plugin/tls/README.md

# tls

*tls* allows you to configure the server certificates for the TLS and gRPC servers.
For other types of servers it is ignored.

CoreDNS supports queries that are encrypted using TLS (DNS over Transport Layer Security, RFC 7858)
or are using gRPC (https://grpc.io/, not an IETF standard). Normally DNS traffic isn't encrypted at
all (DNSSEC only signs resource records).

The *proxy* plugin also support gRPC (`protocol gRPC`), meaning you can chain CoreDNS servers
using this protocol.

The *tls* "plugin" allows you to configure the cryptographic keys that are needed for both
DNS-over-TLS and DNS-over-gRPC. If the `tls` directive is omitted, then no encryption takes place.

The gRPC protobuffer is defined in `pb/dns.proto`. It defines the proto as a simple wrapper for the
wire data of a DNS message.

## Syntax

~~~ txt
tls CERT KEY CA
~~~

## Examples

Start a DNS-over-TLS server that picks up incoming DNS-over-TLS queries on port 5553 and uses the
nameservers defined in `/etc/resolv.conf` to resolve the query. This proxy path uses plain old DNS.

~~~
tls://.:5553 {
	tls cert.pem key.pem ca.pem
	proxy . /etc/resolv.conf
}
~~~

Start a DNS-over-gRPC server that is similar to the previous example, but using DNS-over-gRPC for
incoming queries.

~~~
grpc://. {
	tls cert.pem key.pem ca.pem
	proxy . /etc/resolv.conf
}
~~~

Only Knot DNS' `kdig` supports DNS-over-TLS queries, no command line client supports gRPC making
debugging these transports harder than it should be.

## Also See

RFC 7858 and https://grpc.io.
core: add more transports (#574) * core: add listening for other protocols Allow CoreDNS to listen for TLS request coming over port 853. This can be enabled with `tls://` in the config file. Implement listening for grps:// as well. a Corefile like: ~~~ . tls://.:1853 { whoami tls } ~~~ Means we listen on 1853 for tls requests, the `tls` config item allows configuration for TLS parameters. We might be tempted to use Caddy's Let's Encrypt implementation here. * Refactor coredns/grpc into CoreDNS This makes gRPC a first class citizen in CoreDNS. Add defines as being just another server. * some cleanups * unexport the servers * Move protobuf dir * Hook up TLS properly * Fix test * listen for TLS as well. README updates * disable test, fix package * fix test * Fix tests * Fix remaining test * Some tests * Make the test work * Add grpc test from #580 * fix crash * Fix tests * Close conn * README cleanups * README * link RFC 2017-03-13 20:24:37 +00:00			`# tls`

Clean up the tls middleware README (#631) 2017-04-19 17:43:10 -04:00			`tls allows you to configure the server certificates for the TLS and gRPC servers.`
			`For other types of servers it is ignored.`
core: add more transports (#574) * core: add listening for other protocols Allow CoreDNS to listen for TLS request coming over port 853. This can be enabled with `tls://` in the config file. Implement listening for grps:// as well. a Corefile like: ~~~ . tls://.:1853 { whoami tls } ~~~ Means we listen on 1853 for tls requests, the `tls` config item allows configuration for TLS parameters. We might be tempted to use Caddy's Let's Encrypt implementation here. * Refactor coredns/grpc into CoreDNS This makes gRPC a first class citizen in CoreDNS. Add defines as being just another server. * some cleanups * unexport the servers * Move protobuf dir * Hook up TLS properly * Fix test * listen for TLS as well. README updates * disable test, fix package * fix test * Fix tests * Fix remaining test * Some tests * Make the test work * Add grpc test from #580 * fix crash * Fix tests * Close conn * README cleanups * README * link RFC 2017-03-13 20:24:37 +00:00
Update the tls documentation (#1061) * Update the tls documentation * cant test corefile because we dont have pem data * Add note on client support 2017-09-12 14:54:26 +01:00			`CoreDNS supports queries that are encrypted using TLS (DNS over Transport Layer Security, RFC 7858)`
			`or are using gRPC (https://grpc.io/, not an IETF standard). Normally DNS traffic isn't encrypted at`
			`all (DNSSEC only signs resource records).`

Remove the word middleware (#1067) * Rename middleware to plugin first pass; mostly used 'sed', few spots where I manually changed text. This still builds a coredns binary. * fmt error * Rename AddMiddleware to AddPlugin * Readd AddMiddleware to remain backwards compat 2017-09-14 09:36:06 +01:00			The proxy plugin also support gRPC (`protocol gRPC`), meaning you can chain CoreDNS servers
Update the tls documentation (#1061) * Update the tls documentation * cant test corefile because we dont have pem data * Add note on client support 2017-09-12 14:54:26 +01:00			`using this protocol.`

Remove the word middleware (#1067) * Rename middleware to plugin first pass; mostly used 'sed', few spots where I manually changed text. This still builds a coredns binary. * fmt error * Rename AddMiddleware to AddPlugin * Readd AddMiddleware to remain backwards compat 2017-09-14 09:36:06 +01:00			`The tls "plugin" allows you to configure the cryptographic keys that are needed for both`
Update the tls documentation (#1061) * Update the tls documentation * cant test corefile because we dont have pem data * Add note on client support 2017-09-12 14:54:26 +01:00			DNS-over-TLS and DNS-over-gRPC. If the `tls` directive is omitted, then no encryption takes place.

