2016-04-26 17:57:11 +01:00
|
|
|
# dnssec
|
|
|
|
|
|
2016-10-10 20:13:22 +01:00
|
|
|
*dnssec* enables on-the-fly DNSSEC signing of served data.
|
2016-04-26 17:57:11 +01:00
|
|
|
|
|
|
|
|
## Syntax
|
|
|
|
|
|
|
|
|
|
~~~
|
2016-10-10 20:13:22 +01:00
|
|
|
dnssec [ZONES... ] {
|
|
|
|
|
key file KEY...
|
2016-10-18 13:33:23 -07:00
|
|
|
cache_capacity CAPACITY
|
2016-04-26 17:57:11 +01:00
|
|
|
}
|
|
|
|
|
~~~
|
|
|
|
|
|
2017-09-02 11:41:52 -05:00
|
|
|
The specified key is used for all signing operations. The DNSSEC signing will treat this key a
|
|
|
|
|
CSK (common signing key), forgoing the ZSK/KSK split. All signing operations are done online.
|
|
|
|
|
Authenticated denial of existence is implemented with NSEC black lies. Using ECDSA as an algorithm
|
|
|
|
|
is preferred as this leads to smaller signatures (compared to RSA). NSEC3 is *not* supported.
|
|
|
|
|
|
|
|
|
|
If multiple *dnssec* middlewares are specified in the same zone, the last one specified will be
|
|
|
|
|
used ( see [bugs](#bugs) ).
|
|
|
|
|
|
|
|
|
|
* `ZONES` zones that should be signed. If empty, the zones from the configuration block
|
|
|
|
|
are used.
|
|
|
|
|
|
2016-08-22 14:04:21 -07:00
|
|
|
* `key file` indicates that key file(s) should be read from disk. When multiple keys are specified, RRsets
|
2016-04-26 17:57:11 +01:00
|
|
|
will be signed with all keys. Generating a key can be done with `dnssec-keygen`: `dnssec-keygen -a
|
2017-09-02 11:41:52 -05:00
|
|
|
ECDSAP256SHA256 <zonename>`. A key created for zone *A* can be safely used for zone *B*. The name of the
|
|
|
|
|
key file can be specified as one of the following formats
|
|
|
|
|
|
|
|
|
|
* basename of the generated key `Kexample.org+013+45330`
|
|
|
|
|
|
|
|
|
|
* generated public key `Kexample.org+013+45330.key`
|
|
|
|
|
|
|
|
|
|
* generated private key `Kexample.org+013+45330.private`
|
2016-04-26 17:57:11 +01:00
|
|
|
|
2017-09-01 15:54:51 +02:00
|
|
|
* `cache_capacity` indicates the capacity of the cache. The dnssec middleware uses a cache to store
|
|
|
|
|
RRSIGs. The default capacity is 10000.
|
2016-10-18 13:33:23 -07:00
|
|
|
|
2016-10-26 10:01:52 +01:00
|
|
|
## Metrics
|
|
|
|
|
|
|
|
|
|
If monitoring is enabled (via the *prometheus* directive) then the following metrics are exported:
|
|
|
|
|
|
2016-10-30 10:06:57 +01:00
|
|
|
* coredns_dnssec_cache_size{type} - total elements in the cache, type is "signature".
|
|
|
|
|
* coredns_dnssec_cache_capacity{type} - total capacity of the cache, type is "signature".
|
2016-10-31 19:50:50 +01:00
|
|
|
* coredns_dnssec_cache_hits_total - Counter of cache hits.
|
|
|
|
|
* coredns_dnssec_cache_misses_total - Counter of cache misses.
|
2016-10-18 13:33:23 -07:00
|
|
|
|
2016-04-26 17:57:11 +01:00
|
|
|
## Examples
|
2017-09-01 15:54:51 +02:00
|
|
|
|
|
|
|
|
Sign responses for `example.org` with the key "Kexample.org.+013+45330.key".
|
|
|
|
|
|
|
|
|
|
~~~
|
|
|
|
|
example.org:53 {
|
|
|
|
|
dnssec {
|
2017-09-02 11:41:52 -05:00
|
|
|
key file /etc/coredns/Kexample.org.+013+45330
|
2017-09-01 15:54:51 +02:00
|
|
|
}
|
|
|
|
|
whoami
|
|
|
|
|
}
|
|
|
|
|
~~~
|
|
|
|
|
|
2017-09-02 11:41:52 -05:00
|
|
|
Sign responses for a kubernetes zone with the key "Kcluster.local+013+45129.key".
|
|
|
|
|
|
|
|
|
|
~~~
|
|
|
|
|
cluster.local:53 {
|
|
|
|
|
kubernetes cluster.local
|
|
|
|
|
dnssec cluster.local {
|
|
|
|
|
key file /etc/coredns/Kcluster.local+013+45129
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
~~~
|
|
|
|
|
|
2017-09-01 15:54:51 +02:00
|
|
|
## Bugs
|
|
|
|
|
|
|
|
|
|
Multiple *dnssec* middlewares inside one server stanza will silently overwrite earlier ones, here
|
|
|
|
|
`example.local` will overwrite the one for `cluster.local`.
|
|
|
|
|
|
|
|
|
|
~~~
|
|
|
|
|
.:53 {
|
|
|
|
|
kubernetes cluster.local
|
|
|
|
|
dnssec cluster.local {
|
|
|
|
|
key file /etc/coredns/cluster.local
|
|
|
|
|
}
|
|
|
|
|
dnssec example.local {
|
|
|
|
|
key file /etc/coredns/example.local
|
|
|
|
|
}
|
|
|
|
|
whoami
|
|
|
|
|
}
|
|
|
|
|
~~~
|
