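#!/bin/bash
# Directories for rndc/named admin tools. No trailing ':' - an empty PATH
# element means "the current directory", and this script cd's into every
# zone directory it manages, so a stray executable there would be picked up.
export PATH="$PATH:/usr/sbin:/sbin"

# Script to sign and manage domain zones - forward and reverse.
# Version 1.7 (19 Dec 2015) - Added OptOut option
# Copyright (c) 2011 and onwards, Posix Systems - All rights reserved.
# Written by: Mark Elkins - mje@posix.co.za
# Redistribution and use in any form with or without modification are
# permitted provided that the following conditions are met:
# * Redistributions of source code must retain the above copyright notice,
#   this list of conditions and the following disclaimer.
# * Neither the name of Posix Systems or its contributors may be used to
#   endorse or promote products derived from this software without specific
#   prior written permission.
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
# LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
# POSSIBILITY OF SUCH DAMAGE.
# ------------------------------------------------------------------------------
# Format of the file system:
# we assume that zones are under a common directory - such as "/etc/bind/pri"
# There would then be a directory by the name of the zone - eg "foo.co.za"
# In that directory will be the Zone file "db.foo.co.za". Reverse domains need to
# be named as you find them in the zone statement line in named.conf. that is
# something like '10.126.41.in-addr.arpa' for the '41.126.10.X' zone. Actual zone
# contents are prefixed with 'db.' and after signing are suffixed with '.signed'
# This system will then go on to create and manage three files in that Directory...
#  1 - dnssec-,  Contents are "None" - no Signing,
#                "Dynamic" - don't check CSum/SOA, its Dynamic!
#                "NSEC" for NSEC Signing, NSEC3 for NSEC3 Signing and NSEC3-OptOut.
#                Note: In checking - we often just compare first 4 chars...
#  2 - md5sum-,  the saved MD5Checksum of the zone
#  3 - soa-,     the saved Serial Number in the SOA for this zone.
# A fourth file "parent-" if present will make this zone a quiet child,
# The file should contain commands in order to update the DS records at the Parent.
# The values of 'zone' and 'parent' are exported to this script. An example could be:-
#
#   ssh dns1.domain.com rm -f /etc/bind/pri/${parent}/new-child-dsset-${zone}. /etc/bind/pri/${parent}/child-dsset-${zone}.
#   scp dsset-${zone}. dns1.domain.com:/etc/bind/pri/${parent}/new-child-dsset-${zone}.
# ... where 'dns1.domain.com' is the parent. You could also call an EPP client?
# Because that file is executed as a shell script with this script's privileges,
# only trusted administrators should be able to write to the zone directories.
# ALL of these control files have the file name appended with a '.' (dot).
# To Sign a zone - change dnssec- to one of NSEC/NSEC3/NSEC3-OptOut and run this script.
# You'll also need to modify 'named.conf' - the zone is now called ...db..signed
# To change between NSEC and NSEC3 or back to unsigned - edit dnssec-
# appropriately and remove the Key files - and have them correctly auto-recreated.
# A DNSKEY created for NSEC use can not be used by NSEC3 - and vice versa.

# Things to change
DNSPRI=/etc/ns.d/pri             # Where the directory of Primary zone directories live
                                 # often /etc/bind/pri, /var/cache/bind/pri -or- /var/bind/pri
SupportMail=support@posix.co.za  # Support e-mail - preferably a role account
DevRandom=/dev/urandom           # Pseudo Random device, /dev/random may be slow! use: /dev/urandom ?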
                                 # or install the 'haveged' package, www.irisa.fr/caps/projects/hipsor
NAMED=named                      # Who owns KEY files (named/bind)
IDNPROG=idn                      # IDN Conversion tool
IDNFLAGS='-u'                    # IDN flag to convert Puny to UTF-8
LANG=en_ZA.utf8                  # If this is not set to a UTF Language - the
                                 # 'idn' program will not work!
# NOTE(review): LANG is assigned but not exported here, so it only reaches the
# 'idn' child process if LANG was already in the environment (under cron it may not be).

# Nothing much from here should need changing
MyName=$(host $(hostname) | head -1 | cut -d' ' -f1)   # Name of this machine (Reference purposes)
TODAY=$(date '+%Y%m%d')          # Zone Serial Number format: 1996071501 = YYYYMMDDxx
Prog=$(basename ${0})            # What this script is called
RELOAD=0                         # Do we need to reload named (count of queued reloads)
RELOAD_ZONES=""                  # List of the zones we'll reload (space separated)
# NOTE(review): the exit status of this cd is not checked; if DNSPRI does not
# exist, lengthSortedList() below enumerates whatever the current directory is.
cd ${DNSPRI}

# ---------------- Functions --------------------------
# We need to know how many days old a (DNS key) file is - we use the "date" commands reference mode.
NowInSeconds=$(date '+%s')

#######################################
# Age of a file in whole days (integer division, fractions dropped).
# Globals:   NowInSeconds (read), FileAgeInSeconds (written - not declared local)
# Arguments: $1 - path of the file (a K*.key file in this script)
# Outputs:   the day count to stdout
#######################################
Ftime() {
    # GNU date --reference reports the file's last-modification time.
    # ${1} is unquoted - acceptable for BIND key-file names, which contain no whitespace.
    FileAgeInSeconds=$(date --reference=${1} '+%s')
    echo $(( ( ${NowInSeconds} - ${FileAgeInSeconds} ) / 86400 ))
}

# We sort the list of directories, Umm, zones by length - longest first
# This way - we process the children then the parents!
#######################################
# List the entries of the current directory, longest name first, so that
# child zones (longer names) are handled before their parents.
# Globals:   none (reads the current directory - DNSPRI after the cd above)
# Outputs:   one entry name per line to stdout
#######################################
lengthSortedList() {
    for ZoneName in * ; do
        # 'wc -c' counts the trailing newline too - the same offset for every
        # name, so the relative ordering is unaffected.
        echo $(echo ${ZoneName} | wc -c) ${ZoneName}
    done | sort -rn | cut -d' ' -f2
}

#------------------- Program Start ---------------------
# One pass per zone directory. Each iteration builds MESG (a report for this
# zone) and only prints it at the end if something worth reporting happened.
for zone in $(lengthSortedList) ; do # [
    # Must be a directory (and not a symlink) - skip control files and the like
    [ ! -h ${DNSPRI}/${zone} -a -d ${DNSPRI}/${zone} ] || continue
    # NOTE(review): unchecked cd - a failure here leaves us operating on the
    # previous zone's directory for the rest of this iteration.
    cd ${DNSPRI}/${zone}

    # Is this a puny-encoded name?
    # Only the presence of 'xn--' matters here: ${zone/xn--//} substitutes '/' for
    # the first 'xn--', so the result differs from ${zone} exactly when it is present.
    if [ "$IDNPROG" -a ${zone} != ${zone/xn--//} ] ; then
        idnzone=$($IDNPROG $IDNFLAGS ${zone})
        IDN=" (${idnzone})"
    else
        idnzone=${zone}
        IDN=""
    fi
    MESG="${Prog}@${MyName} in '${DNSPRI}/${zone}'${IDN} -"

    # Initialise or read what type of zone this should be (file 'dnssec-<zone>.')
    if [ ! -s dnssec-${zone}. ] ; then # [ [
        echo "None" > dnssec-${zone}.
        DNSSEC="None"
    else # ] [
        DNSSEC=$(< dnssec-${zone}.)
        # Anything starting with NSEC (NSEC, NSEC3, NSEC3-OptOut) is accepted as a signing mode.
        if [ "${DNSSEC}" != "None" -a "${DNSSEC}" != "Dynamic" -a "${DNSSEC:0:4}" != "NSEC" ] ; then # [
            MESG="${MESG}Bad value in 'dnssec-${zone}.' - I found '${DNSSEC}'\n should be one of 'None', 'Dynamic', 'NSEC', 'NSEC3' or 'NSEC3-OptOut' - Using 'None'\n"
            DNSSEC='None'
        fi # ]
    fi # ] ]
    MESG="${MESG} dnssec=${DNSSEC}\n"

    RESIGN=0      # Do we need to maybe resign this Zone
    RESERIAL=0    # Do we need to increment this zones SOA (2 = already done below)
    NEWZONE=0     # Is this zone set up correctly (NOTE: assigned here but never read)
    DYNAMIC=0     # Is the Zone a Dynamic Zone?

    # Is this a Dynamic Zone? Either a journal file exists or the control file says so.
    [ -f db.${zone}.jnl ] && DYNAMIC=1
    [ ${DNSSEC} = 'Dynamic' ] && DYNAMIC=1

    # Grab the current SOA Serial number in the zone
    if [ -f db.${zone} ] ; then # [ [
        # The serial is taken as the first field of any line containing 'serial';
        # dynamic zones need only 3 digits, static ones the 6+ digits of YYYYMMDDxx.
        # (The [0-9]... patterns are unquoted - they are subject to pathname expansion
        # if a matching file name exists in the zone directory.)
        if [ ${DYNAMIC} -eq 1 ] ; then # [ [
            SOA=$(grep -i serial db.${zone} | awk '{print $1}' | grep [0-9][0-9][0-9])
        else # ] [
            SOA=$(grep -i serial db.${zone} | awk '{print $1}' | grep [0-9][0-9][0-9][0-9][0-9][0-9])
        fi # ] ]
        if [ "${SOA}" = '' ] ; then # [
            MESG="${MESG}Can not locate the SOA Serial number in 'db.${zone}'\n Looking for the word 'Serial' - need a format something like...\n @ IN SOA mje99.posix.co.za. dns-admin.posix.co.za. (\n 2011042901 ; Serial\n Need 6 digits, found: $(grep -i serial db.${zone})\n"
            echo -e "${MESG}"
            continue
        fi # ]

        # We record a CheckSum of the Zone, a change may result in an SOA Update
        if [ ! -s md5sum-${zone}. ] ; then # [ [
            md5sum db.${zone} > md5sum-${zone}.
        else # ] [
            # Dynamic zones are expected to change under named, so they never trigger here.
            md5sum --status -c md5sum-${zone}.
            if [ $? -ne 0 -a ${DYNAMIC} -eq 0 ] ; then # [
                RESIGN=1
                md5sum db.${zone} > md5sum-${zone}.
                MESG="${MESG}CheckSum change detected: "
            fi # ]
        fi # ] ]

        # We record the SOA Serial Number - a change may result in a resigning
        if [ ! -s soa-${zone}. ] ; then # [ [
            echo "${SOA}" > soa-${zone}.
        else # ] [
            OldSOA=$(< soa-${zone}.)
            if [ "${OldSOA}" != "${SOA}" -a ${DYNAMIC} -eq 0 ] ; then # [
                RESIGN=1
                # The first write is redundant: the unconditional write two lines down
                # records the new serial in every case.
                [ ${SOA} -gt ${OldSOA} ] && echo "${SOA}" > soa-${zone}.
                [ ${SOA} -le ${OldSOA} ] && RESERIAL=1
                echo "${SOA}" > soa-${zone}.
                # Unsigned zones are reloaded directly; signed ones are reloaded after signing.
                if [ "${DNSSEC:0:4}" != "NSEC" ] ; then # [
                    RELOAD=$(( ${RELOAD} + 1 ))
                    RELOAD_ZONES="$RELOAD_ZONES $zone"
                    MESG="${MESG}SOA has changed in 'db.${zone}', queuing reload[${RELOAD}]"
                fi # ]
            fi # ]
            [ ${SOA} -lt ${OldSOA} ] && MESG="${MESG}SOA Serial in 'db.${zone}' has become smaller? Was '${OldSOA}', now '${SOA}'\n" && RESERIAL=1
            # If the file checksum changed and SOA Serial is unchanged - fire an update
            [ $RESIGN -eq 1 -a ${SOA} -eq ${OldSOA} ] && RESERIAL=1
        fi # ] ]

        # Work out a potential new SOA Serial Number - max of 99 changes per day
        if [ ${DYNAMIC} -eq 1 ] ; then # [ [
            NewSOA=$(( ${SOA} + 1 ))
        else # ] [
            # Static zones use YYYYMMDDxx: SOA[0:8] is the date, SOA[8:] the per-day counter.
            COUNT=${SOA:8}
            if [ "$TODAY" = "${SOA:0:8}" ] ; then # [ [
                # The '10#' forces base 10, otherwise numbers like '008' are illegal octal numbers
                COUNT=$(( 10#${COUNT} + 1 ))
                [ ${COUNT} -ge 99 ] && COUNT=99   # counter saturates at 99 for the day
                if [ $COUNT -lt 10 ] ; then
                    NewSOA="${TODAY}0${COUNT}"
                else
                    NewSOA="${TODAY}${COUNT}"
                fi
            else # ] [
                NewSOA="${TODAY}01"
            fi # ] ]
        fi # ] ]
    else # ] [
        MESG="${MESG}Could not find the zonefile 'db.${zone}' - bad configuration?\n"
        echo -e "${MESG}"
        continue
    fi # ] ]

    # -------------------- Update the SOA Serial number on file -----------------------
    if [ ${RESERIAL} -eq 1 ] ; then # [
        # A dynamic zone must be frozen (updates paused, journal flushed) before editing its file.
        [ ${DYNAMIC} -eq 1 ] && rndc freeze ${zone}
        # Only change the Serial number on a line with the word Serial!
        sed -e "/[Ss]erial/s/${SOA}/${NewSOA}/" db.${zone} > db.${zone}.new
        mv db.${zone}.new db.${zone}
        md5sum db.${zone} > md5sum-${zone}.
        echo "${NewSOA}" > soa-${zone}.
        chown $NAMED: db.${zone}
        [ ${DYNAMIC} -eq 1 ] && rndc thaw ${zone} >/dev/null
        MESG="${MESG}Updated SOA ${SOA} to ${NewSOA} in 'db.${zone}'"
        if [ "${DNSSEC:0:4}" != "NSEC" ] ; then # [
            RELOAD=$(( ${RELOAD} + 1 ))
            RELOAD_ZONES="$RELOAD_ZONES $zone"
            MESG="${MESG}, queuing reload[${RELOAD}]"
        fi # ]
        MESG="${MESG}\n"
        RESIGN=1
        RESERIAL=2   # ie - the zones SOA has been updated
    fi # ]

    # if [ $RESIGN -ne 0 -a "$MyName" = "mje99.posix.co.za" ] ; then
    #   ssh vhost1 mkdir -p /etc/ns.d/pri/${zone}
    #   scp db.${zone} vhost1:/etc/ns.d/pri/${zone}/db.${zone}
    #   ssh vhost1 chown -R named: /etc/ns.d/pri/${zone}
    #   ssh vhost1 rndc reload
    # fi

    # ----------------- Here we do some signing magic -----------------------------
    # If this zone is marked as being signed - then make it so....
    if [ "${DNSSEC:0:4}" = "NSEC" ] ; then # [
        # CHILD: 0 = no parent we know of, 1 = parent zone is hosted locally
        # (a sibling directory named after the parent), 2 = a 'parent-<zone>.' hook exists.
        CHILD=0
        [ -d ../${zone#*.} ] && CHILD=1
        [ -s "parent-${zone}." ] && CHILD=2

        # There was a time when we used different KeyGen Algorithms for NSEC vs NSEC3
        # NOTE(review): RSASHA1 (alg 5) and NSEC3RSASHA1 (alg 7) are SHA-1 based and are
        # no longer recommended for signing (RFC 8624); new keys below default to
        # NEW_KEYGEN_TYPE, these names only remain for zones that still carry old keys.
        KEYGEN_TYPE=RSASHA1
        KEYSIGN_OPT=''
        if [ "${DNSSEC:0:5}" = "NSEC3" ] ; then # [
            # This generates a random 4 byte hash for NSEC3 zones (the NSEC3 salt, hex encoded)
            NSec3hash=$(openssl rand 4 |od -t x4 | awk '/0000000/ { print $2};')
            KEYGEN_TYPE=NSEC3RSASHA1
            # -3 <salt> -H <iterations>; -A adds the opt-out flag
            KEYSIGN_OPT="-3 ${NSec3hash} -H 5"
            # Test for OptOut - don't care how it is spelt
            [ "${DNSSEC:0:6}" = "NSEC3-" ] && KEYSIGN_OPT="-3 ${NSec3hash} -H 5 -A"
        fi # ]
        NEW_KEYGEN_TYPE=RSASHA256

        # No ZSK Keys at all - generate some!
        # DNSKEY flags 256 = zone key (ZSK), 257 = zone key + SEP bit (KSK).
        # NOTE(review): dnssec-keygen's output and exit status are discarded here, so a
        # failed key generation is invisible and RESIGN is set regardless.
        if [ $(cat K${zone}.+*.key 2>/dev/null|grep -ci 'DNSKEY 256') -eq 0 ] ; then # [
            # dnssec-keygen -a ${NEW_KEYGEN_TYPE} -b 1024 -I now+34d -D now+40d -r ${DevRandom} ${zone} >/dev/null 2>&1
            dnssec-keygen -a ${NEW_KEYGEN_TYPE} -b 1024 -n ZONE -r ${DevRandom} ${zone} >/dev/null 2>&1
            RESIGN=1
            chmod 600 K${zone}.+*.key K${zone}.+*.private
            MESG="${MESG}ZSK: Added your first ZSK Key for ${zone}.\n"
        fi # ]

        # No KSK Keys at all - generate some!
        if [ $(cat K${zone}.+*.key 2>/dev/null|grep -ci 'DNSKEY 257') -eq 0 ] ; then # [
            dnssec-keygen -a ${NEW_KEYGEN_TYPE} -b 2048 -n ZONE -f KSK -r ${DevRandom} ${zone} >/dev/null 2>&1
            RESIGN=1
            chmod 600 K${zone}.+*.key K${zone}.+*.private
            # A new KSK means a new DS record is needed at the parent; without a local
            # parent or a 'parent-' hook that is a manual step, so mail the support address.
            # NOTE(review): 'mail -a' is "append header" for GNU mailutils but "attach file"
            # for heirloom/s-nail - confirm which mail(1) is installed.
            if [ ${CHILD} -eq 0 ] ; then # [
                MESG="${MESG}Added your first KSK to ${zone} - manual intervention may be needed.\n"
                echo "${Prog}: Added a new KSK to ${zone} on ${MyName} - Update the Parent The DNS for the domain '${zone}' has been signed (dnssec=${DNSSEC}). It is currently beyond the ability of this system to syncronise Key-Signing-Keys (KSK) records with the parent of this zone so you must do this by hand. You could create a script to export the KSK - call it \"parent-${zone}.\" -- ${SupportMail} The DNS support team" | mail -a "From: ${SupportMail}" -a "Reply-To: ${SupportMail}" -s "DNSSEC: Added a new KSK for ${zone} on ${MyName}" ${SupportMail}
            fi # ]
        fi # ]

        # So now some keys exist - see if any of the KSK's are signed with RSASHA256 and if so
        # just use that for the ZSK's
        ALL_KSK=$(grep -l 'DNSKEY 257' K${zone}.+*.key)
        for ksk in ${ALL_KSK}
        do
            KeyBase=$(basename ${ksk} .key)
            # Get the KeyAlgo from the key file name: K<zone>.+<alg>+<keytag>.key,
            # so the second '+'-separated field is the zero-padded algorithm number.
            KeyAlgo=$(echo ${KeyBase} | cut -d'+' -f2)
            KeyAlgo=$(( 10#${KeyAlgo} + 0 ))
            [ ${KeyAlgo} -eq 8 ] && KEYGEN_TYPE=${NEW_KEYGEN_TYPE}
        done

        # ----- ZSK: if only one key - add a second when age = 17 ------------
        #            otherwise - if more than one - if older than 34
        #            delete it and create a new one
        ALL_ZSK=$(grep -l 'DNSKEY 256' K${zone}.+*.key)
        # An empty ALL_ZSK also yields 1 here (echo emits a newline); the block above
        # is expected to have created at least one ZSK so that case should not arise.
        CNT_ZSK=$(echo "${ALL_ZSK}" | wc -l)
        if [ ${CNT_ZSK} -eq 1 ]; then # [ [
            AGE=$(Ftime ${ALL_ZSK})
            if [ ${AGE} -ge 17 ] ; then # [
                # Pre-publish the successor ZSK. This is the only keygen call whose
                # exit status gates RESIGN (the '&&').
                dnssec-keygen -a ${KEYGEN_TYPE} -b 1024 -n ZONE -r ${DevRandom} ${zone} >/dev/null 2>&1 && \
                    RESIGN=1
                chmod 600 K${zone}.+*.key K${zone}.+*.private
                MESG="${MESG}ZSK: Created the second (new) Key for ${zone} - will need resigning.\n"
            fi # ]
        else # ] [
            # So more than one ZSK exists - see if any of them are signed with RSASHA256
            USING_RS256=0
            for zsk in ${ALL_ZSK}
            do
                KeyBase=$(basename ${zsk} .key)
                # Get the KeyAlgo from the key file
                KeyAlgo=$(echo ${KeyBase} | cut -d'+' -f2)
                KeyAlgo=$(( 10#${KeyAlgo} + 0 ))
                [ ${KeyAlgo} -eq 8 ] && USING_RS256=1
            done
            for zsk in ${ALL_ZSK} ; do # [
                AGE=$(Ftime ${zsk})
                if [ ${AGE} -ge 34 ] ; then # [
                    # Retire the old ZSK (public and private halves) and replace it below.
                    rm ${zsk} $(basename ${zsk} .key).private
                    # If there are no old algorithm ZSK Keys (KEYGEN_TYPEs = $NEW_KEYGEN_TYPE and USING_RS256=1)
                    # but there is an old algorithm KSK - remove the old KSK and shout
                    if [ ${KEYGEN_TYPE} = ${NEW_KEYGEN_TYPE} -a ${USING_RS256} -eq 1 ] ; then # [
                        for ksk in ${ALL_KSK}
                        do
                            KeyBase=$(basename ${ksk} .key)
                            # Get the KeyAlgo from the key file
                            KeyAlgo=$(echo ${KeyBase} | cut -d'+' -f2)
                            KeyAlgo=$(( 10#${KeyAlgo} + 0 ))
                            if [ ${KeyAlgo} -eq 5 ] ; then # [
                                rm -f ${ksk} ${KeyBase}.private
                                MESG="${MESG}Deleted the KSK ${ksk} from ${zone} with old Key Algorithm - manual intervention may be needed.\n"
                                echo "${Prog}: Deleted a ${AGE} day old KSK (${ksk}) on ${MyName}, all ZSK's are SHAR256 and this was the last SHAR1 KSK. The DNS for the domain '${zone}' has been signed (dnssec=${DNSSEC}). It is currently beyond the ability of this system to syncronise Key-Signing-Keys (KSK) records with the parent of this zone so you must do this by hand. -- ${SupportMail} The DNS support team" | mail -a "From: ${SupportMail}" -a "Reply-To: ${SupportMail}" -s "DNSSEC: Deleting a SHA1 KSK for ${zone} on ${MyName}" ${SupportMail}
                            fi # ]
                        done
                    fi # ]
                    dnssec-keygen -a ${KEYGEN_TYPE} -b 1024 -n ZONE -r ${DevRandom} ${zone} >/dev/null 2>&1
                    RESIGN=1
                    chmod 600 K${zone}.+*.key K${zone}.+*.private
                    MESG="${MESG}ZSK: Deleting & Replacing $(basename ${zsk} .key) aged ${AGE}.\n"
                fi # ]
            done # ]
        fi # ] ]

        # Any ZSK's with new Key Algo?
        # NOTE: ALL_ZSK was listed before the rollover above, so a ZSK created there is not seen here.
        AnyNewZsk=0
        for zsk in ${ALL_ZSK}
        do
            KeyBase=$(basename ${zsk} .key)
            # Get the KeyAlgo from the key file
            KeyAlgo=$(echo ${KeyBase} | cut -d'+' -f2)
            KeyAlgo=$(( 10#${KeyAlgo} + 0 ))
            [ ${KeyAlgo} -eq 8 ] && AnyNewZsk=1
        done

        # ------------------ check (& report) old KSK's ---------------
        ALL_KSK=$(grep -l 'DNSKEY 257' K${zone}.+*.key)
        CNT_KSK=$(echo "${ALL_KSK}" | wc -l)
        if [ ${CNT_KSK} -eq 1 ]; then # [ [
            AGE=$(Ftime ${ALL_KSK})
            # A lone KSK older than ~6 months gets a pre-published successor
            # (this keygen is deliberately not silenced - its output ends up in the run log).
            if [ ${AGE} -ge 185 ] ; then # [
                MESG="${MESG}Running: dnssec-keygen -a ${NEW_KEYGEN_TYPE} -b 2048 -n ZONE -f KSK -r ${DevRandom} ${zone}\n"
                dnssec-keygen -a ${NEW_KEYGEN_TYPE} -b 2048 -n ZONE -f KSK -r ${DevRandom} ${zone} # >/dev/null 2>&1
                RESIGN=1
                chmod 600 K${zone}.+*.key K${zone}.+*.private
                if [ ${CHILD} -eq 0 ] ; then # [
                    MESG="${MESG}Created a new KSK to ${zone} - manual intervention may be needed.\n"
                    echo "${Prog}: Created a new KSK to ${zone} on ${MyName} - Update the Parent The DNS for the domain '${zone}' has been signed (dnssec=${DNSSEC}). It is currently beyond the ability of this system to syncronise Key-Signing-Keys (KSK) records with the parent of this zone so you must do this by hand. You could create a script to export the KSK - call it \"parent-${zone}.\" -- ${SupportMail} The DNS support team" | mail -a "From: ${SupportMail}" -a "Reply-To: ${SupportMail}" -s "DNSSEC: Added a new KSK for ${zone} on ${MyName}" ${SupportMail}
                fi # ]
            fi # ]
        else # ] [
            # Two or more KSKs: retire any that is older than ~a year and replace it.
            for ksk in ${ALL_KSK} ; do # [
                AGE=$(Ftime ${ksk})
                # MJE
                # Only roll arpa zones...
                #if [ ${zone##*.} = 'zone' -a ${AGE} -ge 370 ] ; then
                if [ ${AGE} -ge 370 ] ; then # [
                    rm ${ksk} $(basename ${ksk} .key).private
                    dnssec-keygen -a ${NEW_KEYGEN_TYPE} -b 2048 -n ZONE -f KSK -r ${DevRandom} ${zone} >/dev/null 2>&1
                    RESIGN=1
                    chmod 600 K${zone}.+*.key K${zone}.+*.private
                    if [ ${CHILD} -eq 0 ] ; then # [
                        MESG="${MESG}replaced a KSK for ${zone} - manual intervention may be needed.\n"
                        echo "${Prog}: Deleted a ${AGE} day old KSK (${ksk}) on ${MyName}, created a new one - Please update the parent. The DNS for the domain '${zone}' has been signed (dnssec=${DNSSEC}). It is currently beyond the ability of this system to syncronise Key-Signing-Keys (KSK) records with the parent of this zone so you must do this by hand. You could create a script to export the KSK - call it \"parent-${zone}.\" -- ${SupportMail} The DNS support team" | mail -a "From: ${SupportMail}" -a "Reply-To: ${SupportMail}" -s "DNSSEC: Replacing a KSK for ${zone} on ${MyName}" ${SupportMail}
                    fi # ]
                fi # ]
            done # ]
        fi # ] ]

        # ------------------------------------------------------------------------------------------
        # If there has been a Key Update, or Children have unprocessed DS records - Update the SOA Serial before signing
        # MJE - New
        # The parent of this domain is? Strip labels from the left until a name
        # that has NS records is found (that is the delegating parent as seen in DNS).
        parent=${zone#*.}
        ToCheck=$(dig +nofail +short ${parent} ns)
        while [ "${ToCheck}" = "" ]; do
            oparent=$parent
            parent=${parent#*.}
            [ "$oparent" = "$parent" ] && break   # There were no more dots
            ToCheck=$(dig +nofail +short ${parent} ns)
        done
        export parent   # made available to the 'parent-<zone>.' hook

        # A locally hosted child left us its new DS set as 'new-child-dsset-<child>.'
        # (the glob expands to itself when nothing matches - hence the string compare).
        NEWCHILD=0
        ncCheck=$(echo new-child-dsset-*)
        [ "${ncCheck}" != 'new-child-dsset-*' ] && NEWCHILD=1

        if [ ${RESIGN} -eq 1 -o ${NEWCHILD} -eq 1 ] ; then # [
            if [ ${DYNAMIC} -eq 1 ] ; then # [
                # Freeze so the on-disk file is authoritative while we edit and sign it.
                rndc freeze ${zone}
                SOA=$(grep -i serial db.${zone} | awk '{print $1}' | grep [0-9][0-9][0-9])
                if [ "${SOA}" = '' ] ; then # [
                    MESG="${MESG}Can not locate the SOA Serial number in Dynamic Signed 'db.${zone}'\n Looking for the word 'Serial' - need a line something like...\n 123 ; Serial\n Need 3 digits, found: $(grep -i serial db.${zone})\n"
                    rndc thaw ${zone}
                    echo -e "${MESG}"
                    continue
                fi # ]
                NewSOA=$(( ${SOA} + 1 ))
            fi # ]
            # Bump the serial unless the RESERIAL block above already did it (RESERIAL=2).
            # NOTE(review): unlike the earlier edit, this sed has no '/[Ss]erial/' address,
            # so it rewrites the first occurrence of the serial digits anywhere in the file.
            if [ "${SOA}" != "${NewSOA}" -a ${RESERIAL} -ne 2 ] ; then # [
                sed -e "s/${SOA}/${NewSOA}/" db.${zone} > db.${zone}.new
                mv db.${zone}.new db.${zone}
                md5sum db.${zone} > md5sum-${zone}.
                echo "${NewSOA}" > soa-${zone}.
                chown $NAMED: db.${zone}
                MESG="${MESG}Update Soa ${SOA} to ${NewSOA}"
            fi # ]

            # Build the file to sign: zone data plus DNSKEY records.
            # When an alg-8 KSK exists but no alg-8 ZSK does yet, only alg 5/7 keys are
            # included - presumably so an algorithm is never published in the DNSKEY set
            # without signatures made with it (TODO confirm intent).
            if [ ${AnyNewZsk} -eq 0 -a ${KEYGEN_TYPE} = ${NEW_KEYGEN_TYPE} ] ; then # [ [
                cat db.${zone} K${zone}.+00[57]+*.key > db.${zone}.tosign
            else # ] [
                cat db.${zone} K${zone}.+*.key > db.${zone}.tosign
            fi # ] ]

            # Promote any new child DS sets to the current ones ('new-child-dsset-X.' -> 'child-dsset-X.')
            if [ ${NEWCHILD} -eq 1 ] ; then # [
                for child in new-child-dsset-* ; do # [
                    mv ${child} ${child#*-}
                done # ]
            fi # ]
            cdCheck=$(echo child-dsset-*)
            [ "${cdCheck}" != 'child-dsset-*' ] && cat child-dsset-* >> db.${zone}.tosign

            # Add the current CDS records for this zone
            #cat K${zone}.+*.key | ldns-key2ds -n -2 /dev/stdin | sed -e 's/DS/CDS/' >> db.${zone}.tosign
            for key in K${zone}.+*.key
            do
                dnssec-dsfromkey -C $key
            done >> db.${zone}.tosign

            # Keep the previous DS set so we can tell later whether it changed.
            [ -s dsset-${zone}. ] && cp dsset-${zone}. dsset-${zone}.orig
            # -a verifies the signatures it generates; -e sets signature expiry 35 days out.
            dnssec-signzone -a ${KEYSIGN_OPT} -e +3024000 -o ${zone} db.${zone}.tosign # >/dev/null 2>&1 # -e +(86400 * 35)
            if [ ! -s db.${zone}.tosign.signed ] ; then # [
                # Run the signer again un-silenced purely so its error appears in the report.
                MESG="${MESG}.\nERROR: Signer failed - error is:\n"
                dnssec-signzone -a ${KEYSIGN_OPT} -e +3024000 -o ${zone} db.${zone}.tosign
            fi # ]
            [ -s dsset-${zone}. ] && cmp -s dsset-${zone}. dsset-${zone}.orig && CHILD=0   # dsset records have not changed - keep child quiet.
            # NOTE(review): on signer failure the mv below fails and the old .signed file
            # stays in place, but a reload is still queued and RESIGN stays set.
            mv db.${zone}.tosign.signed db.${zone}.signed
            chown $NAMED: db.${zone}.signed
            rm -f db.${zone}.tosign dsset-${zone}.orig
            RELOAD=$(( ${RELOAD} + 1 ))
            RELOAD_ZONES="$RELOAD_ZONES $zone"
            MESG="${MESG}, Resigned, queuing reload[${RELOAD}]\n"
            [ ${DYNAMIC} -eq 1 ] && rndc thaw ${zone}

            # If this domain is a signed child of another locally hosted zone, should remove any
            # existing dsset records for this child and then copy over the childs new DS records.
            # Remember - we process the list ordered by longest length of zone
            if [ ${CHILD} -eq 1 ] ; then # [
                rm -f ../${zone#*.}/child-dsset-${zone}. ../${zone#*.}/new-child-dsset-${zone}.
                cp dsset-${zone}. ../${zone#*.}/new-child-dsset-${zone}.
            fi # ]

            # If we are a clever child - go update the remote parent!
            # NOTE(review): 'parent-<zone>.' is executed as a shell script with this
            # script's privileges; write access to the zone directory is the trust
            # boundary for that hook. 'dsset-<zone>.ok' records the DS set last pushed
            # successfully, so the hook only runs when the DS set differs from it.
            if [ ${CHILD} -eq 2 -a -s dsset-${zone}. ] ; then # [
                # Some variables that the 'parent' script can use...
                export zone
                if [ -s dsset-${zone}.ok ] ; then # [
                    if cmp -s dsset-${zone}. dsset-${zone}.ok ; then # [ [
                        rm -f dsset-${zone}.
                    else # ] [
                        rm -f dsset-${zone}.ok
                        sh parent-${zone}. >/dev/null && mv dsset-${zone}. dsset-${zone}.ok
                    fi # ] ]
                else # ] [
                    sh parent-${zone}. >/dev/null && mv dsset-${zone}. dsset-${zone}.ok
                fi # ]
            fi # ] of 'CHILD -eq 2'
        fi # ]

        # Look at doing some DS Signature checks
        if [ ${RESIGN} -gt 0 ] ; then # [
            # Check DS is at a Parent - ask the local server for local parents,
            # the parent's first listed NS for hooked children, the default resolver otherwise.
            CheckNS=$(echo "$ToCheck"| sort)
            CheckNS=$(echo nameservers $CheckNS)
            [ ${CHILD} -eq 0 ] && CheckAt=""
            [ ${CHILD} -eq 1 ] && CheckAt="@127.0.0.1"
            [ ${CHILD} -eq 2 ] && CheckAt="@$(echo "$ToCheck"|head -1)"
            PDS=$(dig +nofail +short ${zone}. ds $CheckAt )
            [ "${PDS}" ] && MESG="${MESG}DS Records are in the parent ${parent} at ${CheckNS}\n"
        fi # ]
    fi # ]

    # Only report zones where something beyond the two header lines was added to MESG.
    [ $(echo -e "${MESG}" | wc -l) -gt 2 ] && echo -e "${MESG}"
done # ] ... looping around all the zones

# --------------- Last thing - if we need to tickle named - then do so --------------------
# NOTE(review): the per-zone php call and the recipient 'mje@posix.co.za' are
# deployment-specific and bypass SupportMail - adjust before reusing elsewhere.
if [ ${RELOAD} -gt 0 ] ; then # [
    echo "Calling 'rndc reload' - ${RELOAD} Zone(s) ($RELOAD_ZONES) - $(rndc reload)"
    for zone in $RELOAD_ZONES
    do
        rndc reload $zone
        sleep 2
        php /home/www/vweb.co.za/bin/tickle.php $zone
        echo "RunSign on VWEB, Check '$zone' for DNSSEC Updates" | mail -s "Check Domain '$zone' for updates" mje@posix.co.za
    done
fi # ]

# vim: sw=4 filetype=bash