blob: 244984750ee73a957478634e317b1773f9cefcfb (
plain) (
blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
|
# tls
## Name
*tls* - allows you to configure the server certificates for the TLS and gRPC servers.
## Description
CoreDNS supports queries that are encrypted using TLS (DNS over Transport Layer Security, RFC 7858)
or are using gRPC (https://grpc.io/, not an IETF standard). Normally DNS traffic isn't encrypted at
all (DNSSEC only signs resource records).
The *tls* "plugin" allows you to configure the cryptographic keys that are needed for both
DNS-over-TLS and DNS-over-gRPC. If the `tls` directive is omitted, then no encryption takes place.
The gRPC protobuffer is defined in `pb/dns.proto`. It defines the proto as a simple wrapper for the
wire data of a DNS message.
## Syntax
~~~ txt
tls CERT KEY [CA]
~~~
Parameter CA is optional. If not set, system CAs can be used to verify the client certificate
## Examples
Start a DNS-over-TLS server that picks up incoming DNS-over-TLS queries on port 5553 and uses the
nameservers defined in `/etc/resolv.conf` to resolve the query. This proxy path uses plain old DNS.
~~~
tls://.:5553 {
tls cert.pem key.pem ca.pem
forward . /etc/resolv.conf
}
~~~
Start a DNS-over-gRPC server that is similar to the previous example, but using DNS-over-gRPC for
incoming queries.
~~~
grpc://. {
tls cert.pem key.pem ca.pem
forward . /etc/resolv.conf
}
~~~
Only Knot DNS' `kdig` supports DNS-over-TLS queries, no command line client supports gRPC making
debugging these transports harder than it should be.
## Also See
RFC 7858 and https://grpc.io.
|
