--- a/README Tue Jun 29 09:54:44 2010 +0200
+++ b/README Wed Jun 30 13:15:11 2010 +0200
@@ -1,7 +1,8 @@
zonedatei erstellen
- mkdomain kundenname domainname
-- creatkey domainname # Ab bind 9.6 NSEC3RSASHA1 statt RSASHA1 zum erstellen der keys benutzen
+- dnssec-creatkey
+- dnssec-sign
- mkready
@@ -14,16 +15,18 @@
domainen eintragen
- manuel mit texteditor in master/domainname/domainname
-- update-serial ausfuehren >>> >>> >>> >>> # evt. erweitern > dnssec-signzone domainname im
- # entsprechenden verzeichnis (master/domainname)
- # ausfuehren
-neuen ZSK erstellen
+- update-serial ausfuehren
+- dnssec-sign
+
-- creatkey
-- killkeys
+ZSK key-rollover (manuell)
+
+- dnssec-creatkey <domain>
+- dnssec-killkeys
neuen KSK erstellen
-- creatkey
-- killkeys
+- dnssec-creatkey (manuell)
+- dnssec-killkeys
+
--- a/dnssec-creatkey Tue Jun 29 09:54:44 2010 +0200
+++ b/dnssec-creatkey Wed Jun 30 13:15:11 2010 +0200
@@ -1,54 +1,66 @@
#!/bin/bash
-
-ZONE_DIR="/etc/bind/master"
-ZSKLIVE=60 # ZSK-Schluessellebensdauer in Tagen
+source dnstools.conf
-function TEST_ZSK { # prueft ob es einen ZSK gibt
- for DOMAIN in $ZONE_DIR/*
+master_dir=$MASTER_DIR
+key_counter_end=$KEY_COUNTER_END
+eingabe=$@
+
+function test_zsk_aenderung {
+ for domain in $eingabe
do
- test -f $DOMAIN/index.zsk || echo ${DOMAIN##/*/}
+ test -d $master_dir/$domain && echo $domain
done
}
-function TEST_KSK { # prueft ob es einen KSK gibt
- for DOMAIN in $ZONE_DIR/*
+
+function test_zsk_new { # prueft ob es einen ZSK gibt
+ for zone in $master_dir/*
do
- test -f $DOMAIN/index.ksk || echo ${DOMAIN##/*/}
+ test -f $zone/index.zsk || echo ${zone##/*/}
done
}
-function TEST_ZSK_TIME { # prueft ob der ZSK abgelaufen ist
- for DOMAIN in $ZONE_DIR/*
+function test_ksk_new { # prueft ob es einen KSK gibt
+ for zone in $master_dir/*
do
- STARTTIME=`ls $DOMAIN/index.zsk -l --time-style=+%s | cut -d' ' -f6 2>/dev/null`
- ENDTIME=$[STARTTIME + $[ZSKLIVE * 86400]]
- NOWTIME=`date +%s`
+ test -f $zone/index.ksk || echo ${zone##/*/}
+ done
+}
- if [ $ENDTIME -le $NOWTIME ]
+function test_zsk_time { # prueft den keycounter
+ for zone in $master_dir/*
+ do
+ key_counter_end=$1
+ test -f $zone/keycounter || echo 0 > $zone/keycounter
+ key_counter=`< $zone/keycounter`
+
+ if [ $key_counter_end -le $key_counter ]
then
- echo ${DOMAIN##/*/}
+ echo ${zone##/*/}
fi
done
}
-
-VAR_ZSK_TIME=`TEST_ZSK_TIME`
-VAR_ZSK=`TEST_ZSK`
-VAR_KSK=`TEST_KSK`
+zsk_aenderung=`test_zsk_aenderung`
+zsk_time=`test_zsk_time $key_counter_end`
+zsk_new=`test_zsk_new`
+ksk_new=`test_ksk_new`
-for NEW_ZSK_ZONE in $VAR_ZSK $VAR_ZSK_TIME # Erstellt ZSK
+for NEW_ZSK_ZONE in $zsk_new $zsk_time $zsk_aenderung # Erstellt ZSK
do
- cd $ZONE_DIR/$NEW_ZSK_ZONE
+ cd $master_dir/$NEW_ZSK_ZONE
echo "erzeugt zsk fuer" $NEW_ZSK_ZONE
dnssec-keygen -a RSASHA1 -b 512 -n ZONE $NEW_ZSK_ZONE >> index.zsk
INDEX_ZSK=$( tail -n2 index.zsk )
echo $INDEX_ZSK | fmt -w1 > index.zsk
+
+ echo 0 > keycounter
done
-for NEW_KSK_ZONE in $VAR_KSK # Erstellt KSK
+for NEW_KSK_ZONE in $ksk_new # Erstellt KSK
do
- cd $ZONE_DIR/$NEW_KSK_ZONE
+ cd $master_dir/$NEW_KSK_ZONE
echo "erzeugt ksk fuer" $NEW_KSK_ZONE
dnssec-keygen -a RSASHA1 -b 2048 -f KSK -n ZONE $NEW_KSK_ZONE >> index.ksk
INDEX_KSK=$( tail -n2 index.ksk )
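Review bot: `source dnstools.conf` on the first added line resolves the configuration against whatever directory the script is started from, so a stray or attacker-planted dnstools.conf in the caller's cwd is executed as shell (presumably as root, since everything below writes under /etc/bind) before any key is touched, and the three sibling scripts in this commit each resolve the same file differently. Anchoring it to the script's own location, `source "$(dirname "$0")/dnstools.conf"`, fixes both. The three lists fed to the ZSK loop (`$zsk_new $zsk_time $zsk_aenderung`) are not de-duplicated: a zone that both lacks index.zsk and is named on the command line is generated twice, leaving two brand-new keys in index.zsk and no overlap key for the rollover; piping the combined list through `sort -u` before the loop avoids that. Independently of this change, the ZSK is still generated with `-b 512`, which is far below what is considered safe for RSA; 1024 bits was the common minimum for a ZSK at the time and 2048 is the usual choice now.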
@@ -57,9 +69,9 @@
-for ZONE in $VAR_ZSK $VAR_KSK $VAR_ZSKTIME
+for ZONE in $zsk_time $zsk_new $ksk_new $zsk_aenderung
do
- cd $ZONE_DIR/$ZONE
+ cd $master_dir/$ZONE
#loescht alle Schluessel die nicht in der indexdatei stehen
rm $(ls K*[key,private] | grep -v "`cat index.zsk`" | grep -v "`cat index.ksk`") 2> /dev/null
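Review bot: `cd $master_dir/$ZONE` is unchecked, so if the directory cannot be entered the `rm` below runs in whatever directory the previous iteration left (or the script's start directory), deleting K* key files that belong to a different zone; `cd "$master_dir/$ZONE" || continue` closes that. The `[key,private]` suffix is a bracket expression matching one character, not the alternation it reads as — it only matches `.key`/`.private` because of their last letter — so `K*.key K*.private` would state the intent. Because the loop now also takes `$zsk_aenderung`, operator-supplied zone names reach `cd` and `rm` unquoted; they are pre-filtered by `test -d`, but quoting `"$ZONE"` here costs nothing and removes the dependence on that filter.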
--- a/dnssec-ls Tue Jun 29 09:54:44 2010 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,22 +0,0 @@
-#!/bin/bash
-
-ZONE_DIR="/etc/bind/master"
-ZSKLIVE=60 # ZSK-Schluessellebensdauer in Tagen
-KSKLIVE=360 # KSK-Schluessellebensdauer in Tagen
-
-
-for DOMAIN in $ZONE_DIR/*
-do
-
- STARTTIME=`ls $DOMAIN/index.zsk -l --time-style=+%s | cut -d' ' -f6`
- Z_ENDTIME=$[STARTTIME + $[ZSKLIVE * 86400]]
- echo ${DOMAIN##/*/} index.zsk `date -d @$Z_ENDTIME +%d.%m.%Y` | tr ' ' '\t'
-
- STARTTIME=`ls $DOMAIN/index.ksk -l --time-style=+%s | cut -d' ' -f6`
- K_ENDTIME=$[STARTTIME + $[KSKLIVE * 86400]]
- echo ${DOMAIN##/*/} index.ksk `date -d @$K_ENDTIME +%d.%m.%Y` | tr ' ' '\t'
-done
-
-
- #echo Ablauf $INDEX `date -d @$ENDTIME +%Y%m%d000000`
-
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/dnssec-lskey Wed Jun 30 13:15:11 2010 +0200
@@ -0,0 +1,23 @@
+#!/bin/bash
+source ./dnstools.conf
+
+master_dir=$MASTER_DIR
+zsklive=$ZSKLIVE # ZSK-Schluessellebensdauer in Tagen
+ksklive=$KSKLIVE # KSK-Schluessellebensdauer in Tagen
+
+
+for domain in $master_dir/*
+do
+
+ start_time=`ls $domain/index.zsk -l --time-style=+%s | cut -d' ' -f6`
+ z_end_time=$[start_time + $[zsklive * 86400]]
+ echo ${domain##/*/} index.zsk `date -d @$z_end_time +%d.%m.%Y` | tr ' ' '\t'
+
+ start_time=`ls $domain/index.ksk -l --time-style=+%s | cut -d' ' -f6`
+ k_end_time=$[start_time + $[ksklive * 86400]]
+ echo ${domain##/*/} index.ksk `date -d @$k_end_time +%d.%m.%Y` | tr ' ' '\t'
+done
+
+
+ #echo Ablauf $INDEX `date -d @$ENDTIME +%Y%m%d000000`
+
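Review bot: The expiry dates printed here are the mtime of index.zsk/index.ksk plus ZSKLIVE/KSKLIVE, but in this same commit dnssec-creatkey drops the age-based rollover in favour of the `keycounter` signing count (KEY_COUNTER_END) and rewrites index.zsk on every key generation, so the listed dates no longer describe when a rollover will actually happen. Either print the counter alongside, e.g. `$(< "$domain/keycounter")` against `$KEY_COUNTER_END`, or add a header comment stating that the dates are informational only. The mtime is recovered by parsing `ls -l` and cutting on single spaces, which breaks whenever a column width shifts; `stat -c %Y "$domain/index.zsk"` returns the epoch seconds directly. As in the other scripts, `source ./dnstools.conf` is resolved against the caller's working directory rather than the script's, so running this from elsewhere silently leaves ZSKLIVE/KSKLIVE empty and the arithmetic fails.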
--- a/dnssec-sign Tue Jun 29 09:54:44 2010 +0200
+++ b/dnssec-sign Wed Jun 30 13:15:11 2010 +0200
@@ -1,26 +1,56 @@
#!/bin/bash
+source ./dnstools.conf
+master_dir=$MASTER_DIR
-ZONE_DIR="/etc/bind/master"
-ZSKLIVE=60
+function time_out { #prüft den ablauf der signatur
+ unowtime=`date +%s`
+ alerttime=`date -d @$[unowtime - $[ 3600 * $SIGN_ALERT_TIME ] ] +%Y%m%d%H`
-function AENDERUNG {
- for DOMAIN in $ZONE_DIR/*
- do
- find $DOMAIN -name "*.signed" -mmin -1440 >/dev/null && echo $DOMAIN
+ for zone in $master_dir/*
+ do
+ domain=${zone##/*/}
+ if [ -f $zone/$domain.signed ]
+ then
+ endtime=`cat $zone/$domain.signed | egrep 'DNSKEY' | egrep '[0-9]{14}' | head -n1 | cut -d" " -f5 | cut -c 1-10`
+ fi
+
+ if [ $endtime ]
+ then
+ if [ $alerttime -ge $endtime ]
+ then
+ echo $zone
+ fi
+ fi
done
}
-AENDERUNG
-
-for ZONE in `AENDERUNG`
-do
- cd $ZONE
+function new_sign { # prüft nach der ersten signatur
+ for zone in $master_dir/*
+ do
+ if [ `< $zone/keycounter` -le 0 ]
+ then
+ echo $zone
+ fi
+ done
+}
- DOMAIN=${ZONE##/*/}
+function aenderung { # manuelle eingabe
+ for domain in $@
+ do
+ test -d $master_dir/$domain && echo $master_dir/$domain
+ done
+}
- STARTTIME=`ls index.zsk -l --time-style=+%s | cut -d' ' -f6`
- ENDTIME=$[STARTTIME + $[ZSKLIVE * 86400]]
+zone_aenderung=`aenderung $@`
+zone_new_sign=`new_sign`
+zone_time_out=`time_out`
- dnssec-signzone -e `date -d @$ENDTIME +%Y%m%d000000` $DOMAIN
+for zone in $zone_aenderung $zone_new_sign $zone_time_out
+do
+ cd $zone
+ domain=${zone##/*/}
+ dnssec-signzone $domain
+ key_counter=`< keycounter`
+ echo $[ key_counter + 1 ] > keycounter
done
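Review bot: In `time_out`, `endtime` is only assigned when `$zone/$domain.signed` exists and is never cleared, so a zone without a signed file is compared against the expiry of the previous zone and may be emitted (and re-signed) on the strength of someone else's timestamp; reset it at the top of each iteration with `endtime=`. The signing loop increments `keycounter` unconditionally, so a failed `dnssec-signzone` (missing key, zone syntax error) still advances the counter towards KEY_COUNTER_END; `dnssec-signzone "$domain" || continue` before the increment keeps the counter honest, and `cd "$zone" || continue` prevents signing in the wrong directory. A zone that appears in more than one of `$zone_aenderung $zone_new_sign $zone_time_out` is signed and counted twice. `new_sign` reads `$zone/keycounter` without checking that it exists, which appears to be true only once dnssec-creatkey has run for that zone.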
--- a/dnstools.conf Tue Jun 29 09:54:44 2010 +0200
+++ b/dnstools.conf Wed Jun 30 13:15:11 2010 +0200
@@ -3,4 +3,11 @@
THIS_HOST=
THIS_IP=
THIS_DOMAIN=
-
+SECONDARY_IP=
+HOSTMASTER=
+MASTER_DIR=/etc/bind/master
+ZONE_CONF_DIR=/etc/bind/zones.d
+ZSKLIVE=60 # ZSK-Schluessellebensdauer in Tagen
+KSKLIVE=360 # KSK-Schluessellebensdauer in Tagen
+KEY_COUNTER_END=5 # Anzahl der maximalen Signierungen bis zum Key-Rollover
+SIGN_ALERT_TIME=48 # Warn-Zeitraum vor dem ablauf einer Zone-Signatur in Stunden
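Review bot: This file is `source`d by every script in the commit, so each line is executed as bash rather than parsed as configuration: a value containing spaces or shell metacharacters must be quoted, and anyone who can write this file can run arbitrary commands with the privileges of the DNS tooling, presumably root given the paths under /etc/bind. A header comment making that explicit, e.g. `# Sourced as bash by mkdomain and dnssec-*: keep root-owned and not group/world-writable; quote values containing spaces`, would help the next operator. `SECONDARY_IP=` and `HOSTMASTER=` are deliberately empty so that mkdomain's `${VAR:-default}` fallbacks apply; a trailing `# leer = automatisch ermitteln` on those two lines would make that intent visible instead of looking like an unfinished edit.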
--- a/mkdomain Tue Jun 29 09:54:44 2010 +0200
+++ b/mkdomain Wed Jun 30 13:15:11 2010 +0200
@@ -12,7 +12,6 @@
exit
fi
-
customer="$1"; shift
start=$(date -I)
@@ -20,21 +19,29 @@
source dnstools.conf
secondary=$SECONDARY
-secondary_ip=${secondary_ip=$(dig +short $secondary)}
+secondary_ip=${SECONDARY_IP:-$(dig +short $secondary)}
this_host=${THIS_HOST:-$(hostname -f)}
this_ip=${THIS_IP:-$(hostname -i)}
this_domain=${THIS_DOMAIN:-$(hostname -d)}
primary=${PRIMARY:-$this_host}
-hostmaster=${hostmaster="hostmaster.$this_domain"}
+hostmaster=${HOSTMASTER:-"hostmaster.$this_domain"}
+
+zone_conf_dir=${ZONE_CONF_DIR:-/etc/bind/zones.d}
+master_dir=${MASTER_DIR:-/etc/bind/master}
-primary_dir=${primary_dir=/etc/bind/zones.d}
-master_dir=${master_dir=/etc/bind/master}
+if [ ! -d $master_dir ]
+then
+ echo $master_dir nicht gefunden
+ exit 1
+fi
-test -d $primary_dir || mkdir $primary_dir
-test -d $master_dir || mkdir $master_dir
-
+if [ ! -d $zone_conf_dir ]
+then
+ echo $zone_conf_dir nicht gefunden
+ exit 1
+fi
# debug option
if test $opt_debug; then
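Review bot: `secondary_ip=${SECONDARY_IP:-$(dig +short $secondary)}` can return several lines (multiple A records, or a CNAME followed by its target) or nothing when resolution fails, and nothing in this hunk checks the result; presumably it is written into the generated zone or named configuration, where a multi-line or empty value yields a broken file. Restricting the lookup to one address record and failing early covers both: `secondary_ip=${SECONDARY_IP:-$(dig +short "$secondary" A | head -n1)}` followed by `[ -n "$secondary_ip" ] || { echo "keine IP fuer $secondary"; exit 1; }`. Since the fallback address comes from an unvalidated DNS answer at zone-creation time, setting SECONDARY_IP explicitly in dnstools.conf is the safer default for a production master and the README could say so. The new directory checks are a good change, but they also make it matter that `source dnstools.conf` is resolved against the cwd: if the file is not found, MASTER_DIR is unset and the `${MASTER_DIR:-/etc/bind/master}` fallback silently hides the misconfiguration, so resolving it via `$(dirname "$0")` would be consistent with the stricter checks.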
@@ -44,7 +51,7 @@
primary: $primary
secondary: $secondary [$secondary_ip]
hostmaster: $hostmaster
-primary directory: $primary_dir
+zone config directory: $zone_conf_dir
xxx
exit
fi
@@ -55,7 +62,7 @@
test -d $master_dir/$domain || mkdir $master_dir/$domain
zonefile=$master_dir/$domain/$domain
- config=$primary_dir/$domain
+ config=$zone_conf_dir/$domain
echo "$domain ($utf8domain)"