coredns/plugin/dnssec/README.md

# dnssec

## Name

*dnssec* - enable on-the-fly DNSSEC signing of served data.

## Description

With *dnssec* any reply that doesn't (or can't) do DNSSEC will get signed on-the-fly. Authenticated
denial of existence is implemented with NSEC black lies. Using ECDSA as an algorithm is preferred as
this leads to smaller signatures (compared to RSA). NSEC3 is *not* supported.

## Syntax

~~~
dnssec [ZONES... ] {
    key file KEY...
    cache_capacity CAPACITY
}
~~~

The specified key is used for all signing operations. The DNSSEC signing will treat this key a
CSK (common signing key), forgoing the ZSK/KSK split. All signing operations are done online.
Authenticated denial of existence is implemented with NSEC black lies. Using ECDSA as an algorithm
is preferred as this leads to smaller signatures (compared to RSA). NSEC3 is *not* supported.

If multiple *dnssec* plugins are specified in the same zone, the last one specified will be
used (See [bugs](#bugs)).

* **ZONES** zones that should be signed. If empty, the zones from the configuration block
    are used.

* `key file` indicates that **KEY** file(s) should be read from disk. When multiple keys are specified, RRsets
  will be signed with all keys. Generating a key can be done with `dnssec-keygen`: `dnssec-keygen -a
  ECDSAP256SHA256 <zonename>`. A key created for zone *A* can be safely used for zone *B*. The name of the
  key file can be specified as one of the following formats

    * basename of the generated key `Kexample.org+013+45330`
    * generated public key `Kexample.org+013+45330.key`
    * generated private key `Kexample.org+013+45330.private`

* `cache_capacity` indicates the capacity of the cache. The dnssec plugin uses a cache to store
  RRSIGs. The default for **CAPACITY** is 10000.

## Metrics

If monitoring is enabled (via the *prometheus* directive) then the following metrics are exported:

* `coredns_dnssec_cache_size{type}` - total elements in the cache, type is "signature".
* `coredns_dnssec_cache_capacity{type}` - total capacity of the cache, type is "signature".
* `coredns_dnssec_cache_hits_total{}` - Counter of cache hits.
* `coredns_dnssec_cache_misses_total{}` - Counter of cache misses.

## Examples

Sign responses for `example.org` with the key "Kexample.org.+013+45330.key".

~~~ corefile
example.org {
    dnssec {
        key file Kexample.org.+013+45330
    }
    whoami
}
~~~

Sign responses for a kubernetes zone with the key "Kcluster.local+013+45129.key".

~~~
cluster.local {
    kubernetes
    dnssec {
      key file Kcluster.local+013+45129
    }
}
~~~

## Bugs

Multiple *dnssec* plugins inside one server stanza will silently overwrite earlier ones, here
`example.org` will overwrite the one for `cluster.local`.

~~~
. {
    kubernetes cluster.local
    dnssec cluster.local {
      key file Kcluster.local+013+45129
    }
    dnssec example.org {
      key file Kexample.org.+013+45330
    }
}
~~~
Add middleware/dnssec (#133) This adds an online dnssec middleware. The middleware will sign responses on the fly. Negative responses are signed with NSEC black lies. 2016-04-26 17:57:11 +01:00			`# dnssec`

Manual pages (#1346) * Add manual pages Generate manual pages from the README and extend README with Name and Description sections. The generation requires 'ronn' which may not be available. Just check in all generated manual pages. 2018-01-04 12:53:07 +00:00			`## Name`

			`dnssec - enable on-the-fly DNSSEC signing of served data.`

			`## Description`

			`With dnssec any reply that doesn't (or can't) do DNSSEC will get signed on-the-fly. Authenticated`
			`denial of existence is implemented with NSEC black lies. Using ECDSA as an algorithm is preferred as`
			`this leads to smaller signatures (compared to RSA). NSEC3 is not supported.`
Add middleware/dnssec (#133) This adds an online dnssec middleware. The middleware will sign responses on the fly. Negative responses are signed with NSEC black lies. 2016-04-26 17:57:11 +01:00
			`## Syntax`

