Signing in CoreDNS

July 1, 2019


I’m pondering adding a new plugin to CoreDNS that automatically signs DNS zones.

This new plugin will be called sign. I tried to prototype the in that PR, as I like to start with the documentation when designing something new. It will do the bare minimum to give you “good DNSSEC” and will not implement key rollovers, nor the KSK/ZSK split. It will, however, add CDS records to your zone for easier interaction with your parent zone. Sign with a CSK, and use a proper new algorithm like ECDSA.

I want this, so I can ditch my current solution:

# crontab -l
13 4 * * * /etc/coredns/zones/signzones /etc/coredns/zones

Current its Corefile syntax will be something, like this:

sign DBFILE [ZONES...] {
    keys KEYDIR
    directory DIR

Where DBFILE will be signed with the keys in KEYDIR and be written to DIR (I wonder if we need a directory or just an output file).

Moving to this setup for my zones will require a key rollover, which will be fun to perform. My DNS library will do most of the heavy lifting, but this will be fun to implement.

We also need a small utility that creates keys coredns-keygen which should be a good thing for a newcomer to write.