ius/dnstools: comparison update-serial.pl

equal deleted inserted replaced

-:fdf4df74d8c5
+:bffb3f2cca90
 use FindBin;
 use File::Basename;
 use Pod::Usage;
 use Getopt::Long;
 use File::Temp;
+use IO::File;
 use POSIX qw(strftime);
 use if $ENV{DEBUG} => "Smart::Comments";
 sub uniq(@);
 sub read_conf(@);
 sub zones(@);
 sub changed_zones();
 sub update_index($);
-sub sign_expired($);
+sub signature_expired($);
 sub need_rollover();
 sub done_rollover();
 sub begin_rollover(@);
+sub end_rollover(@);
 sub unlink_unused_keys($);
+sub include_keys($);
-sub sign_zone;
+sub sign($);
-sub update_serial;
+sub update_serial($);
 sub mk_zone_conf;
 sub file_entry;
 sub server_reload;
-sub key_to_zonefile;
-sub end_ro;
 my %config;
 my %opt;
 MAIN: {
 GetOptions(
 "sign-alert-time=i" => \$opt{sign_alert_time},
-		"key-counter-end=i" => \$opt{key_counter_end},
+"key-counter-end=i" => \$opt{key_counter_end},
 "h|help"            => sub { pod2usage(-exit 0, -verbose => 1) },
 "m|man"             => sub {
 pod2usage(
 -exit 0,
 -verbose   => 2,
 %config = (
 read_conf("$FindBin::Bin/dnstools.conf", "/etc/dnstools.conf"),
 map { $_ => $opt{$_} } grep { defined $opt{$_} } keys %opt
 );
-our @new_serial;     # DO NOT USE
-our @end_ro_list;    # liste mit zonen deren key-rollover fertig ist
 our $bind_dir = $config{bind_dir};
 our $conf_dir = $config{zone_conf_dir};
 my @candidates = @ARGV ? zones(@ARGV) : changed_zones;
 push @candidates, update_index($config{indexzone});
-push @candidates, sign_expired($config{sign_alert_time});
+push @candidates, signature_expired($config{sign_alert_time});
 my @need_rollover = need_rollover;
 my @done_rollover = done_rollover;
-### @candidates
-### @need_rollover
+push @candidates, begin_rollover(@need_rollover);
-### @done_rollover
+push @candidates, end_rollover(@done_rollover);
-begin_rollover(@need_rollover);    # eine rollover-beginn-sequenz
+foreach my $zone (uniq(@candidates)) {
+update_serial($zone);
+sign($zone);
+}
+say "Need to ... file_entry, mk_zone_conf, server_reload";
 exit;
-if (@end_ro_list) {
-end_ro;                        # eine rollover-end-squenz
-}
-if (@new_serial) {
-#--update_index;     # index zone aktuallisieren
-update_serial;                 # serial aktuallisieren
-sign_zone;                     # zone signieren
-}
 file_entry;       # bearbeitet die file-eintraege der konfigurations-datei
 mk_zone_conf;     # konfiguration zusammenfuegen
 server_reload;    # server neu laden
 say " * $zone: zone file modified";
 }
 return @r;
 }
-sub sign_expired($) {
+sub signature_expired($) {
 my $sign_alert_time = shift;  # the time between the end and the new signing
 # (see external configuration)
 my @r;
 # erzeugt $time (die zeit ab der neu signiert werden soll)
 }
 return @r;
 }
-sub sign_zone {
+sub sign($) {
-# signiert die zonen und erhoeht den wert in der keycounter-datei
+my $zone = shift;
-our @new_serial;
+my $dir  = "$config{master_dir}/$zone";
-my $zone;
-my $kc;
+my $pid = fork // die "Can't fork: $!";
-for (uniq(@new_serial)) {
+if ($pid == 0) {
-$zone = $_;
+chdir $dir or die "Can't chdir to $dir: $!\n";
+exec "dnssec-signzone" => $zone;
-unless (-e "$config{master_dir}/$zone/.index.zsk") {
+die "Can't exec: $!\n";
-next;
+}
-}
+wait == $pid or die "Child is lost: $!";
-chdir "$config{master_dir}/$zone";
+die "Can't sign zone!" if $?;
