Skip to content

C
Coredns
Commit 3a96d1ab authored by Brad Beam's avatar Brad Beam Committed by Miek Gieben
Browse files
Options

Cleaning up dnssec docs (#1016)

parent 4b14243e
Hide whitespace changes
Inline Side-by-side
Showing with 31 additions and 19 deletions
middleware/dnssec/README.md
View file @ 3a96d1ab
...@@ -4,23 +4,6 @@ ...@@ -4,23 +4,6 @@
## Syntax ## Syntax
~~~
dnssec [ZONES...]
~~~
* **ZONES** zones that should be signed. If empty, the zones from the configuration block
are used.
If keys are not specified (see below), a key is generated and used for all signing operations. The
DNSSEC signing will treat this key a CSK (common signing key), forgoing the ZSK/KSK split. All
signing operations are done online. Authenticated denial of existence is implemented with NSEC black
lies. Using ECDSA as an algorithm is preferred as this leads to smaller signatures (compared to
RSA). NSEC3 is *not* supported.
A single signing key can be specified by using the `key` directive.
NOTE: Key generation has not been implemented yet.
~~~ ~~~
dnssec [ZONES... ] { dnssec [ZONES... ] {
key file KEY... key file KEY...
...@@ -28,9 +11,27 @@ dnssec [ZONES... ] { ...@@ -28,9 +11,27 @@ dnssec [ZONES... ] {
} }
~~~ ~~~
The specified key is used for all signing operations. The DNSSEC signing will treat this key a
CSK (common signing key), forgoing the ZSK/KSK split. All signing operations are done online.
Authenticated denial of existence is implemented with NSEC black lies. Using ECDSA as an algorithm
is preferred as this leads to smaller signatures (compared to RSA). NSEC3 is *not* supported.
If multiple *dnssec* middlewares are specified in the same zone, the last one specified will be
used ( see [bugs](#bugs) ).
* `ZONES` zones that should be signed. If empty, the zones from the configuration block
are used.
* `key file` indicates that key file(s) should be read from disk. When multiple keys are specified, RRsets * `key file` indicates that key file(s) should be read from disk. When multiple keys are specified, RRsets
will be signed with all keys. Generating a key can be done with `dnssec-keygen`: `dnssec-keygen -a will be signed with all keys. Generating a key can be done with `dnssec-keygen`: `dnssec-keygen -a
ECDSAP256SHA256 <zonename>`. A key created for zone *A* can be safely used for zone *B*. ECDSAP256SHA256 <zonename>`. A key created for zone *A* can be safely used for zone *B*. The name of the
key file can be specified as one of the following formats
* basename of the generated key `Kexample.org+013+45330`
* generated public key `Kexample.org+013+45330.key`
* generated private key `Kexample.org+013+45330.private`
* `cache_capacity` indicates the capacity of the cache. The dnssec middleware uses a cache to store * `cache_capacity` indicates the capacity of the cache. The dnssec middleware uses a cache to store
RRSIGs. The default capacity is 10000. RRSIGs. The default capacity is 10000.
...@@ -51,12 +52,23 @@ Sign responses for `example.org` with the key "Kexample.org.+013+45330.key". ...@@ -51,12 +52,23 @@ Sign responses for `example.org` with the key "Kexample.org.+013+45330.key".
~~~ ~~~
example.org:53 { example.org:53 {
dnssec { dnssec {
key file /etc/coredns/Kexample.org.+013+45330.key key file /etc/coredns/Kexample.org.+013+45330
} }
whoami whoami
} }
~~~ ~~~
Sign responses for a kubernetes zone with the key "Kcluster.local+013+45129.key".
~~~
cluster.local:53 {
kubernetes cluster.local
dnssec cluster.local {
key file /etc/coredns/Kcluster.local+013+45129
}
}
~~~
## Bugs ## Bugs
Multiple *dnssec* middlewares inside one server stanza will silently overwrite earlier ones, here Multiple *dnssec* middlewares inside one server stanza will silently overwrite earlier ones, here
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment