
	if !ok {
		return nil, errors.New("no public key found")
	}
	p, e := dk.ReadPrivateKey(f, privFile)
	if e != nil {
		return nil, e
	}

	if s, ok := p.(*rsa.PrivateKey); ok {
		return &DNSKEY{K: dk, D: dk.ToDS(dns.SHA256), s: s, tag: dk.KeyTag()}, nil
	}
	if s, ok := p.(*ecdsa.PrivateKey); ok {
		return &DNSKEY{K: dk, D: dk.ToDS(dns.SHA256), s: s, tag: dk.KeyTag()}, nil
	}
	if s, ok := p.(ed25519.PrivateKey); ok {
		return &DNSKEY{K: dk, D: dk.ToDS(dns.SHA256), s: s, tag: dk.KeyTag()}, nil
	}
	return &DNSKEY{K: dk, D: dk.ToDS(dns.SHA256), s: nil, tag: 0}, errors.New("no private key found")
}

// ParseKeyFromAWSSecretsManager retrieves and parses a DNSSEC key pair from AWS Secrets Manager.
func ParseKeyFromAWSSecretsManager(secretID string) (*DNSKEY, error) {
	// Load the AWS SDK configuration
	cfg, err := config.LoadDefaultConfig(context.TODO())
	if err != nil {
		return nil, err
	}

	// Create a Secrets Manager client
	client := secretsmanager.NewFromConfig(cfg)

	// Retrieve the secret value
	input := &secretsmanager.GetSecretValueInput{
		SecretId: &secretID,
	}
	result, err := client.GetSecretValue(context.TODO(), input)
	if err != nil {
		return nil, err
	}

	// Parse the secret string into SecretKeyData
	var secretData SecretKeyData
	err = json.Unmarshal([]byte(*result.SecretString), &secretData)
	if err != nil {
		return nil, err
	}

	// Parse the public key
	rr, err := dns.NewRR(secretData.Key)
	if err != nil {
		return nil, err
	}
	dk, ok := rr.(*dns.DNSKEY)
	if !ok {
		return nil, errors.New("invalid public key format")
	}

	// Parse the private key
	p, err := dk.ReadPrivateKey(strings.NewReader(secretData.Private), secretID)
	if err != nil {
		return nil, err
	}

	// Create the DNSKEY structure
	var s crypto.Signer
	var tag uint16
	switch key := p.(type) {
	case *rsa.PrivateKey:
		s = key
		tag = dk.KeyTag()
	case *ecdsa.PrivateKey:
		s = key
		tag = dk.KeyTag()
	case ed25519.PrivateKey:
		s = key
		tag = dk.KeyTag()
	default:
		return nil, errors.New("unsupported key type")
	}

	return &DNSKEY{K: dk, D: dk.ToDS(dns.SHA256), s: s, tag: tag}, nil
}

// getDNSKEY returns the correct DNSKEY to the client. Signatures are added when do is true.
func (d Dnssec) getDNSKEY(state request.Request, zone string, do bool, server string) *dns.Msg {
	keys := make([]dns.RR, len(d.keys))
	for i, k := range d.keys {
		keys[i] = dns.Copy(k.K)
		keys[i].Header().Name = zone
	}
	m := new(dns.Msg)
	m.SetReply(state.Req)
	m.Answer = keys
	if !do {
		return m
	}

	incep, expir := incepExpir(time.Now().UTC())
	if sigs, err := d.sign(keys, zone, 3600, incep, expir, server); err == nil {
		m.Answer = append(m.Answer, sigs...)
	}
	return m
}

// Return true if, and only if, this is a zone key with the SEP bit unset. This implies a ZSK (rfc4034 2.1.1).
func (k DNSKEY) isZSK() bool {
	return k.K.Flags&(1<<8) == (1<<8) && k.K.Flags&1 == 0
}

// Return true if, and only if, this is a zone key with the SEP bit set. This implies a KSK (rfc4034 2.1.1).
func (k DNSKEY) isKSK() bool {
	return k.K.Flags&(1<<8) == (1<<8) && k.K.Flags&1 == 1
}
Add middleware/dnssec (#133) This adds an online dnssec middleware. The middleware will sign responses on the fly. Negative responses are signed with NSEC black lies. 2016-04-26 17:57:11 +01:00			`package dnssec`

