diff options
| author |  Miek Gieben <miek@miek.nl>
| 2019-12-06 19:54:31 +0000 |
|---|---|---|
| committer |  GitHub <noreply@github.com>
| 2019-12-06 19:54:31 +0000 |
| commit | a53321d9d6bdc80cc4aa88982f401ef2e3267e34 (patch) | |
| tree | 92d2917113a570c43e1635fcc4a308bae234c569 /plugin.cfg | |
| parent | 799dce4bffeb6d40b5b15cca47f34d4a7d24e6d3 (diff) | |
| download | coredns-a53321d9d6bdc80cc4aa88982f401ef2e3267e34.tar.gz coredns-a53321d9d6bdc80cc4aa88982f401ef2e3267e34.tar.zst coredns-a53321d9d6bdc80cc4aa88982f401ef2e3267e34.zip | |
plugin/sign: fix signing of authoritative data (#3479)
Don't sign data we are not authoritative for. This adds an AuthWalk
which skips names we should not authoritative for. Adds a few tests to
check this is the case. Generates zones have been compared to
dnssec-signzone.
A number of changes have been made:
* don't add DS records to the apex
* NSEC TTL is the SOA's minttl value (copying bind9)
* Various cleanups
* signer struct was cleaned up: doesn't need ttl, nor expiration or
inception.
* plugin/sign: remove apex stuff from names()
This is never used because we will always have other types in the
apex, because we *ADD* them ourselves, before we sign (DNSKEY, CDS and
CDNSKEY).
Signed-off-by: Miek Gieben <miek@miek.nl>
Co-Authored-By: Chris O'Haver <cohaver@infoblox.com>
Diffstat (limited to 'plugin.cfg')
0 files changed, 0 insertions, 0 deletions