# HG changeset patch
# User asuess@dns.net.schlittermann.de
# Date 1285839351 -7200
# Node ID f5db9f4a3e76b9e504c5f8eb7976b4bcddbaf8ba
# Parent d3269961e944092575e7c2ab77cfdc9246398f5b
added nagios-plugin, removed readme(look at ius-wiki), some improvement
diff -r d3269961e944 -r f5db9f4a3e76 README
--- a/README Fri Aug 13 17:00:37 2010 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,31 +0,0 @@
-Zonedatei erstellen
- - zone-mk
- - update-zone
-
-
-Zonedatei loeschen
- - zone-rm
- - update-zone
-
-
-neuen ZSK/KSK erstellen
- - dnssec-creatkey
- - update-zone
-
-
- - dnssec-killkey (nach der Ablauf des Key-Rollover)
- - update-zone
-
-
-Schluessel loeschen
- - dnssec-killkey
- - update-zone
-
-
-Signatur update
- - update-zone
-
-
-Schlüssel update
- - dnssec-creatkey
- - update-zone
diff -r d3269961e944 -r f5db9f4a3e76 dnsnagios/dnssec-check
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/dnsnagios/dnssec-check Thu Sep 30 11:35:51 2010 +0200
@@ -0,0 +1,137 @@
+#! /usr/bin/perl -w
+
+use strict;
+
+my $sign_alert_time = 72; # Warnzeit in Stunden
+my $sign_critic_time = 12; # Critical-Zeit in Stunden
+my $indexserver = "84.19.194.5";
+my $dns_server = "muli.schlittermann.de";
+my $indexzone = "idx.net.schlittermann.de";
+my @sec_zones = ();
+my $set_exit = 0;
+my (@print_zones, @print_infos);
+my $inter_time;
+my $count;
+my $oldest_time = 9000000000;
+my $oldest_name;
+my $dsrec;
+my $abltime;
+my $oldest_ftime;
+my $ftime;
+chomp( my $unixtime = `date +%s` );
+
+# erzeugt liste @sec_zones aus der dig-abfrage
+my @digtxt = `dig \@$indexserver $indexzone TXT` or
+ print "PROBLEM: no results from dig \n" and exit 2;
+
+# abbruch des skripts wenn dig nicht korrekt antwortet
+# ausfiltern der zonen im index mit dnssec unterstuetzung
+for (@digtxt) {
+ chomp;
+ if (m#status\:.(.*)\,#) {
+ unless ($1 eq "NOERROR") {
+ print "PROBLEM: $indexzone not reachable \n";
+ exit 2;
+ }
+ }
+ if (m#ZONE::(.*)::sec-on#) {
+ push @sec_zones, $1;
+ }
+}
+
+# erstellt $alert_time aus der systemunixzeit und dem
+# konfigurationswert in $sign_alert_time
+$inter_time = $unixtime + ( 3600 * $sign_alert_time );
+chomp( my $alert_time = `date -d \@$inter_time +%Y%m%d%H`);
+# erstellt $critic_time
+$inter_time = $unixtime + ( 3600 * $sign_critic_time );
+chomp( my $critic_time = `date -d \@$inter_time +%Y%m%d%H`);
+
+# durchlauf fuer jede dnssec-zone
+for (@sec_zones) {
+ chomp (my @zone_dig = `dig +dnssec \@$dns_server $_`);
+ my $zone = $_;
+
+ # parst die ablaufzeit der signatur
+ for (@zone_dig) {
+ unless (m#RRSIG.*SOA#) { next;}
+ s#($zone).*([0-9]{10})([0-9]{4}).*[0-9]{14}.*#$2#;
+ # ermittelt die naechste ablaufsdomain
+ if ($oldest_time > $_) {
+ $oldest_time = $_;
+ $oldest_name = $zone;
+ $oldest_ftime = $ftime;
+ }
+ # setzt exit 2 wen die critical-time ueberschritten ist
+ if($_ < $critic_time) {
+ $set_exit = 2;
+ push @print_zones, $zone;
+ last;
+ }
+ # setzt exit 1 wen die alert-time ueberschritten ist
+ if($_ <
$alert_time) {
+ unless ($set_exit == 2) {
+ $set_exit = 1;
+ }
+ push @print_zones, $zone;
+ last;
+ }
+ }
+
+ my @digtest_1 = `dig \@$dns_server $zone +dnssec DNSKEY`;
+ my @digtest_2 = `dig \@$dns_server $zone +dnssec DS`;
+ my @digtest_3 = `dig \@$dns_server $zone\.dlv.isc.org`;
+
+ # ermittelt und formatiert die ablaufzeit
+ for (@digtest_1) {
+ if (m#RRSIG.*DNSKEY.*(\d{4})(\d{2})(\d\d)(\d\d)(\d\d)(\d\d).*(\d{14})#) {
+ $ftime = "$3.$2.$1 $4:$5";
+ last;
+ }
+ }
+ # setzt die zeit fuer die naechste ablaufsdomain
+ if ($oldest_name eq $zone) {
+ $oldest_ftime = $ftime;
+ }
+
+ # zskanzahl
+ my $zskcount = 0;
+ for (@digtest_1) {
+ if (m#DNSKEY.*256#) {
+ $zskcount ++;
+ }
+ }
+ # kskanzahl
+ my $kskcount = 0;
+ for (@digtest_1) {
+ if (m#DNSKEY.*257#) {
+ $kskcount ++;
+ }
+ }
+ # ds-test
+ for (@digtest_2) {
+ if (m#IN.*RRSIG.*DS.*(\d{14}).*(\d{14}).*(\s)([a-z]{0,100}\.)(\s).*#) {
+ print "DSDS ($4) ";
+ }
+ }
+ # dlv-check
+ for (@digtest_3) {
+ if (m#NOERROR#) {
+ $dsrec = "dlv";
+ }
+ }
+ push @print_infos, "$zone - $zskcount - $kskcount - $dsrec - $ftime \n";
+ $count ++;
+}
+
+#print @print_infos;# @print_infos enthält mehr informationen
+
+# Ausgabe und Ende
+if ($set_exit == 0) {
+ print "OK: $count DNSSEC-Zones checked; ";
+ print "next end is $oldest_name at $oldest_ftime \n";
+}
+if ($set_exit == 1) { print "WARNING: "}
+if ($set_exit == 2) { print "CRITICAL: "}
+print "@print_zones ($oldest_ftime)\n";
+exit $set_exit;
diff -r d3269961e944 -r f5db9f4a3e76 dnssec-creatkey
--- a/dnssec-creatkey Fri Aug 13 17:00:37 2010 +0200
+++ b/dnssec-creatkey Thu Sep 30 11:35:51 2010 +0200
@@ -274,7 +274,7 @@ } -# "toucht" alle zonen damit der serial erhoht wird und die +# "toucht" alle zonen damit der serial erhoeht und die # zone neu signiert wird for ( &del_double( @change, @manu ) ) { system "touch $master_dir/$_/$_";
diff -r d3269961e944 -r f5db9f4a3e76 dnstools.conf
--- a/dnstools.conf Fri Aug 13 17:00:37 2010 +0200
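Review bot: The zone names captured by `m#ZONE::(.*)::sec-on#` are unauthenticated data read from the index zone's TXT records, and each one is interpolated unchanged into the backtick command `dig +dnssec \@$dns_server $_`, into the three `dig ... $zone ...` calls that fill @digtest_1..3, and into the pattern `s#($zone).*...#$2#`, so any TXT content that is not a plain host name reaches a shell command line and a regex. Validate the capture before using it, `my $name = $1; next unless $name =~ m{\A[A-Za-z0-9.-]+\z}; push @sec_zones, $name;`, run dig through a list-form pipe such as `open my $dig, '-|', 'dig', '+dnssec', "\@$dns_server", $zone or die "dig: $!\n";` so no shell is involved, and write the interpolation as `\Q$zone\E`. `$dsrec` is declared once outside the zone loop and never reset, so after the first zone whose `$zone.dlv.isc.org` lookup returns NOERROR every later entry in @print_infos reports `dlv` too; initialise it at the top of the `for (@sec_zones)` body. `$count` is likewise never initialised, so an empty @sec_zones prints an undefined count in the OK line.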
+++ b/dnstools.conf Thu Sep 30 11:35:51 2010 +0200
@@ -1,12 +1,16 @@
-bind_dir = /etc/bind
-master_dir = /etc/bind/master
-zone_conf_dir = /etc/bind/zones.d
-key_counter_end = 20 # Anzahl der Signierungen bis zum Key-Rollover
-sign_alert_time = 48 # Warn-Zeitraum vor dem Ablauf einer Zone-Signatur in h
-abl_zeit = 1 # Dauer des Key-Rollover (2 Schluessel) in h
+bind_dir = /etc/bind # bind-Hauptverzeichnis
+master_dir = /etc/bind/master # Verzeichnis für die einzelnen Zonen-Verzeichnisse
+zone_conf_dir = /etc/bind/zones.d # Verzeichnis für die Zonen-Konfigurationdateien
+
+key_counter_end = 20 # Anzahl der Signierungen bis zum Key-Rollover
+sign_alert_time = 72 # Warn-Zeitraum vor dem Ablauf einer Zone-Signatur in h
+abl_zeit = 24 # Dauer des Key-Rollover (2 Schluessel) in h
+
 secondary = hh.schlittermann.de
 primary = pu.schlittermann.de
-indexzone = index.zone.eins.lan
+
+indexzone = idx.net.schlittermann.de # Name der Indexdatei
+
 #this_host
 #this_ip
 #this_domain
diff -r d3269961e944 -r f5db9f4a3e76 update-index
--- a/update-index Fri Aug 13 17:00:37 2010 +0200
+++ b/update-index Thu Sep 30 11:35:51 2010 +0200
@@ -53,8 +53,13 @@ for my $dir ( glob "$master_dir/*" ) { $zone = basename($dir); + my $info_end = "::sec-off"; - $iz_line = "\t\tIN TXT\t\t\"ZONE::$zone\"\n"; + if (-e "$dir/.keycounter") { + $info_end = "::sec-on"; + } + + $iz_line = "\t\tIN TXT\t\t\"ZONE::$zone$info_end\"\n"; push @iz_content_new, $iz_line; }
diff -r d3269961e944 -r f5db9f4a3e76 update-zone
--- a/update-zone Fri Aug 13 17:00:37 2010 +0200
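Review bot: `$info_end` in the update-index hunk is given a default and then conditionally overwritten, which reads more directly as a single conditional assignment, `my $info_end = -e "$dir/.keycounter" ? "::sec-on" : "::sec-off";`. A short comment on that line stating why the presence of `.keycounter` in a zone directory is taken as the DNSSEC-enabled marker would spare the next maintainer a search, since the suffix is what other tools presumably key on when reading the index; the enclosing `for` loop lies fully inside the hunk.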
@@ -21,6 +21,12 @@ use FindBin; my @configs = ( "$FindBin::Bin/dnstools.conf", "/etc/dnstools.conf" ); +my @dnssec_killkeys + = ( "$FindBin::Bin/dnssec-killkey", "/usr/bin/dnstools/dnssec-killkey" ); +my $dnssec_killkey; +my @dnssec_creatkeys + = ( "$FindBin::Bin/dnssec-creatkey", "/usr/bin/dnstools/dnssec-creatkey" ); +my $dnssec_creatkey; my @dnssec_signs = ( "$FindBin::Bin/dnssec-sign", "/usr/bin/dnstools/dnssec-sign" ); my %config; @@ -34,6 +40,22 @@ unless ( seek( CONFIG, 0, 0 ) ) { die "Can't open config (searched: @configs)\n"; } +foreach ( grep {-f} @dnssec_killkeys ) { + if ( -x $_ ) { + $dnssec_killkey = $_; + } + else { + die "Can't run $_\n"; + } +} +foreach ( grep {-f} @dnssec_creatkeys ) { + if ( -x $_ ) { + $dnssec_creatkey = $_; + } + else { + die "Can't run $_\n"; + } +} foreach ( grep {-f} @dnssec_signs ) { if ( -x $_ ) { $dnssec_sign = $_; @@ -65,6 +87,7 @@ my @Zones; my $file; + sub cleanup() { unlink @tmpfiles; } END { cleanup(); } @@ -78,7 +101,7 @@ @Zones = @ARGV ? @ARGV : glob("$master_dir/*"); MAIN: { - my $changed; + my $changed = 0; my ( $dd, $mm, $yy ) = ( localtime() )[ 3 .. 5 ]; my $date; $mm++; @@ -109,12 +132,12 @@ print "$2 ==> $2.signed\n"; $_ = "$1$2.signed$3\n"; } + } - open( FILE, ">$conf_file" ) or die "$conf_file: $!\n"; - print FILE @c_content; - close(FILE); - - } + open( FILE, ">$conf_file" ) or die "$conf_file: $!\n"; + print FILE @c_content; + close(FILE); + } else { @@ -136,6 +159,7 @@ } # erzeugt eine named.conf-datei aus den entsprechenden vorlagen. + print "** creat named.conf.zones **\n"; open( TO, ">$bind_dir/named.conf.zones" ) or die "$bind_dir/named.conf.zones: $!\n"; while (<$conf_dir/*>) { 
@@ -145,7 +169,20 @@ } close(TO); + # aufruf von sign-killkey + print "** execute dnssec-killkey for keyrollover **\n"; + system "$dnssec_killkey"; + die "$dnssec_killkey not found ($!)" if $? == -1; + exit 1 if $?; + + # aufruf von sign-creatkey + print "** execute dnssec-creatkey for keyrollover **\n"; + system "$dnssec_creatkey"; + die "$dnssec_creatkey not found ($!)" if $? == -1; + exit 1 if $?; + # update-serial + print "** update serial **\n"; foreach ( $dd, $mm ) { s/^\d$/0$&/; } $yy += 1900; $date = "$yy$mm$dd";
@@ -221,8 +258,10 @@ my $pidfile; - print - "** Changed $changed files, the nameserver needs to be reloaded!\n"; + unless ($changed == 0) { + print "Changed $changed files.\n"; + } + foreach ( qw(/var/run/bind/run/named.pid /var/run/named.pid /etc/named.pid)) {
@@ -230,6 +269,7 @@ } # dnssec-sign aufruf fuer geanderten domains + print "** execute dnssec-sign **\n"; system "$dnssec_sign @change_names"; die "$dnssec_sign not found ($!)" if $? == -1; exit 1 if $?;
diff -r d3269961e944 -r f5db9f4a3e76 zone-ls
--- a/zone-ls Fri Aug 13 17:00:37 2010 +0200
+++ b/zone-ls Thu Sep 30 11:35:51 2010 +0200
@@ -36,7 +36,7 @@ die "$master_dir: $!\n"; } -printf "%-25s %-8s %1s/%1s %3s %7s\n", "Domain", "Status", "ZSK", "KSK", +printf "%-35s %-8s %1s/%1s %3s %7s\n", "Domain", "Status", "ZSK", "KSK", "Used", "Sig-end"; for my $dir ( glob "$master_dir/*" ) {
@@ -93,7 +93,7 @@ } continue { - printf "%-25s %-8s %1d/%1d %5d %19s\n", $zone, $info_status, $info_zsk, + printf "%-35s %-8s %1d/%1d %5d %19s\n", $zone, $info_status, $info_zsk, $info_ksk, $info_kc, $info_end; }
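Review bot: `unless ($changed == 0)` in the `@@ -221,8 +258,10 @@` hunk is a double negative for what is simply `if ($changed) { print "Changed $changed files.\n"; }`. The removed message also told the operator that the nameserver needs to be reloaded; if that is still the case after this change the new text should keep saying so, and if it no longer is, a one-line comment explaining why would help the next reader. The enclosing block starts outside the hunk.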