1 #!/usr/bin/perl -w |
|
2 |
|
3 use strict; |
|
4 use FindBin; |
|
5 |
|
6 sub del_double { |
|
7 my %all; |
|
8 grep { $all{$_} = 0 } @_; |
|
9 return ( keys %all ); |
|
10 } |
|
11 |
|
12 # liest die Konfiguration ein |
|
13 my @configs = ( "$FindBin::Bin/dnstools.conf", "/etc/dnstools.conf" ); |
|
14 my %config; |
|
15 |
|
16 for ( grep {-f} @configs ) { |
|
17 open( CONFIG, $_ ) or die "Can't open $_: $!\n"; |
|
18 } |
|
19 |
|
20 unless ( seek( CONFIG, 0, 0 ) ) { |
|
21 die "Can't open config (searched: @configs)\n"; |
|
22 } |
|
23 |
|
24 while (<CONFIG>) { |
|
25 chomp; |
|
26 s/#.*//; |
|
27 s/\t//g; |
|
28 s/\s//g; |
|
29 |
|
30 next unless length; |
|
31 my ( $cname, $ccont ) = split( /\s*=\s*/, $_, 2 ); |
|
32 $config{$cname} = $ccont; |
|
33 } |
|
34 close(CONFIG); |
|
35 |
|
36 my $master_dir = $config{master_dir}; |
|
37 my $ablauf_zeit = $config{abl_zeit}; |
|
38 my $zone; |
|
39 my @status; |
|
40 my @auto; |
|
41 my @manu; |
|
42 my @old_zone_content; |
|
43 my @new_zone_content; |
|
44 chomp( my $now_time = `date +%s` ); # aktuelle unixzeit |
|
45 |
|
46 # prueft zonen aus ARGV und loescht das schluesselmaterial |
|
47 for (@ARGV) { |
|
48 chomp( $zone = `idn --quiet $_` ); |
|
49 my $zdir = "$master_dir/$zone"; |
|
50 my $ep = 0; |
|
51 |
|
52 unless ( -e "$master_dir/$zone" ) { |
|
53 print "$zone ist keine verwaltete zone \n"; |
|
54 } |
|
55 else { |
|
56 if ( -e "$zdir/$zone.signed" ) { |
|
57 unlink "$zdir/$zone.signed" and $ep = 1 } |
|
58 if ( -e "$zdir/.keycounter" ) { |
|
59 unlink "$zdir/.keycounter" and $ep = 1 } |
|
60 if ( -e "$zdir/.index.ksk" ) { |
|
61 unlink "$zdir/.index.ksk" and $ep = 1 } |
|
62 if ( -e "$zdir/.index.zsk" ) { |
|
63 unlink "$zdir/.index.zsk" and $ep = 1 } |
|
64 if ( -e "$zdir/dsset-$zone." ) { |
|
65 unlink "$zdir/dsset-$zone." and $ep = 1 } |
|
66 if ( -e "$zdir/keyset-$zone." ) { |
|
67 unlink "$zdir/keyset-$zone." and $ep = 1 } |
|
68 |
|
69 for (`ls $master_dir/$zone/K*[key,private]`) { |
|
70 unlink $_ and $ep = 1 |
|
71 } |
|
72 |
|
73 if ($ep == 1) { |
|
74 print "$zone: keys removed\n"; |
|
75 } |
|
76 |
|
77 open( ZONE, "$master_dir/$zone/$zone" ) |
|
78 or die "$master_dir/$zone/$zone: $!\n"; |
|
79 @old_zone_content = <ZONE>; |
|
80 close(ZONE); |
|
81 |
|
82 for (@old_zone_content) { |
|
83 unless (/dnssec-(ksk|zsk)/) { |
|
84 push @new_zone_content, $_; |
|
85 } |
|
86 } |
|
87 |
|
88 open( ZONE, ">$master_dir/$zone/$zone" ) |
|
89 or die "$master_dir/$zone/$zone: $!\n"; |
|
90 print ZONE @new_zone_content; |
|
91 close(ZONE); |
|
92 |
|
93 push @manu, $zone; |
|
94 } |
|
95 } |
|
96 |
|
97 # beendet den key-rollover |
|
98 for (<$master_dir/*>) { |
|
99 $zone = $_; |
|
100 $zone =~ s#($master_dir/)(.*)#$2#; |
|
101 |
|
102 my @index = (); |
|
103 my $index_wc; |
|
104 |
|
105 # prueft nach der ".index.zsk"-datei und erstellt den zeitpunkt |
|
106 # an dem das key-rollover endet. - $status[9] |
|
107 if ( -e "$master_dir/$zone/.index.zsk" ) { |
|
108 @status = stat("$master_dir/$zone/.index.zsk"); |
|
109 $status[9] += ( 3600 * $ablauf_zeit ); |
|
110 } |
|
111 else { |
|
112 next; |
|
113 } |
|
114 |
|
115 # prueft ob das key-rollover-ende erreicht ist |
|
116 unless ( $status[9] < $now_time ) { |
|
117 next; |
|
118 } |
|
119 |
|
120 # prueft die anzahl der schluessel in der ".index.zsk" |
|
121 # loescht alte schluessel |
|
122 open( INDEX, "$master_dir/$zone/.index.zsk" ) |
|
123 or die "$master_dir/$zone/.index.zsk: $!\n"; |
|
124 @index = <INDEX>; |
|
125 $index_wc = @index; |
|
126 close(INDEX); |
|
127 if ( $index_wc > 1 ) { |
|
128 open( INDEX, ">$master_dir/$zone/.index.zsk" ) |
|
129 or die "$master_dir/$zone/.index.zsk: $!\n"; |
