5 use FindBin; |
5 use FindBin; |
6 |
6 |
7 sub del_double { |
7 sub del_double { |
8 my %all; |
8 my %all; |
9 grep { $all{$_} = 0 } @_; |
9 grep { $all{$_} = 0 } @_; |
10 return ( keys %all ); |
10 return (keys %all); |
11 } |
11 } |
12 |
12 |
13 sub read_conf { |
13 sub read_conf { |
|
14 |
14 # liest die Konfiguration ein |
15 # liest die Konfiguration ein |
15 my @configs = ( "$FindBin::Bin/dnstools.conf", "/etc/dnstools.conf" ); |
16 my @configs = ("$FindBin::Bin/dnstools.conf", "/etc/dnstools.conf"); |
16 our %config; |
17 our %config; |
17 |
18 |
18 for ( grep {-f} @configs ) { |
19 for (grep { -f } @configs) { |
19 open( CONFIG, $_ ) or die "Can't open $_: $!\n"; |
20 open(CONFIG, $_) or die "Can't open $_: $!\n"; |
20 } |
21 } |
21 unless ( seek( CONFIG, 0, 0 ) ) { |
22 unless (seek(CONFIG, 0, 0)) { |
22 die "Can't open config (searched: @configs)\n"; |
23 die "Can't open config (searched: @configs)\n"; |
23 } |
24 } |
24 while (<CONFIG>) { |
25 while (<CONFIG>) { |
25 chomp; |
26 chomp; |
26 s/#.*//; |
27 s/#.*//; |
27 s/\t//g; |
28 s/\t//g; |
28 s/\s//g; |
29 s/\s//g; |
29 |
30 |
30 next unless length; |
31 next unless length; |
31 my ( $cname, $ccont ) = split( /\s*=\s*/, $_, 2 ); |
32 my ($cname, $ccont) = split(/\s*=\s*/, $_, 2); |
32 $config{$cname} = $ccont; |
33 $config{$cname} = $ccont; |
33 } |
34 } |
34 close(CONFIG); |
35 close(CONFIG); |
35 } |
36 } |
36 |
37 |
37 sub read_argv { |
38 sub read_argv { |
|
39 |
38 # wertet argv aus oder gibt die hilfe aus |
40 # wertet argv aus oder gibt die hilfe aus |
39 my $arg = shift @ARGV; |
41 my $arg = shift @ARGV; |
40 my $zone; |
42 my $zone; |
41 our $do; |
43 our $do; |
42 our @zones; |
44 our @zones; |
43 our $master_dir; |
45 our $master_dir; |
44 |
46 |
45 if ( ! defined $arg ) { |
47 if (!defined $arg) { |
46 print " usage: dnssec-keytool <option> zone\n"; |
48 print " usage: dnssec-keytool <option> zone\n"; |
47 print " -z erstellt einen neuen ZSK\n"; |
49 print " -z erstellt einen neuen ZSK\n"; |
48 print " -k erstellt je einen neuen ZSK und KSK\n"; |
50 print " -k erstellt je einen neuen ZSK und KSK\n"; |
49 print " -rm loescht das Schluesselmaterial einer Zone\n"; |
51 print " -rm loescht das Schluesselmaterial einer Zone\n"; |
50 print " -c erstellt bei existierenden ksk konfigurationsdateien\n"; |
52 print " -c erstellt bei existierenden ksk konfigurationsdateien\n"; |
51 print " fuer die dnstools, sowie einen neuen zsk\n"; |
53 print " fuer die dnstools, sowie einen neuen zsk\n"; |
52 print "\n"; |
54 print "\n"; |
53 |
55 |
54 exit; |
56 exit; |
55 } |
57 } |
56 elsif ($arg eq "-k") {$do = "ksk";} |
58 elsif ($arg eq "-k") { $do = "ksk"; } |
57 elsif ($arg eq "-rm") {$do = "rm";} |
59 elsif ($arg eq "-rm") { $do = "rm"; } |
58 elsif ($arg eq "-c") {$do = "ck";} |
60 elsif ($arg eq "-c") { $do = "ck"; } |
59 elsif ($arg eq "-z") {$do = "zsk";} |
61 elsif ($arg eq "-z") { $do = "zsk"; } |
60 else { |
62 else { |
61 print "keine gueltige Option.\n"; |
63 print "keine gueltige Option.\n"; |
62 exit; |
64 exit; |
63 } |
65 } |
64 |
66 |
65 # prueft die zonen in argv ob es verwaltete zonen sind |
