1 #! /usr/bin/perl |
|
2 |
|
3 use warnings; |
|
4 use strict; |
|
5 use FindBin; |
|
6 |
|
7 sub del_double { |
|
8 my %all; |
|
9 grep { $all{$_} = 0 } @_; |
|
10 return (keys %all); |
|
11 } |
|
12 |
|
13 sub read_conf { |
|
14 |
|
15 # read configuration |
|
16 my @configs = ("$FindBin::Bin/dnstools.conf", "/etc/dnstools.conf"); |
|
17 our %config; |
|
18 |
|
19 for (grep { -f } @configs) { |
|
20 open(CONFIG, $_) or die "Can't open $_: $!\n"; |
|
21 } |
|
22 unless (seek(CONFIG, 0, 0)) { |
|
23 die "Can't open config (searched: @configs)\n"; |
|
24 } |
|
25 while (<CONFIG>) { |
|
26 chomp; |
|
27 s/#.*//; |
|
28 s/\t//g; |
|
29 s/\s//g; |
|
30 |
|
31 next unless length; |
|
32 my ($cname, $ccont) = split(/\s*=\s*/, $_, 2); |
|
33 $config{$cname} = $ccont; |
|
34 } |
|
35 close(CONFIG); |
|
36 } |
|
37 |
|
38 sub read_argv { |
|
39 # evaluate argv or print the help |
|
40 my $arg = shift @ARGV; |
|
41 my $zone; |
|
42 our $do; |
|
43 our @zones; |
|
44 our $master_dir; |
|
45 |
|
46 if (!defined $arg) { |
|
47 print " usage: dnssec-keytool <option> zone\n"; |
|
48 print " -z created a new ZSK\n"; |
|
49 print " -k created a new ZSK and KSK\n"; |
|
50 print " -rm deletes the key-set of a zone\n"; |
|
51 print " -c created configuration files for the dnstools\n"; |
|
52 print " and a new ZSK for an existing KSK\n"; |
|
53 print "\n"; |
|
54 |
|
55 exit; |
|
56 } |
|
57 elsif ($arg eq "-k") { $do = "ksk"; } |
|
58 elsif ($arg eq "-rm") { $do = "rm"; } |
|
59 elsif ($arg eq "-c") { $do = "ck"; } |
|
60 elsif ($arg eq "-z") { $do = "zsk"; } |
|
61 else { |
|
62 print "not a valid option.\n"; |
|
63 exit; |
|
64 } |
|
65 |
|
66 # checks the zones in argv if there are managed zones |
|
67 for (@ARGV) { |
|
68 chomp($zone = `idn --quiet "$_"`); |
|
69 if (-e "$master_dir/$zone/$zone") { |
|
70 push @zones, $zone; |
|
71 } |
|
72 } |
|
73 } |
|
74 |
|
75 sub rm_keys { |
|
76 # deletes all the keys were handed over -rm in argv |
|
77 our @zones; |
|
78 our $master_dir; |
|
79 my $zone; |
|
80 my @new_zone_content; |
|
81 my @old_zone_content; |
|
82 |
|
83 for (@zones) { |
|
84 $zone = $_; |
|
85 |
|
86 my $zpf = "$master_dir/$zone"; |
|
87 my $ep = 0; |
|
88 |
|
89 if (-e "$zpf/$zone.signed") { |
|
90 unlink "$zpf/$zone.signed" and $ep = 1; |
|
91 } |
|
92 if (-e "$zpf/.keycounter") { |
|
93 unlink "$zpf/.keycounter" and $ep = 1; |
|
94 } |
|
95 if (-e "$zpf/.index.ksk") { |
|
96 unlink "$zpf/.index.ksk" and $ep = 1; |
|
97 } |
|
98 if (-e "$zpf/.index.zsk") { |
|
99 unlink "$zpf/.index.zsk" and $ep = 1; |
|
100 } |
|
101 if (-e "$zpf/dsset-$zone.") { |
|
102 unlink "$zpf/dsset-$zone." and $ep = 1; |
|
103 } |
|
104 if (-e "$zpf/keyset-$zone.") { |
|
105 unlink "$zpf/keyset-$zone." and $ep = 1; |
|
106 } |
|
107 |
|
108 for (glob("$zpf/K$zone*")) { |
|
109 chomp($_); |
|
110 unlink ("$_"); |
|
111 } |
|
112 |
|
113 if ($ep == 1) { |
|
114 print " * $zone: removed key-set\n"; |
|
115 } |
|
116 |
|
117 open(ZONE, "$zpf/$zone") |
|
118 or die "$zpf/$zone: $!\n"; |
|
119 @old_zone_content = <ZONE>; |
|
120 close(ZONE); |
|
121 |
|
122 for (@old_zone_content) { |
|
123 unless (m#\$INCLUDE.*\"K$zone.*\.key\"#) { |
|
