mirror of
https://github.com/coredns/coredns.git
synced 2025-11-14 07:52:17 -05:00
ad7e78ec31
This fix adds a `cache_capacity` option to dnssec middleware, so that it is possible to specify the capacity of the LRU cache used by dnssec middleware. Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
43 lines
1.3 KiB
Markdown
43 lines
1.3 KiB
Markdown
# dnssec
|
|
|
|
*dnssec* enables on-the-fly DNSSEC signing of served data.
|
|
|
|
## Syntax
|
|
|
|
~~~
|
|
dnssec [ZONES...]
|
|
~~~
|
|
|
|
* **ZONES** zones that should be signed. If empty, the zones from the configuration block
|
|
are used.
|
|
|
|
If keys are not specified (see below), a key is generated and used for all signing operations. The
|
|
DNSSEC signing will treat this key a CSK (common signing key), forgoing the ZSK/KSK split. All
|
|
signing operations are done online. Authenticated denial of existence is implemented with NSEC black
|
|
lies. Using ECDSA as an algorithm is preferred as this leads to smaller signatures (compared to
|
|
RSA). NSEC3 is *not* supported.
|
|
|
|
A single signing key can be specified by using the `key` directive.
|
|
|
|
NOTE: Key generation has not been implemented yet.
|
|
|
|
TODO(miek): think about key rollovers, and how to do them automatically.
|
|
|
|
~~~
|
|
dnssec [ZONES... ] {
|
|
key file KEY...
|
|
cache_capacity CAPACITY
|
|
}
|
|
~~~
|
|
|
|
* `key file` indicates that key file(s) should be read from disk. When multiple keys are specified, RRsets
|
|
will be signed with all keys. Generating a key can be done with `dnssec-keygen`: `dnssec-keygen -a
|
|
ECDSAP256SHA256 <zonename>`. A key created for zone *A* can be safely used for zone *B*.
|
|
|
|
|
|
* `cache_capacity` indicates the capacity of the LRU cache. The dnssec middleware uses LRU cache to manage
|
|
objects and the default capacity is 10000.
|
|
|
|
|
|
## Examples
|