update-serial.pl
branchhs12
changeset 62 8a85723f4b53
parent 60 2c45d68844bf
child 65 ea0afdd6b026
child 66 c44bc1c8e396
--- a/update-serial.pl	Wed Dec 29 12:02:01 2010 +0100
+++ b/update-serial.pl	Wed Dec 29 22:10:40 2010 +0100
@@ -21,6 +21,7 @@
 sub need_rollover();
 sub done_rollover();
 sub begin_rollover(@);
+sub kill_useless_keys($);
 
 sub sign_zone;
 sub update_serial;
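Review bot: The new forward declaration `sub kill_useless_keys($);` gives the sub a `($)` prototype, which only forces scalar context on the first argument at call sites and does not validate anything; it also silently changes how a call like `kill_useless_keys(@list)` is parsed. The plain declaration the second hunk removes, `sub kill_useless_keys;`, is the safer form, and the later hunk that defines the sub carries the same prototype. An explicit check inside the sub, `my $zone = shift or die "kill_useless_keys: zone missing\n";`, gives the intended protection without altering call-site parsing.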
@@ -28,7 +29,6 @@
 sub file_entry;
 sub server_reload;
 sub key_to_zonefile;
-sub kill_useless_keys;
 sub end_ro;
 
 my %config;
@@ -38,6 +38,7 @@
 
     GetOptions(
         "sign-alert-time=i" => \$opt{sign_alert_time},
+	"key-counter-end=i" => \$opt{key_counter_end},
         "h|help"            => sub { pod2usage(-exit 0, -verbose => 1) },
         "m|man"             => sub {
             pod2usage(
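Review bot: The added `"key-counter-end=i"` entry is indented with a tab while every neighbouring entry uses eight spaces, so the block no longer lines up and `perltidy` would rewrite it; the same tab/space mixing recurs in the later hunks. The `=i` spec also accepts zero and negative values, and nothing in this hunk constrains `$opt{key_counter_end}` afterwards; if the counter end has to be a positive count, a check right after GetOptions such as `die "--key-counter-end must be >= 1\n" if defined $opt{key_counter_end} and $opt{key_counter_end} < 1;` would catch a bad value before it reaches the rollover logic. The enclosing block starts outside this hunk.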
@@ -68,19 +69,18 @@
     ### @candidates
     ### @need_rollover
     ### @done_rollover
-
     begin_rollover(@need_rollover);    # eine rollover-beginn-sequenz
     exit;
 
     if (@end_ro_list) {
-        end_ro;      # eine rollover-end-squenz
+        end_ro;                        # eine rollover-end-squenz
     }
 
     if (@new_serial) {
 
         #--update_index;     # index zone aktuallisieren
-        update_serial;    # serial aktuallisieren
-        sign_zone;        # zone signieren
+        update_serial;                 # serial aktuallisieren
+        sign_zone;                     # zone signieren
     }
 
     file_entry;       # bearbeitet die file-eintraege der konfigurations-datei
@@ -435,29 +435,46 @@
     #??  for (uniq(@begin_ro_list)) {
     foreach my $zone (@zones) {
 
-        #erzeugt zsks
-        my $dir  = "$config{master_dir}/$zone";
-        my @keys;
+        # erzeugt zsks
+        my $dir = "$config{master_dir}/$zone";
+        my ($keyname, @keys);
+
+        {    # need to change the direcoty, thus some more effort
+                # alternativly: $keyname = `cd $dir && dnssec-keygen ...`;
+                # would do, but is more fragile on shell meta characters
 
-        chomp(my $keyname = `cd $dir && dnssec-keygen -a RSASHA1 -b 512 -n ZONE $zone`);
+            open(my $keygen, "-|") or do {
+                chdir $dir or die "Can't chdir to $dir: $!\n";
+                exec "dnssec-keygen",
+                  -a => "RSASHA1",
+                  -b => 512,
+                  -n => "ZONE", 
+		  $zone;
+                die "Can't exec: $!";
+            };
+            chomp($keyname = <$keygen>);
+            close($keygen) or die "dnssec-keygen failed: $@";
+        }
 
         open(my $fh, "+<$dir/.index.zsk") or die "$dir/.index.zsk: $!\n";
         chomp(@keys = <$fh>);
 
-        push @keys, $keyname;
-	shift @keys if @keys > 2;
+	### @keys
 
-	seek($fh, 0, 0) or die "seek";		# FIXME
-	truncate($fh, 0) or die "truncate";	# FIXME
+        push @keys, $keyname;
+        shift @keys if @keys > 2;
+
+        seek($fh, 0, 0) or die "seek";    # FIXME
+        truncate($fh, 0) or die "truncate";    # FIXME
         print $fh join "\n" => @keys;
 
         print " * $zone: neuer ZSK $keyname erstellt\n";
 
         open($fh, ">$dir/.keycounter") or die "$dir/.keycounter: $!\n";
         say $fh 0;
-	close($fh);
+        close($fh);
 
-        &kill_useless_keys($zone);
+        kill_useless_keys($zone);
         &key_to_zonefile($zone);
         push @r, $zone;
     }
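Review bot: The forking `open(my $keygen, "-|")` returns undef when the fork itself fails and 0 in the child, but the `or do { ... }` block treats both the same, so on a failed fork the parent process would `chdir` and `exec "dnssec-keygen"`, replacing the script; the pid needs a `defined` test before the child branch is taken. On the same path, `close($keygen) or die "dnssec-keygen failed: $@"` reports `$@`, which is never set by a failed `close`; `$!` (close error) or `$?` (child exit status) is what carries the reason. Moving to list-form `exec` instead of the old backtick string is the right change since it keeps `$zone` out of the shell; the key parameters `-a RSASHA1 -b 512` are now hard-coded on the new side and well below current size expectations, so lifting them into `%config` would be worth a follow-up. The enclosing `foreach` and its sub begin before this hunk.
```perl
            my $pid = open(my $keygen, "-|");
            die "Can't fork for dnssec-keygen: $!\n" unless defined $pid;
            unless ($pid) {    # child: run keygen inside the zone directory
                chdir $dir or die "Can't chdir to $dir: $!\n";
                exec "dnssec-keygen", -a => "RSASHA1", -b => 512, -n => "ZONE", $zone;
                die "Can't exec dnssec-keygen: $!\n";
            }
            chomp($keyname = <$keygen>);
            close($keygen) or die "dnssec-keygen failed: " . ($! ? $! : "exit status $?") . "\n";
            # … unchanged: .index.zsk update, .keycounter reset …
```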
@@ -491,43 +508,30 @@
     close(ZONEFILE);
 }
 
-sub kill_useless_keys {
+sub kill_useless_keys($) {
 
     # die funktion loescht alle schluessel die nicht in der index.zsk
     # der uebergebenen zone stehen
-    my $zone    = $_[0];
-    my @keylist = ();
-    my $zpf     = "$config{master_dir}/$zone";
+    my $zone = shift;
+
+    my @keys = ();
+    my $dir  = "$config{master_dir}/$zone";
 
-    open(INDEX, "<$zpf/.index.zsk") or die "$zpf/.index.zsk: $!\n";
-    @keylist = <INDEX>;
-    close(INDEX);
-    open(INDEX, "<$zpf/.index.ksk") or die "$zpf/.index.ksk: $!\n";
-    push @keylist, <INDEX>;
+    {
+	# collect the keys and cut everything except the key id
+        open(my $zsk, "<$dir/.index.zsk") or die "$dir/.index.zsk: $!\n";
+        open(my $ksk, "<$dir/.index.ksk") or die "$dir/.index.ksk: $!\n";
+	@keys = map { basename $_, ".private", ".key" } (<$zsk>, <$ksk>);
+    }
 
-    # kuerzt die schluessel-bezeichnung aus der indexdatei auf die id um sie
-    # besser vergleichen zu koennen.
-    for (@keylist) {
-        chomp;
-        s#K.*\+.*\+(.*)#$1#;
-    }
+    ### @keys
 
     # prueft alle schluesseldateien (ksk, zsk) ob sie in der jeweiligen
     # indexdatei beschrieben sind. wenn nicht werden sie geloescht.
-    for (grep /(?:key|private)$/ => glob "$config{master_dir}/$zone/K*") {
-        chomp;
-        my $file     = $_;
-        my $rm_count = 1;
-        my $keyname;
-        for (@keylist) {
-            if ($file =~ /$_/) { $rm_count = 0; }
-        }
-        if ($rm_count == 1) {
-            unlink "$file";
-            if ($file =~ /$zpf\/(.*\.key)/) {
-                print " * $zone: Schluessel $1 entfernt \n";
-            }
-        }
+    # ---- <><><><>
+    for my $file (grep /(?:key|private)$/ => glob "$config{master_dir}/$zone/K*") {
+	$file = basename $file, ".private", ".key";
+	unlink "$file.key", "$file.private" if $file ~~ @keys;
     }
 }
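Review bot: The rewritten loop inverts the sub's contract: `unlink "$file.key", "$file.private" if $file ~~ @keys;` deletes exactly the keys that ARE listed in the index files, while the comment above it (and the removed code) says keys NOT in the index are to be removed, so after a rollover the live ZSK/KSK files would be unlinked and the stale ones kept. Two further problems mean the match rarely fires at all: `$file = basename $file, ".private", ".key";` strips `$dir`, so the unlink targets the current working directory rather than the zone directory, and the index lines read at `@keys = map { basename ... } (<$zsk>, <$ksk>);` are never chomped, so each entry except the last still carries a newline that defeats the smartmatch string comparison. `~~` is also experimental and is better replaced by a hash lookup; the removal message `Schluessel ... entfernt` from the old code is dropped, so deletions now leave no trace in the output, and `unlink`'s return value is unchecked. The suggested shape below keeps the full path for `unlink`, chomps the index, and restores the log line.
```perl
    my %indexed;
    {
        open(my $zsk, "<", "$dir/.index.zsk") or die "$dir/.index.zsk: $!\n";
        open(my $ksk, "<", "$dir/.index.ksk") or die "$dir/.index.ksk: $!\n";
        my @lines = (<$zsk>, <$ksk>);
        chomp @lines;
        %indexed = map { basename($_, ".private", ".key") => 1 } grep { length } @lines;
    }
    # … unchanged: comment describing the check …
    for my $file (grep /(?:key|private)$/ => glob "$config{master_dir}/$zone/K*") {
        my $id = basename $file, ".private", ".key";
        next if $indexed{$id};    # listed in an index file: keep it
        unlink $file or warn " * $zone: $file: $!\n";
        print " * $zone: Schluessel $id entfernt\n" if $file =~ /\.key\z/;
    }
```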
 
@@ -555,7 +559,7 @@
             print INDEX $last_key;
             close(INDEX);
         }
-        &kill_useless_keys($zone);
+        kill_useless_keys($zone);
         &key_to_zonefile($zone);
         push @new_serial, $zone;
     }
@@ -582,6 +586,10 @@
 
 =item B<--sign-alert-time> I<days>
 
+=item B<--key-counter-end> I<integer>
+
+Maximum number if key usages.
+
 
 =back
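Review bot: The added POD text `Maximum number if key usages.` has a typo and should read `Maximum number of key usages.`. It would also help the reader to state what happens when the counter reaches that value and what the default is when the option is omitted, since neither is visible in this hunk.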