e9eda7e7c8
* cache: add sharded cache implementation Add Cache impl and a few tests. This cache is 256-way sharded, mainly so each shard has it's own lock. The main cache structure is a readonly jump plane into the right shard. This should remove the single lock contention on the main lock and provide more concurrent throughput - Obviously this hasn't been tested or measured. The key into the cache was made a uint32 (hash.fnv) and the hashing op is not using strings.ToLower anymore remove any GC in that code path. * here too * Minimum shard size * typos * blurp * small cleanups no defer * typo * Add freq based on Johns idea * cherry-pick conflict resolv * typo * update from early code review from john * add prefetch to the cache * mw/cache: add prefetch * remove println * remove comment * Fix tests * Test prefetch in setup * Add start of cache * try add diff cache options * Add hacky testcase * not needed * allow the use of a percentage for prefetch If the TTL falls below xx% do a prefetch, if the record was popular. Some other fixes and correctly prefetch only popular records. |
||
|---|---|---|
| .. | ||
| black_lies.go | ||
| black_lies_test.go | ||
| cache.go | ||
| cache_test.go | ||
| dnskey.go | ||
| dnssec.go | ||
| dnssec_test.go | ||
| handler.go | ||
| handler_test.go | ||
| README.md | ||
| responsewriter.go | ||
| rrsig.go | ||
| setup.go | ||
| setup_test.go | ||
dnssec
dnssec enables on-the-fly DNSSEC signing of served data.
Syntax
dnssec [ZONES...]
- ZONES zones that should be signed. If empty, the zones from the configuration block are used.
If keys are not specified (see below), a key is generated and used for all signing operations. The DNSSEC signing will treat this key a CSK (common signing key), forgoing the ZSK/KSK split. All signing operations are done online. Authenticated denial of existence is implemented with NSEC black lies. Using ECDSA as an algorithm is preferred as this leads to smaller signatures (compared to RSA). NSEC3 is not supported.
A single signing key can be specified by using the key directive.
NOTE: Key generation has not been implemented yet.
TODO(miek): think about key rollovers, and how to do them automatically.
dnssec [ZONES... ] {
key file KEY...
cache_capacity CAPACITY
}
-
key fileindicates that key file(s) should be read from disk. When multiple keys are specified, RRsets will be signed with all keys. Generating a key can be done withdnssec-keygen:dnssec-keygen -a ECDSAP256SHA256 <zonename>. A key created for zone A can be safely used for zone B. -
cache_capacityindicates the capacity of the LRU cache. The dnssec middleware uses LRU cache to manage objects and the default capacity is 10000.
Metrics
If monitoring is enabled (via the prometheus directive) then the following metrics are exported:
- coredns_dnssec_cache_size{type} - total elements in the cache, type is "signature".
- coredns_dnssec_cache_capacity{type} - total capacity of the cache, type is "signature".
- coredns_dnssec_cache_hits_total - Counter of cache hits.
- coredns_dnssec_cache_misses_total - Counter of cache misses.