TrueCloudLab/coredns
16
0
Fork 2
Code Issues Pull requests 3 Projects Releases Packages Wiki Activity Actions
coredns/plugin/tls
History
Miek Gieben b003d06003
For caddy v1 in our org (#4018) 
* For caddy v1 in our org

This RP changes all imports for caddyserver/caddy to coredns/caddy. This
is the v1 code of caddy.

For the coredns/caddy repo the following changes have been made:

* anything not needed by us is deleted
* all `telemetry` stuff is deleted
* all its import paths are also changed to point to coredns/caddy
* the v1 branch has been moved to the master branch
* a v1.1.0 tag has been added to signal the latest release

Signed-off-by: Miek Gieben <miek@miek.nl>

* Fix imports

Signed-off-by: Miek Gieben <miek@miek.nl>

* Group coredns/caddy with out plugins

Signed-off-by: Miek Gieben <miek@miek.nl>

* remove this file

Signed-off-by: Miek Gieben <miek@miek.nl>

* Relax import ordering

github.com/coredns is now also a coredns dep, this makes
github.com/coredns/caddy fit more natural in the list.

Signed-off-by: Miek Gieben <miek@miek.nl>

* Fix final import

Signed-off-by: Miek Gieben <miek@miek.nl>
2020-09-24 18:14:41 +02:00
..
log_test.go Clean up tests logging (#1979) 2018-07-19 16:23:06 +01:00
README.md doc: fix generated manual pages (#3571) 2019-12-29 13:35:17 +01:00
test_ca.pem make sure client CA and auth type are set if CA is explicitly specified. (#2825) 2019-05-31 09:30:15 -07:00
test_cert.pem make sure client CA and auth type are set if CA is explicitly specified. (#2825) 2019-05-31 09:30:15 -07:00
test_key.pem make sure client CA and auth type are set if CA is explicitly specified. (#2825) 2019-05-31 09:30:15 -07:00
tls.go For caddy v1 in our org (#4018) 2020-09-24 18:14:41 +02:00
tls_test.go For caddy v1 in our org (#4018) 2020-09-24 18:14:41 +02:00

README.md

tls

Name

tls - allows you to configure the server certificates for the TLS and gRPC servers.

Description

CoreDNS supports queries that are encrypted using TLS (DNS over Transport Layer Security, RFC 7858) or are using gRPC (https://grpc.io/, not an IETF standard). Normally DNS traffic isn't encrypted at all (DNSSEC only signs resource records).

The tls "plugin" allows you to configure the cryptographic keys that are needed for both DNS-over-TLS and DNS-over-gRPC. If the tls plugin is omitted, then no encryption takes place.

The gRPC protobuffer is defined in pb/dns.proto. It defines the proto as a simple wrapper for the wire data of a DNS message.

Syntax

tls CERT KEY [CA]

Parameter CA is optional. If not set, system CAs can be used to verify the client certificate

tls CERT KEY [CA] {
    client_auth nocert|request|require|verify_if_given|require_and_verify
}

If client_auth option is specified, it controls the client authentication policy. The option value corresponds to the ClientAuthType values of the Go tls package: NoClientCert, RequestClientCert, RequireAnyClientCert, VerifyClientCertIfGiven, and RequireAndVerifyClientCert, respectively. The default is "nocert". Note that it makes no sense to specify parameter CA unless this option is set to verify_if_given or require_and_verify.

Examples

Start a DNS-over-TLS server that picks up incoming DNS-over-TLS queries on port 5553 and uses the nameservers defined in /etc/resolv.conf to resolve the query. This proxy path uses plain old DNS.

tls://.:5553 {
	tls cert.pem key.pem ca.pem
	forward . /etc/resolv.conf
}

Start a DNS-over-gRPC server that is similar to the previous example, but using DNS-over-gRPC for incoming queries.

grpc://. {
	tls cert.pem key.pem ca.pem
	forward . /etc/resolv.conf
}

Only Knot DNS' kdig supports DNS-over-TLS queries, no command line client supports gRPC making debugging these transports harder than it should be.

Also See

RFC 7858 and https://grpc.io.