67 # prueft die zonen in argv ob es verwaltete zonen sind |
66 for (@ARGV) { |
68 for (@ARGV) { |
67 chomp( $zone = `idn --quiet "$_"` ); |
69 chomp($zone = `idn --quiet "$_"`); |
68 if ( -e "$master_dir/$zone/$zone" ) { |
70 if (-e "$master_dir/$zone/$zone") { |
69 push @zones, $zone; |
71 push @zones, $zone; |
70 } |
72 } |
71 } |
73 } |
72 } |
74 } |
73 |
75 |
80 |
82 |
81 for (@zones) { |
83 for (@zones) { |
82 $zone = $_; |
84 $zone = $_; |
83 |
85 |
84 my $zpf = "$master_dir/$zone"; |
86 my $zpf = "$master_dir/$zone"; |
85 my $ep = 0; |
87 my $ep = 0; |
86 |
88 |
87 if ( -e "$zpf/$zone.signed" ) { |
89 if (-e "$zpf/$zone.signed") { |
88 unlink "$zpf/$zone.signed" and $ep = 1 } |
90 unlink "$zpf/$zone.signed" and $ep = 1; |
89 if ( -e "$zpf/.keycounter" ) { |
91 } |
90 unlink "$zpf/.keycounter" and $ep = 1 } |
92 if (-e "$zpf/.keycounter") { |
91 if ( -e "$zpf/.index.ksk" ) { |
93 unlink "$zpf/.keycounter" and $ep = 1; |
92 unlink "$zpf/.index.ksk" and $ep = 1 } |
94 } |
93 if ( -e "$zpf/.index.zsk" ) { |
95 if (-e "$zpf/.index.ksk") { |
94 unlink "$zpf/.index.zsk" and $ep = 1 } |
96 unlink "$zpf/.index.ksk" and $ep = 1; |
95 if ( -e "$zpf/dsset-$zone." ) { |
97 } |
96 unlink "$zpf/dsset-$zone." and $ep = 1 } |
98 if (-e "$zpf/.index.zsk") { |
97 if ( -e "$zpf/keyset-$zone." ) { |
99 unlink "$zpf/.index.zsk" and $ep = 1; |
98 unlink "$zpf/keyset-$zone." and $ep = 1 } |
100 } |
99 |
101 if (-e "$zpf/dsset-$zone.") { |
100 for (`ls $zpf/K$zone*`) { |
102 unlink "$zpf/dsset-$zone." and $ep = 1; |
|
103 } |
|
104 if (-e "$zpf/keyset-$zone.") { |
|
105 unlink "$zpf/keyset-$zone." and $ep = 1; |
|
106 } |
|
107 |
|
108 for (`ls $zpf/K$zone*`) { |
101 chomp($_); |
109 chomp($_); |
102 print "weg du scheissezwerg $_"; |
110 print "weg du scheissezwerg $_"; |
103 unlink ("$_"); |
111 unlink("$_"); |
104 } |
112 } |
105 |
113 |
106 if ($ep == 1) { |
114 if ($ep == 1) { |
107 print " * $zone: schluesselmaterial entfernt\n"; |
115 print " * $zone: schluesselmaterial entfernt\n"; |
108 } |
116 } |
109 |
117 |
110 open( ZONE, "$zpf/$zone" ) |
118 open(ZONE, "$zpf/$zone") |
111 or die "$zpf/$zone: $!\n"; |
119 or die "$zpf/$zone: $!\n"; |
112 @old_zone_content = <ZONE>; |
120 @old_zone_content = <ZONE>; |
113 close(ZONE); |
121 close(ZONE); |
114 |
122 |
115 for (@old_zone_content) { |
123 for (@old_zone_content) { |
116 unless (m#\$INCLUDE.*\"K$zone.*\.key\"#) { |
124 unless (m#\$INCLUDE.*\"K$zone.*\.key\"#) { |
117 push @new_zone_content, $_; |
125 push @new_zone_content, $_; |
118 } |
126 } |
119 } |
127 } |
120 |
128 |
121 open( ZONE, ">$zpf/$zone" ) or die "$zpf/$zone: $!\n"; |
129 open(ZONE, ">$zpf/$zone") or die "$zpf/$zone: $!\n"; |
122 print ZONE @new_zone_content; |
130 print ZONE @new_zone_content; |
123 close(ZONE); |
131 close(ZONE); |
124 } |
132 } |
125 } |
133 } |
126 |
134 |
132 my $keyname; |
140 my $keyname; |
133 my $zpf; |
141 my $zpf; |
134 |
142 |
135 for (@zones) { |
143 for (@zones) { |
136 $zone = $_; |
144 $zone = $_; |
137 $zpf = "$master_dir/$zone"; |
145 $zpf = "$master_dir/$zone"; |
138 |
146 |
139 chdir "$zpf" or die "$zpf: $!\n"; |
147 chdir "$zpf" or die "$zpf: $!\n"; |
