# HG changeset patch # User asuess@dns.net.schlittermann.de # Date 1281528513 -7200 # Node ID 5ac92c1ffdf921bf2a69b7d73eaf3d260a9b2828 # Parent ef4b45dd761864dbd47f332af35a83b2499a987e improvement, added update-serial diff -r ef4b45dd7618 -r 5ac92c1ffdf9 dnssec-creatkey --- a/dnssec-creatkey Wed Aug 11 11:15:49 2010 +0200 +++ b/dnssec-creatkey Wed Aug 11 14:08:33 2010 +0200 @@ -231,7 +231,7 @@ if ( $file =~ /.*key/ ) { $file =~ s#/.*/(K.*)#$1#; - push @new_zone_content, "\$include $file\t\t; dnssec-zsk\n" ; + push @new_zone_content, "\$INCLUDE \"$file\"\t\t; dnssec-zsk\n" ; last; } @@ -247,7 +247,7 @@ if ( $file =~ /.*key/ ) { $file =~ s#/.*/(K.*)#$1#; - push @new_zone_content, "\$include $file\t\t; dnssec-ksk\n" ; + push @new_zone_content, "\$INCLUDE \"$file\"\t\t; dnssec-ksk\n" ; last; } diff -r ef4b45dd7618 -r 5ac92c1ffdf9 dnssec-killkey --- a/dnssec-killkey Wed Aug 11 11:15:49 2010 +0200 +++ b/dnssec-killkey Wed Aug 11 14:08:33 2010 +0200 @@ -32,6 +32,8 @@ my $zone; my @status; my @auto; +my @old_zone_content; +my @new_zone_content; chomp( my $now_time = `date +%s` ); # aktuelle unixzeit # prueft zonen aus ARGV und loescht das schluesselmaterial @@ -182,7 +184,7 @@ if ( $file =~ /.*key/ ) { $file =~ s#/.*/(K.*)#$1#; - push @new_zone_content, "\$include $file\t\t; dnssec-zsk\n" ; + push @new_zone_content, "\$INCLUDE \"$file\"\t\t; dnssec-zsk\n" ; last; } @@ -198,7 +200,7 @@ if ( $file =~ /.*key/ ) { $file =~ s#/.*/(K.*)#$1#; - push @new_zone_content, "\$include $file\t\t; dnssec-ksk\n" ; + push @new_zone_content, "\$INCLUDE \"$file\"\t\t; dnssec-ksk\n" ; last; } diff -r ef4b45dd7618 -r 5ac92c1ffdf9 dnstools.conf --- a/dnstools.conf Wed Aug 11 11:15:49 2010 +0200 +++ b/dnstools.conf Wed Aug 11 14:08:33 2010 +0200 
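Review bot: The new `$INCLUDE "$file"` line is still guarded by `if ( $file =~ /.*key/ )`, an unanchored match that is true for any path containing "key" — including a `.private` file that lives under a directory such as `keys/` — and including a private key file in a published zone would expose the signing key, so anchor the guard on the extension: `if ( $file =~ /\.key\z/ ) {`. The same guard precedes the other three `$INCLUDE` lines in this changeset (dnssec-creatkey @@ -247, dnssec-killkey @@ -184 and @@ -200). The loops that build `$file` start outside these hunks, so I cannot tell whether the candidate list is already restricted to `.key` names upstream; if it is, a one-line comment saying so at the guard would stop the next reader from asking the same question.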
@@ -3,7 +3,7 @@ zone_conf_dir = /etc/bind/zones.d key_counter_end = 20 # Anzahl der Signierungen bis zum Key-Rollover sign_alert_time = 48 # Warn-Zeitraum vor dem Ablauf einer Zone-Signatur in h -abl_zeit = 24 # Dauer des Key-Rollover (2 Schluessel) in h +abl_zeit = 1 # Dauer des Key-Rollover (2 Schluessel) in h secondary = hh.schlittermann.de primary = pu.schlittermann.de #this_host diff -r ef4b45dd7618 -r 5ac92c1ffdf9 update-serial --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/update-serial Wed Aug 11 14:08:33 2010 +0200 
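Review bot: `abl_zeit` drops from 24 to 1 hour with nothing in the commit message to explain it, and the trailing comment on the same line says this is the duration of the key rollover during which two keys are published. A rollover window shorter than the TTLs of the signed records (plus the transfer delay to the secondary named on the following lines) can leave validating resolvers holding RRSIGs for a key that has already been withdrawn; if 1 hour is a test setting it should not land in the shared default. Either way the comment should record the constraint the value has to satisfy, e.g. `abl_zeit = 1 # key-rollover window in h (two keys published); must exceed the zone's TTLs`.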
@@ -0,0 +1,182 @@ +#! /usr/bin/perl +# (c) 1998 Heiko Schlittermann +# +# … work in progress do integrate dnssec (branch suess) +# +# Update the serial numbers in zone files +# The serial number needs to match a specified pattern (see +# the line marked w/ PATTERN. +# +# ToDo: +# . test against an md5 sum, not just the date of the stamp file +# . FIXME: handle `/' in file names (currently only working in +# the current directory) +# . optionally reload the named + + +use strict; +use warnings; + +use File::Basename; +use File::Copy; +use FindBin; + +my @configs = ( "$FindBin::Bin/dnstools.conf", "/etc/dnstools.conf" ); +my @dnssec_signs = ( "$FindBin::Bin/dnssec-sign", "/usr/bin/dnstools/dnssec-sign"); +my %config; +my $dnssec_sign; + +foreach ( grep {-f} @configs ) { + open( CONFIG, $_ ) or die "Can't open $_: $!\n"; +} + +unless ( seek( CONFIG, 0, 0 ) ) { + die "Can't open config (searched: @configs)\n"; +} +foreach ( grep {-f} @dnssec_signs ) { + if (-x $_) { + $dnssec_sign = $_; + } + else { + die "Can't run $_\n" + } +} + + +while () { + chomp; + s/#.*//; + s/\t//g; + s/\s//g; + next unless length; + my ( $cname, $ccont ) = split( /\s*=\s*/, $_, 2 ); + $config{$cname} = $ccont; +} +close(CONFIG); + +my $bind_dir = $config{bind_dir}; +my $conf_dir = $config{zone_conf_dir}; +my $master_dir = $config{master_dir}; + +my $ME = basename $0; +my @tmpfiles; +my $verbose = 0; +my $opt_yes = 0; +my @Zones; +my $file; + +sub cleanup() { unlink @tmpfiles; } +END { cleanup(); } + +for (@ARGV) { + if ($_ eq "-y") { + $opt_yes = 1; + shift @ARGV; + } +} + +@Zones = @ARGV ? 
@ARGV : glob("$master_dir/*"); + + +MAIN: { + my $changed; + my ($dd, $mm, $yy) =(localtime())[3..5]; + my $date; + $mm++; + + foreach ($dd, $mm) { s/^\d$/0$&/; } + $yy += 1900; + $date = "$yy$mm$dd"; + + + while (my $file = shift @Zones) { + + my $file_basename = basename($file); + + $file =~ s#($master_dir)(/.*)#$1$2$2#; + local (*I, *O); + my $done = 0; + + my $new = "$file.$$.tmp"; + my $bak = "$file.bak"; + my $stamp = $master_dir . "/.stamp/" . basename($file); + + $file =~ /(\.bak|~)$/ and next; + $file !~ /\./ and next; + + $verbose && print "$file:"; + + + if (-f $stamp && ((stat($stamp))[9] >= (stat($file))[9])) { + $verbose && print " fresh, skipping.\n"; + next; + } + + $done = 0; + push @tmpfiles, $new; + open(*I, "<$file") or die("Can't open < $file: $!\n"); + open(*O, ">$new") or die("Can't open > $new: $!\n"); + + while () { + /^\s+((\d+)(\d{2}))\s*;\s*serial/i and do { # PATTERN + my ($sdate, $scount, $serial) = ($2, $3, $1); + $done = 1; + print " [$file] serial $sdate$scount"; + + if ($date eq $sdate) { $scount++; } + else { $sdate = $date; $scount = "00"; } + + print " bumping to $sdate$scount \n"; + s/$serial/$sdate$scount/; + + }; + print O; + } + + close(O); close(I); + + if ($done) { + # copy($file, $bak) or die("Can't copy $file -> $bak: $!\n"); + + open(I, "<$new") or die("Can't open <$new: $!\n"); + open(O, ">$file") or die("Can't open >$file: $!\n"); + while () { print O or die("Can't write to $file: $!\n"); } + close(I) or die("Can't close $new: $!\n"); + close(O) or die("Can't close $file: $!\n"); + + unlink $new; + + open(O, ">$stamp") or die("Can't open >$stamp: $!\n"); + close(O); + $changed++; + + # dnssec - new sign + system "$dnssec_sign $file_basename"; + die "$dnssec_sign not found ($!)" if $? 
== -1; + exit 1 if $?; + + } else { + print " $file: no serial number found: no zone file?"; + } + print "\n"; + } + + if ($changed) { + my $pidfile; + + print "** Changed $changed files, the nameserver needs to be reloaded!\n"; + foreach (qw(/var/run/bind/run/named.pid /var/run/named.pid /etc/named.pid)) { + -f $_ and $pidfile = $_ and last; } + + if ($pidfile) { + if ($opt_yes) { $_ = "y"; print "** Nameserver will be reloaded\n"; } + else { print "** Reload now? [Y/n]: "; $_ = ; } + /^y|^$/i and system "rndc reload"; + } else { + print "** No PID of a running named found. Please reload manually.\n"; + } + + } +} + +# vim:ts=4:sw=4:ai:aw: diff -r ef4b45dd7618 -r 5ac92c1ffdf9 zone-mk --- a/zone-mk Wed Aug 11 11:15:49 2010 +0200 +++ b/zone-mk Wed Aug 11 14:08:33 2010 +0200 @@ -31,14 +31,14 @@ open( TEMPCONF, $_ ) or die "Can't open $_: $!\n"; } unless ( seek( TEMPCONF, 0, 0 ) ) { - die "Can't open config (searched: @templc)\n"; + die "Can't open template (searched: @templc)\n"; } for ( grep {-f} @templz ) { open( TEMPZONE, $_ ) or die "Can't open $_: $!\n"; } unless ( seek( TEMPZONE, 0, 0 ) ) { - die "Can't open config (searched: @templz)\n"; + die "Can't open template (searched: @templz)\n"; } while () {
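Review bot: In the new update-serial, `system "$dnssec_sign $file_basename"` hands a name taken from `@ARGV` (or the `$master_dir` glob) to a shell, and every `open` in the file is the two-argument form with an interpolated path (`open(*I, "<$file")`, `open(O, ">$new")`, `open(O, ">$stamp")`, `open(CONFIG, $_)`), which re-parses the string for mode characters and trims whitespace; use the list form `system($dnssec_sign, $file_basename)` and three-argument `open` on lexical handles throughout, checking `close` on the temporary file as the copy-back already does. The `-y` handling is wrong when the flag is not the first argument: `shift @ARGV` removes `$ARGV[0]`, not the matching element, so `update-serial zone -y` leaves `@Zones` holding only `-y`, which the `!~ /\./` test then skips and the run silently updates nothing. `$dnssec_sign` stays undefined when neither candidate in `@dnssec_signs` exists and this is only noticed once `$?` is -1 after the shell has run an empty command name, so fail right after the search loop. The `while ()` and `$_ = ;` reads appear to have lost their `<FH>` operands in transit, so I have not reviewed the read loops themselves.
```perl
# … unchanged: config search and parsing …
for ( grep {-f} @dnssec_signs ) {
    if (-x $_) {
        $dnssec_sign = $_;
    }
    else {
        die "Can't run $_\n"
    }
}
# fail here, not after a shell has already run with an empty command name
die "No executable dnssec-sign found (searched: @dnssec_signs)\n"
    unless defined $dnssec_sign;

# … unchanged: directories, globals, cleanup …

# keep every non-flag argument; shift @ARGV always removed $ARGV[0]
my @zone_args;
for (@ARGV) {
    if ($_ eq "-y") { $opt_yes = 1; }
    else            { push @zone_args, $_; }
}
@ARGV = @zone_args;

# … unchanged: date computation, per-file setup …
        open( my $in,  '<', $file ) or die("Can't open < $file: $!\n");
        open( my $out, '>', $new )  or die("Can't open > $new: $!\n");
        # … unchanged: serial bump loop, reading $in and printing to $out …
        close($out) or die("Can't close $new: $!\n");
        close($in);

        if ($done) {
            open( $in,  '<', $new )  or die("Can't open <$new: $!\n");
            open( $out, '>', $file ) or die("Can't open >$file: $!\n");
            # … unchanged: copy-back loop and close checks …
            open( $out, '>', $stamp ) or die("Can't open >$stamp: $!\n");
            close($out) or die("Can't close $stamp: $!\n");
            $changed++;

            # list form: the zone name never reaches a shell
            system( $dnssec_sign, $file_basename );
            # … unchanged: $? checks …
```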