			`~~~`
docs: rewrite using manpage style (#327) This still needs cleanup, but this is a first pass the cleans some cruft and documents our style (in middleware.md) and makes all the docs match that style. 2016-10-10 20:13:22 +01:00			`dnssec [ZONES... ] {`
			`key file KEY...`
Add `cache_capacity` option to dnssec middleware for the capacity of LRU cache (#339) This fix adds a `cache_capacity` option to dnssec middleware, so that it is possible to specify the capacity of the LRU cache used by dnssec middleware. Signed-off-by: Yong Tang <yong.tang.github@outlook.com> 2016-10-18 13:33:23 -07:00			`cache_capacity CAPACITY`
Add middleware/dnssec (#133) This adds an online dnssec middleware. The middleware will sign responses on the fly. Negative responses are signed with NSEC black lies. 2016-04-26 17:57:11 +01:00			`}`
			`~~~`

Cleaning up dnssec docs (#1016) 2017-09-02 11:41:52 -05:00			`The specified key is used for all signing operations. The DNSSEC signing will treat this key a`
			`CSK (common signing key), forgoing the ZSK/KSK split. All signing operations are done online.`
			`Authenticated denial of existence is implemented with NSEC black lies. Using ECDSA as an algorithm`
			`is preferred as this leads to smaller signatures (compared to RSA). NSEC3 is not supported.`

Remove the word middleware (#1067) * Rename middleware to plugin first pass; mostly used 'sed', few spots where I manually changed text. This still builds a coredns binary. * fmt error * Rename AddMiddleware to AddPlugin * Readd AddMiddleware to remain backwards compat 2017-09-14 09:36:06 +01:00			`If multiple dnssec plugins are specified in the same zone, the last one specified will be`
doc update (#1140) * doc update Go through all README and fix mistakes, extend example and let more corefile snippets be test for validity. * Cant use spefic addr in test 2017-10-10 09:39:35 +02:00			`used (See [bugs](#bugs)).`
Cleaning up dnssec docs (#1016) 2017-09-02 11:41:52 -05:00
doc update (#1140) * doc update Go through all README and fix mistakes, extend example and let more corefile snippets be test for validity. * Cant use spefic addr in test 2017-10-10 09:39:35 +02:00			`* ZONES zones that should be signed. If empty, the zones from the configuration block`
Cleaning up dnssec docs (#1016) 2017-09-02 11:41:52 -05:00			`are used.`

doc update (#1140) * doc update Go through all README and fix mistakes, extend example and let more corefile snippets be test for validity. * Cant use spefic addr in test 2017-10-10 09:39:35 +02:00			* `key file` indicates that KEY file(s) should be read from disk. When multiple keys are specified, RRsets
Add middleware/dnssec (#133) This adds an online dnssec middleware. The middleware will sign responses on the fly. Negative responses are signed with NSEC black lies. 2016-04-26 17:57:11 +01:00			will be signed with all keys. Generating a key can be done with `dnssec-keygen`: `dnssec-keygen -a
Cleaning up dnssec docs (#1016) 2017-09-02 11:41:52 -05:00			ECDSAP256SHA256 <zonename>`. A key created for zone A can be safely used for zone B. The name of the
			`key file can be specified as one of the following formats`

			* basename of the generated key `Kexample.org+013+45330`
			* generated public key `Kexample.org+013+45330.key`
			* generated private key `Kexample.org+013+45330.private`
Add middleware/dnssec (#133) This adds an online dnssec middleware. The middleware will sign responses on the fly. Negative responses are signed with NSEC black lies. 2016-04-26 17:57:11 +01:00
Remove the word middleware (#1067) * Rename middleware to plugin first pass; mostly used 'sed', few spots where I manually changed text. This still builds a coredns binary. * fmt error * Rename AddMiddleware to AddPlugin * Readd AddMiddleware to remain backwards compat 2017-09-14 09:36:06 +01:00			* `cache_capacity` indicates the capacity of the cache. The dnssec plugin uses a cache to store
doc update (#1140) * doc update Go through all README and fix mistakes, extend example and let more corefile snippets be test for validity. * Cant use spefic addr in test 2017-10-10 09:39:35 +02:00			`RRSIGs. The default for CAPACITY is 10000.`
Add `cache_capacity` option to dnssec middleware for the capacity of LRU cache (#339) This fix adds a `cache_capacity` option to dnssec middleware, so that it is possible to specify the capacity of the LRU cache used by dnssec middleware. Signed-off-by: Yong Tang <yong.tang.github@outlook.com> 2016-10-18 13:33:23 -07:00
middleware/metrics: cleanup (#355) * middleware/metrics: add more metrics middleware/cache: Add metrics for number of elements in the cache. Also export the total size. Update README to detail the new metrics. middleware/metrics Move metrics into subpackage called "vars". This breaks the import cycle and is cleaner. This allows vars.Report to be used in the the dnsserver to log refused queries. middleware/metrics: tests Add tests to the metrics framework. The metrics/test subpackage allows scraping of the local server. Do a few test scrape of the metrics that are defined in the metrics middleware. This also allows metrics integration tests to check if the caching and dnssec middleware export their metrics correctly. * update README * typos * fix tests 2016-10-26 10:01:52 +01:00			`## Metrics`

