--- a/dnssec-creatkey Thu Aug 12 10:18:58 2010 +0200
+++ b/dnssec-creatkey Fri Aug 13 10:09:37 2010 +0200
@@ -273,3 +273,9 @@
close(ZONE);
}
+
+# "toucht" alle zonen damit der serial erhoht wird und die
+# zone neu signiert wird
+for ( &del_double( @change, @manu ) ) {
+ system "touch $master_dir/$_/$_";
+}
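Review bot: `system "touch $master_dir/$_/$_"` in the new loop runs through the shell with the zone name interpolated unquoted, and its exit status is never checked, so a zone whose directory or file is missing is silently skipped and never re-signed. Perl can bump the mtime itself without spawning anything: `utime(undef, undef, "$master_dir/$_/$_") or warn "$master_dir/$_/$_: $!\n";` — or, if an external `touch` is wanted, the list form `system('touch', "$master_dir/$_/$_") == 0 or warn "touch $master_dir/$_/$_ failed\n";` keeps the shell out of it. The identical loop is added at the end of dnssec-killkey and the same applies there. `&del_double(...)` is the old ampersand call syntax; `del_double(@change, @manu)` is the conventional form.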
--- a/dnssec-killkey Thu Aug 12 10:18:58 2010 +0200
+++ b/dnssec-killkey Fri Aug 13 10:09:37 2010 +0200
@@ -38,6 +38,7 @@
my $zone;
my @status;
my @auto;
+my @manu;
my @old_zone_content;
my @new_zone_content;
chomp( my $now_time = `date +%s` ); # aktuelle unixzeit
@@ -57,24 +58,27 @@
if ( -e "$zdir/dsset-$zone." ) { unlink "$zdir/dsset-$zone." }
if ( -e "$zdir/keyset-$zone." ) { unlink "$zdir/keyset-$zone." }
for (`ls $master_dir/$zone/K*[key,private]`) { unlink $_ }
- }
-
- open( ZONE, "$master_dir/$zone/$zone" )
- or die "$master_dir/$zone/$zone: $!\n";
- @old_zone_content = <ZONE>;
- close(ZONE);
- for (@old_zone_content) {
- unless (/dnssec-(ksk|zsk)/) {
- push @new_zone_content, $_;
+ print "keys removed \n";
+
+ open( ZONE, "$master_dir/$zone/$zone" )
+ or die "$master_dir/$zone/$zone: $!\n";
+ @old_zone_content = <ZONE>;
+ close(ZONE);
+
+ for (@old_zone_content) {
+ unless (/dnssec-(ksk|zsk)/) {
+ push @new_zone_content, $_;
+ }
}
- }
- open( ZONE, ">$master_dir/$zone/$zone" )
- or die "$master_dir/$zone/$zone: $!\n";
- print ZONE @new_zone_content;
- close(ZONE);
-
+ open( ZONE, ">$master_dir/$zone/$zone" )
+ or die "$master_dir/$zone/$zone: $!\n";
+ print ZONE @new_zone_content;
+ close(ZONE);
+
+ push @manu, $zone;
+ }
}
# beendet den key-rollover
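Review bot: `@new_zone_content` is a file-scope array (declared next to `@manu` at the top of the script) that this block only pushes to and never clears, whereas `@old_zone_content` is reassigned from the freshly read file; if the enclosing block, whose start lies outside the hunk, runs for more than one zone, the second zone file would be written with the first zone's records prepended. Replacing the push loop with `@new_zone_content = grep { !/dnssec-(ksk|zsk)/ } @old_zone_content;` removes the accumulation and the nested `unless`. The rewrite also keeps the two-argument `open( ZONE, "$master_dir/$zone/$zone" )` and an unchecked `close(ZONE)` on the write handle; `open( my $zone_fh, '>', "$master_dir/$zone/$zone" ) or die ...` together with `close($zone_fh) or die "$master_dir/$zone/$zone: $!\n";` would surface a short write before the zone file is left truncated.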
@@ -228,3 +232,10 @@
print "$master_dir/$zone/$zone wurde neu erstellt \n";
}
+
+# "toucht" alle zonen damit der serial erhoht wird und die
+# zone neu signiert wird
+for ( &del_double( @auto, @manu ) ) {
+ system "touch $master_dir/$_/$_";
+}
+
--- a/dnssec-sign Thu Aug 12 10:18:58 2010 +0200
+++ b/dnssec-sign Fri Aug 13 10:09:37 2010 +0200
@@ -41,17 +41,22 @@
my @zone_sig_content;
my $sig_date;
my $kc;
+my $serial_up = 0;
+
+for (@ARGV) {
+ if ( $_ eq "-s" ) {
+ $serial_up = 1;
+ shift @ARGV;
+ }
+}
# prueft zonen aus ARGV und fuegt sie in die liste @manu ein
for (@ARGV) {
chomp( my $zone = `idn --quiet "$_"` );
- if ( -e "$master_dir/$zone" ) {
+ if ( -e "$master_dir/$zone/.keycounter" ) {
push @manu, $zone;
}
- else {
- print "$zone ist keine verwaltete zone \n";
- }
}
chomp( my $unixtime = `date +%s` );
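Review bot: The new `-s` loop removes the wrong element: `shift @ARGV` always drops the first argument, not the `-s` being looked at, so `dnssec-sign example.org -s` would discard `example.org` and later feed `-s` to `idn --quiet` as a zone name; and shifting an array while `for` iterates over it skips the element after the one removed. Replace the loop with `$serial_up = ( grep { $_ eq "-s" } @ARGV ) ? 1 : 0;` followed by `@ARGV = grep { $_ ne "-s" } @ARGV;`. Note also that with the `else` branch gone, an argument that is not a managed zone (no `.keycounter`) is now ignored without any message, which makes a typo in a zone name invisible to the operator.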
@@ -99,6 +104,34 @@
}
}
+#erhoeht den serial der zone
+for ( &del_double( @auto, @manu ) ) {
+ unless ($serial_up == 1) {
+ last
+ }
+
+ $zone = $_;
+ my @zonefile = ();
+ my $serial;
+
+ open ( ZONEFILE, "$master_dir/$zone/$zone")
+ or die "$master_dir/$zone/$zone: $!\n";
+ @zonefile = <ZONEFILE>;
+ close (ZONEFILE);
+
+ for (@zonefile) {
+ if (m#([0-9]{10}).*;.*serial#) {
+ $serial = $1 + 1;
+ s#(.*)([0-9]{10})(.*)#$1$serial$3#;
+ }
+ }
+
+ open ( ZONEFILE, ">$master_dir/$zone/$zone")
+ or die "$master_dir/$zone/$zone: $!\n";
+ print ZONEFILE @zonefile;
+ close (ZONEFILE);
+}
+
# signiert alle zonen in @auto und @manu und erhoeht den wert in
# der keycounter-datei
for ( &del_double( @auto, @manu ) ) {
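Review bot: The substitution `s#(.*)([0-9]{10})(.*)#$1$serial$3#` does not necessarily rewrite the number the preceding match captured: the leading greedy `(.*)` makes `([0-9]{10})` bind to the last ten-digit run on the line, while `m#([0-9]{10}).*;.*serial#` took the first, so a line carrying a second ten-digit value would have the wrong field replaced. Reuse the capture instead: `if (m#\b([0-9]{10})\b.*;.*serial#) { $serial = $1 + 1; s#\b$1\b#$serial#; }`. The `unless ($serial_up == 1) { last }` inside the loop body reads better as a guard around the whole loop, `if ($serial_up) { for ( del_double(@auto, @manu) ) { ... } }`, and since the zone file is rewritten in place, `close(ZONEFILE) or die "$master_dir/$zone/$zone: $!\n";` on the write handle would catch a short write before the zone is left truncated. This loop and the signing loop that follows both expand `&del_double(@auto, @manu)`; computing that list once would keep the two in step.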
--- a/update-serial Thu Aug 12 10:18:58 2010 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,193 +0,0 @@
-#! /usr/bin/perl
-# (c) 1998 Heiko Schlittermann <heiko@datom.de>
-#
-# … work in progress do integrate dnssec (branch suess)
-#
-# Update the serial numbers in zone files
-# The serial number needs to match a specified pattern (see
-# the line marked w/ PATTERN.
-#
-# ToDo:
-# . test against an md5 sum, not just the date of the stamp file
-# . FIXME: handle `/' in file names (currently only working in
-# the current directory)
-# . optionally reload the named
-
-use strict;
-use warnings;
-
-use File::Basename;
-use File::Copy;
-use FindBin;
-
-my @configs = ( "$FindBin::Bin/dnstools.conf", "/etc/dnstools.conf" );
-my @dnssec_signs
- = ( "$FindBin::Bin/dnssec-sign", "/usr/bin/dnstools/dnssec-sign" );
-my %config;
-my $dnssec_sign;
-my @change_names = ();
-
-foreach ( grep {-f} @configs ) {
- open( CONFIG, $_ ) or die "Can't open $_: $!\n";
-}
-
-unless ( seek( CONFIG, 0, 0 ) ) {
- die "Can't open config (searched: @configs)\n";
-}
-foreach ( grep {-f} @dnssec_signs ) {
- if ( -x $_ ) {
- $dnssec_sign = $_;
- }
- else {
- die "Can't run $_\n";
- }
-}
-
-while (<CONFIG>) {
- chomp;
- s/#.*//;
- s/\t//g;
- s/\s//g;
- next unless length;
- my ( $cname, $ccont ) = split( /\s*=\s*/, $_, 2 );
- $config{$cname} = $ccont;
-}
-close(CONFIG);
-
-my $bind_dir = $config{bind_dir};
-my $conf_dir = $config{zone_conf_dir};
-my $master_dir = $config{master_dir};
-
-my $ME = basename $0;
-my @tmpfiles;
-my $verbose = 0;
-my $opt_yes = 0;
-my @Zones;
-my $file;
-
-sub cleanup() { unlink @tmpfiles; }
-END { cleanup(); }
-
-for (@ARGV) {
- if ( $_ eq "-y" ) {
- $opt_yes = 1;
- shift @ARGV;
- }
-}
-
-@Zones = @ARGV ? @ARGV : glob("$master_dir/*");
-
-MAIN: {
- my $changed;
- my ( $dd, $mm, $yy ) = ( localtime() )[ 3 .. 5 ];
- my $date;
- $mm++;
-
- foreach ( $dd, $mm ) { s/^\d$/0$&/; }
- $yy += 1900;
- $date = "$yy$mm$dd";
-
- while ( my $file = shift @Zones ) {
-
- my $file_basename = basename($file);
-
- $file =~ s#($master_dir)(/.*)#$1$2$2#;
- local ( *I, *O );
- my $done = 0;
-
- my $new = "$file.$$.tmp";
- my $bak = "$file.bak";
- my $stamp = $master_dir . "/.stamp/" . basename($file);
-
- $file =~ /(\.bak|~)$/ and next;
- $file !~ /\./ and next;
-
- $verbose && print "$file:";
-
- if ( -f $stamp && ( ( stat($stamp) )[9] >= ( stat($file) )[9] ) ) {
- $verbose && print " fresh, skipping.\n";
- next;
- }
-
- $done = 0;
- push @tmpfiles, $new;
- open( *I, "<$file" ) or die("Can't open < $file: $!\n");
- open( *O, ">$new" ) or die("Can't open > $new: $!\n");
-
- while (<I>) {
- /^\s+((\d+)(\d{2}))\s*;\s*serial/i and do { # PATTERN
- my ( $sdate, $scount, $serial ) = ( $2, $3, $1 );
- $done = 1;
- print " [$file] serial $sdate$scount";
-
- if ( $date eq $sdate ) { $scount++; }
- else { $sdate = $date; $scount = "00"; }
-
- print " bumping to $sdate$scount";
- s/$serial/$sdate$scount/;
-
- };
- print O;
- }
-
- close(O);
- close(I);
-
- if ($done) {
-
- # copy($file, $bak) or die("Can't copy $file -> $bak: $!\n");
-
- open( I, "<$new" ) or die("Can't open <$new: $!\n");
- open( O, ">$file" ) or die("Can't open >$file: $!\n");
- while (<I>) { print O or die("Can't write to $file: $!\n"); }
- close(I) or die("Can't close $new: $!\n");
- close(O) or die("Can't close $file: $!\n");
-
- unlink $new;
-
- open( O, ">$stamp" ) or die("Can't open >$stamp: $!\n");
- close(O);
- $changed++;
-
- push @change_names, $file_basename;
-
- }
- else {
- print " $file: no serial number found: no zone file?";
- }
- print "\n";
- }
-
- if ($changed) {
- my $pidfile;
-
- # dnssec - new sign
- system "$dnssec_sign @change_names";
- die "$dnssec_sign not found ($!)" if $? == -1;
- exit 1 if $?;
-
- print
- "** Changed $changed files, the nameserver needs to be reloaded!\n";
- foreach (
- qw(/var/run/bind/run/named.pid /var/run/named.pid /etc/named.pid))
- {
- -f $_ and $pidfile = $_ and last;
- }
-
- if ($pidfile) {
- if ($opt_yes) {
- $_ = "y";
- print "** Nameserver will be reloaded\n";
- }
- else { print "** Reload now? [Y/n]: "; $_ = <STDIN>; }
- /^y|^$/i and system "rndc reload";
- }
- else {
- print
- "** No PID of a running named found. Please reload manually.\n";
- }
-
- }
-}
-
-# vim:ts=4:sw=4:ai:aw:
--- a/update-zone Thu Aug 12 10:18:58 2010 +0200
+++ b/update-zone Fri Aug 13 10:09:37 2010 +0200
@@ -1,23 +1,40 @@
-#!/usr/bin/perl
+#! /usr/bin/perl
+# (c) 1998 Heiko Schlittermann <heiko@datom.de>
+#
+# … work in progress do integrate dnssec (branch suess)
+#
+# Update the serial numbers in zone files
+# The serial number needs to match a specified pattern (see
+# the line marked w/ PATTERN.
+#
+# ToDo:
+# . test against an md5 sum, not just the date of the stamp file
+# . FIXME: handle `/' in file names (currently only working in
+# the current directory)
+# . optionally reload the named
use strict;
+use warnings;
+
+use File::Basename;
+use File::Copy;
use FindBin;
-# liest die Konfiguration ein
my @configs = ( "$FindBin::Bin/dnstools.conf", "/etc/dnstools.conf" );
my @dnssec_signs
= ( "$FindBin::Bin/dnssec-sign", "/usr/bin/dnstools/dnssec-sign" );
my %config;
my $dnssec_sign;
+my @change_names = ();
-for ( grep {-f} @configs ) {
+foreach ( grep {-f} @configs ) {
open( CONFIG, $_ ) or die "Can't open $_: $!\n";
}
+
unless ( seek( CONFIG, 0, 0 ) ) {
die "Can't open config (searched: @configs)\n";
}
-
-for ( grep {-f} @dnssec_signs ) {
+foreach ( grep {-f} @dnssec_signs ) {
if ( -x $_ ) {
$dnssec_sign = $_;
}
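Review bot: The header comment is copied verbatim from update-serial and no longer describes this script: it says only `Update the serial numbers in zone files`, while update-zone also switches the zone entries in `$conf_dir` between the plain and `.signed` zone file and regenerates `$bind_dir/named.conf.zones` before reloading. Add a line such as `# Also switches named.conf zone entries to <zone>.signed for DNSSEC zones and regenerates named.conf.zones` and either drop the `(c) 1998` / `work in progress` lines that belonged to the old file or rewrite them for this one. `use File::Copy;` is carried over as well, but no `copy` call appears in the new code visible here, so it presumably can go.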
@@ -41,84 +58,202 @@
my $conf_dir = $config{zone_conf_dir};
my $master_dir = $config{master_dir};
-unless ( -d $master_dir and -r $master_dir ) {
- die "$master_dir: $!\n";
+my $ME = basename $0;
+my @tmpfiles;
+my $verbose = 0;
+my $opt_yes = 0;
+my @Zones;
+my $file;
+
+sub cleanup() { unlink @tmpfiles; }
+END { cleanup(); }
+
+for (@ARGV) {
+ if ( $_ eq "-y" ) {
+ $opt_yes = 1;
+ shift @ARGV;
+ }
}
-unless ( -d $bind_dir and -r $bind_dir ) {
- die "$bind_dir: $!\n";
-}
+@Zones = @ARGV ? @ARGV : glob("$master_dir/*");
-# dnssec - new sign
-system "$dnssec_sign";
-die "$dnssec_sign not found ($!)" if $? == -1;
-exit 1 if $?;
+MAIN: {
+ my $changed;
+ my ( $dd, $mm, $yy ) = ( localtime() )[ 3 .. 5 ];
+ my $date;
+ $mm++;
-# prueft jede domain, die ein verzeichnis in $master_dir hat, ob es eine
-# datei $zone_file.signed gibt und ob diese datei in $config_file eingetragen
-# ist.
-# passt die eintraege in $config_file falls noetig an.
-while (<$master_dir/*>) {
- s#($master_dir/)(.*)#$2#;
- my $zone = $_;
+ # fuehrt automatische aktuallisierungen der zonen durch
+ system "$dnssec_sign";
+
+ # prueft jede domain, die ein verzeichnis in $master_dir hat, ob sie
+ # dnssec nutzt.
+ # passt die eintraege in $config_file falls noetig an.
+ while (<$master_dir/*>) {
+ s#($master_dir/)(.*)#$2#;
+ my $zone = $_;
- my $zone_file = "$master_dir/$zone/$zone";
- my $conf_file = "$conf_dir/$zone";
- my @c_content;
+ my $zone_file = "$master_dir/$zone/$zone";
+ my $conf_file = "$conf_dir/$zone";
+ my @c_content;
+
+ unless ( -f "$conf_file" ) {
+ die "$conf_file: $! \n";
+ }
+
+ if ( -e "$master_dir/$zone/.keycounter" ) {
+
+ open( FILE, "<$conf_file" ) or die "$conf_file: $!\n";
+ @c_content = <FILE>;
+ close(FILE);
- unless ( -f "$conf_file" ) {
- die "$conf_file: $! \n";
- }
+ for (@c_content) {
+ if (m{(.*)($zone_file)(";)}) {
+ print "$2 ==> $2.signed\n";
+ $_ = "$1$2.signed$3\n";
+ }
- if ( -f "$zone_file.signed" ) {
+ open( FILE, ">$conf_file" ) or die "$conf_file: $!\n";
+ print FILE @c_content;
+ close(FILE);
- open( FILE, "<$conf_file" ) or die "$conf_file: $!\n";
- @c_content = <FILE>;
- close(FILE);
+ }
+ }
+ else {
+
+ open( FILE, "<$conf_file" ) or die "$conf_file: $!\n";
+ @c_content = <FILE>;
+ close(FILE);
- for (@c_content) {
- if (m{(.*)($zone_file)(";)}) {
- print "$2 ==> $2.signed\n";
- $_ = "$1$2.signed$3\n";
+ for (@c_content) {
+ if (m{(.*)($zone_file)\.signed(.*)}) {
+ print "$2.signed ==> $2\n";
+ $_ = "$1$2$3\n";
+ }
}
-
+
open( FILE, ">$conf_file" ) or die "$conf_file: $!\n";
print FILE @c_content;
close(FILE);
-
}
}
- else {
+
+ # erzeugt eine named.conf-datei aus den entsprechenden vorlagen.
+ open( TO, ">$bind_dir/named.conf.zones" )
+ or die "$bind_dir/named.conf.zones: $!\n";
+ while (<$conf_dir/*>) {
+ open( FROM, "$_" ) or die "$_: $! \n";
+ print TO <FROM>;
+ close(FROM);
+ }
+ close(TO);
- open( FILE, "<$conf_file" ) or die "$conf_file: $!\n";
- @c_content = <FILE>;
- close(FILE);
+ # update-serial
+ foreach ( $dd, $mm ) { s/^\d$/0$&/; }
+ $yy += 1900;
+ $date = "$yy$mm$dd";
+
+ while ( my $file = shift @Zones ) {
+
+ my $file_basename = basename($file);
+
+ $file =~ s#($master_dir)(/.*)#$1$2$2#;
+ local ( *I, *O );
+ my $done = 0;
+
+ my $new = "$file.$$.tmp";
+ my $bak = "$file.bak";
+ my $stamp = $master_dir . "/.stamp/" . basename($file);
- for (@c_content) {
- if (m{(.*)($zone_file)\.signed(.*)}) {
- print "$2.signed ==> $2\n";
- $_ = "$1$2$3\n";
- }
+ $file =~ /(\.bak|~)$/ and next;
+ $file !~ /\./ and next;
+
+ $verbose && print "$file:";
+
+ if ( -f $stamp && ( ( stat($stamp) )[9] >= ( stat($file) )[9] ) ) {
+ $verbose && print " fresh, skipping.\n";
+ next;
+ }
+
+ $done = 0;
+ push @tmpfiles, $new;
+ open( *I, "<$file" ) or die("Can't open < $file: $!\n");
+ open( *O, ">$new" ) or die("Can't open > $new: $!\n");
+
+ while (<I>) {
+ /^\s+((\d+)(\d{2}))\s*;\s*serial/i and do { # PATTERN
+ my ( $sdate, $scount, $serial ) = ( $2, $3, $1 );
+ $done = 1;
+ print " [$file] serial $sdate$scount";
+
+ if ( $date eq $sdate ) { $scount++; }
+ else { $sdate = $date; $scount = "00"; }
+
+ print " bumping to $sdate$scount";
+ s/$serial/$sdate$scount/;
+
+ };
+ print O;
}
- open( FILE, ">$conf_file" ) or die "$conf_file: $!\n";
- print FILE @c_content;
- close(FILE);
+ close(O);
+ close(I);
+
+ if ($done) {
+
+ open( I, "<$new" ) or die("Can't open <$new: $!\n");
+ open( O, ">$file" ) or die("Can't open >$file: $!\n");
+ while (<I>) { print O or die("Can't write to $file: $!\n"); }
+ close(I) or die("Can't close $new: $!\n");
+ close(O) or die("Can't close $file: $!\n");
+
+ unlink $new;
+
+ open( O, ">$stamp" ) or die("Can't open >$stamp: $!\n");
+ close(O);
+ $changed++;
+
+ push @change_names, $file_basename;
+
+ }
+ else {
+ print " $file: no serial number found: no zone file?";
+ }
+ print "\n";
}
+
+ if ($changed) {
+ my $pidfile;
+
+
+ print
+ "** Changed $changed files, the nameserver needs to be reloaded!\n";
+ foreach (
+ qw(/var/run/bind/run/named.pid /var/run/named.pid /etc/named.pid))
+ {
+ -f $_ and $pidfile = $_ and last;
+ }
+
+ # dnssec-sign aufruf fuer geanderten domains
+ system "$dnssec_sign @change_names";
+ die "$dnssec_sign not found ($!)" if $? == -1;
+ exit 1 if $?;
+
+ if ($pidfile) {
+ if ($opt_yes) {
+ $_ = "y";
+ print "** Nameserver will be reloaded\n";
+ }
+ else { print "** Reload now? [Y/n]: "; $_ = <STDIN>; }
+ /^y|^$/i and system "rndc reload";
+ }
+ else {
+ print
+ "** No PID of a running named found. Please reload manually.\n";
+ }
+
+ }
+
}
-# erzeugt eine named.conf-datei aus den entsprechenden vorlagen.
-open( TO, ">$bind_dir/named.conf.zones" )
- or die "$bind_dir/named.conf.zones: $!\n";
-while (<$conf_dir/*>) {
- open( FROM, "$_" ) or die "$_: $! \n";
- print TO <FROM>;
- close(FROM);
-}
-close(TO);
-
-
-system "named-checkconf";
-system "named-checkconf -z";
-system "rndc reload";
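Review bot: The unconditional `system "$dnssec_sign";` at the top of `MAIN:` drops the `$? == -1` / `exit 1 if $?` checks that the lines it replaces had, so a failing or missing dnssec-sign goes unnoticed and the script carries on to rewrite the zone config files and reload; keep them, e.g. `system $dnssec_sign; die "$dnssec_sign not found ($!)\n" if $? == -1; exit 1 if $?;`. The same hunk removes the `named-checkconf` / `named-checkconf -z` run, so the freshly written `$bind_dir/named.conf.zones` is now handed to `rndc reload` unvalidated, and the reload only happens inside `if ($changed)` — a zone switching between the plain and `.signed` entry without a serial bump never triggers a reload at all. Consider running named-checkconf before the reload prompt and reloading whenever the generated config changed, not only when a serial did. `system "$dnssec_sign @change_names"` further builds a shell command string from zone names; the list form `system $dnssec_sign, @change_names` passes them without shell interpretation.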