![]() |
![]()
| ![]() |
![]()
NAMEdnssec - enables on-the-fly DNSSEC signing of served data.DESCRIPTIONWith dnssec, any reply that doesn't (or can't) do DNSSEC will get signed on the fly. Authenticated denial of existence is implemented with NSEC black lies. Using ECDSA as an algorithm is preferred as this leads to smaller signatures (compared to RSA). NSEC3 is not supported.This plugin can only be used once per Server Block. SYNTAXdnssec [ZONES... ] { key file KEY... cache_capacity CAPACITY } The signing behavior depends on the keys specified. If multiple keys are specified of which there is at least one key with the SEP bit set and at least one key with the SEP bit unset, signing will happen in split ZSK/KSK mode. DNSKEY records will be signed with all keys that have the SEP bit set. All other records will be signed with all keys that do not have the SEP bit set. In any other case, each specified key will be treated as a CSK (common signing key), forgoing the ZSK/KSK split. All signing operations are done online. Authenticated denial of existence is implemented with NSEC black lies. Using ECDSA as an algorithm is preferred as this leads to smaller signatures (compared to RSA). NSEC3 is not supported. If multiple dnssec plugins are specified in the same zone, the last one specified will be used (See bugs ⟨#bugs⟩).
METRICSIf monitoring is enabled (via the prometheus plugin) then the following metrics are exported:
The label server indicated the server handling the request, see the metrics plugin for details. EXAMPLESSign responses for example.org with the key "Kexample.org.+013+45330.key".example.org { dnssec { key file Kexample.org.+013+45330 } whoami } Sign responses for a kubernetes zone with the key "Kcluster.local+013+45129.key". cluster.local { kubernetes dnssec { key file Kcluster.local+013+45129 } }
|