Mirrors/coredns
1
0
Fork 0
mirror of https://github.com/coredns/coredns.git synced 2025-11-02 02:03:13 -05:00
Code Issues Packages Projects Releases Wiki Activity
Files
778fb731770bb4681d9e17dc415d46ae196c0528
coredns/middleware/dnssec
History
Miek Gieben 778fb73177 mw/dnssec: improve docs (#1015) 
* mw/dnssec: improve docs

Improve the docs: add example and details the perrils of having multiple
*dnssec* middlewares in one zone.

* better
2017-09-01 15:54:51 +02:00
..
black_lies_test.go
Fix import path github.com/miekg/coredns -> github.com/coredns/coredns (#547)
2017-02-22 06:51:47 +00:00
black_lies.go
Add middleware/dnssec (#133)
2016-04-26 17:57:11 +01:00
cache_test.go
all: gometalinter (#843)
2017-08-06 05:54:24 -07:00
cache.go
New cache implementation and prefetch handing in mw/cache (#731)
2017-06-13 12:39:10 -07:00
dnskey.go
Fix import path github.com/miekg/coredns -> github.com/coredns/coredns (#547)
2017-02-22 06:51:47 +00:00
dnssec_test.go
New cache implementation and prefetch handing in mw/cache (#731)
2017-06-13 12:39:10 -07:00
dnssec.go
New cache implementation and prefetch handing in mw/cache (#731)
2017-06-13 12:39:10 -07:00
handler_test.go
tests: add SortAndCheck helper (#926)
2017-08-16 15:30:58 +01:00
handler.go
Fix import path github.com/miekg/coredns -> github.com/coredns/coredns (#547)
2017-02-22 06:51:47 +00:00
README.md
mw/dnssec: improve docs (#1015)
2017-09-01 15:54:51 +02:00
responsewriter.go
Fix import path github.com/miekg/coredns -> github.com/coredns/coredns (#547)
2017-02-22 06:51:47 +00:00
rrsig.go
Golint2 (#280)
2016-09-23 09:14:12 +01:00
setup_test.go
mw/dnssec: warn when keys don't sign zones (#1011)
2017-09-01 08:52:13 +02:00
setup.go
mw/dnssec: warn when keys don't sign zones (#1011)
2017-09-01 08:52:13 +02:00

README.md

dnssec

dnssec enables on-the-fly DNSSEC signing of served data.

Syntax

dnssec [ZONES...]
  • ZONES zones that should be signed. If empty, the zones from the configuration block are used.

If keys are not specified (see below), a key is generated and used for all signing operations. The DNSSEC signing will treat this key a CSK (common signing key), forgoing the ZSK/KSK split. All signing operations are done online. Authenticated denial of existence is implemented with NSEC black lies. Using ECDSA as an algorithm is preferred as this leads to smaller signatures (compared to RSA). NSEC3 is not supported.

A single signing key can be specified by using the key directive.

NOTE: Key generation has not been implemented yet.

dnssec [ZONES... ] {
    key file KEY...
    cache_capacity CAPACITY
}

  • key file indicates that key file(s) should be read from disk. When multiple keys are specified, RRsets will be signed with all keys. Generating a key can be done with dnssec-keygen: dnssec-keygen -a ECDSAP256SHA256 <zonename>. A key created for zone A can be safely used for zone B.

  • cache_capacity indicates the capacity of the cache. The dnssec middleware uses a cache to store RRSIGs. The default capacity is 10000.

Metrics

If monitoring is enabled (via the prometheus directive) then the following metrics are exported:

  • coredns_dnssec_cache_size{type} - total elements in the cache, type is "signature".
  • coredns_dnssec_cache_capacity{type} - total capacity of the cache, type is "signature".
  • coredns_dnssec_cache_hits_total - Counter of cache hits.
  • coredns_dnssec_cache_misses_total - Counter of cache misses.

Examples

Sign responses for example.org with the key "Kexample.org.+013+45330.key".

example.org:53 {
    dnssec {
        key file /etc/coredns/Kexample.org.+013+45330.key
    }
    whoami
}

Bugs

Multiple dnssec middlewares inside one server stanza will silently overwrite earlier ones, here example.local will overwrite the one for cluster.local.

.:53 {
    kubernetes cluster.local
    dnssec cluster.local {
      key file /etc/coredns/cluster.local
    }
    dnssec example.local {
      key file /etc/coredns/example.local
    }
    whoami
}
Reference in New Issue View Git Blame Copy Permalink