# HG changeset patch # User asuess@dns.net.schlittermann.de # Date 1281601138 -7200 # Node ID 1cea0705612463da481498c1923a5c30a533274f # Parent 5ac92c1ffdf921bf2a69b7d73eaf3d260a9b2828 renamed mkready as update-zone, added sign-function to update-zone diff -r 5ac92c1ffdf9 -r 1cea07056124 dnssec-creatkey --- a/dnssec-creatkey Wed Aug 11 14:08:33 2010 +0200 +++ b/dnssec-creatkey Thu Aug 12 10:18:58 2010 +0200 @@ -3,6 +3,12 @@ use strict; use FindBin; +sub del_double { + my %all; + grep { $all{$_} = 0 } @_; + return ( keys %all ); +} + # liest die Konfiguration ein my @configs = ( "$FindBin::Bin/dnstools.conf", "/etc/dnstools.conf" ); my %config; @@ -35,7 +41,6 @@ my $zone; my $keyname; - # prueft ob eingaben in ARGV domains sind und gibt sie in die liste @manu for (@ARGV) { chomp( my $zone = `idn --quiet "$_"` ); @@ -51,13 +56,14 @@ # prueft ob zonen mit schluesselmaterial ueber index- und keycounterdatei # verfuegen. # legt .index.ksk an falls nicht und gibt die entsprechende zone in die -# liste @change +# liste @change while (<$master_dir/*>) { chomp( $zone = $_ ); - if (-f "$zone/.index.zsk" and - -f "$zone/.index.ksk" and - -f "$zone/.keycounter") { + if ( -f "$zone/.index.zsk" + and -f "$zone/.index.ksk" + and -f "$zone/.keycounter" ) + { next; } @@ -65,26 +71,25 @@ if (m#^K#) { my $file_in_zone = $_; - open (KEY,$_) or die "$_: $!\n"; + open( KEY, $_ ) or die "$_: $!\n"; for () { if (m#DNSKEY.257#) { $file_in_zone =~ s#(/.*/)(.*).key#$2#; - open (INDEX, ">$zone/.index.ksk") or die; + open( INDEX, ">$zone/.index.ksk" ) or die; print INDEX "$file_in_zone\n"; - close (INDEX); + close(INDEX); $zone =~ s#($master_dir/)(.*)#$2#; push( @change, $zone ); } } - close (KEY); + close(KEY); } } } - # gibt alle zonen mit abgelaufenen keycounter in die liste @change while (<$master_dir/*>) { chomp( $zone = $_ ); 
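Review bot: `del_double` relies on `grep { $all{$_} = 0 } @_;` in void context for its side effect and returns `keys %all`, so every caller now iterates in hash order instead of the order of `@change`/`@manu`; `my %seen; return grep { !$seen{$_}++ } @_;` deduplicates while keeping the original order, and if order really does not matter `my %all = map { $_ => 1 } @_;` states the intent without the void-context grep. The identical helper is pasted into dnssec-killkey (hunk @@ -3,6) and dnssec-sign (hunk @@ -4,6) rather than shared, and all call sites use the `&del_double(...)` form, which should be the plain `del_double(...)` call. A one-line header such as `# returns the unique elements of its arguments (order not preserved)` would document the contract callers now depend on.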
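Review bot: `open( INDEX, ">$zone/.index.ksk" ) or die;` in the last hunk of dnssec-creatkey keeps a two-arg open with the mode folded into an interpolated path and dies without any message; `open( my $index, '>', "$zone/.index.ksk" ) or die "$zone/.index.ksk: $!\n";` (with the matching `print {$index} "$file_in_zone\n"; close $index;`) is the safe form and tells the operator which file failed. Note also that `$zone` is rewritten by `$zone =~ s#($master_dir/)(.*)#$2#;` inside the same `for` body (its iterator is not legible here), so a second `DNSKEY.257` match in the same key file would appear to open `.index.ksk` relative to the current directory rather than under `$master_dir` — worth confirming against the full file.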
@@ -105,7 +110,7 @@ } #erzeugt zsks -for ( @change, @manu ) { +for ( &del_double( @change, @manu ) ) { $zone = $_; chdir "$master_dir/$zone" or die "$master_dir/$zone: $!\n"; @@ -139,14 +144,14 @@ } #erzeugt ksks -for (@manu) { +for ( &del_double(@manu) ) { $zone = $_; chdir "$master_dir/$zone" or die "$master_dir/$zone: $!\n"; $keyname = `dnssec-keygen -a RSASHA1 -b 2048 -f KSK -n ZONE $zone`; print "creat new KSK for $zone? (no): "; - unless ( =~ m/^yes/) { + unless ( =~ m/^yes/ ) { next; } @@ -176,7 +181,7 @@ # loescht alle unbenoetigten schluessel, fuegt die schluessel in # die zone-datei -for ( @change, @manu ) { +for ( &del_double( @change, @manu ) ) { $zone = $_; my @old_zone_content = (); my @new_zone_content = (); @@ -201,7 +206,7 @@ # kuerzt die schluessel-bezeichnung aus der indexdatei auf die id um sie # besser vergleichen zu koennen. - for (@kkeylist, @zkeylist) { + for ( @kkeylist, @zkeylist ) { chomp; s#K.*\+.*\+(.*)#$1#; } @@ -231,7 +236,8 @@ if ( $file =~ /.*key/ ) { $file =~ s#/.*/(K.*)#$1#; - push @new_zone_content, "\$INCLUDE \"$file\"\t\t; dnssec-zsk\n" ; + push @new_zone_content, + "\$INCLUDE \"$file\"\t\t; dnssec-zsk\n"; last; } @@ -247,7 +253,8 @@ if ( $file =~ /.*key/ ) { $file =~ s#/.*/(K.*)#$1#; - push @new_zone_content, "\$INCLUDE \"$file\"\t\t; dnssec-ksk\n" ; + push @new_zone_content, + "\$INCLUDE \"$file\"\t\t; dnssec-ksk\n"; last; } diff -r 5ac92c1ffdf9 -r 1cea07056124 dnssec-killkey --- a/dnssec-killkey Wed Aug 11 14:08:33 2010 +0200 +++ b/dnssec-killkey Thu Aug 12 10:18:58 2010 +0200 @@ -3,6 +3,12 @@ use strict; use FindBin; +sub del_double { + my %all; + grep { $all{$_} = 0 } @_; + return ( keys %all ); +} + # liest die Konfiguration ein my @configs = ( "$FindBin::Bin/dnstools.conf", "/etc/dnstools.conf" ); my %config; 
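Review bot: Iterating `&del_double(@manu)` instead of `@manu` in the KSK loop makes the `creat new KSK for $zone? (no): ` prompts appear in hash order rather than the order the zones were given on the command line, which is confusing for an interactive yes/no loop; either deduplicate order-preservingly or sort the list before prompting. The loop body still runs `dnssec-keygen` through backticks with `$zone` interpolated, and `@manu` originates from `@ARGV`, so a list-form pipe such as `open( my $kg, '-|', 'dnssec-keygen', qw(-a RSASHA1 -b 2048 -f KSK -n ZONE), $zone ) or die "dnssec-keygen: $!\n";` would keep the zone name out of the shell (the algorithm chosen there, RSASHA1, is worth revisiting at the same time).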
@@ -129,7 +135,7 @@ # nach abgeschlossenem key-rollover werden fuer die entsprechende zone # unbenoetigte schluessel entfernt und die vorhandenen schluessel in die # zonedatei geschrieben. -for (@auto) { +for ( &del_double(@auto) ) { my $zone = $_; my @old_zone_content = (); my @new_zone_content = (); @@ -154,7 +160,7 @@ # kuerzt die schluessel-bezeichnung aus der indexdatei auf die # id um sie besser vergleichen zu koennen. - for (@kkeylist, @zkeylist) { + for ( @kkeylist, @zkeylist ) { chomp; s#K.*\+.*\+(.*)#$1#; } @@ -184,7 +190,8 @@ if ( $file =~ /.*key/ ) { $file =~ s#/.*/(K.*)#$1#; - push @new_zone_content, "\$INCLUDE \"$file\"\t\t; dnssec-zsk\n" ; + push @new_zone_content, + "\$INCLUDE \"$file\"\t\t; dnssec-zsk\n"; last; } @@ -200,7 +207,8 @@ if ( $file =~ /.*key/ ) { $file =~ s#/.*/(K.*)#$1#; - push @new_zone_content, "\$INCLUDE \"$file\"\t\t; dnssec-ksk\n" ; + push @new_zone_content, + "\$INCLUDE \"$file\"\t\t; dnssec-ksk\n"; last; } diff -r 5ac92c1ffdf9 -r 1cea07056124 dnssec-sign --- a/dnssec-sign Wed Aug 11 14:08:33 2010 +0200 +++ b/dnssec-sign Thu Aug 12 10:18:58 2010 +0200 @@ -4,6 +4,12 @@ use warnings; use FindBin; +sub del_double { + my %all; + grep { $all{$_} = 0 } @_; + return ( keys %all ); +} + # liest die Konfiguration ein my @configs = ( "$FindBin::Bin/dnstools.conf", "/etc/dnstools.conf" ); my %config; @@ -95,7 +101,7 @@ # signiert alle zonen in @auto und @manu und erhoeht den wert in # der keycounter-datei -for ( @auto, @manu ) { +for ( &del_double( @auto, @manu ) ) { $zone = $_; chdir "$master_dir/$zone"; diff -r 5ac92c1ffdf9 -r 1cea07056124 mkready --- a/mkready Wed Aug 11 14:08:33 2010 +0200 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 
@@ -1,106 +0,0 @@ -#!/usr/bin/perl - -use strict; -use FindBin; - -# liest die Konfiguration ein -my @configs = ( "$FindBin::Bin/dnstools.conf", "/etc/dnstools.conf" ); -my %config; - -foreach ( grep {-f} @configs ) { - open( CONFIG, $_ ) or die "Can't open $_: $!\n"; -} - -unless ( seek( CONFIG, 0, 0 ) ) { - die "Can't open config (searched: @configs)\n"; -} - -while () { - chomp; - s/#.*//; - s/\t//g; - s/\s//g; - next unless length; - my ( $cname, $ccont ) = split( /\s*=\s*/, $_, 2 ); - $config{$cname} = $ccont; -} -close(CONFIG); - -my $bind_dir = $config{bind_dir}; -my $conf_dir = $config{zone_conf_dir}; -my $master_dir = $config{master_dir}; - -unless ( -d $master_dir and -r $master_dir ) { - die "$master_dir: $!\n"; -} - -unless ( -d $bind_dir and -r $bind_dir ) { - die "$bind_dir: $!\n"; -} - -# prueft jede domain, die ein verzeichnis in $master_dir hat, ob es eine -# datei $zone_file.signed gibt und ob diese datei in $config_file eingetragen -# ist. -# passt die eintraege in $config_file falls noetig an. -while (<$master_dir/*>) { - s#($master_dir/)(.*)#$2#; - my $zone = $_; - - my $zone_file = "$master_dir/$zone/$zone"; - my $conf_file = "$conf_dir/$zone"; - my @c_content; - - unless ( -f "$conf_file" ) { - die "$conf_file: $! 
\n"; - } - - if ( -f "$zone_file.signed" ) { - - open( FILE, "<$conf_file" ) or die "$conf_file: $!\n"; - @c_content = ; - close(FILE); - - for (@c_content) { - if (m{(.*)($zone_file)(";)}) { - print "$2 ==> $2.signed\n"; - $_ = "$1$2.signed$3\n"; - } - - open( FILE, ">$conf_file" ) or die "$conf_file: $!\n"; - print FILE @c_content; - close(FILE); - - } - } - else { - - open( FILE, "<$conf_file" ) or die "$conf_file: $!\n"; - @c_content = ; - close(FILE); - - for (@c_content) { - if (m{(.*)($zone_file)\.signed(.*)}) { - print "$2.signed ==> $2\n"; - $_ = "$1$2$3\n"; - } - } - - open( FILE, ">$conf_file" ) or die "$conf_file: $!\n"; - print FILE @c_content; - close(FILE); - } -} - -# erzeugt eine named.conf-datei aus den entsprechenden vorlagen. -open( TO, ">$bind_dir/named.conf.zones" ) - or die "$bind_dir/named.conf.zones: $!\n"; -while (<$conf_dir/*>) { - open( FROM, "$_" ) or die "$_: $! \n"; - print TO ; - close(FROM); -} -close(TO); - -system "named-checkconf"; -system "named-checkconf -z"; -system "rndc reload"; diff -r 5ac92c1ffdf9 -r 1cea07056124 update-serial --- a/update-serial Wed Aug 11 14:08:33 2010 +0200 +++ b/update-serial Thu Aug 12 10:18:58 2010 +0200 @@ -4,16 +4,15 @@ # … work in progress do integrate dnssec (branch suess) # # Update the serial numbers in zone files -# The serial number needs to match a specified pattern (see +# The serial number needs to match a specified pattern (see # the line marked w/ PATTERN. -# +# # ToDo: # . test against an md5 sum, not just the date of the stamp file -# . FIXME: handle `/' in file names (currently only working in +# . FIXME: handle `/' in file names (currently only working in # the current directory) # . optionally reload the named - use strict; use warnings; 
@@ -22,9 +21,11 @@ use FindBin; my @configs = ( "$FindBin::Bin/dnstools.conf", "/etc/dnstools.conf" ); -my @dnssec_signs = ( "$FindBin::Bin/dnssec-sign", "/usr/bin/dnstools/dnssec-sign"); +my @dnssec_signs + = ( "$FindBin::Bin/dnssec-sign", "/usr/bin/dnstools/dnssec-sign" ); my %config; my $dnssec_sign; +my @change_names = (); foreach ( grep {-f} @configs ) { open( CONFIG, $_ ) or die "Can't open $_: $!\n"; @@ -34,15 +35,14 @@ die "Can't open config (searched: @configs)\n"; } foreach ( grep {-f} @dnssec_signs ) { - if (-x $_) { - $dnssec_sign = $_; - } - else { - die "Can't run $_\n" - } + if ( -x $_ ) { + $dnssec_sign = $_; + } + else { + die "Can't run $_\n"; + } } - while () { chomp; s/#.*//; 
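Review bot: If none of the `@dnssec_signs` candidates exists, the `foreach ( grep {-f} @dnssec_signs )` loop in hunk @@ -34,15 never runs and `$dnssec_sign` stays undefined, so the later `system "$dnssec_sign @change_names"` (hunk @@ -69,114) is executed with an empty program name instead of failing here; add `defined $dnssec_sign or die "Can't find dnssec-sign (searched: @dnssec_signs)\n";` after the loop. The loop also dies on the first existing candidate that is not executable even if a later one would work, and when several are executable the last one wins; `my $dnssec_sign = first { -x } @dnssec_signs;` from the core List::Util module expresses the intended "first usable candidate" directly. The same lookup is duplicated in the new update-zone file.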
@@ -69,114 +69,125 @@ END { cleanup(); } for (@ARGV) { - if ($_ eq "-y") { - $opt_yes = 1; - shift @ARGV; - } + if ( $_ eq "-y" ) { + $opt_yes = 1; + shift @ARGV; + } } @Zones = @ARGV ? @ARGV : glob("$master_dir/*"); +MAIN: { + my $changed; + my ( $dd, $mm, $yy ) = ( localtime() )[ 3 .. 5 ]; + my $date; + $mm++; -MAIN: { - my $changed; - my ($dd, $mm, $yy) =(localtime())[3..5]; - my $date; - $mm++; + foreach ( $dd, $mm ) { s/^\d$/0$&/; } + $yy += 1900; + $date = "$yy$mm$dd"; - foreach ($dd, $mm) { s/^\d$/0$&/; } - $yy += 1900; - $date = "$yy$mm$dd"; - + while ( my $file = shift @Zones ) { - while (my $file = shift @Zones) { + my $file_basename = basename($file); - my $file_basename = basename($file); + $file =~ s#($master_dir)(/.*)#$1$2$2#; + local ( *I, *O ); + my $done = 0; - $file =~ s#($master_dir)(/.*)#$1$2$2#; - local (*I, *O); - my $done = 0; + my $new = "$file.$$.tmp"; + my $bak = "$file.bak"; + my $stamp = $master_dir . "/.stamp/" . basename($file); - my $new = "$file.$$.tmp"; - my $bak = "$file.bak"; - my $stamp = $master_dir . "/.stamp/" . 
basename($file); + $file =~ /(\.bak|~)$/ and next; + $file !~ /\./ and next; + + $verbose && print "$file:"; - $file =~ /(\.bak|~)$/ and next; - $file !~ /\./ and next; - - $verbose && print "$file:"; + if ( -f $stamp && ( ( stat($stamp) )[9] >= ( stat($file) )[9] ) ) { + $verbose && print " fresh, skipping.\n"; + next; + } - - if (-f $stamp && ((stat($stamp))[9] >= (stat($file))[9])) { - $verbose && print " fresh, skipping.\n"; - next; - } + $done = 0; + push @tmpfiles, $new; + open( *I, "<$file" ) or die("Can't open < $file: $!\n"); + open( *O, ">$new" ) or die("Can't open > $new: $!\n"); - $done = 0; - push @tmpfiles, $new; - open(*I, "<$file") or die("Can't open < $file: $!\n"); - open(*O, ">$new") or die("Can't open > $new: $!\n"); + while () { + /^\s+((\d+)(\d{2}))\s*;\s*serial/i and do { # PATTERN + my ( $sdate, $scount, $serial ) = ( $2, $3, $1 ); + $done = 1; + print " [$file] serial $sdate$scount"; + + if ( $date eq $sdate ) { $scount++; } + else { $sdate = $date; $scount = "00"; } - while () { - /^\s+((\d+)(\d{2}))\s*;\s*serial/i and do { # PATTERN - my ($sdate, $scount, $serial) = ($2, $3, $1); - $done = 1; - print " [$file] serial $sdate$scount"; + print " bumping to $sdate$scount"; + s/$serial/$sdate$scount/; - if ($date eq $sdate) { $scount++; } - else { $sdate = $date; $scount = "00"; } + }; + print O; + } + + close(O); + close(I); - print " bumping to $sdate$scount \n"; - s/$serial/$sdate$scount/; + if ($done) { + + # copy($file, $bak) or die("Can't copy $file -> $bak: $!\n"); - }; - print O; - } + open( I, "<$new" ) or die("Can't open <$new: $!\n"); + open( O, ">$file" ) or die("Can't open >$file: $!\n"); + while () { print O or die("Can't write to $file: $!\n"); } + close(I) or die("Can't close $new: $!\n"); + close(O) or die("Can't close $file: $!\n"); - close(O); close(I); - - if ($done) { - # copy($file, $bak) or die("Can't copy $file -> $bak: $!\n"); + unlink $new; - open(I, "<$new") or die("Can't open <$new: $!\n"); - open(O, ">$file") or 
die("Can't open >$file: $!\n"); - while () { print O or die("Can't write to $file: $!\n"); } - close(I) or die("Can't close $new: $!\n"); - close(O) or die("Can't close $file: $!\n"); + open( O, ">$stamp" ) or die("Can't open >$stamp: $!\n"); + close(O); + $changed++; + + push @change_names, $file_basename; - unlink $new; + } + else { + print " $file: no serial number found: no zone file?"; + } + print "\n"; + } - open(O, ">$stamp") or die("Can't open >$stamp: $!\n"); - close(O); - $changed++; + if ($changed) { + my $pidfile; - # dnssec - new sign - system "$dnssec_sign $file_basename"; - die "$dnssec_sign not found ($!)" if $? == -1; - exit 1 if $?; + # dnssec - new sign + system "$dnssec_sign @change_names"; + die "$dnssec_sign not found ($!)" if $? == -1; + exit 1 if $?; - } else { - print " $file: no serial number found: no zone file?"; - } - print "\n"; - } - - if ($changed) { - my $pidfile; + print + "** Changed $changed files, the nameserver needs to be reloaded!\n"; + foreach ( + qw(/var/run/bind/run/named.pid /var/run/named.pid /etc/named.pid)) + { + -f $_ and $pidfile = $_ and last; + } - print "** Changed $changed files, the nameserver needs to be reloaded!\n"; - foreach (qw(/var/run/bind/run/named.pid /var/run/named.pid /etc/named.pid)) { - -f $_ and $pidfile = $_ and last; } + if ($pidfile) { + if ($opt_yes) { + $_ = "y"; + print "** Nameserver will be reloaded\n"; + } + else { print "** Reload now? [Y/n]: "; $_ = ; } + /^y|^$/i and system "rndc reload"; + } + else { + print + "** No PID of a running named found. Please reload manually.\n"; + } - if ($pidfile) { - if ($opt_yes) { $_ = "y"; print "** Nameserver will be reloaded\n"; } - else { print "** Reload now? [Y/n]: "; $_ = ; } - /^y|^$/i and system "rndc reload"; - } else { - print "** No PID of a running named found. Please reload manually.\n"; - } - - } + } } # vim:ts=4:sw=4:ai:aw: diff -r 5ac92c1ffdf9 -r 1cea07056124 update-zone --- /dev/null Thu Jan 01 00:00:00 1970 +0000 
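Review bot: The stamp file `$stamp` is written and the zone pushed onto `@change_names` before `$dnssec_sign` runs, so when the single `system "$dnssec_sign @change_names"` after the loop fails (`exit 1 if $?`), every bumped zone already carries a fresh stamp and is skipped as "fresh" on the next run, left with a new serial but no new signature; before this change the window covered one file, now it covers the whole batch. Recording each zone's stamp path in the loop (e.g. a `%stamp_for` hash keyed by `$file_basename`) and touching the stamps only after the `$?` checks succeed in the `if ($changed)` block would close that window. The command should also be run in list form, `system $dnssec_sign, @change_names;`, so names taken from `@ARGV` or the `glob` are not reinterpreted by the shell.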
+++ b/update-zone Thu Aug 12 10:18:58 2010 +0200 
@@ -0,0 +1,124 @@ +#!/usr/bin/perl + +use strict; +use FindBin; + +# liest die Konfiguration ein +my @configs = ( "$FindBin::Bin/dnstools.conf", "/etc/dnstools.conf" ); +my @dnssec_signs + = ( "$FindBin::Bin/dnssec-sign", "/usr/bin/dnstools/dnssec-sign" ); +my %config; +my $dnssec_sign; + +for ( grep {-f} @configs ) { + open( CONFIG, $_ ) or die "Can't open $_: $!\n"; +} +unless ( seek( CONFIG, 0, 0 ) ) { + die "Can't open config (searched: @configs)\n"; +} + +for ( grep {-f} @dnssec_signs ) { + if ( -x $_ ) { + $dnssec_sign = $_; + } + else { + die "Can't run $_\n"; + } +} + +while () { + chomp; + s/#.*//; + s/\t//g; + s/\s//g; + next unless length; + my ( $cname, $ccont ) = split( /\s*=\s*/, $_, 2 ); + $config{$cname} = $ccont; +} +close(CONFIG); + +my $bind_dir = $config{bind_dir}; +my $conf_dir = $config{zone_conf_dir}; +my $master_dir = $config{master_dir}; + +unless ( -d $master_dir and -r $master_dir ) { + die "$master_dir: $!\n"; +} + +unless ( -d $bind_dir and -r $bind_dir ) { + die "$bind_dir: $!\n"; +} + +# dnssec - new sign +system "$dnssec_sign"; +die "$dnssec_sign not found ($!)" if $? == -1; +exit 1 if $?; + + +# prueft jede domain, die ein verzeichnis in $master_dir hat, ob es eine +# datei $zone_file.signed gibt und ob diese datei in $config_file eingetragen +# ist. +# passt die eintraege in $config_file falls noetig an. +while (<$master_dir/*>) { + s#($master_dir/)(.*)#$2#; + my $zone = $_; + + my $zone_file = "$master_dir/$zone/$zone"; + my $conf_file = "$conf_dir/$zone"; + my @c_content; + + unless ( -f "$conf_file" ) { + die "$conf_file: $! 
\n"; + } + + if ( -f "$zone_file.signed" ) { + + open( FILE, "<$conf_file" ) or die "$conf_file: $!\n"; + @c_content = ; + close(FILE); + + for (@c_content) { + if (m{(.*)($zone_file)(";)}) { + print "$2 ==> $2.signed\n"; + $_ = "$1$2.signed$3\n"; + } + + open( FILE, ">$conf_file" ) or die "$conf_file: $!\n"; + print FILE @c_content; + close(FILE); + + } + } + else { + + open( FILE, "<$conf_file" ) or die "$conf_file: $!\n"; + @c_content = ; + close(FILE); + + for (@c_content) { + if (m{(.*)($zone_file)\.signed(.*)}) { + print "$2.signed ==> $2\n"; + $_ = "$1$2$3\n"; + } + } + + open( FILE, ">$conf_file" ) or die "$conf_file: $!\n"; + print FILE @c_content; + close(FILE); + } +} + +# erzeugt eine named.conf-datei aus den entsprechenden vorlagen. +open( TO, ">$bind_dir/named.conf.zones" ) + or die "$bind_dir/named.conf.zones: $!\n"; +while (<$conf_dir/*>) { + open( FROM, "$_" ) or die "$_: $! \n"; + print TO ; + close(FROM); +} +close(TO); + + +system "named-checkconf"; +system "named-checkconf -z"; +system "rndc reload"; diff -r 5ac92c1ffdf9 -r 1cea07056124 zone-ls --- a/zone-ls Wed Aug 11 14:08:33 2010 +0200 +++ b/zone-ls Thu Aug 12 10:18:58 2010 +0200 @@ -36,7 +36,8 @@ die "$master_dir: $!\n"; } -printf "%-25s %-8s %1s/%1s %3s %7s\n", "Domain", "Status", "ZSK", "KSK", "Used", "Sig-end"; +printf "%-25s %-8s %1s/%1s %3s %7s\n", "Domain", "Status", "ZSK", "KSK", + "Used", "Sig-end"; for my $dir ( glob "$master_dir/*" ) { @@ -48,7 +49,7 @@ if (/root-servers/) { $info_status = "FAILED"; last; - } + } } if ( not -f "$dir/.index.zsk" ) { @@ -92,7 +93,8 @@ } continue { - printf "%-25s %-8s %1d/%1d %5d %19s\n", $zone, $info_status, $info_zsk, $info_ksk, $info_kc, + printf "%-25s %-8s %1d/%1d %5d %19s\n", $zone, $info_status, $info_zsk, + $info_ksk, $info_kc, $info_end; }