coredns
/
coredns.io
mirror of https://github.com/coredns/coredns.io.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

auto content sync

This commit is contained in:
coredns-auto-sync[bot] 2021-03-15 14:42:30 +00:00
parent 9ffe73d728
commit a07dd9d3b9
2 changed files with 45 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

39
content/plugins/minimal.md Normal file
View File

@ -0,0 +1,39 @@
+++
title = "minimal"
description = "*minimal* minimizes size of the DNS response message whenever possible."
weight = 33
tags = ["plugin", "minimal"]
categories = ["plugin"]
date = "2021-03-15T14:42:29.8772983"
+++
## Description
The *minimal* plugin tries to minimize the size of the response. Depending on the response type it
removes resource records from the AUTHORITY and ADDITIONAL sections.
Specifically this plugin looks at successful responses (this excludes negative responses, i.e.
nodata or name error). If the successful response isn't a delegation only the RRs in the answer
section are written to the client.
## Syntax
~~~ txt
minimal
~~~
## Examples
Enable minimal responses:
~~~ corefile
example.org {
whoami
forward . 8.8.8.8
minimal
}
~~~
## See Also
[BIND 9 Configuration Reference](https://bind9.readthedocs.io/en/latest/reference.html#boolean-options)

17
content/plugins/sign.md
View File

@ -1,18 +1,18 @@
+++
title = "sign"
description = "*sign* adds DNSSEC records to zone files."
weight = 41
weight = 42
tags = ["plugin", "sign"]
categories = ["plugin"]
date = "2021-02-10T15:58:10.8771082"
date = "2021-03-15T14:42:29.8772983"
+++
## Description
The *sign* plugin is used to sign (see RFC 6781) zones. In this process DNSSEC resource records are
added to the zone. The signatures that sign the resource records sets have an expiration date. This
means the signing process must be repeated before this expiration data is reached. Otherwise the
zone's data will go BAD (RFC 4035, Section 5.5). The *sign* plugin takes care of this.
added. The signatures that sign the resource records sets have an expiration date, this means the
signing process must be repeated before this expiration data is reached. Otherwise the zone's data
will go BAD (RFC 4035, Section 5.5). The *sign* plugin takes care of this.
Only NSEC is supported, *sign* does *not* support NSEC3.
@ -32,12 +32,7 @@ it do key or algorithm rollovers - it just signs.
- the signature only has 14 days left before expiring.
Both these dates are only checked on the SOA's signature(s). This concerns the DNSSEC data, the
*sign* plugin will also take into account and resign if:
- the **mtime** of the zone file has changed, since the last time it was checked.
- the signed zone file doesn't exist on disk.
Both these dates are only checked on the SOA's signature(s).
* Create RRSIGs that have an inception of -3 hours (minus a jitter between 0 and 18 hours)
and a expiration of +32 (plus a jitter between 0 and 5 days) days for every given DNSKEY.