coredns

rsp2k/coredns

Fork 0

Commit Graph

Author	SHA1	Message	Date
Ryan Malloy	066ba1892a	coredns: DoT (:853) + DoH (:443) listeners with self-signed cert - New Corefile snippet (common) shared across plain DNS / DoT / DoH so zone-loading + forward + cache stay DRY across all three transports - scripts/generate-certs.sh: openssl-only self-signed RSA cert with SANs for localhost / 127.0.0.1 / ::1 / coredns / dns.local. Idempotent — skips regeneration if cert is valid >24h ahead; FORCE=1 to rotate. - Key chmod is 0644 so the CoreDNS container's nonroot user can read it via the bind mount. Acceptable for local dev; production should mount real certs with proper UID/GID. - DOT_PORT=8853, DOH_PORT=8443 (avoids Caddy already-on-443 collision) - Makefile: `make certs`, `make test-tls` - All three transports verified end-to-end (dig +tls, dig +https, curl with raw RFC 8484 wire format)	2026-05-14 01:12:25 -06:00

Author

SHA1

Message

Date

Ryan Malloy

066ba1892a

coredns: DoT (:853) + DoH (:443) listeners with self-signed cert

- New Corefile snippet (common) shared across plain DNS / DoT / DoH so
  zone-loading + forward + cache stay DRY across all three transports
- scripts/generate-certs.sh: openssl-only self-signed RSA cert with SANs
  for localhost / 127.0.0.1 / ::1 / coredns / dns.local. Idempotent —
  skips regeneration if cert is valid >24h ahead; FORCE=1 to rotate.
- Key chmod is 0644 so the CoreDNS container's nonroot user can read it
  via the bind mount. Acceptable for local dev; production should mount
  real certs with proper UID/GID.
- DOT_PORT=8853, DOH_PORT=8443 (avoids Caddy already-on-443 collision)
- Makefile: `make certs`, `make test-tls`
- All three transports verified end-to-end (dig +tls, dig +https,
  curl with raw RFC 8484 wire format)

2026-05-14 01:12:25 -06:00

1 Commits