Affected by 
README
¶
dnssec
Name
dnssec - enables on-the-fly DNSSEC signing of served data.
Description
With dnssec, any reply that doesn't (or can't) do DNSSEC will get signed on the fly. Authenticated denial of existence is implemented with NSEC black lies. Using ECDSA as an algorithm is preferred as this leads to smaller signatures (compared to RSA). NSEC3 is not supported.
This plugin can only be used once per Server Block.
Syntax
dnssec [ZONES... ] {
key file|aws_secretsmanager KEY...
cache_capacity CAPACITY
}
The signing behavior depends on the keys specified. If multiple keys are specified of which there is at least one key with the SEP bit set and at least one key with the SEP bit unset, signing will happen in split ZSK/KSK mode. DNSKEY records will be signed with all keys that have the SEP bit set. All other records will be signed with all keys that do not have the SEP bit set.
In any other case, each specified key will be treated as a CSK (common signing key), forgoing the ZSK/KSK split. All signing operations are done online. Authenticated denial of existence is implemented with NSEC black lies. Using ECDSA as an algorithm is preferred as this leads to smaller signatures (compared to RSA). NSEC3 is not supported.
As the dnssec plugin can't see the original TTL of the RRSets it signs, it will always use 3600s as the value.
If multiple dnssec plugins are specified in the same zone, the last one specified will be used.
-
ZONES zones that should be signed. If empty, the zones from the configuration block are used.
-
key fileindicates that KEY file(s) should be read from disk. When multiple keys are specified, RRsets will be signed with all keys. Generating a key can be done withdnssec-keygen:dnssec-keygen -a ECDSAP256SHA256 <zonename>. A key created for zone A can be safely used for zone B. The name of the key file can be specified in one of the following formats- basename of the generated key
Kexample.org+013+45330 - generated public key
Kexample.org+013+45330.key - generated private key
Kexample.org+013+45330.private
- basename of the generated key
-
key aws_secretsmanagerindicates that KEY secret(s) should be read from AWS Secrets Manager. Secret names or ARNs may be used. After generating the keys as described in thekey filesection, you can store them in AWS Secrets Manager using the following AWS CLI v2 command:aws secretsmanager create-secret --name "Kexample.org.+013+45330" \ --description "DNSSEC keys for example.org" \ --secret-string "$(jq -n --arg key "$(cat Kexample.org.+013+45330.key)" \ --arg private "$(cat Kexample.org.+013+45330.private)" \ '{key: $key, private: $private}')"This command reads the contents of the
.keyand.privatefiles, constructs a JSON object, and stores it as a new secret in AWS Secrets Manager with the specified name and description. CoreDNS will then fetch the key data from AWS Secrets Manager when using thekey aws_secretsmanagerdirective.AWS SDK for Go V2 is used for authentication with AWS Secrets Manager. Make sure the provided AWS credentials have the necessary permissions (e.g.,
secretsmanager:GetSecretValue) to access the specified secrets in AWS Secrets Manager. -
cache_capacityindicates the capacity of the cache. The dnssec plugin uses a cache to store RRSIGs. The default for CAPACITY is 10000.
Metrics
If monitoring is enabled (via the prometheus plugin) then the following metrics are exported:
coredns_dnssec_cache_entries{server, type}- total elements in the cache, type is "signature".coredns_dnssec_cache_hits_total{server}- Counter of cache hits.coredns_dnssec_cache_misses_total{server}- Counter of cache misses.
The label server indicated the server handling the request, see the metrics plugin for details.
Examples
Sign responses for example.org with the key "Kexample.org.+013+45330.key".
example.org {
dnssec {
key file Kexample.org.+013+45330
}
whoami
}
Sign responses for example.org with the key stored in AWS Secrets Manager under the secret name
"Kexample.org.+013+45330".
example.org {
dnssec {
key aws_secretsmanager Kexample.org.+013+45330
}
whoami
}
Sign responses for a kubernetes zone with the key "Kcluster.local+013+45129.key".
cluster.local {
kubernetes
dnssec {
key file Kcluster.local+013+45129
}
}
Documentation
¶
Overview ¶
Package dnssec implements a plugin that signs responses on-the-fly using NSEC black lies.
Index ¶
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type DNSKEY ¶
DNSKEY holds a DNSSEC public and private key used for on-the-fly signing.
func ParseKeyFile ¶
ParseKeyFile read a DNSSEC keyfile as generated by dnssec-keygen or other utilities. It adds ".key" for the public key and ".private" for the private key.
func ParseKeyFromAWSSecretsManager ¶ added in v1.11.4
ParseKeyFromAWSSecretsManager retrieves and parses a DNSSEC key pair from AWS Secrets Manager.
type Dnssec ¶
Dnssec signs the reply on-the-fly.
func New ¶
func New(zones []string, keys []*DNSKEY, splitkeys bool, next plugin.Handler, c *cache.Cache) Dnssec
New returns a new Dnssec.
func (Dnssec) Sign ¶
Sign signs the message in state. it takes care of negative or nodata responses. It uses NSEC black lies for authenticated denial of existence. For delegations it will insert DS records and sign those. Signatures will be cached for a short while. By default we sign for 8 days, starting 3 hours ago.
type ResponseWriter ¶
type ResponseWriter struct {
dns.ResponseWriter
// contains filtered or unexported fields
}
ResponseWriter signs the response on the fly.
type SecretKeyData ¶ added in v1.11.4
SecretKeyData represents the structure of the DNS keys stored in AWS Secrets Manager.
Source Files