-if (`dnssec-signzone $zone 2>/dev/null`) {
-print " * $zone neu signiert \n";
+say " * $zone neu signiert";
-# erhoeht den keycounter
+open(my $fh, "+>>$dir/.keycounter")
-if ("$config{master_dir}/$zone/.keycounter") {
+or die "Can't open $dir/.keycounter for update: $!\n";
-open(KC, "$config{master_dir}/$zone/.keycounter");
+seek($fh, 0, 0);
-$kc = <KC>;
+my $kc = <$fh>;
-close(KC);
+truncate($fh, 0);
-$kc += 1;
+say $fh ++$kc;
 }
-else {
-$kc = 1;
+sub update_serial($) {
-}
-open(KC, ">$config{master_dir}/$zone/.keycounter");
+my $zone = shift;
-print KC $kc;
-close(KC);
+my $file = "$config{master_dir}/$zone/$zone";
-}
+my $in   = IO::File->new($file) or die "Can't open $file: $!\n";
-else { print "$zone konnte nicht signiert werden \n"; }
+my $out  = File::Temp->new(DIR => dirname $file)
-}
+or die "Can't open tmpfile: $!\n";
-}
+my $_ = join "" => <$in>;
-sub update_serial {
-our @new_serial;
-chomp(my $date = `date +%Y%m%d`);
-my @new_content;
-my $sdate;
-my $scount;
 my $serial;
+s/^(\s+)(\d{10})(?=\s*;\s*serial)/$1 . ($serial = new_serial($2))/emi
-for (uniq(@new_serial)) {
+or die "Serial number not found for replacement!";
-# erhoeht den serial
+print $out $_;
-my $zone        = $_;
-my $file        = "$config{master_dir}/$zone/$zone";
+close($in);
-my @new_content = ();
+close($out);
-open(SER, "<$file") or die "$file: $!\n";
+rename($out->filename => $file)
-for (<SER>) {
+or die "Can't rename tmp to $file: $!\n";
-if (/^\s+(\d+)(\d{2})\s*;\s*serial/i) {
-$sdate  = $1;
+$serial =~ s/\s*//g;
-$scount = $2;
+say " * $zone: serial incremented to $serial";
-$serial = "$sdate$scount";
-if ($date eq $sdate) {
+open(my $stamp, ">", dirname($file) . "/.stamp");
-$scount++;
+print $stamp time() . " " . localtime() . "\n";
-}
-else {
+say " * $zone: stamp aktualisiert";
-$sdate  = $date;
+}
-$scount = "00";
-}
+sub new_serial($) {
-}
-if ($serial) {
+my ($date, $cnt) = $_[0] =~ /(\d{8})(\d\d)/;
-s/$serial/$sdate$scount/;
-}
+state $now = strftime("%4Y%02m%02d", localtime);
-push @new_content, $_;
-}
+return $date eq $now
-close(SER);
+? sprintf "%s%02d", $date, $cnt + 1
+: "${now}00";
-open(RES, ">$file") or die "$file: $!\n";
-print RES @new_content;
-close(RES);
-print " * $zone: serial erhoeht \n";
-open(STAMP, ">$config{master_dir}/$zone/.stamp")
-or die "$config{master_dir}/$zone/.stamp: $!\n";
-close(STAMP);
-print " * $zone: stamp aktualisiert \n";
-}
 }
 sub mk_zone_conf {
 # erzeugt eine named.conf-datei aus den entsprechenden vorlagen.
 my @zones = @_;
 my @r;
 # anfang des key-rollovers
-#??  for (uniq(@begin_ro_list)) {
 foreach my $zone (@zones) {
 # erzeugt zsks
 my $dir = "$config{master_dir}/$zone";
 my ($keyname, @keys);
+# create a new key
 {    # need to change the direcoty, thus some more effort
 # alternativly: $keyname = `cd $dir && dnssec-keygen ...`;
 # would do, but is more fragile on shell meta characters
 open(my $keygen, "-|") or do {
 chdir $dir or die "Can't chdir to $dir: $!\n";
 exec "dnssec-keygen",
 -a => "RSASHA1",
 -b => 512,
 -n => "ZONE",
-		  $zone;
+$zone;
 die "Can't exec: $!";
 };
 chomp($keyname = <$keygen>);
 close($keygen) or die "dnssec-keygen failed: $@";
 }
-open(my $fh, "+<$dir/.index.zsk") or die "$dir/.index.zsk: $!\n";
+open(my $fh, "+>>$dir/.index.zsk") or die "$dir/.index.zsk: $!\n";
+seek($fh, 0, 0);
 chomp(@keys = <$fh>);
-	### @keys
+### @keys
 push @keys, $keyname;