			`import (`
feat: dnssec load keys from AWS Secrets Manager (#6618) feat: dnssec load keys from AWS Secrets Manager Signed-off-by: kcolemangt <20099734+kcolemangt@users.noreply.github.com> 2024-10-24 14:50:04 -04:00			`"context"`
Add middleware/dnssec (#133) This adds an online dnssec middleware. The middleware will sign responses on the fly. Negative responses are signed with NSEC black lies. 2016-04-26 17:57:11 +01:00			`"crypto"`
			`"crypto/ecdsa"`
			`"crypto/rsa"`
feat: dnssec load keys from AWS Secrets Manager (#6618) feat: dnssec load keys from AWS Secrets Manager Signed-off-by: kcolemangt <20099734+kcolemangt@users.noreply.github.com> 2024-10-24 14:50:04 -04:00			`"encoding/json"`
Add middleware/dnssec (#133) This adds an online dnssec middleware. The middleware will sign responses on the fly. Negative responses are signed with NSEC black lies. 2016-04-26 17:57:11 +01:00			`"errors"`
			`"os"`
Fix security scans by cleaning up file path (#5185) While performing security scans there were several issue raised as G304 (CWE-22): Potential file inclusion via variable. As some files path are taken from user input, it is possible the filepath passed by user may have unintended effect if not properly formed. This fix add Clean to remove the security warning and address some potential issue. Signed-off-by: Yong Tang <yong.tang.github@outlook.com> 2022-02-14 08:24:21 -08:00			`"path/filepath"`
feat: dnssec load keys from AWS Secrets Manager (#6618) feat: dnssec load keys from AWS Secrets Manager Signed-off-by: kcolemangt <20099734+kcolemangt@users.noreply.github.com> 2024-10-24 14:50:04 -04:00			`"strings"`
Add middleware/dnssec (#133) This adds an online dnssec middleware. The middleware will sign responses on the fly. Negative responses are signed with NSEC black lies. 2016-04-26 17:57:11 +01:00			`"time"`

Fix import path `github.com/miekg/coredns` -> `github.com/coredns/coredns` (#547) This fix fixes import path from `github.com/miekg/coredns` -> `github.com/coredns/coredns` 2017-02-21 22:51:47 -08:00			`"github.com/coredns/coredns/request"`
plugin/dnssec, plugin/sign: ed25519 support (#3380) * add ed25519 dnskey support Signed-off-by: Sean Liao <seankhliao@gmail.com> * fix ed25519 type assertion Signed-off-by: Sean Liao <seankhliao@gmail.com> * clean up whitespace Signed-off-by: Sean Liao <seankhliao@gmail.com> 2019-10-16 08:32:11 +02:00
feat: dnssec load keys from AWS Secrets Manager (#6618) feat: dnssec load keys from AWS Secrets Manager Signed-off-by: kcolemangt <20099734+kcolemangt@users.noreply.github.com> 2024-10-24 14:50:04 -04:00			`"github.com/aws/aws-sdk-go-v2/config"`
			`"github.com/aws/aws-sdk-go-v2/service/secretsmanager"`
presubmit: check import path ordering (#3636) Add a test for this as well as it's annoying to point out in every code review. Fix all the import paths that are flagged by this new test. Fixes: #3634 Signed-off-by: Miek Gieben <miek@miek.nl> 2020-01-30 09:19:26 +00:00			`"github.com/miekg/dns"`
plugin/dnssec, plugin/sign: ed25519 support (#3380) * add ed25519 dnskey support Signed-off-by: Sean Liao <seankhliao@gmail.com> * fix ed25519 type assertion Signed-off-by: Sean Liao <seankhliao@gmail.com> * clean up whitespace Signed-off-by: Sean Liao <seankhliao@gmail.com> 2019-10-16 08:32:11 +02:00			`"golang.org/x/crypto/ed25519"`
Add middleware/dnssec (#133) This adds an online dnssec middleware. The middleware will sign responses on the fly. Negative responses are signed with NSEC black lies. 2016-04-26 17:57:11 +01:00			`)`

