# HG changeset patch
# User asuess@dns.net.schlittermann.de
# Date 1291390932 -3600
# Node ID d50f6874b7abb77a1a14f4e66e053ce496e4e245
# Parent d3158de72598127f15be91315489434d3adabe09
added keytool, removed a lot
diff -r d3158de72598 -r d50f6874b7ab dnssec-creatkey
--- a/dnssec-creatkey Thu Dec 02 16:46:17 2010 +0100
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,281 +0,0 @@
-#!/usr/bin/perl -w
-
-use strict;
-use FindBin;
-
-sub del_double {
- my %all;
- grep { $all{$_} = 0 } @_;
- return ( keys %all );
-}
-
-# liest die Konfiguration
-my @configs = ( "$FindBin::Bin/dnstools.conf", "/etc/dnstools.conf" );
-my %config;
-
-for ( grep {-f} @configs ) {
- open( CONFIG, $_ ) or die "Can't open $_: $!\n";
-}
-
-unless ( seek( CONFIG, 0, 0 ) ) {
- die "Can't open config (searched: @configs)\n";
-}
-
-while () {
- chomp;
- s/#.*//;
- s/\t//g;
- s/\s//g;
-
- next unless length;
- my ( $cname, $ccont ) = split( /\s*=\s*/, $_, 2 );
- $config{$cname} = $ccont;
-}
-close(CONFIG);
-
-my $master_dir = $config{master_dir};
-my $key_counter_end = $config{key_counter_end};
-my @change;
-my @manu;
-my @index;
-my $zone;
-my $keyname;
-
-# prueft ob eingaben in ARGV domains sind und gibt sie in die liste @manu
-for (@ARGV) {
- chomp( my $zone = `idn --quiet "$_"` );
-
- if ( -d "$master_dir/$zone" ) {
- push( @manu, $zone );
- }
- else {
- print " $zone not exist\n ";
- }
-}
-
-# prueft ob zonen mit schluesselmaterial ueber index- und keycounterdatei
-# verfuegen.
-# legt .index.ksk an falls nicht und gibt die entsprechende zone in die
-# liste @change
-while (<$master_dir/*>) {
- chomp( $zone = $_ );
-
- if ( -f "$zone/.index.zsk"
- and -f "$zone/.index.ksk"
- and -f "$zone/.keycounter" )
- {
- next;
- }
-
- while (<$zone/*>) {
- if (m#^K#) {
- my $file_in_zone = $_;
-
- open( KEY, $_ ) or die "$_: $!\n";
- for () {
- if (m#DNSKEY.257#) {
- $file_in_zone =~ s#(/.*/)(.*).key#$2#;
-
- open( INDEX, ">$zone/.index.ksk" ) or die;
- print INDEX "$file_in_zone\n";
- close(INDEX);
-
- $zone =~ s#($master_dir/)(.*)#$2#;
- push( @change, $zone );
-
- }
- }
- close(KEY);
- }
- }
-}
-
-# gibt alle zonen mit abgelaufenen keycounter in die liste @change
-while (<$master_dir/*>) {
- chomp( $zone = $_ );
- my $key;
-
- unless ( -f "$zone/.keycounter" ) {
- next;
- }
-
- open( KEY, "$zone/.keycounter" ) or die "$zone/.keycounter: $!\n";
- $key = ;
- close(KEY);
-
- if ( $key_counter_end <= $key ) {
- $zone =~ s#($master_dir/)(.*)#$2#;
- push( @change, $zone );
- }
-}
-
-#erzeugt zsks
-for ( &del_double( @change, @manu ) ) {
- $zone = $_;
-
- chdir "$master_dir/$zone" or die "$master_dir/$zone: $!\n";
- $keyname = `dnssec-keygen -a RSASHA1 -b 512 -n ZONE $zone`;
-
- unless ( -f ".index.zsk" ) {
- @index = ();
- }
- else {
- open( INDEX, ".index.zsk" )
- or die "$master_dir/$zone/.index.zsk: $!\n";
- @index = ;
- close(INDEX);
- }
-
- push @index, $keyname;
- if ( @index > 2 ) {
- shift(@index);
- }
-
- open( INDEX, ">.index.zsk" ) or die "$master_dir/$zone/.index.zsk: $!\n";
- print INDEX @index;
- close(INDEX);
-
- chomp($keyname);
- print "$keyname (ZSK) creat for $zone \n";
-
- open( KC, ">.keycounter" ) or die "$master_dir/$zone/keycounter: $!\n";
- print KC "0";
- close(KC);
-}
-
-#erzeugt ksks
-for ( &del_double(@manu) ) {
- $zone = $_;
-
- chdir "$master_dir/$zone" or die "$master_dir/$zone: $!\n";
- $keyname = `dnssec-keygen -a RSASHA1 -b 2048 -f KSK -n ZONE $zone`;
-
- print "creat new KSK for $zone? 
