Diffstat (limited to 'plugin/tls')
-rw-r--r--plugin/tls/README.md52
-rw-r--r--plugin/tls/tls.go37
-rw-r--r--plugin/tls/tls_test.go44
3 files changed, 133 insertions, 0 deletions
diff --git a/plugin/tls/README.md b/plugin/tls/README.md
new file mode 100644
index 000000000..d2a56f793
--- /dev/null
+++ b/plugin/tls/README.md
@@ -0,0 +1,52 @@
+# tls
+
+*tls* allows you to configure the server certificates for the TLS and gRPC servers.
+For other types of servers it is ignored.
+
+CoreDNS supports queries that are encrypted using TLS (DNS over Transport Layer Security, RFC 7858)
+or are using gRPC (https://grpc.io/, not an IETF standard). Normally DNS traffic isn't encrypted at
+all (DNSSEC only signs resource records).
+
+The *proxy* plugin also support gRPC (`protocol gRPC`), meaning you can chain CoreDNS servers
+using this protocol.
+
+The *tls* "plugin" allows you to configure the cryptographic keys that are needed for both
+DNS-over-TLS and DNS-over-gRPC. If the `tls` directive is omitted, then no encryption takes place.
+
+The gRPC protobuffer is defined in `pb/dns.proto`. It defines the proto as a simple wrapper for the
+wire data of a DNS message.
+
+## Syntax
+
+~~~ txt
+tls CERT KEY CA
+~~~
+
+## Examples
+
+Start a DNS-over-TLS server that picks up incoming DNS-over-TLS queries on port 5553 and uses the
+nameservers defined in `/etc/resolv.conf` to resolve the query. This proxy path uses plain old DNS.
+
+~~~
+tls://.:5553 {
+ tls cert.pem key.pem ca.pem
+ proxy . /etc/resolv.conf
+}
+~~~
+
+Start a DNS-over-gRPC server that is similar to the previous example, but using DNS-over-gRPC for
+incoming queries.
+
+~~~
+grpc://. {
+ tls cert.pem key.pem ca.pem
+ proxy . /etc/resolv.conf
+}
+~~~
+
+Only Knot DNS' `kdig` supports DNS-over-TLS queries, no command line client supports gRPC making
+debugging these transports harder than it should be.
+
+## Also See
+
+RFC 7858 and https://grpc.io.
diff --git a/plugin/tls/tls.go b/plugin/tls/tls.go
new file mode 100644
index 000000000..e0958a9aa
--- /dev/null
+++ b/plugin/tls/tls.go
@@ -0,0 +1,37 @@
+package tls
+
+import (
+ "github.com/coredns/coredns/core/dnsserver"
+ "github.com/coredns/coredns/plugin"
+ "github.com/coredns/coredns/plugin/pkg/tls"
+
+ "github.com/mholt/caddy"
+)
+
+func init() {
+ caddy.RegisterPlugin("tls", caddy.Plugin{
+ ServerType: "dns",
+ Action: setup,
+ })
+}
+
+func setup(c *caddy.Controller) error {
+ config := dnsserver.GetConfig(c)
+
+ if config.TLSConfig != nil {
+ return plugin.Error("tls", c.Errf("TLS already configured for this server instance"))
+ }
+
+ for c.Next() {
+ args := c.RemainingArgs()
+ if len(args) != 3 {
+ return plugin.Error("tls", c.ArgErr())
+ }
+ tls, err := tls.NewTLSConfig(args[0], args[1], args[2])
+ if err != nil {
+ return plugin.Error("tls", err)
+ }
+ config.TLSConfig = tls
+ }
+ return nil
+}
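Review bot: A second `tls` directive inside the same server block is not rejected: the `config.TLSConfig != nil` guard runs once before the `for c.Next()` loop, so a later directive silently overwrites an earlier `config.TLSConfig` instead of producing the "TLS already configured" error the guard exists to raise. Moving the check into the loop, just before the assignment, closes that gap: `if config.TLSConfig != nil { return plugin.Error("tls", c.Errf("TLS already configured for this server instance")) }`. The short declaration `tls, err := tls.NewTLSConfig(...)` also shadows the imported `plugin/pkg/tls` package with a local of the same name; a rename such as `tlsConf, err := tls.NewTLSConfig(args[0], args[1], args[2])` avoids that confusion. What the CA argument does on the server side (whether it turns on client-certificate verification or merely supplies a chain) is decided inside `tls.NewTLSConfig`, which is not in this hunk, so a one-line comment here stating which it is would save readers a trip into that package and makes the security posture explicit.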
diff --git a/plugin/tls/tls_test.go b/plugin/tls/tls_test.go
new file mode 100644
index 000000000..2374d772c
--- /dev/null
+++ b/plugin/tls/tls_test.go
@@ -0,0 +1,44 @@
+package tls
+
+import (
+ "io/ioutil"
+ "log"
+ "strings"
+ "testing"
+
+ "github.com/mholt/caddy"
+)
+
+func TestTLS(t *testing.T) {
+ log.SetOutput(ioutil.Discard)
+
+ tests := []struct {
+ input string
+ shouldErr bool
+ expectedRoot string // expected root, set to the controller. Empty for negative cases.
+ expectedErrContent string // substring from the expected error. Empty for positive cases.
+ }{
+ // positive
+ // negative
+ }
+
+ for i, test := range tests {
+ c := caddy.NewTestController("dns", test.input)
+ err := setup(c)
+ //cfg := dnsserver.GetConfig(c)
+
+ if test.shouldErr && err == nil {
+ t.Errorf("Test %d: Expected error but found %s for input %s", i, err, test.input)
+ }
+
+ if err != nil {
+ if !test.shouldErr {
+ t.Errorf("Test %d: Expected no error but found one for input %s. Error was: %v", i, test.input, err)
+ }
+
+ if !strings.Contains(err.Error(), test.expectedErrContent) {
+ t.Errorf("Test %d: Expected error to contain: %v, found error: %v, input: %s", i, test.expectedErrContent, err, test.input)
+ }
+ }
+ }
+}
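Review bot: The table at `tests := []struct{...}{}` is empty, so `TestTLS` runs zero cases and the loop body, including the error-substring check, is never exercised. Argument-count validation needs no certificate files, so negative rows are possible right away, e.g. `{"tls", true, "", "Wrong argument count"}` and `{"tls cert.pem key.pem", true, "", "Wrong argument count"}` (the exact substring depends on what `c.ArgErr()` produces in this caddy version; confirm before relying on it). The `expectedRoot` field and the commented-out `dnsserver.GetConfig(c)` are unused — either drop them or add a positive case that writes a throwaway self-signed key pair to a temp dir and asserts `cfg.TLSConfig != nil` after `setup`. The first `t.Errorf` formats a nil `err` with `%s` (`Expected error but found %s`), which prints `%!s(<nil>)`; dropping that argument reads better.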