140 $keyname = `dnssec-keygen -a RSASHA1 -b 2048 -f KSK -n ZONE $zone`; |
148 $keyname = `dnssec-keygen -a RSASHA1 -b 2048 -f KSK -n ZONE $zone`; |
141 |
149 |
142 unless ( -f ".index.ksk" ) { @index = ();} |
150 unless (-f ".index.ksk") { @index = (); } |
143 else { |
151 else { |
144 open( INDEX, ".index.ksk" ) or die "$zpf/.index.ksk: $!\n"; |
152 open(INDEX, ".index.ksk") or die "$zpf/.index.ksk: $!\n"; |
145 @index = <INDEX>; |
153 @index = <INDEX>; |
146 close(INDEX); |
154 close(INDEX); |
147 } |
155 } |
148 |
156 |
149 push @index, $keyname; |
157 push @index, $keyname; |
150 if ( @index > 2 ) { shift(@index);} |
158 if (@index > 2) { shift(@index); } |
151 |
159 |
152 open( INDEX, ">.index.ksk" ) or die "$zpf/.index.ksk: $!\n"; |
160 open(INDEX, ">.index.ksk") or die "$zpf/.index.ksk: $!\n"; |
153 print INDEX @index; |
161 print INDEX @index; |
154 close(INDEX); |
162 close(INDEX); |
155 |
163 |
156 chomp($keyname); |
164 chomp($keyname); |
157 print " * $zone: neuer KSK $keyname\n"; |
165 print " * $zone: neuer KSK $keyname\n"; |
158 |
|
159 |
166 |
160 print "!! DER KSK muss der Chain of Trust veroeffentlicht werden !! \n"; |
167 print "!! DER KSK muss der Chain of Trust veroeffentlicht werden !! \n"; |
161 |
168 |
162 } |
169 } |
163 } |
170 } |
170 my $keyname; |
177 my $keyname; |
171 my $zpf; |
178 my $zpf; |
172 |
179 |
173 for (@zones) { |
180 for (@zones) { |
174 $zone = $_; |
181 $zone = $_; |
175 $zpf = "$master_dir/$zone"; |
182 $zpf = "$master_dir/$zone"; |
176 |
183 |
177 chdir "$zpf" or die "$zpf: $!\n"; |
184 chdir "$zpf" or die "$zpf: $!\n"; |
178 $keyname = `dnssec-keygen -a RSASHA1 -b 512 -n ZONE $zone`; |
185 $keyname = `dnssec-keygen -a RSASHA1 -b 512 -n ZONE $zone`; |
179 |
186 |
180 unless ( -f ".index.zsk" ) { @index = ();} |
187 unless (-f ".index.zsk") { @index = (); } |
181 else { |
188 else { |
182 open( INDEX, ".index.zsk" ) or die "$zpf/.index.zsk: $!\n"; |
189 open(INDEX, ".index.zsk") or die "$zpf/.index.zsk: $!\n"; |
183 @index = <INDEX>; |
190 @index = <INDEX>; |
184 close(INDEX); |
191 close(INDEX); |
185 } |
192 } |
186 |
193 |
187 push @index, $keyname; |
194 push @index, $keyname; |
188 if ( @index > 2 ) { shift(@index);} |
195 if (@index > 2) { shift(@index); } |
189 |
196 |
190 open( INDEX, ">.index.zsk" ) or die "$zpf/.index.zsk: $!\n"; |
197 open(INDEX, ">.index.zsk") or die "$zpf/.index.zsk: $!\n"; |
191 print INDEX @index; |
198 print INDEX @index; |
192 close(INDEX); |
199 close(INDEX); |
193 |
200 |
194 chomp($keyname); |
201 chomp($keyname); |
195 print " * $zone: neuer ZSK $keyname\n"; |
202 print " * $zone: neuer ZSK $keyname\n"; |
196 |
203 |
197 open( KC, ">.keycounter" ) or die "$zpf/keycounter: $!\n"; |
204 open(KC, ">.keycounter") or die "$zpf/keycounter: $!\n"; |
198 print KC "0"; |
205 print KC "0"; |
199 close(KC); |
206 close(KC); |
200 |
207 |
201 } |
208 } |
202 } |
209 } |
214 my @keylist; |
221 my @keylist; |
215 |
222 |
216 for (<$zpf/*>) { |
223 for (<$zpf/*>) { |
217 if (m#(K$zone.*\.key)#) { |
224 if (m#(K$zone.*\.key)#) { |
218 $keyfile = $1; |
225 $keyfile = $1; |
219 open (KEYFILE, "<$zpf/$keyfile"); |
