--- a/dnssec-creatkey Wed Aug 11 11:15:49 2010 +0200
+++ b/dnssec-creatkey Wed Aug 11 14:08:33 2010 +0200
@@ -231,7 +231,7 @@
if ( $file =~ /.*key/ ) {
$file =~ s#/.*/(K.*)#$1#;
- push @new_zone_content, "\$include $file\t\t; dnssec-zsk\n" ;
+ push @new_zone_content, "\$INCLUDE \"$file\"\t\t; dnssec-zsk\n" ;
last;
}
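Review bot: The new `$INCLUDE` line is emitted for every `$file` that passes `/.*key/`, and that match is unanchored, so any path containing the substring `key` satisfies it — including a `.private` file if the key directory's name contains `key` — and the zone would then `$INCLUDE` private key material; anchoring on the suffix, `if ( $file =~ /\.key\z/ ) {`, restricts it to the public-key files the line is meant for. The same guard precedes the new line in the `@@ -247` hunk of dnssec-creatkey and in the `@@ -182` and `@@ -198` hunks of dnssec-killkey. The loop that supplies `$file` starts outside the hunk, so whether its candidates can include `.private` files cannot be confirmed here. As far as I know BIND 9 resolves a relative `$INCLUDE` path against named's working directory (the `directory` option) rather than the including zone file's directory, so the stripped name written here presumes the two coincide; a short comment on the push line stating that assumption would help the next maintainer.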
@@ -247,7 +247,7 @@
if ( $file =~ /.*key/ ) {
$file =~ s#/.*/(K.*)#$1#;
- push @new_zone_content, "\$include $file\t\t; dnssec-ksk\n" ;
+ push @new_zone_content, "\$INCLUDE \"$file\"\t\t; dnssec-ksk\n" ;
last;
}
--- a/dnssec-killkey Wed Aug 11 11:15:49 2010 +0200
+++ b/dnssec-killkey Wed Aug 11 14:08:33 2010 +0200
@@ -32,6 +32,8 @@
my $zone;
my @status;
my @auto;
+my @old_zone_content;
+my @new_zone_content;
chomp( my $now_time = `date +%s` ); # aktuelle unixzeit
# prueft zonen aus ARGV und loescht das schluesselmaterial
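Review bot: `@old_zone_content` and `@new_zone_content` are declared here at file scope, and the later hunks of this file push `$INCLUDE` lines onto `@new_zone_content` per zone; since the script processes every zone given on the command line, both arrays need to be emptied at the start of each zone iteration (`@new_zone_content = ();` and the same for `@old_zone_content`), or lines collected for one zone carry over into the next zone file. The per-zone loop is outside this hunk, so this may already be handled; either way a comment at the declarations such as `# per-zone buffers, reset at the top of the zone loop` would make the intended lifetime explicit.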
@@ -182,7 +184,7 @@
if ( $file =~ /.*key/ ) {
$file =~ s#/.*/(K.*)#$1#;
- push @new_zone_content, "\$include $file\t\t; dnssec-zsk\n" ;
+ push @new_zone_content, "\$INCLUDE \"$file\"\t\t; dnssec-zsk\n" ;
last;
}
@@ -198,7 +200,7 @@
if ( $file =~ /.*key/ ) {
$file =~ s#/.*/(K.*)#$1#;
- push @new_zone_content, "\$include $file\t\t; dnssec-ksk\n" ;
+ push @new_zone_content, "\$INCLUDE \"$file\"\t\t; dnssec-ksk\n" ;
last;
}
--- a/dnstools.conf Wed Aug 11 11:15:49 2010 +0200
+++ b/dnstools.conf Wed Aug 11 14:08:33 2010 +0200
@@ -3,7 +3,7 @@
zone_conf_dir = /etc/bind/zones.d
key_counter_end = 20 # Anzahl der Signierungen bis zum Key-Rollover
sign_alert_time = 48 # Warn-Zeitraum vor dem Ablauf einer Zone-Signatur in h
-abl_zeit = 24 # Dauer des Key-Rollover (2 Schluessel) in h
+abl_zeit = 1 # Dauer des Key-Rollover (2 Schluessel) in h
secondary = hh.schlittermann.de
primary = pu.schlittermann.de
#this_host
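Review bot: `abl_zeit = 1` shrinks the two-key rollover window to one hour; for the window to be safe, it has to exceed the DNSKEY and RRSIG TTLs plus propagation to the secondary, otherwise resolvers that still cache the old DNSKEY RRset fail to validate signatures made with the new key once the old one is withdrawn. Nothing in the diff says whether this is a test setting, and the trailing comment still describes it only as the rollover duration; if it is a test value, say so in the comment, e.g. `abl_zeit = 1 # Dauer des Key-Rollover (2 Schluessel) in h -- Testwert; produktiv >= DNSKEY-TTL + Propagation`.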
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/update-serial Wed Aug 11 14:08:33 2010 +0200
@@ -0,0 +1,182 @@
+#! /usr/bin/perl
+# (c) 1998 Heiko Schlittermann <heiko@datom.de>
+#
+# … work in progress do integrate dnssec (branch suess)
+#
+# Update the serial numbers in zone files
+# The serial number needs to match a specified pattern (see
+# the line marked w/ PATTERN.
+#
+# ToDo:
+# . test against an md5 sum, not just the date of the stamp file
+# . FIXME: handle `/' in file names (currently only working in
+# the current directory)
+# . optionally reload the named
+
+
+use strict;
+use warnings;
+
+use File::Basename;
+use File::Copy;
+use FindBin;
+
+my @configs = ( "$FindBin::Bin/dnstools.conf", "/etc/dnstools.conf" );
+my @dnssec_signs = ( "$FindBin::Bin/dnssec-sign", "/usr/bin/dnstools/dnssec-sign");
+my %config;
+my $dnssec_sign;
+
+foreach ( grep {-f} @configs ) {
+ open( CONFIG, $_ ) or die "Can't open $_: $!\n";
+}
+
+unless ( seek( CONFIG, 0, 0 ) ) {
+ die "Can't open config (searched: @configs)\n";
+}
+foreach ( grep {-f} @dnssec_signs ) {
+ if (-x $_) {
+ $dnssec_sign = $_;
+ }
+ else {
+ die "Can't run $_\n"
+ }
+}
+
+
+while (<CONFIG>) {
+ chomp;
+ s/#.*//;
+ s/\t//g;
+ s/\s//g;
+ next unless length;
+ my ( $cname, $ccont ) = split( /\s*=\s*/, $_, 2 );
+ $config{$cname} = $ccont;
+}
+close(CONFIG);
+
+my $bind_dir = $config{bind_dir};
+my $conf_dir = $config{zone_conf_dir};
+my $master_dir = $config{master_dir};
+
+my $ME = basename $0;
+my @tmpfiles;
+my $verbose = 0;
+my $opt_yes = 0;
+my @Zones;
+my $file;
+
+sub cleanup() { unlink @tmpfiles; }
+END { cleanup(); }
+
+for (@ARGV) {
+ if ($_ eq "-y") {
+ $opt_yes = 1;
+ shift @ARGV;
+ }
+}
+
+@Zones = @ARGV ? @ARGV : glob("$master_dir/*");
+
+
+MAIN: {
+ my $changed;
+ my ($dd, $mm, $yy) =(localtime())[3..5];
+ my $date;
+ $mm++;
+
+ foreach ($dd, $mm) { s/^\d$/0$&/; }
+ $yy += 1900;
+ $date = "$yy$mm$dd";
+
+
+ while (my $file = shift @Zones) {
+
+ my $file_basename = basename($file);
+
+ $file =~ s#($master_dir)(/.*)#$1$2$2#;
+ local (*I, *O);
+ my $done = 0;
+
+ my $new = "$file.$$.tmp";
+ my $bak = "$file.bak";
+ my $stamp = $master_dir . "/.stamp/" . basename($file);
+
+ $file =~ /(\.bak|~)$/ and next;
+ $file !~ /\./ and next;
+
+ $verbose && print "$file:";
+
+
+ if (-f $stamp && ((stat($stamp))[9] >= (stat($file))[9])) {
+ $verbose && print " fresh, skipping.\n";
+ next;
+ }
+
+ $done = 0;
+ push @tmpfiles, $new;
+ open(*I, "<$file") or die("Can't open < $file: $!\n");
+ open(*O, ">$new") or die("Can't open > $new: $!\n");
+
+ while (<I>) {
+ /^\s+((\d+)(\d{2}))\s*;\s*serial/i and do { # PATTERN
+ my ($sdate, $scount, $serial) = ($2, $3, $1);
+ $done = 1;
+ print " [$file] serial $sdate$scount";
+
+ if ($date eq $sdate) { $scount++; }
+ else { $sdate = $date; $scount = "00"; }
+
+ print " bumping to $sdate$scount \n";
+ s/$serial/$sdate$scount/;
+
+ };
+ print O;
+ }
+
+ close(O); close(I);
+
+ if ($done) {
+ # copy($file, $bak) or die("Can't copy $file -> $bak: $!\n");
+
+ open(I, "<$new") or die("Can't open <$new: $!\n");
+ open(O, ">$file") or die("Can't open >$file: $!\n");
+ while (<I>) { print O or die("Can't write to $file: $!\n"); }
+ close(I) or die("Can't close $new: $!\n");
+ close(O) or die("Can't close $file: $!\n");
+
+ unlink $new;
+
+ open(O, ">$stamp") or die("Can't open >$stamp: $!\n");
+ close(O);
+ $changed++;
+
+ # dnssec - new sign
+ system "$dnssec_sign $file_basename";
+ die "$dnssec_sign not found ($!)" if $? == -1;
+ exit 1 if $?;
+
+ } else {
+ print " $file: no serial number found: no zone file?";
+ }
+ print "\n";
+ }
+
+ if ($changed) {
+ my $pidfile;
+
+ print "** Changed $changed files, the nameserver needs to be reloaded!\n";
+ foreach (qw(/var/run/bind/run/named.pid /var/run/named.pid /etc/named.pid)) {
+ -f $_ and $pidfile = $_ and last; }
+
+ if ($pidfile) {
+ if ($opt_yes) { $_ = "y"; print "** Nameserver will be reloaded\n"; }
+ else { print "** Reload now? [Y/n]: "; $_ = <STDIN>; }
+ /^y|^$/i and system "rndc reload";
+ } else {
+ print "** No PID of a running named found. Please reload manually.\n";
+ }
+
+ }
+}
+
+# vim:ts=4:sw=4:ai:aw:
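Review bot: `system "$dnssec_sign $file_basename";` passes the zone file name through the shell, and that name comes from `@ARGV` or `glob("$master_dir/*")`, so metacharacters in a file name are interpreted by the shell instead of reaching dnssec-sign; the list form `system($dnssec_sign, $file_basename);` avoids the shell and also lets the following `$? == -1` check actually report a missing dnssec-sign. `$dnssec_sign` stays undef when neither entry of `@dnssec_signs` exists, because the selection loop only dies for a candidate that exists but is not executable, so add `defined $dnssec_sign or die "no dnssec-sign found (searched: @dnssec_signs)\n";` after that loop. The `-y` handling shifts the first element of `@ARGV` rather than the `-y` itself, so `update-serial zone -y` drops `zone` and later treats `-y` as a zone name; `$opt_yes = grep { $_ eq '-y' } @ARGV; @ARGV = grep { $_ ne '-y' } @ARGV;` does what was intended. The opens of `$file`, `$new` and `$stamp` are two-argument with the name interpolated into the mode string; the three-argument form (`open(my $in, '<', $file) or die ...`) keeps names with leading or trailing whitespace intact and is the conventional form, and `s#($master_dir)(/.*)#$1$2$2#` should interpolate the directory as `\Q$master_dir\E` so regex metacharacters in the configured path are matched literally.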
--- a/zone-mk Wed Aug 11 11:15:49 2010 +0200
+++ b/zone-mk Wed Aug 11 14:08:33 2010 +0200
@@ -31,14 +31,14 @@
open( TEMPCONF, $_ ) or die "Can't open $_: $!\n";
}
unless ( seek( TEMPCONF, 0, 0 ) ) {
- die "Can't open config (searched: @templc)\n";
+ die "Can't open template (searched: @templc)\n";
}
for ( grep {-f} @templz ) {
open( TEMPZONE, $_ ) or die "Can't open $_: $!\n";
}
unless ( seek( TEMPZONE, 0, 0 ) ) {
- die "Can't open config (searched: @templz)\n";
+ die "Can't open template (searched: @templz)\n";
}
while (<CONFIG>) {