dnssec

package
Published: May 23, 2026 License: Apache-2.0 Imports: 9 Imported by: 0

Documentation

Overview

Package dnssec provides DNSSEC keypair management and RRSIG generation for zonegit zones. v0.6 ships Ed25519 only (RFC 8080, DNSSEC algorithm 15), which has the smallest keys (32 bytes) and signatures (64 bytes) of the standardized DNSSEC algorithms and no parameters to get wrong. Before enabling it on a zone, confirm that the parent (registry or registrar) accepts DS records for algorithm 15; a validator that does not implement the algorithm treats the zone as insecure rather than bogus, so an old validator degrades to "unsigned", not to resolution failure. Adding RSA or ECDSA later is a matter of plumbing additional Algorithm cases through the same surfaces (key generation, key file marshalling, RRSIG.Sign).

Key material lives in a "keys directory" — by default <repo>/keys/ — as four files per zone:

<zone>.ksk.key   Ed25519 private key, base64    (mode 0600)
<zone>.ksk.pub   Ed25519 public  key, base64    (mode 0644)
<zone>.zsk.key   Ed25519 private key, base64    (mode 0600)
<zone>.zsk.pub   Ed25519 public  key, base64    (mode 0644)

The on-disk format is the same one pkg/sign uses for commit-signing keys, so operators will be able to reuse the same KMS adapters when v0.7 adds remote-key support. The .key files are secrets: keep them out of the commits and backups that carry the zone data itself.

Index

Constants

const Algorithm = dns.ED25519

Algorithm 15 — Ed25519. The only algorithm v0.6 supports.

Variables

This section is empty.

Functions

func HasKeys

func HasKeys(dir, zone string) bool

HasKeys reports whether a key bundle exists for zone in dir.

func SignRRset

func SignRRset(rrs []dns.RR, zone string, key Keypair, isKSK bool, inception, expiration uint32) (*dns.RRSIG, error)

SignRRset returns an RRSIG covering rrs, signed by key. Use the KSK only for the DNSKEY RRset; the ZSK signs everything else.

inception and expiration are 32-bit Unix timestamps, which RRSIG compares using RFC 1982 serial arithmetic (so they wrap in 2106). A typical validity window is 7–30 days; callers passing zero get a 30-day default starting now. Callers that compute their own window should back-date inception by at least a few minutes so validators with slightly slow clocks do not reject a fresh signature, and must re-sign well before expiration, since an expired RRSIG makes the RRset bogus, not merely unsigned.

func VerifyRRset

func VerifyRRset(sig *dns.RRSIG, key Keypair, rrs []dns.RR) error

VerifyRRset is a convenience wrapper around (*dns.RRSIG).Verify for callers (mainly tests) that want to confirm an RRSIG validates against key. It checks the signature only: it does not check the inception/expiration window, and it does not establish that key is trusted through the parent's DS record.
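The following is an added example, not code from zonegit or its dnssec package: a self-contained, standard-library Go implementation of what SignRRset and VerifyRRset do underneath, written against RFC 4034 and RFC 8080 so it runs without the miekg/dns dependency. It builds the DNSKEY RDATA and key tag, canonicalises and sorts the RRset, signs the RRSIG-RDATA-plus-RRs octet string with Ed25519, enforces the KSK-for-DNSKEY-only rule from the text, and checks the validity window with serial arithmetic. The type and function names (rr, rrsig, signRRset, verifyRRset, validAt), the one-hour back-dating of the default window and the wildcard-free name handling are this example's own choices, not the package's API.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
	"sort"
	"strings"
	"time"
)

// Added example, not zonegit code: a minimal RFC 4034 RRSIG signer/verifier for
// Ed25519 (DNSSEC algorithm 15, RFC 8080). Assumes rrs is one RRset (same owner and type).
const algEd25519, typeDNSKEY, classIN = 15, 48, 1 // DNSSEC algorithm, RR type, class
const flagsZSK, flagsKSK = 256, 257                // DNSKEY flags: ZONE, ZONE|SEP
type rr struct {
	owner  string
	rrtype uint16
	ttl    uint32
	rdata  []byte
}

type rrsig struct {
	typeCovered, keyTag            uint16
	labels                         uint8
	origTTL, expiration, inception uint32
	signer                         string
	signature                      []byte
}

func be16(b []byte, v uint16) []byte { return append(b, byte(v>>8), byte(v)) }
func be32(b []byte, v uint32) []byte { return be16(be16(b, uint16(v>>16)), uint16(v)) }

// wireName: canonical lowercase uncompressed wire form (RFC 4034 section 6.2) plus the
// label count for the RRSIG Labels field. Assumes a valid, non-wildcard absolute name.
func wireName(name string) (wire []byte, labels uint8) {
	for _, l := range strings.Split(strings.ToLower(strings.TrimSuffix(name, ".")), ".") {
		if l != "" {
			wire, labels = append(append(wire, byte(len(l))), l...), labels+1
		}
	}
	return append(wire, 0), labels
}

// dnskeyRDATA: flags, protocol 3, algorithm, then the raw 32-byte public key (RFC 8080).
func dnskeyRDATA(flags uint16, pub ed25519.PublicKey) []byte {
	return append(append(be16(nil, flags), 3, algEd25519), pub...)
}

// keyTag is the RFC 4034 Appendix B checksum: even octets weigh 256, odd 1, carry folded in.
func keyTag(rdata []byte) uint16 {
	var ac uint32
	for i, b := range rdata {
		ac += uint32(b) << (8 * uint(1-i&1))
	}
	return uint16((ac + ac>>16) & 0xFFFF)
}

// signedData is what Ed25519 signs: RRSIG RDATA minus the signature, then each RR as
// owner|type|class|original TTL|RDLENGTH|RDATA, sorted by RDATA (RFC 4034 3.1.8.1, 6.3).
func signedData(s rrsig, rrs []rr) []byte {
	b := append(be16(nil, s.typeCovered), algEd25519, s.labels)
	b = be16(be32(be32(be32(b, s.origTTL), s.expiration), s.inception), s.keyTag)
	signer, _ := wireName(s.signer)
	b = append(b, signer...)
	sorted := append([]rr(nil), rrs...)
	sort.Slice(sorted, func(i, j int) bool { return string(sorted[i].rdata) < string(sorted[j].rdata) })
	for _, r := range sorted {
		name, _ := wireName(r.owner)
		b = be16(be32(be16(be16(append(b, name...), r.rrtype), classIN), s.origTTL), uint16(len(r.rdata)))
		b = append(b, r.rdata...)
	}
	return b
}

// signRRset applies the KSK/ZSK rule from the text (flags 257 signs only DNSKEY, 256 the
// rest). Zero inception and expiration select 30 days, back-dated an hour for validator clock skew.
func signRRset(rrs []rr, signer string, flags uint16, priv ed25519.PrivateKey, inception, expiration uint32) (rrsig, error) {
	if len(rrs) == 0 {
		return rrsig{}, fmt.Errorf("empty RRset")
	}
	if (flags == flagsKSK) != (rrs[0].rrtype == typeDNSKEY) {
		return rrsig{}, fmt.Errorf("KSK signs only DNSKEY; ZSK signs everything else")
	}
	if inception == 0 && expiration == 0 {
		now := time.Now()
		inception, expiration = uint32(now.Add(-time.Hour).Unix()), uint32(now.Add(30*24*time.Hour).Unix())
	}
	_, labels := wireName(rrs[0].owner)
	s := rrsig{typeCovered: rrs[0].rrtype, labels: labels, origTTL: rrs[0].ttl, expiration: expiration,
		inception: inception, signer: signer, keyTag: keyTag(dnskeyRDATA(flags, priv.Public().(ed25519.PublicKey)))}
	s.signature = ed25519.Sign(priv, signedData(s, rrs))
	return s, nil
}

func verifyRRset(s rrsig, pub ed25519.PublicKey, rrs []rr) bool {
	return ed25519.Verify(pub, signedData(s, rrs), s.signature)
}

// validAt uses RFC 1982 serial arithmetic on the 32-bit timestamps (RFC 4034 section 3.1.5); a bare signature check does not do this.
func serialLE(a, b uint32) bool { return a == b || int32(b-a) > 0 }
func (s rrsig) validAt(now uint32) bool { return serialLE(s.inception, now) && serialLE(now, s.expiration) }
```

verifyRRset, like the wrapper above, checks only the signature; a resolver additionally checks validAt and that the RRSIG's key tag and signer name lead to a DNSKEY it trusts through the DS chain.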

Types

type Keypair

type Keypair struct {
	Public  ed25519.PublicKey
	Private ed25519.PrivateKey
}

Keypair holds one DNSSEC key (KSK or ZSK).

type ZoneKeys

type ZoneKeys struct {
	KSK Keypair
	ZSK Keypair
}

ZoneKeys holds both keys for a zone. By DNSSEC convention the KSK signs only the DNSKEY RRset and the ZSK signs everything else. Splitting the two lets operators rotate the ZSK frequently, with no parent interaction, while the KSK stays pinned by the parent zone's DS record and changes only on a coordinated KSK rollover.

func Generate

func Generate() (*ZoneKeys, error)

Generate returns a freshly minted KSK+ZSK pair.

func LoadFromDir

func LoadFromDir(dir, zone string) (*ZoneKeys, error)

LoadFromDir reads zone keys previously written by WriteToDir.

func (*ZoneKeys) DNSKEYs

func (zk *ZoneKeys) DNSKEYs(zone string, ttl uint32) (ksk, zsk *dns.DNSKEY)

DNSKEYs returns the (KSK, ZSK) DNSKEY RRs derived from the two keypairs, ready to be staged via Repo.Set. The KSK record is the one whose digest goes into the DS record published at the parent.

func (*ZoneKeys) WriteToDir

func (zk *ZoneKeys) WriteToDir(dir, zone string) error

WriteToDir persists zk to dir using the per-zone filenames above. dir is created if necessary. Existing files are overwritten without warning; callers that must not clobber a live key should check HasKeys first.
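As an added example (not the package's own code), here is a standard-library Go sketch of the four-file layout described at the top of the page, with the two checks a practitioner wants on load: a .key file that is group- or world-readable is refused, and the .pub file must match the public half embedded in the private key. It works per key role ("ksk" or "zsk") rather than on a ZoneKeys bundle, and it assumes the .key file holds the full 64-byte ed25519.PrivateKey as base64 with a trailing newline; the real on-disk encoding may differ in detail. The function names (keyFile, hasKeys, writeKey, writeKeypair, readKey, loadKeypair) are the example's own.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"encoding/base64"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// Added example, not zonegit code: one keypair of the four-file layout above
// (<zone>.<role>.key / .pub, role "ksk" or "zsk"). Assumed: .key holds the full
// 64-byte ed25519.PrivateKey in base64; modes are checked on load, not only set on write.
type keypair struct {
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func keyFile(dir, zone, role, ext string) string { return filepath.Join(dir, zone+"."+role+"."+ext) }

// hasKeys reports whether all four files for zone exist in dir.
func hasKeys(dir, zone string) bool {
	for _, name := range []string{"ksk.key", "ksk.pub", "zsk.key", "zsk.pub"} {
		if _, err := os.Stat(filepath.Join(dir, zone+"."+name)); err != nil {
			return false
		}
	}
	return true
}

// writeKey stores base64 with an explicit mode. os.WriteFile applies the mode only
// when it creates the file, so the chmod matters when an existing key is overwritten.
func writeKey(path string, raw []byte, mode os.FileMode) error {
	if err := os.WriteFile(path, []byte(base64.StdEncoding.EncodeToString(raw)+"\n"), mode); err != nil {
		return err
	}
	return os.Chmod(path, mode)
}

// writeKeypair creates dir if needed and overwrites any existing files, as WriteToDir does.
func writeKeypair(dir, zone, role string, kp keypair) error {
	if err := os.MkdirAll(dir, 0o700); err != nil {
		return err
	}
	if err := writeKey(keyFile(dir, zone, role, "key"), kp.priv, 0o600); err != nil {
		return err
	}
	return writeKey(keyFile(dir, zone, role, "pub"), kp.pub, 0o644)
}

// readKey decodes one file and refuses a private key that group or others can read.
func readKey(path string, private bool) ([]byte, error) {
	fi, err := os.Stat(path)
	if err != nil {
		return nil, err
	}
	if private && fi.Mode().Perm()&0o077 != 0 {
		return nil, fmt.Errorf("%s: mode %04o exposes a private key", path, fi.Mode().Perm())
	}
	data, err := os.ReadFile(path)
	if err != nil {
		return nil, err
	}
	return base64.StdEncoding.DecodeString(strings.TrimSpace(string(data)))
}

// loadKeypair trusts the public half embedded in the private key and requires the
// world-readable .pub file to agree with it, so a swapped or edited .pub is caught.
func loadKeypair(dir, zone, role string) (keypair, error) {
	priv, err := readKey(keyFile(dir, zone, role, "key"), true)
	if err != nil {
		return keypair{}, err
	}
	pub, err := readKey(keyFile(dir, zone, role, "pub"), false)
	if err != nil {
		return keypair{}, err
	}
	if len(priv) != ed25519.PrivateKeySize || !bytes.Equal(ed25519.PrivateKey(priv).Public().(ed25519.PublicKey), pub) {
		return keypair{}, fmt.Errorf("%s.%s: malformed private key or mismatched .pub", zone, role)
	}
	return keypair{pub: pub, priv: priv}, nil
}
```

The os.Chmod after os.WriteFile is the overwrite caveat from WriteToDir in code form: WriteFile honours the mode only when it creates the file, so re-writing a key whose mode had been loosened would otherwise leave it loosened.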
