# HG changeset patch
# User Heiko Schlittermann
# Date 1295996746 -3600
# Node ID 3c725372a1ceaa7e5459a8573bb83a4a61427cf0
# Parent 0c9f37c94f0ce2851f29a4d7ea0289e42419310d
--zsk working
diff -r 0c9f37c94f0c -r 3c725372a1ce bin/dnssec-keytool
--- a/bin/dnssec-keytool Tue Jan 25 23:52:02 2011 +0100
+++ b/bin/dnssec-keytool Wed Jan 26 00:05:46 2011 +0100
@@ -7,69 +7,68 @@
 use Getopt::Long;
 use Pod::Usage;
 use File::Basename;
+use Net::LibIDN qw(:all);
 use if $ENV{DEBUG} => "Smart::Comments";
 use DNStools::Config qw(get_config);
 my $ME = basename $0;
-sub read_conf(@);
-sub read_argv($);
 sub rm_keys($@);
-sub ck_zone($@);
+sub check_zone($@);
 sub create_ksk($@);
-sub create_zsk($@);
+sub create_zsk(@);
 sub post_create($@);
+my $CHARSET = "UTF-8";
+my %cf;
+
 MAIN: {
- ### reading config
- my %conf = get_config();
-
- my ($cmd, @zones) = read_argv($conf{master_dir});
- given ($cmd) {
- when ("rm") { rm_keys($conf{master_dir}, @zones); exit }
- when ("ck") { ck_zone($conf{master_dir}, @zones) }
- when ("ksk") { create_ksk($conf{master_dir}, @zones) }
- };
+ %cf = get_config();
+ my $cmd;
- create_zsk($conf{master_dir}, @zones);
- post_create($conf{master_dir}, @zones);
-}
-
-sub read_argv ($) {
- my ($master_dir) = @_;
- my ($cmd, @zones); # return
+ system("command -v dnssec-keygen &>/dev/null");
+ die "$ME: command 'dnssec-keygen' not found in $ENV{PATH}\n" if $?;
 GetOptions(
- "zsk" => sub { $cmd = "zsk" },
- "ksk" => sub { $cmd = "ksk" },
- "rm" => sub { $cmd = "rm" },
- "ck|check" => sub { $cmd = "ck" },
- "h|help" => sub { pod2usage(-exitvalue => 0, -verbose => 1) },
+ "zsk" => sub { push @$cmd => "zsk" },
+ "ksk" => sub { push @$cmd => "ksk" },
+ "rm" => sub { push @$cmd => "rm" },
+ "check" => sub { $cmd = "check" },
+ "h|help" => sub { pod2usage(-exit => 0, -verbose => 1) },
 "m|man" => sub {
 pod2usage(
- -exitvalue => 0,
+ -exit => 0,
 -noperldoc => system("perldoc -V &>/dev/null"),
 -verbose => 2
 );
 },
 ) and @ARGV
+ and @$cmd == 1
+ and $cmd = $cmd->[0]
 or pod2usage;
- # checks the zones in argv if there are managed zones
- foreach (@ARGV) {
- chomp(my $zone = `idn --quiet "$_"`);
+ # checks the zones in argv if they're managed ones
+ my @zones;
+ foreach my $utf8zone (@ARGV) {
+ my $zone = idn_to_ascii($utf8zone, $CHARSET);
 die "zone $zone is not managed\n"
- if not -f "$master_dir/$zone/$zone";
+ if not -f "$cf{master_dir}/$zone/$zone";
 push @zones, $zone;
 }
- return ($cmd, @zones);
+
+ given ($cmd) {
+ when ("zsk") { exit create_zsk(@zones) };
+ #when ("ksk") { return create_ksk(@zones) };
+ #when ("check") { return check_zone(@zones) };
+ #when ("rm") { return rm_keys(@zones) };
+ default { die "not implemented\n" };
+ };
 }
-
 sub rm_keys ($@) {
 # deletes all the keys were handed over -rm in argv
@@ -109,11 +108,12 @@
 print " * $zone: removed key-set\n";
 }
- open(my $old, "$zpf/$zone") or die "$zpf/$zone: $!\n";
- my $fh = File::Temp->new(DIR => $zpf) or die "Can't create tmpfile: $!\n";
- print $fh grep { not /^\s*\$INCLUDE.*"K$zone.*\.key"/i } <$old>;
- rename($fh->filename => "$zpf/$zone")
- or die "Can't rename " . $fh->filename . " to $zpf/$zone: $!\n";
+ open(my $old, "$zpf/$zone") or die "$zpf/$zone: $!\n";
+ my $fh = File::Temp->new(DIR => $zpf)
+ or die "Can't create tmpfile: $!\n";
+ print $fh grep { not /^\s*\$INCLUDE.*"K$zone.*\.key"/i } <$old>;
+ rename($fh->filename => "$zpf/$zone")
+ or die "Can't rename " . $fh->filename . " to $zpf/$zone: $!\n";
 }
 }
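Review bot: The `check` handler stores a plain string (`"check" => sub { $cmd = "check" }`) while the three handlers above it push onto an array ref, so the `and @$cmd == 1` test a few lines later dereferences the string "check" (fatal if the file runs under `use strict`, which the lexical style suggests but the preamble is outside this hunk), and when no option is given at all `@$cmd` dereferences undef instead of falling through to `pod2usage`. Initialize `my $cmd = [];` and make the handler consistent with the others: `"check" => sub { push @$cmd => "check" },`. Separately, `&>/dev/null` in `system("command -v dnssec-keygen &>/dev/null")` is a bash-only redirection; when `/bin/sh` is a POSIX shell such as dash it parses as `&` followed by a bare `>/dev/null`, `$?` is 0 and the presence check never fires — use `system("command -v dnssec-keygen >/dev/null 2>&1")` (the pre-existing `perldoc -V &>/dev/null` line has the same problem). The MAIN block is entirely inside the hunk.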
@@ -156,48 +156,37 @@
 }
 }
-sub create_zsk ($@) {
- my ($master_dir, @zone) = @_;
- my @index;
+sub create_zsk (@) {
+ my @zones = @_;
+ my $keyname;
- for (@zone) {
- my $zone = $_;
- my $zpf = "$master_dir/$zone";
+ foreach my $zone (@zones) {
+ my $dir = "$cf{master_dir}/$zone";
- $keyname = `cd $zpf && dnssec-keygen -a RSASHA1 -b 512 -n ZONE $zone`;
+ chomp($keyname = `cd $dir && dnssec-keygen -a RSASHA1 -b 512 -n ZONE $zone`);
- unless (-f "$zpf/.index.zsk") {
- @index = ();
- }
- else {
- open(INDEX, "$zpf/.index.zsk") or die "$zpf/.index.zsk: $!\n";
- @index = ;
- close(INDEX);
- }
+ my @index;
+ open(my $idx, "+>>", "$dir/.index.zsk") or die "Can't open $dir/.index.zsk: $!\n";
+ seek($idx, 0, 0);
+ chomp(@index = <$idx>);
 push @index, $keyname;
- if (@index > 2) { shift(@index); }
+ shift @index if @index > 2;
+
+ truncate($idx, 0);
+ print $idx join "\n" => @index, "";
+ close($idx);
- {
- my $fh = File::Temp->new(DIR => "$zpf")
- or die "Can't create tmpdir: $!\n";
- print $fh join "" => @index, "";
- rename($fh->filename => "$zpf/.index.zsk")
- or die "Can't rename "
- . $fh->filename
- . " to $zpf/.index.zsk: $!\n";
- }
- chomp($keyname);
- print " * $zone: new ZSK $keyname\n";
+ say "$zone: new ZSK $keyname";
- open(KC, ">$zpf/.keycounter") or die "$zpf/keycounter: $!\n";
- print KC "0";
- close(KC);
+ open(my $kc, ">", "$dir/.keycounter") or die "$dir/.keycounter: $!\n";
+ print $kc "0\n";
+ close($kc);
 }
 }
-sub ck_zone ($@) {
+sub check_zone ($@) {
 my ($master_dir, @zone) = @_;
 for (@zone) {
@@ -320,11 +309,11 @@
 =head1 NAME
-dnssec-keytool
+ dnssec-keytool - key management
 =head1 SYNOPSIS
-dnssec-keytool {-z|-k|-r|-c} zone
+ dnssec-keytool {--zsk|--ksk|--rm|--check} zone...
 =head1 DESCRIPTION
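Review bot: `$keyname` is taken from the backtick call in create_zsk without checking `$?`, so if `dnssec-keygen` (or the `cd $dir`) fails an empty string is appended to `.index.zsk`, announced as the new ZSK, and `.keycounter` is reset anyway; add `die "$ME: dnssec-keygen failed for $zone\n" if $? != 0 or $keyname eq '';` directly after the `chomp(...)` line. The backtick string also interpolates `$dir` and `$zone` into a shell command — the `-f` check in MAIN limits which names reach here, but a list-form `open my $kg, '-|', 'dnssec-keygen', ...` after `chdir $dir` would avoid the shell entirely. Replacing the previous temp-file-plus-rename with `truncate`/`print` on the `+>>` handle means a crash between `truncate($idx, 0)` and `close` leaves an empty index, and `close($idx)` is unchecked so buffered write errors are lost; at minimum `close($idx) or die "$dir/.index.zsk: $!\n";`. A 512-bit RSASHA1 ZSK (`-b 512`, carried over from the old code) is well below current guidance (RSA of at least 2048 bits or ECDSAP256SHA256); consider taking algorithm and size from `%cf` instead of hard-coding them.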
@@ -334,13 +323,21 @@
 =over
-=item B<-z> created a new ZSK
+=item B<--zsk>
+
+Create a new ZSK for the zones.
-=item B<-k> created a new ZSK and KSK
+=item B<--ksk>
+
+Create a new KSK for the zones.
-=item B<-r> delete the key-set of a zone
+=item B<--rm>
+
+Remote all key material from the zones.
-=item B<-c> created configuration files for the dnstools and a new ZSK for an existing KSK
+=item B<--check>
+
+???
 =back