dnssec

package

v0.0.0-...-d1ad60c Latest Latest Go to latest Published: Sep 12, 2016 License: Apache-2.0 Imports: 20 Imported by: 0

Details

Valid go.mod file
Redistributable license
Tagged version
Stable version
Learn more about best practices

Repository

github.com/karasz/coredns

Links

Open Source Insights

README ¶

dnssec

dnssec enables on-the-fly DNSSEC signing of served data.

Syntax

dnssec [zones...]

zones zones that should be signed. If empty, the zones from the configuration block are used.

If keys are not specified (see below), a key is generated and used for all signing operations. The DNSSEC signing will treat this key a CSK (common signing key), forgoing the ZSK/KSK split. All signing operations are done online. Authenticated denial of existence is implemented with NSEC black lies. Using ECDSA as an algorithm is preferred as this leads to smaller signatures (compared to RSA). NSEC3 is not supported.

A single signing key can be specified by using the key directive.

NOTE: Key generation has not been implemented yet.

TODO(miek): think about key rollovers, and how to do them automatically.

dnssec [zones... ] {
    key file [key...]
}

key file indicates that key file(s) should be read from disk. When multiple keys are specified, RRsets will be signed with all keys. Generating a key can be done with dnssec-keygen: dnssec-keygen -a ECDSAP256SHA256 <zonename>. A key created for zone A can be safely used for zone B.

Examples

Documentation ¶

Index ¶

type DNSKEY
- func ParseKeyFile(pubFile, privFile string) (*DNSKEY, error)
- func (k *DNSKEY) NewRRSIG(signerName string, ttl, incep, expir uint32) *dns.RRSIG
type Dnssec
- func New(zones []string, keys []*DNSKEY, next middleware.Handler) Dnssec
- func (d Dnssec) ServeDNS(ctx context.Context, w dns.ResponseWriter, r *dns.Msg) (int, error)
- func (d Dnssec) Sign(state request.Request, zone string, now time.Time) *dns.Msg
type DnssecResponseWriter
- func NewDnssecResponseWriter(w dns.ResponseWriter, d Dnssec) *DnssecResponseWriter

Constants ¶

This section is empty.

Variables ¶

This section is empty.

Functions ¶

This section is empty.

Types ¶

type DNSKEY ¶

type DNSKEY struct {
	K *dns.DNSKEY
	// contains filtered or unexported fields
}

func ParseKeyFile ¶

func ParseKeyFile(pubFile, privFile string) (*DNSKEY, error)

ParseKeyFile read a DNSSEC keyfile as generated by dnssec-keygen or other utilities. It adds ".key" for the public key and ".private" for the private key.

func (*DNSKEY) NewRRSIG ¶

func (k *DNSKEY) NewRRSIG(signerName string, ttl, incep, expir uint32) *dns.RRSIG

newRRSIG return a new RRSIG, with all fields filled out, except the signed data.

type Dnssec ¶

type Dnssec struct {
	Next middleware.Handler
	// contains filtered or unexported fields
}

func New ¶

func New(zones []string, keys []*DNSKEY, next middleware.Handler) Dnssec

func (Dnssec) ServeDNS ¶

func (d Dnssec) ServeDNS(ctx context.Context, w dns.ResponseWriter, r *dns.Msg) (int, error)

ServeDNS implements the middleware.Handler interface.

func (Dnssec) Sign ¶

func (d Dnssec) Sign(state request.Request, zone string, now time.Time) *dns.Msg

Sign signs the message in state. it takes care of negative or nodata responses. It uses NSEC black lies for authenticated denial of existence. Signatures creates will be cached for a short while. By default we sign for 8 days, starting 3 hours ago.

type DnssecResponseWriter ¶

type DnssecResponseWriter struct {
	dns.ResponseWriter
	// contains filtered or unexported fields
}

func NewDnssecResponseWriter ¶

func NewDnssecResponseWriter(w dns.ResponseWriter, d Dnssec) *DnssecResponseWriter

func (*DnssecResponseWriter) Hijack ¶

func (d *DnssecResponseWriter) Hijack()

func (*DnssecResponseWriter) Write ¶

func (d *DnssecResponseWriter) Write(buf []byte) (int, error)

func (*DnssecResponseWriter) WriteMsg ¶

func (d *DnssecResponseWriter) WriteMsg(res *dns.Msg) error

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL