ba1efee4f1
Every plugin needs to deal with EDNS0 and should call Scrub to make a message fit the client's buffer. Move this functionality into the server and wrapping the ResponseWriter into a ScrubWriter that handles these bits for us. Result: Less code and faster, because multiple chained plugins could all be calling scrub and SizeAndDo - now there is just one place. Most tests in file/* and dnssec/* needed adjusting because in those unit tests you don't see OPT RRs anymore. The DNSSEC signer was also looking at the returned OPT RR to see if it needed to sign - as those are now added by the server (and thus later), this needed to change slightly. Scrub itself still exist (for backward compat reasons), but has been made a noop. Scrub has been renamed to scrub as it should not be used by external plugins. Fixes: #2010 Signed-off-by: Miek Gieben <miek@miek.nl> |
||
|---|---|---|
| .. | ||
| black_lies.go | ||
| black_lies_bitmap_test.go | ||
| black_lies_test.go | ||
| cache.go | ||
| cache_test.go | ||
| dnskey.go | ||
| dnssec.go | ||
| dnssec_test.go | ||
| handler.go | ||
| handler_test.go | ||
| log_test.go | ||
| OWNERS | ||
| README.md | ||
| responsewriter.go | ||
| rrsig.go | ||
| setup.go | ||
| setup_test.go | ||
dnssec
Name
dnssec - enable on-the-fly DNSSEC signing of served data.
Description
With dnssec any reply that doesn't (or can't) do DNSSEC will get signed on the fly. Authenticated denial of existence is implemented with NSEC black lies. Using ECDSA as an algorithm is preferred as this leads to smaller signatures (compared to RSA). NSEC3 is not supported.
This plugin can only be used once per Server Block.
Syntax
dnssec [ZONES... ] {
key file KEY...
cache_capacity CAPACITY
}
The specified key is used for all signing operations. The DNSSEC signing will treat this key as a CSK (common signing key), forgoing the ZSK/KSK split. All signing operations are done online. Authenticated denial of existence is implemented with NSEC black lies. Using ECDSA as an algorithm is preferred as this leads to smaller signatures (compared to RSA). NSEC3 is not supported.
If multiple dnssec plugins are specified in the same zone, the last one specified will be used (See bugs).
-
ZONES zones that should be signed. If empty, the zones from the configuration block are used.
-
key fileindicates that KEY file(s) should be read from disk. When multiple keys are specified, RRsets will be signed with all keys. Generating a key can be done withdnssec-keygen:dnssec-keygen -a ECDSAP256SHA256 <zonename>. A key created for zone A can be safely used for zone B. The name of the key file can be specified in one of the following formats- basename of the generated key
Kexample.org+013+45330 - generated public key
Kexample.org+013+45330.key - generated private key
Kexample.org+013+45330.private
- basename of the generated key
-
cache_capacityindicates the capacity of the cache. The dnssec plugin uses a cache to store RRSIGs. The default for CAPACITY is 10000.
Metrics
If monitoring is enabled (via the prometheus directive) then the following metrics are exported:
coredns_dnssec_cache_size{server, type}- total elements in the cache, type is "signature".coredns_dnssec_cache_hits_total{server}- Counter of cache hits.coredns_dnssec_cache_misses_total{server}- Counter of cache misses.
The label server indicated the server handling the request, see the metrics plugin for details.
Examples
Sign responses for example.org with the key "Kexample.org.+013+45330.key".
example.org {
dnssec {
key file Kexample.org.+013+45330
}
whoami
}
Sign responses for a kubernetes zone with the key "Kcluster.local+013+45129.key".
cluster.local {
kubernetes
dnssec {
key file Kcluster.local+013+45129
}
}