TrueCloudLab/coredns
16
0
Fork 2
Code Issues Pull requests 3 Projects Releases Packages Wiki Activity Actions
coredns/middleware/dnssec
History
cricketliu 5325dadb7c Update README.md
2016-08-22 14:04:21 -07:00
..
black_lies.go Add middleware/dnssec (#133) 2016-04-26 17:57:11 +01:00
black_lies_test.go Add middleware/dnssec (#133) 2016-04-26 17:57:11 +01:00
cache.go Add middleware/dnssec (#133) 2016-04-26 17:57:11 +01:00
cache_test.go Make CoreDNS a server type plugin for Caddy (#220) 2016-08-19 17:14:17 -07:00
dnskey.go Add middleware/dnssec (#133) 2016-04-26 17:57:11 +01:00
dnssec.go Make CoreDNS a server type plugin for Caddy (#220) 2016-08-19 17:14:17 -07:00
dnssec_test.go Make CoreDNS a server type plugin for Caddy (#220) 2016-08-19 17:14:17 -07:00
handler.go Set Authoritative Answer - DNSKEY (fix #210) (#212) 2016-08-14 11:19:36 -07:00
handler_test.go Make CoreDNS a server type plugin for Caddy (#220) 2016-08-19 17:14:17 -07:00
README.md Update README.md 2016-08-22 14:04:21 -07:00
responsewriter.go Add middleware/dnssec (#133) 2016-04-26 17:57:11 +01:00
rrsig.go Add middleware/dnssec (#133) 2016-04-26 17:57:11 +01:00
setup.go Make CoreDNS a server type plugin for Caddy (#220) 2016-08-19 17:14:17 -07:00
setup_test.go Make CoreDNS a server type plugin for Caddy (#220) 2016-08-19 17:14:17 -07:00

README.md

dnssec

dnssec enables on-the-fly DNSSEC signing of served data.

Syntax

dnssec [zones...]
  • zones zones that should be signed. If empty, the zones from the configuration block are used.

If keys are not specified (see below), a key is generated and used for all signing operations. The DNSSEC signing will treat this key a CSK (common signing key), forgoing the ZSK/KSK split. All signing operations are done online. Authenticated denial of existence is implemented with NSEC black lies. Using ECDSA as an algorithm is preferred as this leads to smaller signatures (compared to RSA).

A signing key can be specified by using the key directive.

WARNING: when a key is generated there is currently no way to extract any key material from CoreDNS, as this key only lives in memory. See issue https://github.com/miekg/coredns/issues/211.

TODO(miek): think about key rollovers.

dnssec [zones... ] {
    key file [key...]
}
  • key file indicates that key file(s) should be read from disk. When multiple keys are specified, RRsets will be signed with all keys. Generating a key can be done with dnssec-keygen: dnssec-keygen -a ECDSAP256SHA256 <zonename>. A key created for zone A can be safely used for zone B.

Examples