Golint2 (#280) * Fix linter errors * More linting fixes * More docs and making members private that dont need to be public * Fix linter errors * More linting fixes * More docs and making members private that dont need to be public * More lint fixes This leaves: ~~~ middleware/kubernetes/nametemplate/nametemplate.go:64:6: exported type NameTemplate should have comment or be unexported middleware/kubernetes/nametemplate/nametemplate.go:71:1: exported method NameTemplate.SetTemplate should have comment or be unexported middleware/kubernetes/nametemplate/nametemplate.go:108:1: exported method NameTemplate.GetZoneFromSegmentArray should have comment or be unexported middleware/kubernetes/nametemplate/nametemplate.go:116:1: exported method NameTemplate.GetNamespaceFromSegmentArray should have comment or be unexported middleware/kubernetes/nametemplate/nametemplate.go:120:1: exported method NameTemplate.GetServiceFromSegmentArray should have comment or be unexported middleware/kubernetes/nametemplate/nametemplate.go:124:1: exported method NameTemplate.GetTypeFromSegmentArray should have comment or be unexported middleware/kubernetes/nametemplate/nametemplate.go:135:1: exported method NameTemplate.GetSymbolFromSegmentArray should have comment or be unexported middleware/kubernetes/nametemplate/nametemplate.go:167:1: exported method NameTemplate.IsValid should have comment or be unexported middleware/kubernetes/nametemplate/nametemplate.go:182:6: exported type NameValues should have comment or be unexported middleware/kubernetes/util/util.go:1:1: package comment should be of the form "Package util ..." middleware/kubernetes/util/util.go:27:2: exported const WildcardStar should have comment (or a comment on this block) or be unexported middleware/proxy/lookup.go:66:1: exported method Proxy.Forward should have comment or be unexported middleware/proxy/proxy.go:24:6: exported type Client should have comment or be unexported middleware/proxy/proxy.go:107:1: exported function Clients should have comment or be unexported middleware/proxy/reverseproxy.go:10:6: exported type ReverseProxy should have comment or be unexported middleware/proxy/reverseproxy.go:16:1: exported method ReverseProxy.ServeDNS should have comment or be unexported middleware/proxy/upstream.go:42:6: exported type Options should have comment or be unexported ~~~ I plan on reworking the proxy anyway, so I'll leave that be. 2016-09-23 09:14:12 +01:00			`// DNSKEY holds a DNSSEC public and private key used for on-the-fly signing.`
Add middleware/dnssec (#133) This adds an online dnssec middleware. The middleware will sign responses on the fly. Negative responses are signed with NSEC black lies. 2016-04-26 17:57:11 +01:00			`type DNSKEY struct {`
plugin/dnssec; insert and sign DS records (#1153) * plugin/dnssec; insert and sign DS records Sign a delegation as well and insert DS records. Fixes #698 * better 2017-10-20 09:22:02 +01:00			`K *dns.DNSKEY`
			`D *dns.DS`
			`s crypto.Signer`
			`tag uint16`
Add middleware/dnssec (#133) This adds an online dnssec middleware. The middleware will sign responses on the fly. Negative responses are signed with NSEC black lies. 2016-04-26 17:57:11 +01:00			`}`

feat: dnssec load keys from AWS Secrets Manager (#6618) feat: dnssec load keys from AWS Secrets Manager Signed-off-by: kcolemangt <20099734+kcolemangt@users.noreply.github.com> 2024-10-24 14:50:04 -04:00			`// SecretKeyData represents the structure of the DNS keys stored in AWS Secrets Manager.`
			`type SecretKeyData struct {`
			Key string `json:"key"`
			Private string `json:"private"`
			`}`

Add middleware/dnssec (#133) This adds an online dnssec middleware. The middleware will sign responses on the fly. Negative responses are signed with NSEC black lies. 2016-04-26 17:57:11 +01:00			`// ParseKeyFile read a DNSSEC keyfile as generated by dnssec-keygen or other`
			`// utilities. It adds ".key" for the public key and ".private" for the private key.`
			`func ParseKeyFile(pubFile, privFile string) (*DNSKEY, error) {`
Fix security scans by cleaning up file path (#5185) While performing security scans there were several issue raised as G304 (CWE-22): Potential file inclusion via variable. As some files path are taken from user input, it is possible the filepath passed by user may have unintended effect if not properly formed. This fix add Clean to remove the security warning and address some potential issue. Signed-off-by: Yong Tang <yong.tang.github@outlook.com> 2022-02-14 08:24:21 -08:00			`f, e := os.Open(filepath.Clean(pubFile))`
Add middleware/dnssec (#133) This adds an online dnssec middleware. The middleware will sign responses on the fly. Negative responses are signed with NSEC black lies. 2016-04-26 17:57:11 +01:00			`if e != nil {`
			`return nil, e`
			`}`
plugin/dnssec: Add support for KSK/ZSK split key setups (#2196) * plugin/dnssec: Add support for KSK/ZSK split key setups * plugin/dnssec: Update README to document split ZSK/KSK operation 2018-10-20 17:35:59 +02:00			`defer f.Close()`
Add middleware/dnssec (#133) This adds an online dnssec middleware. The middleware will sign responses on the fly. Negative responses are signed with NSEC black lies. 2016-04-26 17:57:11 +01:00			`k, e := dns.ReadRR(f, pubFile)`
			`if e != nil {`
			`return nil, e`
			`}`

