Mirrors/coredns
1
0
Fork 0
mirror of https://github.com/coredns/coredns.git synced 2025-11-03 18:53:13 -05:00
Code Issues Packages Projects Releases Wiki Activity
Files
b44d82839facb4911f03f6a8e6003529a01c67bf
coredns/middleware/dnssec/README.md
Miek Gieben eea77cc97c Fs (#242) 
* play around with fs idea

* docs and fix test

* better docs
2016-09-05 09:32:11 +01:00

38 lines
1.2 KiB
Markdown
Raw Blame History

# dnssec
`dnssec` enables on-the-fly DNSSEC signing of served data.
## Syntax
~~~
dnssec [zones...]
~~~
* `zones` zones that should be signed. If empty, the zones from the configuration block
are used.
If keys are not specified (see below), a key is generated and used for all signing operations. The
DNSSEC signing will treat this key a CSK (common signing key), forgoing the ZSK/KSK split. All
signing operations are done online. Authenticated denial of existence is implemented with NSEC black
lies. Using ECDSA as an algorithm is preferred as this leads to smaller signatures (compared to
RSA). NSEC3 is *not* supported.
A single signing key can be specified by using the `key` directive.
NOTE: Key generation has not been implemented yet.
TODO(miek): think about key rollovers, and how to do them automatically.
~~~
dnssec [zones... ] {
key file [key...]
}
~~~
* `key file` indicates that key file(s) should be read from disk. When multiple keys are specified, RRsets
will be signed with all keys. Generating a key can be done with `dnssec-keygen`: `dnssec-keygen -a
ECDSAP256SHA256 <zonename>`. A key created for zone *A* can be safely used for zone *B*.
## Examples
Reference in New Issue View Git Blame Copy Permalink