TrueCloudLab/coredns
16
0
Fork 2
Code Issues Pull requests 1 Projects Releases Packages Wiki Activity Actions

Cleaning up dnssec docs (#1016)

Browse source
This commit is contained in:
Brad Beam 2017-09-02 11:41:52 -05:00 committed by Miek Gieben
parent 4b14243e9b
commit 3a96d1ab77
1 changed files with 31 additions and 19 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

50
middleware/dnssec/README.md
View file

@ -4,23 +4,6 @@
## Syntax ## Syntax
~~~
dnssec [ZONES...]
~~~
* **ZONES** zones that should be signed. If empty, the zones from the configuration block
are used.
If keys are not specified (see below), a key is generated and used for all signing operations. The
DNSSEC signing will treat this key a CSK (common signing key), forgoing the ZSK/KSK split. All
signing operations are done online. Authenticated denial of existence is implemented with NSEC black
lies. Using ECDSA as an algorithm is preferred as this leads to smaller signatures (compared to
RSA). NSEC3 is *not* supported.
A single signing key can be specified by using the `key` directive.
NOTE: Key generation has not been implemented yet.
~~~ ~~~
dnssec [ZONES... ] { dnssec [ZONES... ] {
key file KEY... key file KEY...
@ -28,9 +11,27 @@ dnssec [ZONES... ] {
} }
~~~ ~~~
The specified key is used for all signing operations. The DNSSEC signing will treat this key a
CSK (common signing key), forgoing the ZSK/KSK split. All signing operations are done online.
Authenticated denial of existence is implemented with NSEC black lies. Using ECDSA as an algorithm
is preferred as this leads to smaller signatures (compared to RSA). NSEC3 is *not* supported.
If multiple *dnssec* middlewares are specified in the same zone, the last one specified will be
used ( see [bugs](#bugs) ).
* `ZONES` zones that should be signed. If empty, the zones from the configuration block
are used.
* `key file` indicates that key file(s) should be read from disk. When multiple keys are specified, RRsets * `key file` indicates that key file(s) should be read from disk. When multiple keys are specified, RRsets
will be signed with all keys. Generating a key can be done with `dnssec-keygen`: `dnssec-keygen -a will be signed with all keys. Generating a key can be done with `dnssec-keygen`: `dnssec-keygen -a
ECDSAP256SHA256 <zonename>`. A key created for zone *A* can be safely used for zone *B*. ECDSAP256SHA256 <zonename>`. A key created for zone *A* can be safely used for zone *B*. The name of the
key file can be specified as one of the following formats
* basename of the generated key `Kexample.org+013+45330`
* generated public key `Kexample.org+013+45330.key`
* generated private key `Kexample.org+013+45330.private`
* `cache_capacity` indicates the capacity of the cache. The dnssec middleware uses a cache to store * `cache_capacity` indicates the capacity of the cache. The dnssec middleware uses a cache to store
RRSIGs. The default capacity is 10000. RRSIGs. The default capacity is 10000.
@ -51,12 +52,23 @@ Sign responses for `example.org` with the key "Kexample.org.+013+45330.key".
~~~ ~~~
example.org:53 { example.org:53 {
dnssec { dnssec {
key file /etc/coredns/Kexample.org.+013+45330.key key file /etc/coredns/Kexample.org.+013+45330
} }
whoami whoami
} }
~~~ ~~~
Sign responses for a kubernetes zone with the key "Kcluster.local+013+45129.key".
~~~
cluster.local:53 {
kubernetes cluster.local
dnssec cluster.local {
key file /etc/coredns/Kcluster.local+013+45129
}
}
~~~
## Bugs ## Bugs
Multiple *dnssec* middlewares inside one server stanza will silently overwrite earlier ones, here Multiple *dnssec* middlewares inside one server stanza will silently overwrite earlier ones, here