Fix security scans by cleaning up file path (#5185) While performing security scans there were several issue raised as G304 (CWE-22): Potential file inclusion via variable. As some files path are taken from user input, it is possible the filepath passed by user may have unintended effect if not properly formed. This fix add Clean to remove the security warning and address some potential issue. Signed-off-by: Yong Tang <yong.tang.github@outlook.com> 2022-02-14 08:24:21 -08:00			`f, e = os.Open(filepath.Clean(privFile))`
Add middleware/dnssec (#133) This adds an online dnssec middleware. The middleware will sign responses on the fly. Negative responses are signed with NSEC black lies. 2016-04-26 17:57:11 +01:00			`if e != nil {`
			`return nil, e`
			`}`
plugin/dnssec: Add support for KSK/ZSK split key setups (#2196) * plugin/dnssec: Add support for KSK/ZSK split key setups * plugin/dnssec: Update README to document split ZSK/KSK operation 2018-10-20 17:35:59 +02:00			`defer f.Close()`
plugin/dnssec; insert and sign DS records (#1153) * plugin/dnssec; insert and sign DS records Sign a delegation as well and insert DS records. Fixes #698 * better 2017-10-20 09:22:02 +01:00
readme: more tests (#1184) * readme: more tests Add dnssec and file plugin to the test readme. This requires creating a bunch of files with the right content. Doing so already unconvered an unconditional type assertion in DNSSEC. This PR will include the fix for that as well. Also extended the snippets in the file plugin README, so that they are whole Corefile - showing more value and checking all corefile snippets. Create outliner right now is the kubernetes plugin, because even setting the right env vars will result in: open /var/run/secrets/kubernetes.io/serviceaccount/token: no such file or directory": Which we can't create for a test. * lint 2017-10-31 07:14:49 +00:00			`dk, ok := k.(*dns.DNSKEY)`
			`if !ok {`
			`return nil, errors.New("no public key found")`
			`}`
plugin/dnssec; insert and sign DS records (#1153) * plugin/dnssec; insert and sign DS records Sign a delegation as well and insert DS records. Fixes #698 * better 2017-10-20 09:22:02 +01:00			`p, e := dk.ReadPrivateKey(f, privFile)`
Add middleware/dnssec (#133) This adds an online dnssec middleware. The middleware will sign responses on the fly. Negative responses are signed with NSEC black lies. 2016-04-26 17:57:11 +01:00			`if e != nil {`
			`return nil, e`
			`}`

