# Signing in CoreDNS
I'm pondering adding a new [plugin](https://coredns.io/plugins) to CoreDNS that automatically
signs DNS zones.

This new plugin will be called [*sign*](https://github.com/coredns/coredns/pull/2949). I tried to
prototype the README.md in that PR, as I like to start with the documentation when designing something
new. It will do the bare minimum to give you "good DNSSEC" and will not implement key rollovers, nor
the KSK/ZSK split. It will, however, add CDS records to your zone for easier interaction with your
parent zone. Sign with a CSK, and use a proper new algorithm like ECDSA.

I want this so I can ditch my current solution:
~~~
# crontab -l
13 4 * * * /etc/coredns/zones/signzones /etc/coredns/zones
~~~

Currently its Corefile syntax will be something like this:

~~~
sign DBFILE [ZONES...] {
    keys KEYDIR
    directory DIR
}
~~~

Where **DBFILE** will be signed with the keys in **KEYDIR** and be written to **DIR** (I wonder if
we need a directory or just an output file).

Moving to this setup for my zones will require a key rollover, which will be fun to perform. My [DNS
library](https://github.com/miekg/dns) will do most of the heavy lifting, but this will be fun to
implement.

We also need a small utility that creates keys
[`coredns-keygen`](https://github.com/coredns/coredns/issues/2950) which should be a good thing for
a newcomer to write.