I am exploring the plugin options available in Kubernetes CoreDNS, especially for DNSSEC validation.
- The default Corefile of CoreDNS does not have the dnssec plugin. Will the default CoreDNS do DNSSEC validation or not?
- Can someone give an example of generating a key using dnssec-keygen and using it in the dnssec plugin? What arguments need to be passed? What should be given in place of ECDSAP256SHA256 and zonename (see below)?
key file indicates that KEY file(s) should be read from disk. When multiple keys are specified, RRsets will be signed with all keys. Generating a key can be done with dnssec-keygen: dnssec-keygen -a ECDSAP256SHA256 zonename.
As I am new to CoreDNS DNSSEC configuration, it would be really helpful if someone could explain this. Thanks in advance!!
CoreDNS will not do DNSSEC validation, as the DNSSEC plugin is useful for signing replies if they are unsigned. All validation should be done downstream, which is most likely the client side.
CoreDNS will not even do proxy DNSSEC signature validation. Plugins that are used for forwarding cannot request DNSSEC when forwarding the query upstream, nor verify whether the response has a valid DNSSEC signature. Please refer to this document.
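For the key-generation part of the question, here is an added example that is not part of the original answer: `ECDSAP256SHA256` is passed literally as the algorithm name and `zonename` is replaced by the zone being signed. The zone `example.org`, the `./keys` directory, and the helper function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: create a signing key with dnssec-keygen and print a
# Corefile server block that points the dnssec plugin at it.
# Zone name, key directory and function names are illustrative assumptions.

# gen_key ZONE KEYDIR: writes K<zone>.+013+<id>.key and .private into KEYDIR
# and prints the basename that dnssec-keygen reports on stdout.
gen_key() {
    mkdir -p "$2" || return 1
    # -a selects the algorithm (ECDSAP256SHA256 is DNSSEC algorithm 13),
    # -K selects the directory the key files are written to.
    dnssec-keygen -a ECDSAP256SHA256 -K "$2" "$1"
}

# valid_key_base BASENAME ZONE: succeeds only if BASENAME is an algorithm 13
# key for ZONE (K<zone>.+013+<5-digit key id>). Catches keys generated for
# the wrong zone or algorithm before they reach the Corefile.
valid_key_base() {
    case $1 in
        "K${2%.}.+013+"[0-9][0-9][0-9][0-9][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# render_corefile ZONE KEYPATH: prints a server block for ZONE. KEYPATH is the
# key basename (no extension) as seen from inside the CoreDNS process; both
# the .key and the .private file must be readable at that location.
render_corefile() {
    printf '%s {\n    dnssec {\n        key file %s\n    }\n    # plugin that serves the zone data goes here\n}\n' "$1" "$2"
}

main() {
    keydir=${2:-./keys}
    base=$(gen_key "$1" "$keydir") || return 1
    valid_key_base "$base" "$1" || {
        echo "unexpected key name: $base" >&2
        return 1
    }
    # The private key must not be readable by other users.
    chmod 600 "$keydir/$base.private"
    render_corefile "$1" "$keydir/$base"
}

# Usage: sh gen-dnssec.sh example.org [keydir]
if [ $# -gt 0 ]; then
    main "$@"
fi
```

In a Kubernetes deployment the generated pair would be mounted into the CoreDNS pod (a Secret suits the `.private` file) and the `key file` path adjusted to the mount point.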