			`If monitoring is enabled (via the prometheus directive) then the following metrics are exported:`

doc update (#1140) * doc update Go through all README and fix mistakes, extend example and let more corefile snippets be test for validity. * Cant use spefic addr in test 2017-10-10 09:39:35 +02:00			* `coredns_dnssec_cache_size{type}` - total elements in the cache, type is "signature".
			* `coredns_dnssec_cache_capacity{type}` - total capacity of the cache, type is "signature".
			* `coredns_dnssec_cache_hits_total{}` - Counter of cache hits.
			* `coredns_dnssec_cache_misses_total{}` - Counter of cache misses.
Add `cache_capacity` option to dnssec middleware for the capacity of LRU cache (#339) This fix adds a `cache_capacity` option to dnssec middleware, so that it is possible to specify the capacity of the LRU cache used by dnssec middleware. Signed-off-by: Yong Tang <yong.tang.github@outlook.com> 2016-10-18 13:33:23 -07:00
Add middleware/dnssec (#133) This adds an online dnssec middleware. The middleware will sign responses on the fly. Negative responses are signed with NSEC black lies. 2016-04-26 17:57:11 +01:00			`## Examples`
mw/dnssec: improve docs (#1015) * mw/dnssec: improve docs Improve the docs: add example and details the perrils of having multiple dnssec middlewares in one zone. * better 2017-09-01 15:54:51 +02:00
			Sign responses for `example.org` with the key "Kexample.org.+013+45330.key".

readme: more tests (#1184) * readme: more tests Add dnssec and file plugin to the test readme. This requires creating a bunch of files with the right content. Doing so already unconvered an unconditional type assertion in DNSSEC. This PR will include the fix for that as well. Also extended the snippets in the file plugin README, so that they are whole Corefile - showing more value and checking all corefile snippets. Create outliner right now is the kubernetes plugin, because even setting the right env vars will result in: open /var/run/secrets/kubernetes.io/serviceaccount/token: no such file or directory": Which we can't create for a test. * lint 2017-10-31 07:14:49 +00:00			`~~~ corefile`
			`example.org {`
mw/dnssec: improve docs (#1015) * mw/dnssec: improve docs Improve the docs: add example and details the perrils of having multiple dnssec middlewares in one zone. * better 2017-09-01 15:54:51 +02:00			`dnssec {`
readme: more tests (#1184) * readme: more tests Add dnssec and file plugin to the test readme. This requires creating a bunch of files with the right content. Doing so already unconvered an unconditional type assertion in DNSSEC. This PR will include the fix for that as well. Also extended the snippets in the file plugin README, so that they are whole Corefile - showing more value and checking all corefile snippets. Create outliner right now is the kubernetes plugin, because even setting the right env vars will result in: open /var/run/secrets/kubernetes.io/serviceaccount/token: no such file or directory": Which we can't create for a test. * lint 2017-10-31 07:14:49 +00:00			`key file Kexample.org.+013+45330`
mw/dnssec: improve docs (#1015) * mw/dnssec: improve docs Improve the docs: add example and details the perrils of having multiple dnssec middlewares in one zone. * better 2017-09-01 15:54:51 +02:00			`}`
			`whoami`
			`}`
			`~~~`

Cleaning up dnssec docs (#1016) 2017-09-02 11:41:52 -05:00			`Sign responses for a kubernetes zone with the key "Kcluster.local+013+45129.key".`