124 push @new_zone_content, $_; |
|
125 } |
|
126 } |
|
127 |
|
128 open(ZONE, ">$zpf/$zone") or die "$zpf/$zone: $!\n"; |
|
129 print ZONE @new_zone_content; |
|
130 close(ZONE); |
|
131 } |
|
132 } |
|
133 |
|
134 sub creat_ksk { |
|
135 our @zones; |
|
136 our $master_dir; |
|
137 my @index; |
|
138 my $zone; |
|
139 my $keyname; |
|
140 my $zpf; |
|
141 |
|
142 for (@zones) { |
|
143 $zone = $_; |
|
144 $zpf = "$master_dir/$zone"; |
|
145 |
|
146 chdir "$zpf" or die "$zpf: $!\n"; |
|
147 $keyname = `dnssec-keygen -a RSASHA1 -b 2048 -f KSK -n ZONE $zone`; |
|
148 |
|
149 unless (-f ".index.ksk") { @index = (); } |
|
150 else { |
|
151 open(INDEX, ".index.ksk") or die "$zpf/.index.ksk: $!\n"; |
|
152 @index = <INDEX>; |
|
153 close(INDEX); |
|
154 } |
|
155 |
|
156 push @index, $keyname; |
|
157 if (@index > 2) { shift(@index); } |
|
158 |
|
159 open(INDEX, ">.index.ksk") or die "$zpf/.index.ksk: $!\n"; |
|
160 print INDEX @index; |
|
161 close(INDEX); |
|
162 |
|
163 chomp($keyname); |
|
164 print " * $zone: new KSK $keyname\n"; |
|
165 |
|
166 print "!! THE KSK must be published !! \n"; |
|
167 |
|
168 } |
|
169 } |
|
170 |
|
171 sub creat_zsk { |
|
172 our @zones; |
|
173 our $master_dir; |
|
174 my @index; |
|
175 my $zone; |
|
176 my $keyname; |
|
177 my $zpf; |
|
178 |
|
179 for (@zones) { |
|
180 $zone = $_; |
|
181 $zpf = "$master_dir/$zone"; |
|
182 |
|
183 chdir "$zpf" or die "$zpf: $!\n"; |
|
184 $keyname = `dnssec-keygen -a RSASHA1 -b 512 -n ZONE $zone`; |
|
185 |
|
186 unless (-f ".index.zsk") { @index = (); } |
|
187 else { |
|
188 open(INDEX, ".index.zsk") or die "$zpf/.index.zsk: $!\n"; |
|
189 @index = <INDEX>; |
|
190 close(INDEX); |
|
191 } |
|
192 |
|
193 push @index, $keyname; |
|
194 if (@index > 2) { shift(@index); } |
|
195 |
|
196 open(INDEX, ">.index.zsk") or die "$zpf/.index.zsk: $!\n"; |
|
197 print INDEX @index; |
|
198 close(INDEX); |
|
199 |
|
200 chomp($keyname); |
|
201 print " * $zone: new ZSK $keyname\n"; |
|
202 |
|
203 open(KC, ">.keycounter") or die "$zpf/keycounter: $!\n"; |
|
204 print KC "0"; |
|
205 close(KC); |
|
206 |
|
207 } |
|
208 } |
|
209 |
|
210 sub ck_zone { |
|
211 our @zones; |
|
212 our $master_dir; |
|
213 my $zone; |
|
214 |
|
215 for (@zones) { |
|
216 $zone = $_; |
|
217 my $zpf = "$master_dir/$zone"; |
|
218 my $keyfile; |
|
219 my @content; |
|
220 my @keylist; |
|
221 |
|
222 for (<$zpf/*>) { |
|
223 if (m#(K$zone.*\.key)#) { |
|
224 $keyfile = $1; |
|
225 open(KEYFILE, "<$zpf/$keyfile"); |
|
226 @content = <KEYFILE>; |
|
227 close(KEYFILE); |
|
228 for (@content) { |
|
229 if (m#DNSKEY.257#) { |
|
230 push @keylist, $keyfile; |
|
231 } |
|
232 } |
|
233 } |
|
234 } |
|
235 |
|
236 open(INDEX, ">.index.ksk") or die "$zpf/.index.ksk: $!\n"; |
|
237 for (@keylist) { |
|
238 s#\.key##; |
|
239 print INDEX "$_\n"; |
|
240 } |
|
241 close(INDEX); |
|
242 |
|
243 print " * $zone: new .index.ksk created\n"; |
|
244 |
|
245 if (-f "$zpf/.index.zsk") { |
|
246 unlink("$zpf/.index.zsk") or die "$zpf/.index.zsk: $!\n"; |
|
247 } |
|
248 } |
|
249 } |
|
250 |
|
251 sub post_creat { |
|
252 our @zones; |
|
253 our $master_dir; |
|
254 |
|
255 for (@zones) { |
