Mirrors/coredns
1
0
Fork 0
mirror of https://github.com/coredns/coredns.git synced 2025-10-27 08:14:18 -04:00
Code Issues Packages Projects Releases Wiki Activity
Files
1aa1a9219825e9f203eff718cb85360df706e542
coredns/middleware/dnssec
History
Miek Gieben 1aa1a92198 Add middleware/dnssec (#133) 
This adds an online dnssec middleware. The middleware will sign
responses on the fly. Negative responses are signed with NSEC black
lies.
2016-04-26 17:57:11 +01:00
..
black_lies_test.go
Add middleware/dnssec (#133)
2016-04-26 17:57:11 +01:00
black_lies.go
Add middleware/dnssec (#133)
2016-04-26 17:57:11 +01:00
cache_test.go
Add middleware/dnssec (#133)
2016-04-26 17:57:11 +01:00
cache.go
Add middleware/dnssec (#133)
2016-04-26 17:57:11 +01:00
dnskey.go
Add middleware/dnssec (#133)
2016-04-26 17:57:11 +01:00
dnssec_test.go
Add middleware/dnssec (#133)
2016-04-26 17:57:11 +01:00
dnssec.go
Add middleware/dnssec (#133)
2016-04-26 17:57:11 +01:00
handler_test.go
Add middleware/dnssec (#133)
2016-04-26 17:57:11 +01:00
handler.go
Add middleware/dnssec (#133)
2016-04-26 17:57:11 +01:00
README.md
Add middleware/dnssec (#133)
2016-04-26 17:57:11 +01:00
responsewriter.go
Add middleware/dnssec (#133)
2016-04-26 17:57:11 +01:00
rrsig.go
Add middleware/dnssec (#133)
2016-04-26 17:57:11 +01:00

README.md

dnssec

dnssec enables on-the-fly DNSSEC signing of served data.

Syntax

dnssec [zones...]
  • zones zones that should be signed. If empty the zones from the configuration block are used.

If keys are not specified (see below) a key is generated and used for all signing operations. The DNSSEC signing will treat this key a CSK (common signing key) forgoing the ZSK/KSK split. All signing operations are done online. Authenticated denial of existence is implemented with NSEC black lies. Using ECDSA as an algorithm is preferred as this leads to smaller signatures (compared to RSA).

A signing key can be specified by using the key directive.

TODO(miek): think about key rollovers.

dnssec [zones... ] {
    key file [key...]
}
  • key file indicates key file(s) should be read from disk. When multiple keys are specified, RRset will be signed with all keys. Generating a key can be done with dnssec-keygen: dnssec-keygen -a ECDSAP256SHA256 <zonename>. A key created for zone A can be safely used for zone B.

Examples