19 sub update_index($); |
19 sub update_index($); |
20 sub sign_expired($); |
20 sub sign_expired($); |
21 sub need_rollover(); |
21 sub need_rollover(); |
22 sub done_rollover(); |
22 sub done_rollover(); |
23 sub begin_rollover(@); |
23 sub begin_rollover(@); |
|
24 sub kill_useless_keys($); |
24 |
25 |
25 sub sign_zone; |
26 sub sign_zone; |
26 sub update_serial; |
27 sub update_serial; |
27 sub mk_zone_conf; |
28 sub mk_zone_conf; |
28 sub file_entry; |
29 sub file_entry; |
29 sub server_reload; |
30 sub server_reload; |
30 sub key_to_zonefile; |
31 sub key_to_zonefile; |
31 sub kill_useless_keys; |
|
32 sub end_ro; |
32 sub end_ro; |
33 |
33 |
34 my %config; |
34 my %config; |
35 my %opt; |
35 my %opt; |
36 |
36 |
37 MAIN: { |
37 MAIN: { |
38 |
38 |
39 GetOptions( |
39 GetOptions( |
40 "sign-alert-time=i" => \$opt{sign_alert_time}, |
40 "sign-alert-time=i" => \$opt{sign_alert_time}, |
|
41 "key-counter-end=i" => \$opt{key_counter_end}, |
41 "h|help" => sub { pod2usage(-exit 0, -verbose => 1) }, |
42 "h|help" => sub { pod2usage(-exit 0, -verbose => 1) }, |
42 "m|man" => sub { |
43 "m|man" => sub { |
43 pod2usage( |
44 pod2usage( |
44 -exit 0, |
45 -exit 0, |
45 -verbose => 2, |
46 -verbose => 2, |
66 my @need_rollover = need_rollover; |
67 my @need_rollover = need_rollover; |
67 my @done_rollover = done_rollover; |
68 my @done_rollover = done_rollover; |
68 ### @candidates |
69 ### @candidates |
69 ### @need_rollover |
70 ### @need_rollover |
70 ### @done_rollover |
71 ### @done_rollover |
71 |
|
72 begin_rollover(@need_rollover); # eine rollover-beginn-sequenz |
72 begin_rollover(@need_rollover); # eine rollover-beginn-sequenz |
73 exit; |
73 exit; |
74 |
74 |
75 if (@end_ro_list) { |
75 if (@end_ro_list) { |
76 end_ro; # eine rollover-end-squenz |
76 end_ro; # eine rollover-end-squenz |
77 } |
77 } |
78 |
78 |
79 if (@new_serial) { |
79 if (@new_serial) { |
80 |
80 |
81 #--update_index; # index zone aktuallisieren |
81 #--update_index; # index zone aktuallisieren |
82 update_serial; # serial aktuallisieren |
82 update_serial; # serial aktuallisieren |
83 sign_zone; # zone signieren |
83 sign_zone; # zone signieren |
84 } |
84 } |
85 |
85 |
86 file_entry; # bearbeitet die file-eintraege der konfigurations-datei |
86 file_entry; # bearbeitet die file-eintraege der konfigurations-datei |
87 mk_zone_conf; # konfiguration zusammenfuegen |
87 mk_zone_conf; # konfiguration zusammenfuegen |
88 server_reload; # server neu laden |
88 server_reload; # server neu laden |
433 # anfang des key-rollovers |
433 # anfang des key-rollovers |
434 |
434 |
435 #?? for (uniq(@begin_ro_list)) { |
435 #?? for (uniq(@begin_ro_list)) { |
436 foreach my $zone (@zones) { |
436 foreach my $zone (@zones) { |
437 |
437 |
438 #erzeugt zsks |
438 # erzeugt zsks |
439 my $dir = "$config{master_dir}/$zone"; |
439 my $dir = "$config{master_dir}/$zone"; |
440 my @keys; |
440 my ($keyname, @keys); |
441 |
441 |
442 chomp(my $keyname = `cd $dir && dnssec-keygen -a RSASHA1 -b 512 -n ZONE $zone`); |
442 { # need to change the direcoty, thus some more effort |
|
443 # alternativly: $keyname = `cd $dir && dnssec-keygen ...`; |
|
444 # would do, but is more fragile on shell meta characters |
|
445 |
|
446 open(my $keygen, "-|") or do { |
|
447 chdir $dir or die "Can't chdir to $dir: $!\n"; |
|
448 exec "dnssec-keygen", |
|
449 -a => "RSASHA1", |
|
450 -b => 512, |
|
451 -n => "ZONE", |
|
452 $zone; |
|
453 die "Can't exec: $!"; |
|
454 }; |
|
455 chomp($keyname = <$keygen>); |
|
456 close($keygen) or die "dnssec-keygen failed: $@"; |
|
457 } |
443 |
458 |
444 open(my $fh, "+<$dir/.index.zsk") or die "$dir/.index.zsk: $!\n"; |
459 open(my $fh, "+<$dir/.index.zsk") or die "$dir/.index.zsk: $!\n"; |
445 chomp(@keys = <$fh>); |
460 chomp(@keys = <$fh>); |
446 |
461 |
|
462 ### @keys |
|
463 |
447 push @keys, $keyname; |
464 push @keys, $keyname; |
448 shift @keys if @keys > 2; |
465 shift @keys if @keys > 2; |
449 |
466 |
450 seek($fh, 0, 0) or die "seek"; # FIXME |
467 seek($fh, 0, 0) or die "seek"; # FIXME |
451 truncate($fh, 0) or die "truncate"; # FIXME |
468 truncate($fh, 0) or die "truncate"; # FIXME |
452 print $fh join "\n" => @keys; |
469 print $fh join "\n" => @keys; |
453 |
470 |
454 print " * $zone: neuer ZSK $keyname erstellt\n"; |
471 print " * $zone: neuer ZSK $keyname erstellt\n"; |
455 |
472 |
456 open($fh, ">$dir/.keycounter") or die "$dir/.keycounter: $!\n"; |
473 open($fh, ">$dir/.keycounter") or die "$dir/.keycounter: $!\n"; |
457 say $fh 0; |
474 say $fh 0; |
458 close($fh); |
475 close($fh); |
459 |
476 |
460 &kill_useless_keys($zone); |
477 kill_useless_keys($zone); |
461 &key_to_zonefile($zone); |
478 &key_to_zonefile($zone); |
462 push @r, $zone; |
479 push @r, $zone; |
463 } |
480 } |
464 |
481 |
465 return @r; |
482 return @r; |
489 open(ZONEFILE, ">$zpf/$zone") or die "$zpf/$zone: $!\n"; |
506 open(ZONEFILE, ">$zpf/$zone") or die "$zpf/$zone: $!\n"; |
490 print ZONEFILE @new_content; |
507 print ZONEFILE @new_content; |
491 close(ZONEFILE); |
508 close(ZONEFILE); |
492 } |
509 } |
493 |
510 |
494 sub kill_useless_keys { |
511 sub kill_useless_keys($) { |
495 |
512 |
496 # die funktion loescht alle schluessel die nicht in der index.zsk |
513 # die funktion loescht alle schluessel die nicht in der index.zsk |
497 # der uebergebenen zone stehen |
514 # der uebergebenen zone stehen |
498 my $zone = $_[0]; |
515 my $zone = shift; |
499 my @keylist = (); |
516 |
500 my $zpf = "$config{master_dir}/$zone"; |
517 my @keys = (); |
501 |
518 my $dir = "$config{master_dir}/$zone"; |
502 open(INDEX, "<$zpf/.index.zsk") or die "$zpf/.index.zsk: $!\n"; |
519 |
503 @keylist = <INDEX>; |
520 { |
504 close(INDEX); |
521 # collect the keys and cut everything except the key id |
505 open(INDEX, "<$zpf/.index.ksk") or die "$zpf/.index.ksk: $!\n"; |
522 open(my $zsk, "<$dir/.index.zsk") or die "$dir/.index.zsk: $!\n"; |
506 push @keylist, <INDEX>; |
523 open(my $ksk, "<$dir/.index.ksk") or die "$dir/.index.ksk: $!\n"; |
507 |
524 @keys = map { basename $_, ".private", ".key" } (<$zsk>, <$ksk>); |
508 # kuerzt die schluessel-bezeichnung aus der indexdatei auf die id um sie |
525 } |
509 # besser vergleichen zu koennen. |
526 |
510 for (@keylist) { |
527 ### @keys |
511 chomp; |
|
512 s#K.*\+.*\+(.*)#$1#; |
|
513 } |
|
514 |
528 |
515 # prueft alle schluesseldateien (ksk, zsk) ob sie in der jeweiligen |
529 # prueft alle schluesseldateien (ksk, zsk) ob sie in der jeweiligen |
516 # indexdatei beschrieben sind. wenn nicht werden sie geloescht. |
530 # indexdatei beschrieben sind. wenn nicht werden sie geloescht. |
517 for (grep /(?:key|private)$/ => glob "$config{master_dir}/$zone/K*") { |
531 # ---- <><><><> |
518 chomp; |
532 for my $file (grep /(?:key|private)$/ => glob "$config{master_dir}/$zone/K*") { |
519 my $file = $_; |
533 $file = basename $file, ".private", ".key"; |
520 my $rm_count = 1; |
534 unlink "$file.key", "$file.private" if $file ~~ @keys; |
521 my $keyname; |
|
522 for (@keylist) { |
|
523 if ($file =~ /$_/) { $rm_count = 0; } |
|
524 } |
|
525 if ($rm_count == 1) { |
|
526 unlink "$file"; |
|
527 if ($file =~ /$zpf\/(.*\.key)/) { |
|
528 print " * $zone: Schluessel $1 entfernt \n"; |
|
529 } |
|
530 } |
|
531 } |
535 } |
532 } |
536 } |
533 |
537 |
534 sub end_ro { |
538 sub end_ro { |
535 our @end_ro_list; |
539 our @end_ro_list; |
553 if ($count > 1) { |
557 if ($count > 1) { |
554 open(INDEX, ">$config{master_dir}/$zone/.index.zsk"); |
558 open(INDEX, ">$config{master_dir}/$zone/.index.zsk"); |
555 print INDEX $last_key; |
559 print INDEX $last_key; |
556 close(INDEX); |
560 close(INDEX); |
557 } |
561 } |
558 &kill_useless_keys($zone); |
562 kill_useless_keys($zone); |
559 &key_to_zonefile($zone); |
563 &key_to_zonefile($zone); |
560 push @new_serial, $zone; |
564 push @new_serial, $zone; |
561 } |
565 } |
562 } |
566 } |
563 |
567 |
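Review bot: The new `unlink "$file.key", "$file.private" if $file ~~ @keys;` in kill_useless_keys (new line 534) deletes exactly the key files that are still listed in .index.zsk/.index.ksk and keeps the stale ones, which is the inverse of the loop it replaces and of the comment two lines above it ("wenn nicht werden sie geloescht"), so the condition must be negated. Two further problems make the result unpredictable: `$file = basename $file, ".private", ".key";` strips the directory, so the unlink is attempted relative to the process's current directory instead of `$dir` and its return value is never checked, and the lines read from `<$zsk>` and `<$ksk>` are not chomped, so every index entry except the last one written by `join "\n"` in begin_rollover still carries a newline and can never compare equal to a file name. Smartmatch `~~` has been experimental since 5.18 and is slated for removal, so a lookup hash is the safer form; the rewrite below keeps the full path, negates the test, chomps the index entries, reports unlink failures and restores the removal message the old loop printed. The `# ---- <><><><>` marker and the `### @keys` debug line look like leftovers that should not reach the committed version.
```perl
sub kill_useless_keys($) {
    # … unchanged: my $zone / my $dir …
    my %keep;
    {
        # key ids named in the indexes; chomp, because only the last entry lacks a newline
        open(my $zsk, "<", "$dir/.index.zsk") or die "$dir/.index.zsk: $!\n";
        open(my $ksk, "<", "$dir/.index.ksk") or die "$dir/.index.ksk: $!\n";
        for my $entry (<$zsk>, <$ksk>) {
            chomp $entry;
            next if $entry eq "";
            $keep{ basename($entry, ".private", ".key") } = 1;
        }
    }

    for my $file (grep /(?:key|private)$/ => glob "$dir/K*") {
        next if $keep{ basename($file, ".private", ".key") };   # still referenced by an index
        unlink $file or warn "$zone: cannot remove $file: $!\n";
        print " * $zone: Schluessel ", basename($file), " entfernt \n" if $file =~ /\.key$/;
    }
}
```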