TrueCloudLab/coredns
16
0
Fork 2
Code Issues Pull requests 1 Projects Releases Packages Wiki Activity Actions
coredns/plugin/dnssec
History
Miek Gieben dbd1c047cb
Run gostaticheck (#3325) 
* Run gostaticheck

Run gostaticcheck on the codebase and fix almost all flagged items.

Only keep

* coremain/run.go:192:2: var appVersion is unused (U1000)
* plugin/chaos/setup.go:54:3: the surrounding loop is unconditionally terminated (SA4004)
* plugin/etcd/setup.go:103:3: the surrounding loop is unconditionally terminated (SA4004)
* plugin/pkg/replacer/replacer.go:274:13: argument should be pointer-like to avoid allocations (SA6002)
* plugin/route53/setup.go:124:28: session.New is deprecated: Use NewSession functions to create sessions instead. NewSession has the same functionality as New except an error can be returned when the func is called instead of waiting to receive an error until a request is made.  (SA1019)
* test/grpc_test.go:25:69: grpc.WithTimeout is deprecated: use DialContext and context.WithTimeout instead.  Will be supported throughout 1.x.  (SA1019)

The first one isn't true, as this is set via ldflags. The rest is
minor. The deprecation should be fixed at some point; I'll file some
issues.

Signed-off-by: Miek Gieben <miek@miek.nl>

* Make sure to plug in the plugins

import the plugins, that file that did this was removed, put it in the
reload test as this requires an almost complete coredns server.

Signed-off-by: Miek Gieben <miek@miek.nl>
2019-10-01 07:41:29 +01:00
..
black_lies.go Fix some typos (#2560) 2019-02-17 08:31:12 +00:00
black_lies_bitmap_test.go plugin/dnssec: add per server metrics (#1743) 2018-04-27 19:37:31 +01:00
black_lies_test.go presubmit: Check errorf as well (#1845) 2018-06-02 11:48:39 -07:00
cache.go Move cache Keys to 64bit for a better dispersion and lower collision frequency (#2077) 2018-08-31 14:26:43 -07:00
cache_test.go plugin/dnssec: Add support for KSK/ZSK split key setups (#2196) 2018-10-20 16:35:59 +01:00
dnskey.go fix mis-spelling (#3310) 2019-09-26 13:19:45 +01:00
dnssec.go plugin/dnssec: Add support for KSK/ZSK split key setups (#2196) 2018-10-20 16:35:59 +01:00
dnssec_test.go Run gostaticheck (#3325) 2019-10-01 07:41:29 +01:00
handler.go fix: delete unused var and const (#3294) 2019-09-24 07:06:37 +01:00
handler_test.go Stop importing testing in the main binary (#2479) 2019-01-19 11:23:13 +00:00
log_test.go Clean up tests logging (#1979) 2018-07-19 16:23:06 +01:00
OWNERS Add OWNERS file (#1486) 2018-02-08 10:55:51 +00:00
README.md Making dnssec's README consistent with other plugins' READMEs (#3252) 2019-09-08 08:26:06 +01:00
responsewriter.go Default to scrubbing replies in the server (#2012) 2018-08-29 12:26:22 +01:00
rrsig.go plugin/dnssec; insert and sign DS records (#1153) 2017-10-20 09:22:02 +01:00
setup.go all: simply registering plugins (#3287) 2019-09-20 08:02:30 +01:00
setup_test.go Update Caddy to 1.0.1, and update import path (#2961) 2019-07-03 09:04:47 +08:00

README.md

dnssec

Name

dnssec - enables on-the-fly DNSSEC signing of served data.

Description

With dnssec, any reply that doesn't (or can't) do DNSSEC will get signed on the fly. Authenticated denial of existence is implemented with NSEC black lies. Using ECDSA as an algorithm is preferred as this leads to smaller signatures (compared to RSA). NSEC3 is not supported.

This plugin can only be used once per Server Block.

Syntax

dnssec [ZONES... ] {
    key file KEY...
    cache_capacity CAPACITY
}

The signing behavior depends on the keys specified. If multiple keys are specified of which there is at least one key with the SEP bit set and at least one key with the SEP bit unset, signing will happen in split ZSK/KSK mode. DNSKEY records will be signed with all keys that have the SEP bit set. All other records will be signed with all keys that do not have the SEP bit set.

In any other case, each specified key will be treated as a CSK (common signing key), forgoing the ZSK/KSK split. All signing operations are done online. Authenticated denial of existence is implemented with NSEC black lies. Using ECDSA as an algorithm is preferred as this leads to smaller signatures (compared to RSA). NSEC3 is not supported.

If multiple dnssec plugins are specified in the same zone, the last one specified will be used (See bugs).

  • ZONES zones that should be signed. If empty, the zones from the configuration block are used.

  • key file indicates that KEY file(s) should be read from disk. When multiple keys are specified, RRsets will be signed with all keys. Generating a key can be done with dnssec-keygen: dnssec-keygen -a ECDSAP256SHA256 <zonename>. A key created for zone A can be safely used for zone B. The name of the key file can be specified in one of the following formats

    • basename of the generated key Kexample.org+013+45330
    • generated public key Kexample.org+013+45330.key
    • generated private key Kexample.org+013+45330.private

  • cache_capacity indicates the capacity of the cache. The dnssec plugin uses a cache to store RRSIGs. The default for CAPACITY is 10000.

Metrics

If monitoring is enabled (via the prometheus directive) then the following metrics are exported:

  • coredns_dnssec_cache_size{server, type} - total elements in the cache, type is "signature".
  • coredns_dnssec_cache_hits_total{server} - Counter of cache hits.
  • coredns_dnssec_cache_misses_total{server} - Counter of cache misses.

The label server indicated the server handling the request, see the metrics plugin for details.

Examples

Sign responses for example.org with the key "Kexample.org.+013+45330.key".

example.org {
    dnssec {
        key file Kexample.org.+013+45330
    }
    whoami
}

Sign responses for a kubernetes zone with the key "Kcluster.local+013+45129.key".

cluster.local {
    kubernetes
    dnssec {
      key file Kcluster.local+013+45129
    }
}