plugin/dnssec; insert and sign DS records (#1153) * plugin/dnssec; insert and sign DS records Sign a delegation as well and insert DS records. Fixes #698 * better 2017-10-20 09:22:02 +01:00			`if s, ok := p.(*rsa.PrivateKey); ok {`
			`return &DNSKEY{K: dk, D: dk.ToDS(dns.SHA256), s: s, tag: dk.KeyTag()}, nil`
Add middleware/dnssec (#133) This adds an online dnssec middleware. The middleware will sign responses on the fly. Negative responses are signed with NSEC black lies. 2016-04-26 17:57:11 +01:00			`}`
plugin/dnssec; insert and sign DS records (#1153) * plugin/dnssec; insert and sign DS records Sign a delegation as well and insert DS records. Fixes #698 * better 2017-10-20 09:22:02 +01:00			`if s, ok := p.(*ecdsa.PrivateKey); ok {`
			`return &DNSKEY{K: dk, D: dk.ToDS(dns.SHA256), s: s, tag: dk.KeyTag()}, nil`
Add middleware/dnssec (#133) This adds an online dnssec middleware. The middleware will sign responses on the fly. Negative responses are signed with NSEC black lies. 2016-04-26 17:57:11 +01:00			`}`
plugin/dnssec, plugin/sign: ed25519 support (#3380) * add ed25519 dnskey support Signed-off-by: Sean Liao <seankhliao@gmail.com> * fix ed25519 type assertion Signed-off-by: Sean Liao <seankhliao@gmail.com> * clean up whitespace Signed-off-by: Sean Liao <seankhliao@gmail.com> 2019-10-16 08:32:11 +02:00			`if s, ok := p.(ed25519.PrivateKey); ok {`
			`return &DNSKEY{K: dk, D: dk.ToDS(dns.SHA256), s: s, tag: dk.KeyTag()}, nil`
			`}`
readme: more tests (#1184) * readme: more tests Add dnssec and file plugin to the test readme. This requires creating a bunch of files with the right content. Doing so already unconvered an unconditional type assertion in DNSSEC. This PR will include the fix for that as well. Also extended the snippets in the file plugin README, so that they are whole Corefile - showing more value and checking all corefile snippets. Create outliner right now is the kubernetes plugin, because even setting the right env vars will result in: open /var/run/secrets/kubernetes.io/serviceaccount/token: no such file or directory": Which we can't create for a test. * lint 2017-10-31 07:14:49 +00:00			`return &DNSKEY{K: dk, D: dk.ToDS(dns.SHA256), s: nil, tag: 0}, errors.New("no private key found")`
Add middleware/dnssec (#133) This adds an online dnssec middleware. The middleware will sign responses on the fly. Negative responses are signed with NSEC black lies. 2016-04-26 17:57:11 +01:00			`}`

feat: dnssec load keys from AWS Secrets Manager (#6618) feat: dnssec load keys from AWS Secrets Manager Signed-off-by: kcolemangt <20099734+kcolemangt@users.noreply.github.com> 2024-10-24 14:50:04 -04:00			`// ParseKeyFromAWSSecretsManager retrieves and parses a DNSSEC key pair from AWS Secrets Manager.`
			`func ParseKeyFromAWSSecretsManager(secretID string) (*DNSKEY, error) {`
			`// Load the AWS SDK configuration`
			`cfg, err := config.LoadDefaultConfig(context.TODO())`
			`if err != nil {`
			`return nil, err`
			`}`

			`// Create a Secrets Manager client`
			`client := secretsmanager.NewFromConfig(cfg)`

			`// Retrieve the secret value`
			`input := &secretsmanager.GetSecretValueInput{`
			`SecretId: &secretID,`
			`}`
			`result, err := client.GetSecretValue(context.TODO(), input)`
			`if err != nil {`
			`return nil, err`
			`}`

			`// Parse the secret string into SecretKeyData`
			`var secretData SecretKeyData`
			`err = json.Unmarshal([]byte(*result.SecretString), &secretData)`
			`if err != nil {`
			`return nil, err`
			`}`

			`// Parse the public key`
			`rr, err := dns.NewRR(secretData.Key)`
			`if err != nil {`
			`return nil, err`
			`}`
			`dk, ok := rr.(*dns.DNSKEY)`
			`if !ok {`
			`return nil, errors.New("invalid public key format")`
			`}`

			`// Parse the private key`
			`p, err := dk.ReadPrivateKey(strings.NewReader(secretData.Private), secretID)`
			`if err != nil {`
			`return nil, err`
			`}`

			`// Create the DNSKEY structure`
			`var s crypto.Signer`
			`var tag uint16`
			`switch key := p.(type) {`
			`case *rsa.PrivateKey:`
			`s = key`
			`tag = dk.KeyTag()`
			`case *ecdsa.PrivateKey:`
			`s = key`
			`tag = dk.KeyTag()`
			`case ed25519.PrivateKey:`
			`s = key`
			`tag = dk.KeyTag()`
			`default:`
			`return nil, errors.New("unsupported key type")`
			`}`