|
130 print INDEX $index[1]; |
|
131 close(INDEX); |
|
132 push @auto, $zone; |
|
133 } |
|
134 |
|
135 # prueft die anzahl der schluessel in der ".index.ksk" |
|
136 # loescht alte schluessel |
|
137 open( INDEX, "$master_dir/$zone/.index.ksk" ) |
|
138 or die "$master_dir/$zone/.index.ksk: $!\n"; |
|
139 @index = <INDEX>; |
|
140 $index_wc = @index; |
|
141 close(INDEX); |
|
142 if ( $index_wc > 1 ) { |
|
143 open( INDEX, ">$master_dir/$zone/.index.ksk" ) |
|
144 or die "$master_dir/$zone/.index.ksk: $!\n"; |
|
145 print INDEX $index[1]; |
|
146 close(INDEX); |
|
147 push @auto, $zone; |
|
148 } |
|
149 |
|
150 } |
|
151 |
|
152 # nach abgeschlossenem key-rollover werden fuer die entsprechende zone |
|
153 # unbenoetigte schluessel entfernt und die vorhandenen schluessel in die |
|
154 # zonedatei geschrieben. |
|
155 for ( &del_double(@auto) ) { |
|
156 my $zone = $_; |
|
157 my @old_zone_content = (); |
|
158 my @new_zone_content = (); |
|
159 my @kkeylist = (); |
|
160 my @zkeylist = (); |
|
161 my $file; |
|
162 |
|
163 open( INDEX, "$master_dir/$zone/.index.zsk" ) |
|
164 or die "$master_dir/$zone/.index.zsk: $!\n"; |
|
165 @zkeylist = <INDEX>; |
|
166 close(INDEX); |
|
167 |
|
168 open( INDEX, "$master_dir/$zone/.index.ksk" ) |
|
169 or die "$master_dir/$zone/.index.ksk: $!\n"; |
|
170 @kkeylist = <INDEX>; |
|
171 close(INDEX); |
|
172 |
|
173 open( ZONE, "$master_dir/$zone/$zone" ) |
|
174 or die "$master_dir/$zone/$zone: $!\n"; |
|
175 @old_zone_content = <ZONE>; |
|
176 close(ZONE); |
|
177 |
|
178 # kuerzt die schluessel-bezeichnung aus der indexdatei auf die |
|
179 # id um sie besser vergleichen zu koennen. |
|
180 for ( @kkeylist, @zkeylist ) { |
|
181 chomp; |
|
182 s#K.*\+.*\+(.*)#$1#; |
|
183 } |
|
184 |
|
185 # filtert alle schluessel aus der zonedatei |
|
186 # old_zone_content ==> new_zone_content |
|
187 for (@old_zone_content) { |
|
188 unless (/dnssec-(ksk|zsk)/) { |
|
189 push @new_zone_content, $_; |
|
190 } |
|
191 } |
|
192 |
|
193 # prueft alle schluesseldateien (ksk, zsk) ob sie in der jeweiligen |
|
194 # indexdatei beschrieben sind. wenn nicht werden sie geloescht. |
|
195 for (`ls $master_dir/$zone/K*[key,private]`) { |
|
196 chomp; |
|
197 $file = $_; |
|
198 my $rm_count = 1; |
|
199 |
|
200 for (@zkeylist) { |
|
201 |
|
202 if ( $file =~ /$_/ ) { |
|
203 $rm_count = 0; |
|
204 |
|
205 # schluessel die in der indexdatei standen, werden an die |
|
206 # zonedatei angehangen. |
|
207 if ( $file =~ /.*key/ ) { |
|
208 |
|
209 $file =~ s#/.*/(K.*)#$1#; |
|
210 push @new_zone_content, |
|
211 "\$INCLUDE \"$file\"\t\t; dnssec-zsk\n"; |
|
212 |
|
213 last; |
|
214 } |
|
215 } |
|
216 } |
|
217 for (@kkeylist) { |
|
218 |
|
219 if ( $file =~ /$_/ ) { |
|
220 $rm_count = 0; |
|
221 |
|
222 # schluessel die in der indexdatei standen, werden an die |
|
223 # zonedatei angehangen. |
|
224 if ( $file =~ /.*key/ ) { |
|
225 |
|
226 $file =~ s#/.*/(K.*)#$1#; |
|
227 push @new_zone_content, |
|
228 "\$INCLUDE \"$file\"\t\t; dnssec-ksk\n"; |
|
229 |
|
230 last; |
|
231 } |
|
232 } |
|
233 } |
|
234 |
|
235 #loescht alle unbenoetigten schluessel |
|
236 if ( $rm_count == 1 ) { |
|
237 print `rm -f $file`; |
|
238 } |
|
239 } |
|
240 |
|
241 open( ZONE, ">$master_dir/$zone/$zone" ) |
|
242 or die "$master_dir/$zone/$zone: $!\n"; |
|
243 print ZONE @new_zone_content; |
|
244 close(ZONE); |
|
245 |
|
246 print "$master_dir/$zone/$zone wurde neu erstellt \n"; |
|
247 } |
|
248 |
|
249 # "toucht" alle zonen damit der serial erhoht wird und die |
|
250 # zone neu signiert wird |
|
251 for ( &del_double( @auto, @manu ) ) { |
|
252 system "touch $master_dir/$_/$_"; |
|
253 } |
|
254 |
|