			`~~~`
readme: more tests (#1184) * readme: more tests Add dnssec and file plugin to the test readme. This requires creating a bunch of files with the right content. Doing so already unconvered an unconditional type assertion in DNSSEC. This PR will include the fix for that as well. Also extended the snippets in the file plugin README, so that they are whole Corefile - showing more value and checking all corefile snippets. Create outliner right now is the kubernetes plugin, because even setting the right env vars will result in: open /var/run/secrets/kubernetes.io/serviceaccount/token: no such file or directory": Which we can't create for a test. * lint 2017-10-31 07:14:49 +00:00			`cluster.local {`
			`kubernetes`
			`dnssec {`
			`key file Kcluster.local+013+45129`
Cleaning up dnssec docs (#1016) 2017-09-02 11:41:52 -05:00			`}`
			`}`
			`~~~`

mw/dnssec: improve docs (#1015) * mw/dnssec: improve docs Improve the docs: add example and details the perrils of having multiple dnssec middlewares in one zone. * better 2017-09-01 15:54:51 +02:00			`## Bugs`

Remove the word middleware (#1067) * Rename middleware to plugin first pass; mostly used 'sed', few spots where I manually changed text. This still builds a coredns binary. * fmt error * Rename AddMiddleware to AddPlugin * Readd AddMiddleware to remain backwards compat 2017-09-14 09:36:06 +01:00			`Multiple dnssec plugins inside one server stanza will silently overwrite earlier ones, here`
plugins/dnssec: Fix hostnames in README (#1310) 2017-12-13 22:36:35 +01:00			`example.org` will overwrite the one for `cluster.local`.
mw/dnssec: improve docs (#1015) * mw/dnssec: improve docs Improve the docs: add example and details the perrils of having multiple dnssec middlewares in one zone. * better 2017-09-01 15:54:51 +02:00
			`~~~`
readme: more tests (#1184) * readme: more tests Add dnssec and file plugin to the test readme. This requires creating a bunch of files with the right content. Doing so already unconvered an unconditional type assertion in DNSSEC. This PR will include the fix for that as well. Also extended the snippets in the file plugin README, so that they are whole Corefile - showing more value and checking all corefile snippets. Create outliner right now is the kubernetes plugin, because even setting the right env vars will result in: open /var/run/secrets/kubernetes.io/serviceaccount/token: no such file or directory": Which we can't create for a test. * lint 2017-10-31 07:14:49 +00:00			`. {`
mw/dnssec: improve docs (#1015) * mw/dnssec: improve docs Improve the docs: add example and details the perrils of having multiple dnssec middlewares in one zone. * better 2017-09-01 15:54:51 +02:00			`kubernetes cluster.local`
			`dnssec cluster.local {`
readme: more tests (#1184) * readme: more tests Add dnssec and file plugin to the test readme. This requires creating a bunch of files with the right content. Doing so already unconvered an unconditional type assertion in DNSSEC. This PR will include the fix for that as well. Also extended the snippets in the file plugin README, so that they are whole Corefile - showing more value and checking all corefile snippets. Create outliner right now is the kubernetes plugin, because even setting the right env vars will result in: open /var/run/secrets/kubernetes.io/serviceaccount/token: no such file or directory": Which we can't create for a test. * lint 2017-10-31 07:14:49 +00:00			`key file Kcluster.local+013+45129`
mw/dnssec: improve docs (#1015) * mw/dnssec: improve docs Improve the docs: add example and details the perrils of having multiple dnssec middlewares in one zone. * better 2017-09-01 15:54:51 +02:00			`}`
readme: more tests (#1184) * readme: more tests Add dnssec and file plugin to the test readme. This requires creating a bunch of files with the right content. Doing so already unconvered an unconditional type assertion in DNSSEC. This PR will include the fix for that as well. Also extended the snippets in the file plugin README, so that they are whole Corefile - showing more value and checking all corefile snippets. Create outliner right now is the kubernetes plugin, because even setting the right env vars will result in: open /var/run/secrets/kubernetes.io/serviceaccount/token: no such file or directory": Which we can't create for a test. * lint 2017-10-31 07:14:49 +00:00			`dnssec example.org {`
			`key file Kexample.org.+013+45330`
mw/dnssec: improve docs (#1015) * mw/dnssec: improve docs Improve the docs: add example and details the perrils of having multiple dnssec middlewares in one zone. * better 2017-09-01 15:54:51 +02:00			`}`
			`}`
			`~~~`