Mirrors/coredns
1
0
Fork 0
mirror of https://github.com/coredns/coredns.git synced 2025-10-30 17:53:21 -04:00
Code Issues Packages Projects Releases Wiki Activity
Files
aa16e0eff1b83db871bdbcdd97a24d3deddfc90b
coredns/man/coredns-tls.7
coredns-auto-go-mod-tidy[bot] 964b621d32 auto make -f Makefile.doc
2020-08-10 08:38:37 +00:00

96 lines
2.4 KiB
Groff
Raw Blame History

.\" Generated by Mmark Markdown Processer - mmark.miek.nl
.TH "COREDNS-TLS" 7 "August 2020" "CoreDNS" "CoreDNS Plugins"
.SH "NAME"
.PP
\fItls\fP - allows you to configure the server certificates for the TLS and gRPC servers.
.SH "DESCRIPTION"
.PP
CoreDNS supports queries that are encrypted using TLS (DNS over Transport Layer Security, RFC 7858)
or are using gRPC (https://grpc.io/
\[la]https://grpc.io/\[ra], not an IETF standard). Normally DNS traffic isn't encrypted at
all (DNSSEC only signs resource records).
.PP
The \fItls\fP "plugin" allows you to configure the cryptographic keys that are needed for both
DNS-over-TLS and DNS-over-gRPC. If the \fItls\fP plugin is omitted, then no encryption takes place.
.PP
The gRPC protobuffer is defined in \fB\fCpb/dns.proto\fR. It defines the proto as a simple wrapper for the
wire data of a DNS message.
.SH "SYNTAX"
.PP
.RS
.nf
tls CERT KEY [CA]
.fi
.RE
.PP
Parameter CA is optional. If not set, system CAs can be used to verify the client certificate
.PP
.RS
.nf
tls CERT KEY [CA] {
client\_auth nocert|request|require|verify\_if\_given|require\_and\_verify
}
.fi
.RE
.PP
If client_auth option is specified, it controls the client authentication policy.
The option value corresponds to the ClientAuthType values of the Go tls package
\[la]https://golang.org/pkg/crypto/tls/#ClientAuthType\[ra]: NoClientCert, RequestClientCert, RequireAnyClientCert, VerifyClientCertIfGiven, and RequireAndVerifyClientCert, respectively.
The default is "nocert". Note that it makes no sense to specify parameter CA unless this option is
set to verify_if_given or require_and_verify.
.SH "EXAMPLES"
.PP
Start a DNS-over-TLS server that picks up incoming DNS-over-TLS queries on port 5553 and uses the
nameservers defined in \fB\fC/etc/resolv.conf\fR to resolve the query. This proxy path uses plain old DNS.
.PP
.RS
.nf
tls://.:5553 {
tls cert.pem key.pem ca.pem
forward . /etc/resolv.conf
}
.fi
.RE
.PP
Start a DNS-over-gRPC server that is similar to the previous example, but using DNS-over-gRPC for
incoming queries.
.PP
.RS
.nf
grpc://. {
tls cert.pem key.pem ca.pem
forward . /etc/resolv.conf
}
.fi
.RE
.PP
Only Knot DNS' \fB\fCkdig\fR supports DNS-over-TLS queries, no command line client supports gRPC making
debugging these transports harder than it should be.
.SH "ALSO SEE"
.PP
RFC 7858 and https://grpc.io
\[la]https://grpc.io\[ra].
Reference in New Issue View Git Blame Copy Permalink