Cleaning up dnssec docs (#1016)
This commit is contained in:
Brad Beam
Miek Gieben
parent
4b14243e9b
commit
3a96d1ab77
1 changed files with 31 additions and 19 deletions
|
|
@ -4,23 +4,6 @@
|
|||
|
||||
## Syntax
|
||||
|
||||
~~~
|
||||
dnssec [ZONES...]
|
||||
~~~
|
||||
|
||||
* **ZONES** zones that should be signed. If empty, the zones from the configuration block
|
||||
are used.
|
||||
|
||||
If keys are not specified (see below), a key is generated and used for all signing operations. The
|
||||
DNSSEC signing will treat this key a CSK (common signing key), forgoing the ZSK/KSK split. All
|
||||
signing operations are done online. Authenticated denial of existence is implemented with NSEC black
|
||||
lies. Using ECDSA as an algorithm is preferred as this leads to smaller signatures (compared to
|
||||
RSA). NSEC3 is *not* supported.
|
||||
|
||||
A single signing key can be specified by using the `key` directive.
|
||||
|
||||
NOTE: Key generation has not been implemented yet.
|
||||
|
||||
~~~
|
||||
dnssec [ZONES... ] {
|
||||
key file KEY...
|
||||
|
|
@ -28,9 +11,27 @@ dnssec [ZONES... ] {
|
|||
}
|
||||
~~~
|
||||
|
||||
The specified key is used for all signing operations. The DNSSEC signing will treat this key a
|
||||
CSK (common signing key), forgoing the ZSK/KSK split. All signing operations are done online.
|
||||
Authenticated denial of existence is implemented with NSEC black lies. Using ECDSA as an algorithm
|
||||
is preferred as this leads to smaller signatures (compared to RSA). NSEC3 is *not* supported.
|
||||
|
||||
If multiple *dnssec* middlewares are specified in the same zone, the last one specified will be
|
||||
used ( see [bugs](#bugs) ).
|
||||
|
||||
* `ZONES` zones that should be signed. If empty, the zones from the configuration block
|
||||
are used.
|
||||
|
||||
* `key file` indicates that key file(s) should be read from disk. When multiple keys are specified, RRsets
|
||||
will be signed with all keys. Generating a key can be done with `dnssec-keygen`: `dnssec-keygen -a
|
||||
ECDSAP256SHA256 <zonename>`. A key created for zone *A* can be safely used for zone *B*.
|
||||
ECDSAP256SHA256 <zonename>`. A key created for zone *A* can be safely used for zone *B*. The name of the
|
||||
key file can be specified as one of the following formats
|
||||
|
||||
* basename of the generated key `Kexample.org+013+45330`
|
||||
|
||||
* generated public key `Kexample.org+013+45330.key`
|
||||
|
||||
* generated private key `Kexample.org+013+45330.private`
|
||||
|
||||
* `cache_capacity` indicates the capacity of the cache. The dnssec middleware uses a cache to store
|
||||
RRSIGs. The default capacity is 10000.
|
||||
|
|
@ -51,12 +52,23 @@ Sign responses for `example.org` with the key "Kexample.org.+013+45330.key".
|
|||
~~~
|
||||
example.org:53 {
|
||||
dnssec {
|
||||
key file /etc/coredns/Kexample.org.+013+45330.key
|
||||
key file /etc/coredns/Kexample.org.+013+45330
|
||||
}
|
||||
whoami
|
||||
}
|
||||
~~~
|
||||
|
||||
Sign responses for a kubernetes zone with the key "Kcluster.local+013+45129.key".
|
||||
|
||||
~~~
|
||||
cluster.local:53 {
|
||||
kubernetes cluster.local
|
||||
dnssec cluster.local {
|
||||
key file /etc/coredns/Kcluster.local+013+45129
|
||||
}
|
||||
}
|
||||
~~~
|
||||
|
||||
## Bugs
|
||||
|
||||
Multiple *dnssec* middlewares inside one server stanza will silently overwrite earlier ones, here
|
||||
|
|
|
|||
Loading…
Add table
Reference in a new issue