(no): ";
- unless ( =~ m/^yes/ ) {
- next;
- }
-
- unless ( -f ".index.ksk" ) {
- @index = ();
- }
- else {
-
- open( INDEX, ".index.ksk" )
- or die "$master_dir/$zone/.index.ksk: $!\n";
- @index = ;
- close(INDEX);
- }
-
- push @index, $keyname;
- if ( @index > 2 ) {
- shift(@index);
- }
-
- open( INDEX, ">.index.ksk" ) or die "$master_dir/$zone/.index.ksk: $!\n";
- print INDEX @index;
- close(INDEX);
-
- chomp($keyname);
- print "$keyname (KSK) creat for $zone \n";
-}
-
-# loescht alle unbenoetigten schluessel, fuegt die schluessel in
-# die zone-datei
-for ( &del_double( @change, @manu ) ) {
- $zone = $_;
- my @old_zone_content = ();
- my @new_zone_content = ();
- my @kkeylist = ();
- my @zkeylist = ();
- my $file = ();
-
- open( INDEX, "<$master_dir/$zone/.index.zsk" )
- or die "$master_dir/$zone/.index.zsk: $!\n";
- @zkeylist = ;
- close(INDEX);
-
- open( INDEX, "<$master_dir/$zone/.index.ksk" )
- or die "$master_dir/$zone/.index.ksk: $!\n";
- @kkeylist = ;
- close(INDEX);
-
- open( ZONE, "<$master_dir/$zone/$zone" )
- or die "$master_dir/$zone/$zone: $!\n";
- @old_zone_content = ;
- close(ZONE);
-
- # kuerzt die schluessel-bezeichnung aus der indexdatei auf die id um sie
- # besser vergleichen zu koennen.
- for ( @kkeylist, @zkeylist ) {
- chomp;
- s#K.*\+.*\+(.*)#$1#;
- }
-
- # filtert alle schluessel aus der zonedatei
- # old_zone_content ==> new_zone_content
- for (@old_zone_content) {
- unless (/dnssec-(zsk|ksk)/) {
- push @new_zone_content, $_;
- }
- }
-
- # prueft alle schluesseldateien (ksk, zsk) ob sie in der jeweiligen
- # indexdatei beschrieben sind. wenn nicht werden sie geloescht.
- for (`ls $master_dir/$zone/K*[key,private]`) {
- chomp;
- $file = $_;
- my $rm_count = 1;
-
- for (@zkeylist) {
-
- if ( $file =~ /$_/ ) {
- $rm_count = 0;
-
- # schluessel die in der indexdatei standen, werden an die
- # zonedatei angehangen.
- if ( $file =~ /.*key/ ) {
-
- $file =~ s#/.*/(K.*)#$1#;
- push @new_zone_content,
- "\$INCLUDE \"$file\"\t\t; dnssec-zsk\n";
-
- last;
- }
- }
- }
- for (@kkeylist) {
-
- if ( $file =~ /$_/ ) {
- $rm_count = 0;
-
- # schluessel die in der indexdatei standen, werden an die
- # zonedatei angehangen.
- if ( $file =~ /.*key/ ) {
-
- $file =~ s#/.*/(K.*)#$1#;
- push @new_zone_content,
- "\$INCLUDE \"$file\"\t\t; dnssec-ksk\n";
-
- last;
- }
- }
- }
-
- #loescht alle unbenoetigten schluessel
- if ( $rm_count == 1 ) {
- unlink "$file";
- }
- }
-
- open( ZONE, ">$master_dir/$zone/$zone" )
- or die "$master_dir/$zone/$zone: $!\n";
- print ZONE @new_zone_content;
- close(ZONE);
-
-}
-
-# "toucht" alle zonen damit der serial erhoeht und die
-# zone neu signiert wird
-for ( &del_double( @change, @manu ) ) {
- system "touch $master_dir/$_/$_";
-}
diff -r d3158de72598 -r d50f6874b7ab dnssec-keytool
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/dnssec-keytool Fri Dec 03 16:42:12 2010 +0100
@@ -0,0 +1,350 @@
+#!/usr/bin/perl -w
+
+use strict;
+use FindBin;
+
+sub del_double {
+ my %all;
+ grep { $all{$_} = 0 } @_;
+ return ( keys %all );
+}
+
+sub read_conf {
+ # liest die Konfiguration ein
+ my @configs = ( "$FindBin::Bin/dnstools.conf", "/etc/dnstools.conf" );
+ our %config;
+
+ for ( grep {-f} @configs ) {
+ open( CONFIG, $_ ) or die "Can't open $_: $!\n";
+ }
+ unless ( seek( CONFIG, 0, 0 ) ) {
+ die "Can't open config (searched: @configs)\n";
+ }
+ while () {
+ chomp;
+ s/#.*//;
+ s/\t//g;
+ s/\s//g;
+
+ next unless length;
+ my ( $cname, $ccont ) = split( /\s*=\s*/, $_, 2 );
+ $config{$cname} = $ccont;
+ }
+ close(CONFIG);
+}
+
+sub read_argv {
+ # wertet argv aus oder gibt die hilfe aus
+ my $arg = shift @ARGV;
+ my $zone;
+ our $do;
+ our @zones;
+ our $master_dir;
+
+ if ( ! defined $arg ) {
+ print " usage: dnssec-keytool