.\" Generated by Mmark Markdown Processer - mmark.miek.nl
.TH "COREDNS-TLS" 7 "March 2021" "CoreDNS" "CoreDNS Plugins"

.SH "NAME"
.PP
\fItls\fP - allows you to configure the server certificates for the TLS and gRPC servers.

.SH "DESCRIPTION"
.PP
CoreDNS supports queries that are encrypted using TLS (DNS over Transport Layer Security, RFC 7858)
or are using gRPC (https://grpc.io/
\[la]https://grpc.io/\[ra], not an IETF standard). Normally DNS traffic isn't encrypted at
all (DNSSEC only signs resource records).

.PP
The \fItls\fP "plugin" allows you to configure the cryptographic keys that are needed for both
DNS-over-TLS and DNS-over-gRPC. If the \fItls\fP plugin is omitted, then no encryption takes place.

.PP
The gRPC protobuffer is defined in \fB\fCpb/dns.proto\fR. It defines the proto as a simple wrapper for the
wire data of a DNS message.

.SH "SYNTAX"
.PP
.RS

.nf
tls CERT KEY [CA]

.fi
.RE

.PP
Parameter CA is optional. If not set, system CAs can be used to verify the client certificate.

.PP
.RS

.nf
tls CERT KEY [CA] {
    client\_auth nocert|request|require|verify\_if\_given|require\_and\_verify
}

.fi
.RE

.PP
If the client_auth option is specified, it controls the client authentication policy.
The option value corresponds to the ClientAuthType values of the Go tls package
\[la]https://golang.org/pkg/crypto/tls/#ClientAuthType\[ra]: NoClientCert, RequestClientCert, RequireAnyClientCert, VerifyClientCertIfGiven, and RequireAndVerifyClientCert, respectively.
The default is "nocert". Note that it makes no sense to specify parameter CA unless this option is
set to verify_if_given or require_and_verify: those are the only two policies that check the presented
client certificate against it. "require" (RequireAnyClientCert) only demands that some certificate be
presented and does not verify it, so on its own it does not authenticate the client.

.SH "EXAMPLES"
.PP
Start a DNS-over-TLS server that picks up incoming DNS-over-TLS queries on port 5553 and uses the
nameservers defined in \fB\fC/etc/resolv.conf\fR to resolve the query. This proxy path uses plain old DNS.
Because no client_auth block is given, the default "nocert" applies: clients are not asked for a
certificate, so ca.pem plays no part in the handshake.

.PP
.RS

.nf
tls://.:5553 {
    tls cert.pem key.pem ca.pem
    forward . /etc/resolv.conf
}

.fi
.RE

.PP
Start a DNS-over-gRPC server that is similar to the previous example, but using DNS-over-gRPC for
incoming queries.

.PP
.RS

.nf
grpc://. {
    tls cert.pem key.pem ca.pem
    forward . /etc/resolv.conf
}

.fi
.RE

.PP
Only Knot DNS' \fB\fCkdig\fR supports DNS-over-TLS queries, and no command line client supports gRPC,
which makes debugging these transports harder than it should be.

.SH "SEE ALSO"
.PP
RFC 7858 and https://grpc.io
\[la]https://grpc.io\[ra].