dnssec

package
v0.0.0-...-d8714e6 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Sep 14, 2017 License: Apache-2.0 Imports: 21 Imported by: 0

README

dnssec

dnssec enables on-the-fly DNSSEC signing of served data.

Syntax

dnssec [ZONES... ] {
    key file KEY...
    cache_capacity CAPACITY
}

The specified key is used for all signing operations. The DNSSEC signing will treat this key a CSK (common signing key), forgoing the ZSK/KSK split. All signing operations are done online. Authenticated denial of existence is implemented with NSEC black lies. Using ECDSA as an algorithm is preferred as this leads to smaller signatures (compared to RSA). NSEC3 is not supported.

If multiple dnssec plugins are specified in the same zone, the last one specified will be used ( see bugs ).

  • ZONES zones that should be signed. If empty, the zones from the configuration block are used.

  • key file indicates that key file(s) should be read from disk. When multiple keys are specified, RRsets will be signed with all keys. Generating a key can be done with dnssec-keygen: dnssec-keygen -a ECDSAP256SHA256 <zonename>. A key created for zone A can be safely used for zone B. The name of the key file can be specified as one of the following formats

    • basename of the generated key Kexample.org+013+45330

    • generated public key Kexample.org+013+45330.key

    • generated private key Kexample.org+013+45330.private

  • cache_capacity indicates the capacity of the cache. The dnssec plugin uses a cache to store RRSIGs. The default capacity is 10000.

Metrics

If monitoring is enabled (via the prometheus directive) then the following metrics are exported:

  • coredns_dnssec_cache_size{type} - total elements in the cache, type is "signature".
  • coredns_dnssec_cache_capacity{type} - total capacity of the cache, type is "signature".
  • coredns_dnssec_cache_hits_total - Counter of cache hits.
  • coredns_dnssec_cache_misses_total - Counter of cache misses.

Examples

Sign responses for example.org with the key "Kexample.org.+013+45330.key".

example.org:53 {
    dnssec {
        key file /etc/coredns/Kexample.org.+013+45330
    }
    whoami
}

Sign responses for a kubernetes zone with the key "Kcluster.local+013+45129.key".

cluster.local:53 {
    kubernetes cluster.local
    dnssec cluster.local {
      key file /etc/coredns/Kcluster.local+013+45129
    }
}

Bugs

Multiple dnssec plugins inside one server stanza will silently overwrite earlier ones, here example.local will overwrite the one for cluster.local.

.:53 {
    kubernetes cluster.local
    dnssec cluster.local {
      key file /etc/coredns/cluster.local
    }
    dnssec example.local {
      key file /etc/coredns/example.local
    }
    whoami
}

Documentation

Overview

Package dnssec implements a plugin that signs responses on-the-fly using NSEC black lies.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type DNSKEY

type DNSKEY struct {
	K *dns.DNSKEY
	// contains filtered or unexported fields
}

DNSKEY holds a DNSSEC public and private key used for on-the-fly signing.

func ParseKeyFile

func ParseKeyFile(pubFile, privFile string) (*DNSKEY, error)

ParseKeyFile read a DNSSEC keyfile as generated by dnssec-keygen or other utilities. It adds ".key" for the public key and ".private" for the private key.

type Dnssec

type Dnssec struct {
	Next plugin.Handler
	// contains filtered or unexported fields
}

Dnssec signs the reply on-the-fly.

func New

func New(zones []string, keys []*DNSKEY, next plugin.Handler, c *cache.Cache) Dnssec

New returns a new Dnssec.

func (Dnssec) Name

func (d Dnssec) Name() string

Name implements the Handler interface.

func (Dnssec) ServeDNS

func (d Dnssec) ServeDNS(ctx context.Context, w dns.ResponseWriter, r *dns.Msg) (int, error)

ServeDNS implements the plugin.Handler interface.

func (Dnssec) Sign

func (d Dnssec) Sign(state request.Request, zone string, now time.Time) *dns.Msg

Sign signs the message in state. it takes care of negative or nodata responses. It uses NSEC black lies for authenticated denial of existence. Signatures creates will be cached for a short while. By default we sign for 8 days, starting 3 hours ago.

type ResponseWriter

type ResponseWriter struct {
	dns.ResponseWriter
	// contains filtered or unexported fields
}

ResponseWriter sign the response on the fly.

func (*ResponseWriter) Hijack

func (d *ResponseWriter) Hijack()

Hijack implements the dns.ResponseWriter interface.

func (*ResponseWriter) Write

func (d *ResponseWriter) Write(buf []byte) (int, error)

Write implements the dns.ResponseWriter interface.

func (*ResponseWriter) WriteMsg

func (d *ResponseWriter) WriteMsg(res *dns.Msg) error

WriteMsg implements the dns.ResponseWriter interface.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL