dnssec-keytool.pl
changeset 88 0e1e5027e9c0
parent 52 53c95f2ff0ac
parent 87 6d624831079f
child 90 0b9ba3e760bd
--- a/dnssec-keytool.pl	Tue Dec 21 17:00:11 2010 +0100
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,370 +0,0 @@
-#! /usr/bin/perl
-
-use warnings;
-use strict;
-use FindBin;
-
-sub del_double {
-    my %all;
-    grep { $all{$_} = 0 } @_;
-    return (keys %all);
-}
-
-sub read_conf {
-
-    # read configuration
-    my @configs = ("$FindBin::Bin/dnstools.conf", "/etc/dnstools.conf");
-    our %config;
-
-    for (grep { -f } @configs) {
-        open(CONFIG, $_) or die "Can't open $_: $!\n";
-    }
-    unless (seek(CONFIG, 0, 0)) {
-        die "Can't open config (searched: @configs)\n";
-    }
-    while (<CONFIG>) {
-        chomp;
-        s/#.*//;
-        s/\t//g;
-        s/\s//g;
-
-        next unless length;
-        my ($cname, $ccont) = split(/\s*=\s*/, $_, 2);
-        $config{$cname} = $ccont;
-    }
-    close(CONFIG);
-}
-
-sub read_argv {
-    # evaluate argv or print the help
-    my $arg = shift @ARGV;
-    my $zone;
-    our $do;
-    our @zones;
-    our $master_dir;
-
-    if (!defined $arg) {
-        print " usage: dnssec-keytool <option> zone\n";
-        print "   -z  created a new ZSK\n";
-        print "   -k  created a new ZSK and KSK\n";
-        print "   -rm deletes the key-set of a zone\n";
-        print "   -c  created configuration files for the dnstools\n";
-        print "       and a new ZSK for an existing KSK\n";
-        print "\n";
-
-        exit;
-    }
-    elsif ($arg eq "-k")  { $do = "ksk"; }
-    elsif ($arg eq "-rm") { $do = "rm"; }
-    elsif ($arg eq "-c")  { $do = "ck"; }
-    elsif ($arg eq "-z")  { $do = "zsk"; }
-    else {
-        print "not a valid option.\n";
-        exit;
-    }
-
-    # checks the zones in argv if there are managed zones
-    for (@ARGV) {
-        chomp($zone = `idn --quiet "$_"`);
-        if (-e "$master_dir/$zone/$zone") {
-            push @zones, $zone;
-        }
-    }
-}
-
-sub rm_keys {
-    # deletes all the keys were handed over -rm in argv
-    our @zones;
-    our $master_dir;
-    my $zone;
-    my @new_zone_content;
-    my @old_zone_content;
-
-    for (@zones) {
-        $zone = $_;
-
-        my $zpf = "$master_dir/$zone";
-        my $ep  = 0;
-
-        if (-e "$zpf/$zone.signed") {
-            unlink "$zpf/$zone.signed" and $ep = 1;
-        }
-        if (-e "$zpf/.keycounter") {
-            unlink "$zpf/.keycounter" and $ep = 1;
-        }
-        if (-e "$zpf/.index.ksk") {
-            unlink "$zpf/.index.ksk" and $ep = 1;
-        }
-        if (-e "$zpf/.index.zsk") {
-            unlink "$zpf/.index.zsk" and $ep = 1;
-        }
-        if (-e "$zpf/dsset-$zone.") {
-            unlink "$zpf/dsset-$zone." and $ep = 1;
-        }
-        if (-e "$zpf/keyset-$zone.") {
-            unlink "$zpf/keyset-$zone." and $ep = 1;
-        }
-
-        for (glob("$zpf/K$zone*")) { 
-            chomp($_);
-            unlink ("$_");
-        }
-
-        if ($ep == 1) {
-            print " * $zone: removed key-set\n";
-        }
-
-        open(ZONE, "$zpf/$zone")
-          or die "$zpf/$zone: $!\n";
-        @old_zone_content = <ZONE>;
-        close(ZONE);
-
-        for (@old_zone_content) {
-            unless (m#\$INCLUDE.*\"K$zone.*\.key\"#) {
-                push @new_zone_content, $_;
-            }
-        }
-
-        open(ZONE, ">$zpf/$zone") or die "$zpf/$zone: $!\n";
-        print ZONE @new_zone_content;
-        close(ZONE);
-    }
-}
-
-sub creat_ksk {
-    our @zones;
-    our $master_dir;
-    my @index;
-    my $zone;
-    my $keyname;
-    my $zpf;
-
-    for (@zones) {
-        $zone = $_;
-        $zpf  = "$master_dir/$zone";
-
-        chdir "$zpf" or die "$zpf: $!\n";
-        $keyname = `dnssec-keygen -a RSASHA1 -b 2048 -f KSK -n ZONE $zone`;
-
-        unless (-f ".index.ksk") { @index = (); }
-        else {
-            open(INDEX, ".index.ksk") or die "$zpf/.index.ksk: $!\n";
-            @index = <INDEX>;
-            close(INDEX);
-        }
-
-        push @index, $keyname;
-        if (@index > 2) { shift(@index); }
-
-        open(INDEX, ">.index.ksk") or die "$zpf/.index.ksk: $!\n";
-        print INDEX @index;
-        close(INDEX);
-
-        chomp($keyname);
-        print " * $zone: new KSK $keyname\n";
-
-        print "!! THE KSK must be published !! \n";
-
-    }
-}
-
-sub creat_zsk {
-    our @zones;
-    our $master_dir;
-    my @index;
-    my $zone;
-    my $keyname;
-    my $zpf;
-
-    for (@zones) {
-        $zone = $_;
-        $zpf  = "$master_dir/$zone";
-
-        chdir "$zpf" or die "$zpf: $!\n";
-        $keyname = `dnssec-keygen -a RSASHA1 -b 512 -n ZONE $zone`;
-
-        unless (-f ".index.zsk") { @index = (); }
-        else {
-            open(INDEX, ".index.zsk") or die "$zpf/.index.zsk: $!\n";
-            @index = <INDEX>;
-            close(INDEX);
-        }
-
-        push @index, $keyname;
-        if (@index > 2) { shift(@index); }
-
-        open(INDEX, ">.index.zsk") or die "$zpf/.index.zsk: $!\n";
-        print INDEX @index;
-        close(INDEX);
-
-        chomp($keyname);
-        print " * $zone: new ZSK $keyname\n";
-
-        open(KC, ">.keycounter") or die "$zpf/keycounter: $!\n";
-        print KC "0";
-        close(KC);
-
-    }
-}
-
-sub ck_zone {
-    our @zones;
-    our $master_dir;
-    my $zone;
-
-    for (@zones) {
-        $zone = $_;
-        my $zpf = "$master_dir/$zone";
-        my $keyfile;
-        my @content;
-        my @keylist;
-
-        for (<$zpf/*>) {
-            if (m#(K$zone.*\.key)#) {
-                $keyfile = $1;
-                open(KEYFILE, "<$zpf/$keyfile");
-                @content = <KEYFILE>;
-                close(KEYFILE);
-                for (@content) {
-                    if (m#DNSKEY.257#) {
-                        push @keylist, $keyfile;
-                    }
-                }
-            }
-        }
-
-        open(INDEX, ">.index.ksk") or die "$zpf/.index.ksk: $!\n";
-        for (@keylist) {
-            s#\.key##;
-            print INDEX "$_\n";
-        }
-        close(INDEX);
-
-        print " * $zone: new .index.ksk created\n";
-
-        if (-f "$zpf/.index.zsk") {
-            unlink("$zpf/.index.zsk") or die "$zpf/.index.zsk: $!\n";
-        }
-    }
-}
-
-sub post_creat {
-    our @zones;
-    our $master_dir;
-
-    for (@zones) {
-        my $zone = $_;
-        `touch $master_dir/$zone/$zone`;
-
-        &kill_useless_keys($zone);
-        &key_to_zonefile($zone);
-    }
-
-}
-
-sub kill_useless_keys {
-
-    # the function deletes all keys that are not available in the zone
-    # of index.zsk
-    our $master_dir;
-    my $zone    = $_[0];
-    my @keylist = ();
-    my $zpf     = "$master_dir/$zone";
-
-    open(INDEX, "<$zpf/.index.zsk") or die "$zpf/.index.zsk: $!\n";
-    @keylist = <INDEX>;
-    close(INDEX);
-    open(INDEX, "<$zpf/.index.ksk") or die "$zpf/.index.ksk: $!\n";
-    push @keylist, <INDEX>;
-
-    # shortened the key name from the index file on the id in order to
-    # be able to compare
-    for (@keylist) {
-        chomp;
-        s#K.*\+.*\+(.*)#$1#;
-    }
-
-    # reviewed every key file (KSK, ZSK), whether they are described in
-    # the respective index file. if not they will be deleted.
-    for ( glob("$master_dir/$zone/K*") {
-        chomp;
-        my $file     = $_;
-        my $rm_count = 1;
-        my $keyname;
-        for (@keylist) {
-            if ($file =~ /$_/) { $rm_count = 0; }
-        }
-        if ($rm_count == 1) {
-            unlink "$file";
-            if ($file =~ /$zpf\/(.*\.key)/) {
-                print " * $zone: Schluessel $1 entfernt \n";
-            }
-        }
-    }
-}
-
-sub key_to_zonefile {
-
-    # the function added all keys to the indexfile
-    our $master_dir;
-    my $zone = $_[0];
-    my $zpf  = "$master_dir/$zone";
-    my @old_content;
-    my @new_content = ();
-
-    open(ZONEFILE, "<$zpf/$zone");
-    @old_content = <ZONEFILE>;
-    close(ZONEFILE);
-
-    for (@old_content) {
-        unless (m#INCLUDE.*key#) { push @new_content, $_; }
-    }
-
-    for (<$zpf/*>) {
-        if (m#(.*\/)(K.*\.key)#) {
-            push @new_content, "\$INCLUDE \"$2\"\n";
-        }
-    }
-    open(ZONEFILE, ">$zpf/$zone") or die "$zpf/$zone: $!\n";
-    print ZONEFILE @new_content;
-    close(ZONEFILE);
-}
-
-&read_conf;
-
-our %config;
-our $do;       # statements from argv
-our @zones;    # list of zones from argv
-our $master_dir      = $config{master_dir};
-our $bind_dir        = $config{bind_dir};
-our $conf_dir        = $config{zone_conf_dir};
-our $sign_alert_time = $config{sign_alert_time};
-our $indexzone       = $config{indexzone};
-our $key_counter_end = $config{key_counter_end};
-our $ablauf_zeit     = $config{abl_zeit};
-
-&read_argv;
-
-# completed the program, if not a valid zones was handed over
-unless (@zones) { exit; }
-
-if ($do eq "rm") { &rm_keys; exit; }
-if ($do eq "ck") { &ck_zone; }
-if ($do eq "ksk") { &creat_ksk; }
-
-&creat_zsk;
-&post_creat;
-
-__END__
-
-=pod
-
-=head1 NAME
-
-dnssec-keytool
-
-=head1 SYNOPSIS
-
-dnssec-keytool <option> zone
-
-=head1 DESCRIPTION