TrueCloudLab/coredns
16
0
Fork 2
Code Issues Pull requests 3 Projects Releases Packages Wiki Activity Actions
coredns/plugin/tls
History
Miek Gieben f3134da45e
Clean up tests logging (#1979) 
* Clean up tests logging

This cleans up the travis logs so you can see the failures better.

Older tests in tests/ would call log.SetOutput(ioutil.Discard) in
a haphazard way. This add log.Discard and put an `init` function in each
package's dir (no way to do this globally). The cleanup in tests/ is
clear.

All plugins also got this init function to have some uniformity and kill
any (future) logging there in the tests as well.

There is a one-off in pkg/healthcheck because that does log.

Signed-off-by: Miek Gieben <miek@miek.nl>

* bring back original log_test.go

Signed-off-by: Miek Gieben <miek@miek.nl>

* suppress logging here as well

Signed-off-by: Miek Gieben <miek@miek.nl>
2018-07-19 16:23:06 +01:00
..
log_test.go Clean up tests logging (#1979) 2018-07-19 16:23:06 +01:00
OWNERS Add OWNERS file (#1486) 2018-02-08 10:55:51 +00:00
README.md plugin/tls: make CA parameter optional (#1800) 2018-05-15 12:53:46 -04:00
tls.go plugin/tls: make CA parameter optional (#1800) 2018-05-15 12:53:46 -04:00
tls_test.go golinter fix (#1807) 2018-05-16 22:35:31 +01:00

README.md

tls

Name

tls - allows you to configure the server certificates for the TLS and gRPC servers.

Description

CoreDNS supports queries that are encrypted using TLS (DNS over Transport Layer Security, RFC 7858) or are using gRPC (https://grpc.io/, not an IETF standard). Normally DNS traffic isn't encrypted at all (DNSSEC only signs resource records).

The proxy plugin also support gRPC (protocol gRPC), meaning you can chain CoreDNS servers using this protocol.

The tls "plugin" allows you to configure the cryptographic keys that are needed for both DNS-over-TLS and DNS-over-gRPC. If the tls directive is omitted, then no encryption takes place.

The gRPC protobuffer is defined in pb/dns.proto. It defines the proto as a simple wrapper for the wire data of a DNS message.

Syntax

tls CERT KEY [CA]

Parameter CA is optional. If not set, system CAs can be used to verify the client certificate

Examples

Start a DNS-over-TLS server that picks up incoming DNS-over-TLS queries on port 5553 and uses the nameservers defined in /etc/resolv.conf to resolve the query. This proxy path uses plain old DNS.

tls://.:5553 {
	tls cert.pem key.pem ca.pem
	proxy . /etc/resolv.conf
}

Start a DNS-over-gRPC server that is similar to the previous example, but using DNS-over-gRPC for incoming queries.

grpc://. {
	tls cert.pem key.pem ca.pem
	proxy . /etc/resolv.conf
}

Only Knot DNS' kdig supports DNS-over-TLS queries, no command line client supports gRPC making debugging these transports harder than it should be.

Also See

RFC 7858 and https://grpc.io.