plugin/dnssec: use entire RRset as key input (#4537)

* plugin/dnssec: use entire RRset as key input This uses the entire rrset as input for the hash key; this is to detect differences in the RRset and generate the correct signature. As this would then lead to unbounded growth, we periodically (every 8h) prune the cache of old entries. In theory we could rely on the random eviction, but it seems nicer to do this in a maintannce loop so that we remove the unused ones. This required adding a Walk function to the plugin/pkg/cache. Signed-off-by: Miek Gieben <miek@miek.nl> * Update plugin/dnssec/cache.go Co-authored-by: Chris O'Haver <cohaver@infoblox.com> Co-authored-by: Chris O'Haver <cohaver@infoblox.com>
2025-12-07 02:45:11 -05:00 · 2021-04-05 15:45:28 +02:00
parent 454bc9e0b9
commit 13cef2ee09
5 changed files with 98 additions and 15 deletions
--- a/plugin/dnssec/README.md
+++ b/plugin/dnssec/README.md
@@ -31,8 +31,11 @@ ZSK/KSK split. All signing operations are done online.
 Authenticated denial of existence is implemented with NSEC black lies. Using ECDSA as an algorithm
 is preferred as this leads to smaller signatures (compared to RSA). NSEC3 is *not* supported.

+As the *dnssec* plugin can't see the original TTL of the RRSets it signs, it will always use 3600s
+as the value.
+
 If multiple *dnssec* plugins are specified in the same zone, the last one specified will be
-used (See [bugs](#bugs)).
+used.

 * **ZONES** zones that should be signed. If empty, the zones from the configuration block
    are used.