Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Sign in / Register
Toggle navigation
C
Coredns
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Locked Files
Issues
0
Issues
0
List
Boards
Labels
Service Desk
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Security & Compliance
Security & Compliance
Dependency List
License Compliance
Packages
Packages
List
Container Registry
Analytics
Analytics
CI / CD
Code Review
Insights
Issues
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
Railgun
Coredns
Commits
ed6eb571
Commit
ed6eb571
authored
Jul 03, 2022
by
coredns[bot]
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
auto make -f Makefile.doc
Signed-off-by:
coredns[bot]
<
bot@bot.coredns.io
>
parent
c4d02442
Changes
1
Hide whitespace changes
Inline
Side-by-side
Showing
1 changed file
with
150 additions
and
0 deletions
+150
-0
man/coredns-tsig.7
man/coredns-tsig.7
+150
-0
No files found.
man/coredns-tsig.7
0 → 100644
View file @
ed6eb571
.\" Generated by Mmark Markdown Processer - mmark.miek.nl
.TH "COREDNS-TSIG" 7 "July 2022" "CoreDNS" "CoreDNS Plugins"
.SH "NAME"
.PP
\fItsig\fP - validate TSIG requests and sign responses.
.SH "DESCRIPTION"
.PP
With \fItsig\fP, you can define a set of TSIG secret keys for validating incoming TSIG requests and signing
responses. It can also require TSIG for certain query types, refusing requests that do not comply.
.SH "SYNTAX"
.PP
.RS
.nf
tsig [ZONE...] {
secret NAME KEY
secrets FILE
require [QTYPE...]
}
.fi
.RE
.IP \(bu 4
\fBZONE\fP - the zones \fItsig\fP will TSIG. By default, the zones from the server block are used.
.IP \(bu 4
\fB\fCsecret\fR \fBNAME\fP \fBKEY\fP - specifies a TSIG secret for \fBNAME\fP with \fBKEY\fP. Use this option more than once
to define multiple secrets. Secrets are global to the server instance, not just for the enclosing \fBZONE\fP.
.IP \(bu 4
\fB\fCsecrets\fR \fBFILE\fP - same as \fB\fCsecret\fR, but load the secrets from a file. The file may define any number
of unique keys, each in the following \fB\fCnamed.conf\fR format:
.PP
.RS
.nf
key "example." {
secret "X28hl0BOfAL5G0jsmJWSacrwn7YRm2f6U5brnzwWEus=";
};
.fi
.RE
Each key may also specify an \fB\fCalgorithm\fR e.g. \fB\fCalgorithm hmac-sha256;\fR, but this is currently ignored by the plugin.
.RS
.IP \(en 4
\fB\fCrequire\fR \fBQTYPE...\fP - the query types that must be TSIG'd. Requests of the specified types
will be \fB\fCREFUSED\fR if they are not signed.\fB\fCrequire all\fR will require requests of all types to be
signed. \fB\fCrequire none\fR will not require requests any types to be signed. Default behavior is to not require.
.RE
.SH "EXAMPLES"
.PP
Require TSIG signed transactions for transfer requests to \fB\fCexample.zone\fR.
.PP
.RS
.nf
example.zone {
tsig {
secret example.zone.key. NoTCJU+DMqFWywaPyxSijrDEA/eC3nK0xi3AMEZuPVk=
require AXFR IXFR
}
transfer {
to *
}
}
.fi
.RE
.PP
Require TSIG signed transactions for all requests to \fB\fCauth.zone\fR.
.PP
.RS
.nf
auth.zone {
tsig {
secret auth.zone.key. NoTCJU+DMqFWywaPyxSijrDEA/eC3nK0xi3AMEZuPVk=
require all
}
forward . 10.1.0.2
}
.fi
.RE
.SH "BUGS"
.SS "ZONE TRANSFER NOTIFIES"
.PP
With the transfer plugin, zone transfer notifications from CoreDNS are not TSIG signed.
.SS "SPECIAL CONSIDERATIONS FOR FORWARDING SERVERS (RFC 8945 5.5)"
.PP
https://datatracker.ietf.org/doc/html/rfc8945#section-5.5
\[la]https://datatracker.ietf.org/doc/html/rfc8945#section-5.5\[ra]
.PP
CoreDNS does not implement this section as follows ...
.IP \(bu 4
RFC requirement:
> If the name on the TSIG is not
of a secret that the server shares with the originator, the server
MUST forward the message unchanged including the TSIG.
.PP
CoreDNS behavior:
If ths zone of the request matches the \fItsig\fP plugin zones, then the TSIG record
is always stripped. But even when the \fItsig\fP plugin is not involved, the \fIforward\fP plugin
may alter the message with compression, which would cause validation failure
at the destination.
.IP \(bu 4
RFC requirement:
> If the TSIG passes all checks, the forwarding
server MUST, if possible, include a TSIG of its own to the
destination or the next forwarder.
.PP
CoreDNS behavior:
If ths zone of the request matches the \fItsig\fP plugin zones, \fIforward\fP plugin will
proxy the request upstream without TSIG.
.IP \(bu 4
RFC requirement:
> If no transaction security is
available to the destination and the message is a query, and if the
corresponding response has the AD flag (see RFC4035) set, the
forwarder MUST clear the AD flag before adding the TSIG to the
response and returning the result to the system from which it
received the query.
.PP
CoreDNS behavior:
The AD flag is not cleared.
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment