# HG changeset patch
# User Heiko Schlittermann
# Date 1293657040 -3600
# Node ID 8a85723f4b5329a765b08291cf3637e7012a5b5e
# Parent 2c45d68844bfc1489aa3aaf3026a10713e72bd6f
[savepoint]

diff -r 2c45d68844bf -r 8a85723f4b53 update-serial.pl
--- a/update-serial.pl Wed Dec 29 12:02:01 2010 +0100
+++ b/update-serial.pl Wed Dec 29 22:10:40 2010 +0100
@@ -21,6 +21,7 @@
 sub need_rollover();
 sub done_rollover();
 sub begin_rollover(@);
+sub kill_useless_keys($);
 sub sign_zone;
 sub update_serial;
@@ -28,7 +29,6 @@
 sub file_entry;
 sub server_reload;
 sub key_to_zonefile;
-sub kill_useless_keys;
 sub end_ro;
 
 my %config;
@@ -38,6 +38,7 @@
 GetOptions(
 "sign-alert-time=i" => \$opt{sign_alert_time},
+ "key-counter-end=i" => \$opt{key_counter_end},
 "h|help" => sub { pod2usage(-exit 0, -verbose => 1) },
 "m|man" => sub {
 pod2usage(
@@ -68,19 +69,18 @@
 ### @candidates
 ### @need_rollover
 ### @done_rollover
- begin_rollover(@need_rollover); # eine rollover-beginn-sequenz
 exit;
 
 if (@end_ro_list) {
- end_ro; # eine rollover-end-squenz
+ end_ro; # eine rollover-end-squenz
 }
 
 if (@new_serial) {
 #--update_index; # index zone aktuallisieren
- update_serial; # serial aktuallisieren
- sign_zone; # zone signieren
+ update_serial; # serial aktuallisieren
+ sign_zone; # zone signieren
 }
 
 file_entry; # bearbeitet die file-eintraege der konfigurations-datei
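Review bot: The new `--key-counter-end` option in the GetOptions hunk is parsed but nothing in this patch validates or consumes it; `=i` accepts 0 and negative values, so a limit below 1 would pass unchecked into whatever later compares it against the `.keycounter` value (that consumer is presumably outside this patch). Add a bound right after GetOptions, e.g. `die "--key-counter-end must be >= 1\n" if defined $opt{key_counter_end} and $opt{key_counter_end} < 1;`, and state the default used when the option is absent. The POD entry added at the end of the patch reads `Maximum number if key usages.`; `if` should be `of`, and the entry should say what happens when the counter reaches that value. The GetOptions call continues outside the hunk.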
@@ -435,29 +435,46 @@
 #?? for (uniq(@begin_ro_list)) {
 foreach my $zone (@zones) {
- #erzeugt zsks
- my $dir = "$config{master_dir}/$zone";
- my @keys;
+ # erzeugt zsks
+ my $dir = "$config{master_dir}/$zone";
+ my ($keyname, @keys);
+
+ { # need to change the direcoty, thus some more effort
+ # alternativly: $keyname = `cd $dir && dnssec-keygen ...`;
+ # would do, but is more fragile on shell meta characters
 
- chomp(my $keyname = `cd $dir && dnssec-keygen -a RSASHA1 -b 512 -n ZONE $zone`);
+ open(my $keygen, "-|") or do {
+ chdir $dir or die "Can't chdir to $dir: $!\n";
+ exec "dnssec-keygen",
+ -a => "RSASHA1",
+ -b => 512,
+ -n => "ZONE",
+ $zone;
+ die "Can't exec: $!";
+ };
+ chomp($keyname = <$keygen>);
+ close($keygen) or die "dnssec-keygen failed: $@";
+ }
 
 open(my $fh, "+<$dir/.index.zsk") or die "$dir/.index.zsk: $!\n";
 chomp(@keys = <$fh>);
- push @keys, $keyname;
- shift @keys if @keys > 2;
+ ### @keys
 
- seek($fh, 0, 0) or die "seek"; # FIXME
- truncate($fh, 0) or die "truncate"; # FIXME
+ push @keys, $keyname;
+ shift @keys if @keys > 2;
+
+ seek($fh, 0, 0) or die "seek"; # FIXME
+ truncate($fh, 0) or die "truncate"; # FIXME
 print $fh join "\n" => @keys;
 print " * $zone: neuer ZSK $keyname erstellt\n";
 
 open($fh, ">$dir/.keycounter") or die "$dir/.keycounter: $!\n";
 say $fh 0;
- close($fh);
+ close($fh);
 
- &kill_useless_keys($zone);
+ kill_useless_keys($zone);
 &key_to_zonefile($zone);
 push @r, $zone;
 }
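Review bot: `open(my $keygen, "-|") or do { ... }` treats a failed fork the same as being the child: open returns undef on fork failure and 0 in the child, both false, so when fork fails the parent itself chdirs to `$dir` and execs dnssec-keygen, replacing the script mid-run. Test `defined` on the return value first and only run the chdir/exec branch when it is 0, as in the perlipc pipe-open idiom; the rewrite below also checks that a key name was actually read. The failure message on `close($keygen)` interpolates `$@`, which is the eval error and is never set by `close`; for a pipe handle the child's exit status is in `$?` and a syscall error in `$!`. The `-a => "RSASHA1", -b => 512` arguments are carried over from the removed backtick line; a 512-bit RSA ZSK can be factored with modest resources and RSASHA1 is no longer recommended for DNSSEC signing, so algorithm and key size should come from configuration with a current default (e.g. `ECDSAP256SHA256`) rather than be hard-coded. The enclosing sub begins before the hunk; the `foreach my $zone` loop closes inside it.
```perl
            my $pid = open(my $keygen, "-|");
            defined $pid or die "Can't fork for dnssec-keygen: $!\n";
            unless ($pid) {    # child: open returned 0
                chdir $dir or die "Can't chdir to $dir: $!\n";
                # … unchanged: exec "dnssec-keygen", -a => …, $zone; die "Can't exec: $!"; …
            }
            chomp($keyname = <$keygen>);
            defined $keyname or die "dnssec-keygen printed no key name for $zone\n";
            close($keygen)
                or die "dnssec-keygen failed: " . ($! ? $! : "exit status $?") . "\n";
```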
@@ -491,43 +508,30 @@
 close(ZONEFILE);
 }
 
-sub kill_useless_keys {
+sub kill_useless_keys($) {
 # die funktion loescht alle schluessel die nicht in der index.zsk
 # der uebergebenen zone stehen
- my $zone = $_[0];
- my @keylist = ();
- my $zpf = "$config{master_dir}/$zone";
+ my $zone = shift;
+
+ my @keys = ();
+ my $dir = "$config{master_dir}/$zone";
 
- open(INDEX, "<$zpf/.index.zsk") or die "$zpf/.index.zsk: $!\n";
- @keylist = ;
- close(INDEX);
- open(INDEX, "<$zpf/.index.ksk") or die "$zpf/.index.ksk: $!\n";
- push @keylist, ;
+ {
+ # collect the keys and cut everything except the key id
+ open(my $zsk, "<$dir/.index.zsk") or die "$dir/.index.zsk: $!\n";
+ open(my $ksk, "<$dir/.index.ksk") or die "$dir/.index.ksk: $!\n";
+ @keys = map { basename $_, ".private", ".key" } (<$zsk>, <$ksk>);
+ }
 
- # kuerzt die schluessel-bezeichnung aus der indexdatei auf die id um sie
- # besser vergleichen zu koennen.
- for (@keylist) {
- chomp;
- s#K.*\+.*\+(.*)#$1#;
- }
+ ### @keys
 
 # prueft alle schluesseldateien (ksk, zsk) ob sie in der jeweiligen
 # indexdatei beschrieben sind. wenn nicht werden sie geloescht.
- for (grep /(?:key|private)$/ => glob "$config{master_dir}/$zone/K*") {
- chomp;
- my $file = $_;
- my $rm_count = 1;
- my $keyname;
- for (@keylist) {
- if ($file =~ /$_/) { $rm_count = 0; }
- }
- if ($rm_count == 1) {
- unlink "$file";
- if ($file =~ /$zpf\/(.*\.key)/) {
- print " * $zone: Schluessel $1 entfernt \n";
- }
- }
+ # ---- <><><><>
+ for my $file (grep /(?:key|private)$/ => glob "$config{master_dir}/$zone/K*") {
+ $file = basename $file, ".private", ".key";
+ unlink "$file.key", "$file.private" if $file ~~ @keys;
 }
 }
@@ -555,7 +559,7 @@
 print INDEX $last_key;
 close(INDEX);
 }
- &kill_useless_keys($zone);
+ kill_useless_keys($zone);
 &key_to_zonefile($zone);
 push @new_serial, $zone;
 }
@@ -582,6 +586,10 @@
 =item B<--sign-alert-time> I
 
+=item B<--key-counter-end> I
+
+Maximum number if key usages.
+
 =back
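Review bot: The condition on the last added line of `kill_useless_keys` is inverted relative to the function's own comment and to the removed loop: `unlink ... if $file ~~ @keys` deletes exactly the key files that are listed in the index files (the ones in use), whereas the old code deleted those that were not, so the zone's live ZSK/KSK material would be removed on the next run. Two more defects sit on the same lines: `$file` has been reduced to a basename, so `unlink "$file.key", "$file.private"` targets the current directory rather than `$dir` and its unchecked return value hides that; and the index lines fed to `map { basename ... }` are not chomped, so every entry except the last keeps its newline and never compares equal. `~~` smartmatch is experimental and its string-against-array semantics have changed between Perl versions; a hash of indexed names is the stable form. The `($)` prototype added to the sub (and to its forward declaration at the top of the patch) performs no argument validation, and both call sites pass a single scalar, so a plain `sub kill_useless_keys {` with `my $zone = shift;` is sufficient. `basename` is used with no `use File::Basename` visible in these hunks; presumably it is imported earlier in the file.
```perl
    my $dir = "$config{master_dir}/$zone";

    my %indexed;
    {
        # … unchanged: open of $zsk and $ksk …
        chomp(my @lines = (<$zsk>, <$ksk>));
        $indexed{ basename($_, ".private", ".key") } = 1 for @lines;
    }

    # … unchanged: comment "prueft alle schluesseldateien …" …
    for my $file (grep /(?:key|private)$/ => glob "$config{master_dir}/$zone/K*") {
        my $base = basename $file, ".private", ".key";
        next if $indexed{$base};    # still referenced by an index file: keep it
        unlink $file or die "unlink $file: $!\n";
        print " * $zone: Schluessel " . basename($file) . " entfernt\n";
    }
```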