|
256 my $zone = $_; |
|
257 `touch $master_dir/$zone/$zone`; |
|
258 |
|
259 &kill_useless_keys($zone); |
|
260 &key_to_zonefile($zone); |
|
261 } |
|
262 |
|
263 } |
|
264 |
|
265 sub kill_useless_keys { |
|
266 |
|
267 # the function deletes all keys that are not available in the zone |
|
268 # of index.zsk |
|
269 our $master_dir; |
|
270 my $zone = $_[0]; |
|
271 my @keylist = (); |
|
272 my $zpf = "$master_dir/$zone"; |
|
273 |
|
274 open(INDEX, "<$zpf/.index.zsk") or die "$zpf/.index.zsk: $!\n"; |
|
275 @keylist = <INDEX>; |
|
276 close(INDEX); |
|
277 open(INDEX, "<$zpf/.index.ksk") or die "$zpf/.index.ksk: $!\n"; |
|
278 push @keylist, <INDEX>; |
|
279 |
|
280 # shortened the key name from the index file on the id in order to |
|
281 # be able to compare |
|
282 for (@keylist) { |
|
283 chomp; |
|
284 s#K.*\+.*\+(.*)#$1#; |
|
285 } |
|
286 |
|
287 # reviewed every key file (KSK, ZSK), whether they are described in |
|
288 # the respective index file. if not they will be deleted. |
|
289 for ( glob("$master_dir/$zone/K*") { |
|
290 chomp; |
|
291 my $file = $_; |
|
292 my $rm_count = 1; |
|
293 my $keyname; |
|
294 for (@keylist) { |
|
295 if ($file =~ /$_/) { $rm_count = 0; } |
|
296 } |
|
297 if ($rm_count == 1) { |
|
298 unlink "$file"; |
|
299 if ($file =~ /$zpf\/(.*\.key)/) { |
|
300 print " * $zone: Schluessel $1 entfernt \n"; |
|
301 } |
|
302 } |
|
303 } |
|
304 } |
|
305 |
|
306 sub key_to_zonefile { |
|
307 |
|
308 # the function added all keys to the indexfile |
|
309 our $master_dir; |
|
310 my $zone = $_[0]; |
|
311 my $zpf = "$master_dir/$zone"; |
|
312 my @old_content; |
|
313 my @new_content = (); |
|
314 |
|
315 open(ZONEFILE, "<$zpf/$zone"); |
|
316 @old_content = <ZONEFILE>; |
|
317 close(ZONEFILE); |
|
318 |
|
319 for (@old_content) { |
|
320 unless (m#INCLUDE.*key#) { push @new_content, $_; } |
|
321 } |
|
322 |
|
323 for (<$zpf/*>) { |
|
324 if (m#(.*\/)(K.*\.key)#) { |
|
325 push @new_content, "\$INCLUDE \"$2\"\n"; |
|
326 } |
|
327 } |
|
328 open(ZONEFILE, ">$zpf/$zone") or die "$zpf/$zone: $!\n"; |
|
329 print ZONEFILE @new_content; |
|
330 close(ZONEFILE); |
|
331 } |
|
332 |
|
333 &read_conf; |
|
334 |
|
335 our %config; |
|
336 our $do; # statements from argv |
|
337 our @zones; # list of zones from argv |
|
338 our $master_dir = $config{master_dir}; |
|
339 our $bind_dir = $config{bind_dir}; |
|
340 our $conf_dir = $config{zone_conf_dir}; |
|
341 our $sign_alert_time = $config{sign_alert_time}; |
|
342 our $indexzone = $config{indexzone}; |
|
343 our $key_counter_end = $config{key_counter_end}; |
|
344 our $ablauf_zeit = $config{abl_zeit}; |
|
345 |
|
346 &read_argv; |
|
347 |
|
348 # completed the program, if not a valid zones was handed over |
|
349 unless (@zones) { exit; } |
|
350 |
|
351 if ($do eq "rm") { &rm_keys; exit; } |
|
352 if ($do eq "ck") { &ck_zone; } |
|
353 if ($do eq "ksk") { &creat_ksk; } |
|
354 |
|
355 &creat_zsk; |
|
356 &post_creat; |
|
357 |
|
358 __END__ |
|
359 |
|
360 =pod |
|
361 |
|
362 =head1 NAME |
|
363 |
|
364 dnssec-keytool |
|
365 |
|
366 =head1 SYNOPSIS |
|
367 |
|
368 dnssec-keytool <option> zone |
|
369 |
|
370 =head1 DESCRIPTION |
|