226 open(KEYFILE, "<$zpf/$keyfile"); |
220 @content = <KEYFILE>; |
227 @content = <KEYFILE>; |
221 close (KEYFILE); |
228 close(KEYFILE); |
222 for (@content) { |
229 for (@content) { |
223 if (m#DNSKEY.257#) { |
230 if (m#DNSKEY.257#) { |
224 push @keylist, $keyfile; |
231 push @keylist, $keyfile; |
225 } |
232 } |
226 } |
233 } |
227 } |
234 } |
228 } |
235 } |
229 |
236 |
230 open( INDEX, ">.index.ksk" ) or die "$zpf/.index.ksk: $!\n"; |
237 open(INDEX, ">.index.ksk") or die "$zpf/.index.ksk: $!\n"; |
231 for (@keylist) { |
238 for (@keylist) { |
232 s#\.key##; |
239 s#\.key##; |
233 print INDEX "$_\n"; |
240 print INDEX "$_\n"; |
234 } |
241 } |
235 close(INDEX); |
242 close(INDEX); |
236 |
243 |
237 print " * $zone: neue .index.ksk erzeugt\n"; |
244 print " * $zone: neue .index.ksk erzeugt\n"; |
238 |
245 |
239 if (-f "$zpf/.index.zsk") { |
246 if (-f "$zpf/.index.zsk") { |
240 unlink ("$zpf/.index.zsk") or die "$zpf/.index.zsk: $!\n"; |
247 unlink("$zpf/.index.zsk") or die "$zpf/.index.zsk: $!\n"; |
241 } |
248 } |
242 } |
249 } |
243 } |
250 } |
244 |
251 |
245 sub post_creat { |
252 sub post_creat { |
255 } |
262 } |
256 |
263 |
257 } |
264 } |
258 |
265 |
259 sub kill_useless_keys { |
266 sub kill_useless_keys { |
|
267 |
260 # die funktion loescht alle schluessel die nicht in der index.zsk |
268 # die funktion loescht alle schluessel die nicht in der index.zsk |
261 # der uebergebenen zone stehen |
269 # der uebergebenen zone stehen |
262 our $master_dir; |
270 our $master_dir; |
263 my $zone = $_[0]; |
271 my $zone = $_[0]; |
264 my @keylist = (); |
272 my @keylist = (); |
265 my $zpf = "$master_dir/$zone"; |
273 my $zpf = "$master_dir/$zone"; |
266 |
274 |
267 open (INDEX, "<$zpf/.index.zsk") or die "$zpf/.index.zsk: $!\n"; |
275 open(INDEX, "<$zpf/.index.zsk") or die "$zpf/.index.zsk: $!\n"; |
268 @keylist = <INDEX>; |
276 @keylist = <INDEX>; |
269 close(INDEX); |
277 close(INDEX); |
270 open (INDEX, "<$zpf/.index.ksk") or die "$zpf/.index.ksk: $!\n"; |
278 open(INDEX, "<$zpf/.index.ksk") or die "$zpf/.index.ksk: $!\n"; |
271 push @keylist, <INDEX>; |
279 push @keylist, <INDEX>; |
272 |
280 |
273 # kuerzt die schluessel-bezeichnung aus der indexdatei auf die id um sie |
281 # kuerzt die schluessel-bezeichnung aus der indexdatei auf die id um sie |
274 # besser vergleichen zu koennen. |
282 # besser vergleichen zu koennen. |
275 for ( @keylist ) { |
283 for (@keylist) { |
276 chomp; |
284 chomp; |
277 s#K.*\+.*\+(.*)#$1#; |
285 s#K.*\+.*\+(.*)#$1#; |
278 } |
286 } |
279 |
287 |
280 # prueft alle schluesseldateien (ksk, zsk) ob sie in der jeweiligen |
288 # prueft alle schluesseldateien (ksk, zsk) ob sie in der jeweiligen |
281 # indexdatei beschrieben sind. wenn nicht werden sie geloescht. |
289 # indexdatei beschrieben sind. wenn nicht werden sie geloescht. |
282 for (`ls $master_dir/$zone/K*[key,private]`) { |
290 for (`ls $master_dir/$zone/K*[key,private]`) { |
283 chomp; |
291 chomp; |
284 my $file = $_; |
292 my $file = $_; |
285 my $rm_count = 1; |
293 my $rm_count = 1; |
286 my $keyname; |
294 my $keyname; |
287 for (@keylist) { |
295 for (@keylist) { |