			`return &DNSKEY{K: dk, D: dk.ToDS(dns.SHA256), s: s, tag: tag}, nil`
			`}`

Add middleware/dnssec (#133) This adds an online dnssec middleware. The middleware will sign responses on the fly. Negative responses are signed with NSEC black lies. 2016-04-26 17:57:11 +01:00			`// getDNSKEY returns the correct DNSKEY to the client. Signatures are added when do is true.`
plugin/dnssec: add per server metrics (#1743) * plugin/dnssec: add per server metrics final plugin. Fixes #1696 #1492 #1189 * Move cache cap into handler so we can access the server label * Remove cache-capacity from it entirely 2018-04-27 19:37:31 +01:00			`func (d Dnssec) getDNSKEY(state request.Request, zone string, do bool, server string) *dns.Msg {`
Add middleware/dnssec (#133) This adds an online dnssec middleware. The middleware will sign responses on the fly. Negative responses are signed with NSEC black lies. 2016-04-26 17:57:11 +01:00			`keys := make([]dns.RR, len(d.keys))`
			`for i, k := range d.keys {`
			`keys[i] = dns.Copy(k.K)`
			`keys[i].Header().Name = zone`
			`}`
			`m := new(dns.Msg)`
			`m.SetReply(state.Req)`
			`m.Answer = keys`
			`if !do {`
			`return m`
			`}`

			`incep, expir := incepExpir(time.Now().UTC())`
plugin/dnssec: add per server metrics (#1743) * plugin/dnssec: add per server metrics final plugin. Fixes #1696 #1492 #1189 * Move cache cap into handler so we can access the server label * Remove cache-capacity from it entirely 2018-04-27 19:37:31 +01:00			`if sigs, err := d.sign(keys, zone, 3600, incep, expir, server); err == nil {`
Add middleware/dnssec (#133) This adds an online dnssec middleware. The middleware will sign responses on the fly. Negative responses are signed with NSEC black lies. 2016-04-26 17:57:11 +01:00			`m.Answer = append(m.Answer, sigs...)`
			`}`
			`return m`
			`}`
plugin/dnssec: Add support for KSK/ZSK split key setups (#2196) * plugin/dnssec: Add support for KSK/ZSK split key setups * plugin/dnssec: Update README to document split ZSK/KSK operation 2018-10-20 17:35:59 +02:00
Correct some if/iff mixups (#3406) This is a fixup for https://github.com/coredns/coredns/pull/3310 which replaced some 'iff's with 'if' under the assumption they were typos. I'm fairly confident they were "If and only if" (https://en.wikipedia.org/wiki/If_and_only_if), which is commonly shortened as "iff". I've updated them to the full length 'if, and only if' for the sake of readability. Signed-off-by: Euan Kemp <euan@ngrok.com> 2019-10-29 06:38:56 -07:00			`// Return true if, and only if, this is a zone key with the SEP bit unset. This implies a ZSK (rfc4034 2.1.1).`
plugin/dnssec: Add support for KSK/ZSK split key setups (#2196) * plugin/dnssec: Add support for KSK/ZSK split key setups * plugin/dnssec: Update README to document split ZSK/KSK operation 2018-10-20 17:35:59 +02:00			`func (k DNSKEY) isZSK() bool {`
fix formatting (#2302) 2018-11-13 16:46:48 -05:00			`return k.K.Flags&(1<<8) == (1<<8) && k.K.Flags&1 == 0`
plugin/dnssec: Add support for KSK/ZSK split key setups (#2196) * plugin/dnssec: Add support for KSK/ZSK split key setups * plugin/dnssec: Update README to document split ZSK/KSK operation 2018-10-20 17:35:59 +02:00			`}`

Correct some if/iff mixups (#3406) This is a fixup for https://github.com/coredns/coredns/pull/3310 which replaced some 'iff's with 'if' under the assumption they were typos. I'm fairly confident they were "If and only if" (https://en.wikipedia.org/wiki/If_and_only_if), which is commonly shortened as "iff". I've updated them to the full length 'if, and only if' for the sake of readability. Signed-off-by: Euan Kemp <euan@ngrok.com> 2019-10-29 06:38:56 -07:00			`// Return true if, and only if, this is a zone key with the SEP bit set. This implies a KSK (rfc4034 2.1.1).`
plugin/dnssec: Add support for KSK/ZSK split key setups (#2196) * plugin/dnssec: Add support for KSK/ZSK split key setups * plugin/dnssec: Update README to document split ZSK/KSK operation 2018-10-20 17:35:59 +02:00			`func (k DNSKEY) isKSK() bool {`
fix formatting (#2302) 2018-11-13 16:46:48 -05:00			`return k.K.Flags&(1<<8) == (1<<8) && k.K.Flags&1 == 1`
plugin/dnssec: Add support for KSK/ZSK split key setups (#2196) * plugin/dnssec: Add support for KSK/ZSK split key setups * plugin/dnssec: Update README to document split ZSK/KSK operation 2018-10-20 17:35:59 +02:00			`}`