mirror of
https://github.com/coredns/coredns.git
synced 2025-11-11 22:42:21 -05:00
1aa1a92198
This adds an online dnssec middleware. The middleware will sign responses on the fly. Negative responses are signed with NSEC black lies.
36 lines
1.0 KiB
Markdown
36 lines
1.0 KiB
Markdown
# dnssec
|
|
|
|
`dnssec` enables on-the-fly DNSSEC signing of served data.
|
|
|
|
## Syntax
|
|
|
|
~~~
|
|
dnssec [zones...]
|
|
~~~
|
|
|
|
* `zones` zones that should be signed. If empty the zones from the configuration block
|
|
are used.
|
|
|
|
If keys are not specified (see below) a key is generated and used for all signing operations. The
|
|
DNSSEC signing will treat this key a CSK (common signing key) forgoing the ZSK/KSK split. All
|
|
signing operations are done online. Authenticated denial of existence is implemented with NSEC black
|
|
lies. Using ECDSA as an algorithm is preferred as this leads to smaller signatures (compared to
|
|
RSA).
|
|
|
|
A signing key can be specified by using the `key` directive.
|
|
|
|
TODO(miek): think about key rollovers.
|
|
|
|
|
|
~~~
|
|
dnssec [zones... ] {
|
|
key file [key...]
|
|
}
|
|
~~~
|
|
|
|
* `key file` indicates key file(s) should be read from disk. When multiple keys are specified, RRset
|
|
will be signed with all keys. Generating a key can be done with `dnssec-keygen`: `dnssec-keygen -a
|
|
ECDSAP256SHA256 <zonename>`. A key created for zone *A* can be safely used for zone *B*.
|
|
|
|
## Examples
|