288 if ( $file =~ /$_/ ) { $rm_count = 0;} |
296 if ($file =~ /$_/) { $rm_count = 0; } |
289 } |
297 } |
290 if ($rm_count == 1) { |
298 if ($rm_count == 1) { |
291 unlink "$file"; |
299 unlink "$file"; |
292 if ($file =~ /$zpf\/(.*\.key)/ ) { |
300 if ($file =~ /$zpf\/(.*\.key)/) { |
293 print " * $zone: Schluessel $1 entfernt \n"; |
301 print " * $zone: Schluessel $1 entfernt \n"; |
294 } |
302 } |
295 } |
303 } |
296 } |
304 } |
297 } |
305 } |
298 |
306 |
299 sub key_to_zonefile { |
307 sub key_to_zonefile { |
|
308 |
300 # die funktion fugt alle schluessel in eine zonedatei |
309 # die funktion fugt alle schluessel in eine zonedatei |
301 our $master_dir; |
310 our $master_dir; |
302 my $zone = $_[0]; |
311 my $zone = $_[0]; |
303 my $zpf = "$master_dir/$zone"; |
312 my $zpf = "$master_dir/$zone"; |
304 my @old_content; |
313 my @old_content; |
305 my @new_content = (); |
314 my @new_content = (); |
306 |
315 |
307 open(ZONEFILE, "<$zpf/$zone"); |
316 open(ZONEFILE, "<$zpf/$zone"); |
308 @old_content = <ZONEFILE>; |
317 @old_content = <ZONEFILE>; |
315 for (<$zpf/*>) { |
324 for (<$zpf/*>) { |
316 if (m#(.*\/)(K.*\.key)#) { |
325 if (m#(.*\/)(K.*\.key)#) { |
317 push @new_content, "\$INCLUDE \"$2\"\n"; |
326 push @new_content, "\$INCLUDE \"$2\"\n"; |
318 } |
327 } |
319 } |
328 } |
320 open( ZONEFILE, ">$zpf/$zone" ) or die "$zpf/$zone: $!\n"; |
329 open(ZONEFILE, ">$zpf/$zone") or die "$zpf/$zone: $!\n"; |
321 print ZONEFILE @new_content; |
330 print ZONEFILE @new_content; |
322 close(ZONEFILE); |
331 close(ZONEFILE); |
323 } |
332 } |
324 |
333 |
325 |
|
326 &read_conf; |
334 &read_conf; |
327 |
335 |
328 our %config; |
336 our %config; |
329 our $do; # arbeitsschritte aus argv |
337 our $do; # arbeitsschritte aus argv |
330 our @zones; # liste der zonen in argv |
338 our @zones; # liste der zonen in argv |
331 our $master_dir = $config{master_dir}; |
339 our $master_dir = $config{master_dir}; |
332 our $bind_dir = $config{bind_dir}; |
340 our $bind_dir = $config{bind_dir}; |
333 our $conf_dir = $config{zone_conf_dir}; |
341 our $conf_dir = $config{zone_conf_dir}; |
334 our $sign_alert_time = $config{sign_alert_time}; |
342 our $sign_alert_time = $config{sign_alert_time}; |
335 our $indexzone = $config{indexzone}; |
343 our $indexzone = $config{indexzone}; |
336 our $key_counter_end = $config{key_counter_end}; |
344 our $key_counter_end = $config{key_counter_end}; |
337 our $ablauf_zeit = $config{abl_zeit}; |
345 our $ablauf_zeit = $config{abl_zeit}; |
338 |
346 |
339 &read_argv; |
347 &read_argv; |
340 |
348 |
341 unless (@zones) {exit;} # beendet das programm, wurden keine |
349 unless (@zones) { exit; } # beendet das programm, wurden keine |
342 # gueltigen zonen uebergeben |
350 # gueltigen zonen uebergeben |
343 |
351 |
344 if ($do eq "rm") { &rm_keys; exit;} |
352 if ($do eq "rm") { &rm_keys; exit; } |
345 if ($do eq "ck") { &ck_zone;} |
353 if ($do eq "ck") { &ck_zone; } |
346 if ($do eq "ksk") { &creat_ksk; } |
354 if ($do eq "ksk") { &creat_ksk; } |
347 |
355 |
348 &creat_zsk; |
356 &creat_zsk; |
349 &post_creat; |
357 &post_creat; |
350 |
358 |
351 |
|