Mirrors/coredns
1
0
Fork 0
mirror of https://github.com/coredns/coredns.git synced 2025-12-04 17:35:13 -05:00
Code Issues Packages Projects Releases Wiki Activity

plugin/dnssec: Add support for KSK/ZSK split key setups (#2196)

Browse Source 
* plugin/dnssec: Add support for KSK/ZSK split key setups

* plugin/dnssec: Update README to document split ZSK/KSK operation
This commit is contained in:
Manuel Stocker
2018-10-20 17:35:59 +02:00
committed by Miek Gieben
parent dbc2efc49a
commit cf04223718
8 changed files with 128 additions and 45 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
plugin/dnssec/README.md
View File

@@ -21,8 +21,13 @@ dnssec [ZONES... ] {
}
~~~
The specified key is used for all signing operations. The DNSSEC signing will treat this key as a
CSK (common signing key), forgoing the ZSK/KSK split. All signing operations are done online.
The signing behavior depends on the keys specified. If multiple keys are specified of which there is
at least one key with the SEP bit set and at least one key with the SEP bit unset, signing will happen
in split ZSK/KSK mode. DNSKEY records will be signed with all keys that have the SEP bit set. All other
records will be signed with all keys that do not have the SEP bit set.
In any other case, each specified key will be treated as a CSK (common signing key), forgoing the
ZSK/KSK split. All signing operations are done online.
Authenticated denial of existence is implemented with NSEC black lies. Using ECDSA as an algorithm
is preferred as this leads to smaller signatures (compared to RSA). NSEC3 is *not* supported.