mirror of
https://github.com/coredns/coredns.git
synced 2026-04-05 11:45:33 -04:00
a8caf4c375
* tls: Add the keylog option to configure TLSConfig.KeyLogWriter Signed-off-by: Ilya Kulakov <kulakov.ilya@gmail.com> * tls: Close keylog file on instance shutdown. Signed-off-by: Ilya Kulakov <kulakov.ilya@gmail.com> --------- Signed-off-by: Ilya Kulakov <kulakov.ilya@gmail.com>
78 lines
2.4 KiB
Markdown
78 lines
2.4 KiB
Markdown
# tls
|
|
|
|
## Name
|
|
|
|
*tls* - allows you to configure the server certificates for the TLS, gRPC, DoH servers.
|
|
|
|
## Description
|
|
|
|
CoreDNS supports queries that are encrypted using TLS (DNS over Transport Layer Security, RFC 7858)
|
|
or are using gRPC (https://grpc.io/ , not an IETF standard). Normally DNS traffic isn't encrypted at
|
|
all (DNSSEC only signs resource records).
|
|
|
|
The *tls* "plugin" allows you to configure the cryptographic keys that are needed for both
|
|
DNS-over-TLS and DNS-over-gRPC. If the *tls* plugin is omitted, then no encryption takes place.
|
|
|
|
The gRPC protobuffer is defined in `pb/dns.proto`. It defines the proto as a simple wrapper for the
|
|
wire data of a DNS message.
|
|
|
|
## Syntax
|
|
|
|
~~~ txt
|
|
tls CERT KEY [CA]
|
|
~~~
|
|
|
|
Parameter CA is optional. If not set, system CAs can be used to verify the client certificate
|
|
|
|
~~~ txt
|
|
tls CERT KEY [CA] {
|
|
client_auth nocert|request|require|verify_if_given|require_and_verify
|
|
keylog FILE
|
|
}
|
|
~~~
|
|
|
|
If client\_auth option is specified, it controls the client authentication policy.
|
|
The option value corresponds to the [ClientAuthType values of the Go tls package](https://golang.org/pkg/crypto/tls/#ClientAuthType): NoClientCert, RequestClientCert, RequireAnyClientCert, VerifyClientCertIfGiven, and RequireAndVerifyClientCert, respectively.
|
|
The default is "nocert". Note that it makes no sense to specify parameter CA unless this option is
|
|
set to verify\_if\_given or require\_and\_verify.
|
|
|
|
The keylog can be specified to export TLS master secrets in key log format to allow external programs
|
|
to decrypt TLS connections. It compromises security and should only be used for debugging!
|
|
|
|
## Examples
|
|
|
|
Start a DNS-over-TLS server that picks up incoming DNS-over-TLS queries on port 5553 and uses the
|
|
nameservers defined in `/etc/resolv.conf` to resolve the query. This proxy path uses plain old DNS.
|
|
|
|
~~~
|
|
tls://.:5553 {
|
|
tls cert.pem key.pem ca.pem
|
|
forward . /etc/resolv.conf
|
|
}
|
|
~~~
|
|
|
|
Start a DNS-over-gRPC server that is similar to the previous example, but using DNS-over-gRPC for
|
|
incoming queries.
|
|
|
|
~~~
|
|
grpc://. {
|
|
tls cert.pem key.pem ca.pem
|
|
forward . /etc/resolv.conf
|
|
}
|
|
~~~
|
|
|
|
Start a DoH server on port 443 that is similar to the previous example, but using DoH for incoming queries.
|
|
~~~
|
|
https://. {
|
|
tls cert.pem key.pem ca.pem
|
|
forward . /etc/resolv.conf
|
|
}
|
|
~~~
|
|
|
|
Only Knot DNS' `kdig` supports DNS-over-TLS queries, no command line client supports gRPC making
|
|
debugging these transports harder than it should be.
|
|
|
|
## See Also
|
|
|
|
RFC 7858 and https://grpc.io.
|