			The gRPC protobuffer is defined in `pb/dns.proto`. It defines the proto as a simple wrapper for the
			`wire data of a DNS message.`

core: add more transports (#574) * core: add listening for other protocols Allow CoreDNS to listen for TLS request coming over port 853. This can be enabled with `tls://` in the config file. Implement listening for grps:// as well. a Corefile like: ~~~ . tls://.:1853 { whoami tls } ~~~ Means we listen on 1853 for tls requests, the `tls` config item allows configuration for TLS parameters. We might be tempted to use Caddy's Let's Encrypt implementation here. * Refactor coredns/grpc into CoreDNS This makes gRPC a first class citizen in CoreDNS. Add defines as being just another server. * some cleanups * unexport the servers * Move protobuf dir * Hook up TLS properly * Fix test * listen for TLS as well. README updates * disable test, fix package * fix test * Fix tests * Fix remaining test * Some tests * Make the test work * Add grpc test from #580 * fix crash * Fix tests * Close conn * README cleanups * README * link RFC 2017-03-13 20:24:37 +00:00			`## Syntax`

			`~~~ txt`
Clean up the tls middleware README (#631) 2017-04-19 17:43:10 -04:00			`tls CERT KEY CA`
core: add more transports (#574) * core: add listening for other protocols Allow CoreDNS to listen for TLS request coming over port 853. This can be enabled with `tls://` in the config file. Implement listening for grps:// as well. a Corefile like: ~~~ . tls://.:1853 { whoami tls } ~~~ Means we listen on 1853 for tls requests, the `tls` config item allows configuration for TLS parameters. We might be tempted to use Caddy's Let's Encrypt implementation here. * Refactor coredns/grpc into CoreDNS This makes gRPC a first class citizen in CoreDNS. Add defines as being just another server. * some cleanups * unexport the servers * Move protobuf dir * Hook up TLS properly * Fix test * listen for TLS as well. README updates * disable test, fix package * fix test * Fix tests * Fix remaining test * Some tests * Make the test work * Add grpc test from #580 * fix crash * Fix tests * Close conn * README cleanups * README * link RFC 2017-03-13 20:24:37 +00:00			`~~~`

			`## Examples`
Clean up the tls middleware README (#631) 2017-04-19 17:43:10 -04:00
Update the tls documentation (#1061) * Update the tls documentation * cant test corefile because we dont have pem data * Add note on client support 2017-09-12 14:54:26 +01:00			`Start a DNS-over-TLS server that picks up incoming DNS-over-TLS queries on port 5553 and uses the`
			nameservers defined in `/etc/resolv.conf` to resolve the query. This proxy path uses plain old DNS.
Clean up the tls middleware README (#631) 2017-04-19 17:43:10 -04:00
			`~~~`
Update the tls documentation (#1061) * Update the tls documentation * cant test corefile because we dont have pem data * Add note on client support 2017-09-12 14:54:26 +01:00			`tls://.:5553 {`
Clean up the tls middleware README (#631) 2017-04-19 17:43:10 -04:00			`tls cert.pem key.pem ca.pem`
			`proxy . /etc/resolv.conf`
			`}`
			`~~~`

Update the tls documentation (#1061) * Update the tls documentation * cant test corefile because we dont have pem data * Add note on client support 2017-09-12 14:54:26 +01:00			`Start a DNS-over-gRPC server that is similar to the previous example, but using DNS-over-gRPC for`
			`incoming queries.`
Clean up the tls middleware README (#631) 2017-04-19 17:43:10 -04:00
			`~~~`
Update the tls documentation (#1061) * Update the tls documentation * cant test corefile because we dont have pem data * Add note on client support 2017-09-12 14:54:26 +01:00			`grpc://. {`
Clean up the tls middleware README (#631) 2017-04-19 17:43:10 -04:00			`tls cert.pem key.pem ca.pem`
			`proxy . /etc/resolv.conf`
			`}`
			`~~~`
Update the tls documentation (#1061) * Update the tls documentation * cant test corefile because we dont have pem data * Add note on client support 2017-09-12 14:54:26 +01:00
			Only Knot DNS' `kdig` supports DNS-over-TLS queries, no command line client supports gRPC making
			`debugging these transports harder than it should be.`

			`## Also See`

			`RFC 7858 and https://grpc.io.`