dnssec

package
v0.0.0-...-0c57748 Latest
Warning

This package is not in the latest version of its module.

Published: Aug 27, 2016 License: Apache-2.0 Imports: 18 Imported by: 0

README

dnssec

dnssec enables on-the-fly DNSSEC signing of served data.

Syntax

dnssec [zones...]
  • zones: the zones that should be signed. If empty, the zones from the configuration block are used.

If keys are not specified (see below), a key is generated and used for all signing operations. The DNSSEC signing will treat this key as a CSK (common signing key), forgoing the ZSK/KSK split. All signing operations are done online. Authenticated denial of existence is implemented with NSEC black lies. Using ECDSA as the algorithm is preferred, as this leads to smaller signatures (compared to RSA).

A signing key can be specified by using the key directive.

WARNING: when a key is generated there is currently no way to extract any key material from CoreDNS, as this key only lives in memory. See issue https://github.com/miekg/coredns/issues/211.

TODO(miek): think about key rollovers.

dnssec [zones... ] {
    key file [key...]
}
  • key file indicates that key file(s) should be read from disk. When multiple keys are specified, RRsets will be signed with all keys. Generating a key can be done with dnssec-keygen: dnssec-keygen -a ECDSAP256SHA256 <zonename>. A key created for zone A can be safely used for zone B.

Examples

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type DNSKEY

type DNSKEY struct {
	K *dns.DNSKEY
	// contains filtered or unexported fields
}

func ParseKeyFile

func ParseKeyFile(pubFile, privFile string) (*DNSKEY, error)

ParseKeyFile reads a DNSSEC key file as generated by dnssec-keygen or other utilities. It adds ".key" for the public key and ".private" for the private key.

func (*DNSKEY) NewRRSIG

func (k *DNSKEY) NewRRSIG(signerName string, ttl, incep, expir uint32) *dns.RRSIG

NewRRSIG returns a new RRSIG, with all fields filled out, except the signed data.

type Dnssec

type Dnssec struct {
	Next middleware.Handler
	// contains filtered or unexported fields
}

func New

func New(zones []string, keys []*DNSKEY, next middleware.Handler) Dnssec

func (Dnssec) ServeDNS

func (d Dnssec) ServeDNS(ctx context.Context, w dns.ResponseWriter, r *dns.Msg) (int, error)

ServeDNS implements the middleware.Handler interface.

func (Dnssec) Sign

func (d Dnssec) Sign(state middleware.State, zone string, now time.Time) *dns.Msg

Sign signs the message m. It takes care of negative or nodata responses. It uses NSEC black lies for authenticated denial of existence. Signatures that are created will be cached for a short while. By default we sign for 8 days, starting 3 hours ago.
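The NSEC black lies denial named in the README and the signature validity window described for Sign, as an added standard-library example (not this package's own code). The names blackLie, newBlackLie and typeBitmap are hypothetical, the `\000.` successor name and RRSIG+NSEC bitmap follow the general black lies technique, the expiration is assumed to be counted from now, and the query name and time are constructed.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

const typeRRSIG, typeNSEC uint16 = 46, 47 // RR type codes (RFC 4034)

// blackLie (hypothetical type) holds the NSEC fields for a nonexistent name.
type blackLie struct {
	Owner, Next  string
	Types        []uint16
	Incep, Expir uint32 // RRSIG validity window, seconds since the epoch
}

// newBlackLie denies qname as NODATA: the NSEC is owned by qname itself.
func newBlackLie(qname string, now time.Time) blackLie {
	return blackLie{
		Owner: qname, Next: `\000.` + qname, // next name is qname's immediate successor
		Types: []uint16{typeRRSIG, typeNSEC}, // only the records minted for the lie
		Incep: uint32(now.Add(-3 * time.Hour).Unix()),     // starting 3 hours ago
		Expir: uint32(now.Add(8 * 24 * time.Hour).Unix()), // assumption: 8 days from now
	}
}

// typeBitmap encodes RR types as NSEC window blocks (RFC 4034, section 4.1.2).
func typeBitmap(types []uint16) []byte {
	s := append([]uint16(nil), types...)
	sort.Slice(s, func(i, j int) bool { return s[i] < s[j] })
	var out []byte
	for i := 0; i < len(s); {
		window, last := byte(s[i]>>8), 0
		var bits [32]byte
		for ; i < len(s) && byte(s[i]>>8) == window; i++ {
			low := int(s[i] & 0xff)
			bits[low/8] |= byte(0x80) >> uint(low%8) // most significant bit is type 0
			last = low / 8
		}
		out = append(append(out, window, byte(last+1)), bits[:last+1]...)
	}
	return out
}

func main() {
	bl := newBlackLie("nx.example.org.", time.Date(2016, 8, 27, 12, 0, 0, 0, time.UTC)) // constructed input
	fmt.Printf("%s NSEC %s % x valid %d..%d\n", bl.Owner, bl.Next, typeBitmap(bl.Types), bl.Incep, bl.Expir)
}
```

Because the NSEC owner is the queried name, a validating resolver sees a NODATA answer rather than NXDOMAIN, and the record reveals no other names in the zone.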

type DnssecResponseWriter

type DnssecResponseWriter struct {
	dns.ResponseWriter
	// contains filtered or unexported fields
}

func NewDnssecResponseWriter

func NewDnssecResponseWriter(w dns.ResponseWriter, d Dnssec) *DnssecResponseWriter

func (*DnssecResponseWriter) Hijack

func (d *DnssecResponseWriter) Hijack()

func (*DnssecResponseWriter) Write

func (d *DnssecResponseWriter) Write(buf []byte) (int, error)

func (*DnssecResponseWriter) WriteMsg

func (d *DnssecResponseWriter) WriteMsg(res *dns.Msg) error
