4096c4906d
* Add a setup test for middleware/file This fix adds a setup test for middleware/file so that there is a basic coverage for the Corefile processing of middleware/file. This fix is related to 308 (Will look into it). Signed-off-by: Yong Tang <yong.tang.github@outlook.com> * middleware/file: use helper function for test Fixup setup_test.go and use the test.TempFile function to make things somewhat shorter. Use clean up the use of testing.T in TempFile - it is not used. |
||
|---|---|---|
| .. | ||
| black_lies.go | ||
| black_lies_test.go | ||
| cache.go | ||
| cache_test.go | ||
| dnskey.go | ||
| dnssec.go | ||
| dnssec_test.go | ||
| handler.go | ||
| handler_test.go | ||
| README.md | ||
| responsewriter.go | ||
| rrsig.go | ||
| setup.go | ||
| setup_test.go | ||
dnssec
dnssec enables on-the-fly DNSSEC signing of served data.
Syntax
dnssec [zones...]
zoneszones that should be signed. If empty, the zones from the configuration block are used.
If keys are not specified (see below), a key is generated and used for all signing operations. The DNSSEC signing will treat this key a CSK (common signing key), forgoing the ZSK/KSK split. All signing operations are done online. Authenticated denial of existence is implemented with NSEC black lies. Using ECDSA as an algorithm is preferred as this leads to smaller signatures (compared to RSA). NSEC3 is not supported.
A single signing key can be specified by using the key directive.
NOTE: Key generation has not been implemented yet.
TODO(miek): think about key rollovers, and how to do them automatically.
dnssec [zones... ] {
key file [key...]
}
key fileindicates that key file(s) should be read from disk. When multiple keys are specified, RRsets will be signed with all keys. Generating a key can be done withdnssec-keygen:dnssec-keygen -a ECDSAP256SHA256 <zonename>. A key created for zone A can be safely used for zone B.