 shift @keys if @keys > 2;
-seek($fh, 0, 0) or die "seek";    # FIXME
+truncate($fh, 0) or die "truncate";
-truncate($fh, 0) or die "truncate";    # FIXME
 print $fh join "\n" => @keys;
 print " * $zone: neuer ZSK $keyname erstellt\n";
 open($fh, ">$dir/.keycounter") or die "$dir/.keycounter: $!\n";
 say $fh 0;
 close($fh);
 unlink_unused_keys($zone);
-&key_to_zonefile($zone);
+include_keys($zone);
 push @r, $zone;
 }
 return @r;
 }
-sub key_to_zonefile {
+sub include_keys($) {
 # die funktion fugt alle schluessel in eine zonedatei
-my $zone = $_[0];
+my $zone = shift;
-my $zpf  = "$config{master_dir}/$zone";
+my $dir  = "$config{master_dir}/$zone";
-my @old_content;
-my @new_content = ();
+my $in = IO::File->new("$dir/$zone") or die "Can't open $dir/$zone: $!\n";
+my $out = File::Temp->new(DIR => $dir) or die "Can't open tmpfile: $!\n";
-open(ZONEFILE, "<$zpf/$zone");
-@old_content = <ZONEFILE>;
+print $out grep { !/\$include\s+.*key/i } $in;
-close(ZONEFILE);
+print $out map  { "\$INCLUDE @{[basename $_]}\n" } glob "$dir/K*key";
-for (@old_content) {
+close $in;
-unless (m#INCLUDE.*key#) { push @new_content, $_; }
+close $out;
-}
+rename($out->filename => "$dir/$zone")
+or die "Can't rename tmp to $dir/$zone: $!\n";
-for (<$zpf/*>) {
-if (m#(.*\/)(K.*\.key)#) {
-push @new_content, "\$INCLUDE \"$2\"\n";
-}
-}
-open(ZONEFILE, ">$zpf/$zone") or die "$zpf/$zone: $!\n";
-print ZONEFILE @new_content;
-close(ZONEFILE);
 }
 sub unlink_unused_keys($) {
 # die funktion loescht alle schluessel die nicht in der index.zsk
 # der uebergebenen zone stehen
 my $zone = shift;
 my @keys;
-my $dir  = "$config{master_dir}/$zone";
+my $dir = "$config{master_dir}/$zone";
 {
-	# collect the keys and cut everything except the key id
-	# we cut the basenames (w/o the .private|.key suffix)
+# collect the keys and cut everything except the key id
+# we cut the basenames (w/o the .private|.key suffix)
 open(my $zsk, "<$dir/.index.zsk") or die "$dir/.index.zsk: $!\n";
 open(my $ksk, "<$dir/.index.ksk") or die "$dir/.index.ksk: $!\n";
-	@keys = (<$zsk>, <$ksk>);
+@keys = (<$zsk>, <$ksk>);
 }
 # prueft alle schluesseldateien (ksk, zsk) ob sie in der jeweiligen
 # indexdatei beschrieben sind. wenn nicht werden sie geloescht.
 for my $file (glob "$dir/K*.key $dir/K*.private") {
-	unlink $file if basename($file, ".key", ".private") ~~ @keys;
+unlink $file if basename($file, ".key", ".private") ~~ @keys;
 }
 }
-sub end_ro {
+sub end_rollover(@) {
-our @end_ro_list;
-our @new_serial;
+my @zones = @_;
-my @content;
+my @r;
-for (@end_ro_list) {
+foreach my $zone (@zones) {
-my $zone  = $_;
-my $count = 0;
+my $dir = "$config{master_dir}/$zone";
-my @content;
-my $last_key;
+open(my $fh, "+>>$dir/.index.zsk")
+or die "Can't open $dir/.index.zsk: $!\n";
-open(INDEX, "<$config{master_dir}/$zone/.index.zsk");
+seek($fh, 0, 0);
-@content = <INDEX>;
+chomp(my @keys = <$fh>);
-close(INDEX);
+if (@keys > 1) {
-for (@content) {
+truncate($fh, 0);
-$count++;
+say $fh $keys[-1];
-$last_key = $_;
+}
-}
+close($fh);
-if ($count > 1) {
-open(INDEX, ">$config{master_dir}/$zone/.index.zsk");
-print INDEX $last_key;
-close(INDEX);
-}
 unlink_unused_keys($zone);
-&key_to_zonefile($zone);
+include_keys($zone);
-push @new_serial, $zone;
+push @r => $zone;
 }
+return @r;
 }
 __END__
 =head1 NAME

branch	hs12
changeset 70	bffb3f2cca90
parent 67	6adcf16d5cd6
child 71	e25fc893e203