feat: dnssec load keys from AWS Secrets Manager (#6618)

feat: dnssec load keys from AWS Secrets Manager Signed-off-by: kcolemangt <20099734+kcolemangt@users.noreply.github.com>
2025-11-02 02:03:13 -05:00 · 2024-10-24 14:50:04 -04:00
parent 04d00b0083
commit 7078f1576f
5 changed files with 170 additions and 1 deletions
--- a/plugin/dnssec/README.md
+++ b/plugin/dnssec/README.md
@@ -16,7 +16,7 @@ This plugin can only be used once per Server Block.

 ~~~
 dnssec [ZONES... ] {
-    key file KEY...
+    key file|aws_secretsmanager KEY...
    cache_capacity CAPACITY
 }
 ~~~
@@ -49,6 +49,26 @@ used.
    * generated public key `Kexample.org+013+45330.key`
    * generated private key `Kexample.org+013+45330.private`

+* `key aws_secretsmanager` indicates that **KEY** secret(s) should be read from AWS Secrets Manager. Secret
+  names or ARNs may be used. After generating the keys as described in the `key file` section, you can
+  store them in AWS Secrets Manager using the following AWS CLI v2 command:
+
+  ```sh
+  aws secretsmanager create-secret --name "Kexample.org.+013+45330" \
+  --description "DNSSEC keys for example.org" \
+  --secret-string "$(jq -n --arg key "$(cat Kexample.org.+013+45330.key)" \
+  --arg private "$(cat Kexample.org.+013+45330.private)" \
+  '{key: $key, private: $private}')"
+  ```
+
+  This command reads the contents of the `.key` and `.private` files, constructs a JSON object, and stores it
+  as a new secret in AWS Secrets Manager with the specified name and description. CoreDNS will then fetch
+  the key data from AWS Secrets Manager when using the `key aws_secretsmanager` directive.
+
+  [AWS SDK for Go V2](https://aws.github.io/aws-sdk-go-v2/docs/configuring-sdk/#specifying-credentials) is used
+  for authentication with AWS Secrets Manager. Make sure the provided AWS credentials have the necessary
+  permissions (e.g., `secretsmanager:GetSecretValue`) to access the specified secrets in AWS Secrets Manager.
+
 * `cache_capacity` indicates the capacity of the cache. The dnssec plugin uses a cache to store
  RRSIGs. The default for **CAPACITY** is 10000.

@@ -75,6 +95,18 @@ example.org {
 }
 ~~~

+Sign responses for `example.org` with the key stored in AWS Secrets Manager under the secret name
+"Kexample.org.+013+45330".
+
+~~~
+example.org {
+    dnssec {
+        key aws_secretsmanager Kexample.org.+013+45330
+    }
+    whoami
+}
+~~~
+
 Sign responses for a kubernetes zone with the key "Kcluster.local+013+45129.key".

 ~~~