--- a/dnssec-creatkey Thu Dec 02 16:46:17 2010 +0100
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,281 +0,0 @@
-#!/usr/bin/perl -w
-
-use strict;
-use FindBin;
-
-sub del_double {
- my %all;
- grep { $all{$_} = 0 } @_;
- return ( keys %all );
-}
-
-# liest die Konfiguration
-my @configs = ( "$FindBin::Bin/dnstools.conf", "/etc/dnstools.conf" );
-my %config;
-
-for ( grep {-f} @configs ) {
- open( CONFIG, $_ ) or die "Can't open $_: $!\n";
-}
-
-unless ( seek( CONFIG, 0, 0 ) ) {
- die "Can't open config (searched: @configs)\n";
-}
-
-while (<CONFIG>) {
- chomp;
- s/#.*//;
- s/\t//g;
- s/\s//g;
-
- next unless length;
- my ( $cname, $ccont ) = split( /\s*=\s*/, $_, 2 );
- $config{$cname} = $ccont;
-}
-close(CONFIG);
-
-my $master_dir = $config{master_dir};
-my $key_counter_end = $config{key_counter_end};
-my @change;
-my @manu;
-my @index;
-my $zone;
-my $keyname;
-
-# prueft ob eingaben in ARGV domains sind und gibt sie in die liste @manu
-for (@ARGV) {
- chomp( my $zone = `idn --quiet "$_"` );
-
- if ( -d "$master_dir/$zone" ) {
- push( @manu, $zone );
- }
- else {
- print " $zone not exist\n ";
- }
-}
-
-# prueft ob zonen mit schluesselmaterial ueber index- und keycounterdatei
-# verfuegen.
-# legt .index.ksk an falls nicht und gibt die entsprechende zone in die
-# liste @change
-while (<$master_dir/*>) {
- chomp( $zone = $_ );
-
- if ( -f "$zone/.index.zsk"
- and -f "$zone/.index.ksk"
- and -f "$zone/.keycounter" )
- {
- next;
- }
-
- while (<$zone/*>) {
- if (m#^K#) {
- my $file_in_zone = $_;
-
- open( KEY, $_ ) or die "$_: $!\n";
- for (<KEY>) {
- if (m#DNSKEY.257#) {
- $file_in_zone =~ s#(/.*/)(.*).key#$2#;
-
- open( INDEX, ">$zone/.index.ksk" ) or die;
- print INDEX "$file_in_zone\n";
- close(INDEX);
-
- $zone =~ s#($master_dir/)(.*)#$2#;
- push( @change, $zone );
-
- }
- }
- close(KEY);
- }
- }
-}
-
-# gibt alle zonen mit abgelaufenen keycounter in die liste @change
-while (<$master_dir/*>) {
- chomp( $zone = $_ );
- my $key;
-
- unless ( -f "$zone/.keycounter" ) {
- next;
- }
-
- open( KEY, "$zone/.keycounter" ) or die "$zone/.keycounter: $!\n";
- $key = <KEY>;
- close(KEY);
-
- if ( $key_counter_end <= $key ) {
- $zone =~ s#($master_dir/)(.*)#$2#;
- push( @change, $zone );
- }
-}
-
-#erzeugt zsks
-for ( &del_double( @change, @manu ) ) {
- $zone = $_;
-
- chdir "$master_dir/$zone" or die "$master_dir/$zone: $!\n";
- $keyname = `dnssec-keygen -a RSASHA1 -b 512 -n ZONE $zone`;
-
- unless ( -f ".index.zsk" ) {
- @index = ();
- }
- else {
- open( INDEX, ".index.zsk" )
- or die "$master_dir/$zone/.index.zsk: $!\n";
- @index = <INDEX>;
- close(INDEX);
- }
-
- push @index, $keyname;
- if ( @index > 2 ) {
- shift(@index);
- }
-
- open( INDEX, ">.index.zsk" ) or die "$master_dir/$zone/.index.zsk: $!\n";
- print INDEX @index;
- close(INDEX);
-
- chomp($keyname);
- print "$keyname (ZSK) creat for $zone \n";
-
- open( KC, ">.keycounter" ) or die "$master_dir/$zone/keycounter: $!\n";
- print KC "0";
- close(KC);
-}
-
-#erzeugt ksks
-for ( &del_double(@manu) ) {
- $zone = $_;
-
- chdir "$master_dir/$zone" or die "$master_dir/$zone: $!\n";
- $keyname = `dnssec-keygen -a RSASHA1 -b 2048 -f KSK -n ZONE $zone`;
-
- print "creat new KSK for $zone? (no): ";
- unless ( <STDIN> =~ m/^yes/ ) {
- next;
- }
-
- unless ( -f ".index.ksk" ) {
- @index = ();
- }
- else {
-
- open( INDEX, ".index.ksk" )
- or die "$master_dir/$zone/.index.ksk: $!\n";
- @index = <INDEX>;
- close(INDEX);
- }
-
- push @index, $keyname;
- if ( @index > 2 ) {
- shift(@index);
- }
-
- open( INDEX, ">.index.ksk" ) or die "$master_dir/$zone/.index.ksk: $!\n";
- print INDEX @index;
- close(INDEX);
-
- chomp($keyname);
- print "$keyname (KSK) creat for $zone \n";
-}
-
-# loescht alle unbenoetigten schluessel, fuegt die schluessel in
-# die zone-datei
-for ( &del_double( @change, @manu ) ) {
- $zone = $_;
- my @old_zone_content = ();
- my @new_zone_content = ();
- my @kkeylist = ();
- my @zkeylist = ();
- my $file = ();
-
- open( INDEX, "<$master_dir/$zone/.index.zsk" )
- or die "$master_dir/$zone/.index.zsk: $!\n";
- @zkeylist = <INDEX>;
- close(INDEX);
-
- open( INDEX, "<$master_dir/$zone/.index.ksk" )
- or die "$master_dir/$zone/.index.ksk: $!\n";
- @kkeylist = <INDEX>;
- close(INDEX);
-
- open( ZONE, "<$master_dir/$zone/$zone" )
- or die "$master_dir/$zone/$zone: $!\n";
- @old_zone_content = <ZONE>;
- close(ZONE);
-
- # kuerzt die schluessel-bezeichnung aus der indexdatei auf die id um sie
- # besser vergleichen zu koennen.
- for ( @kkeylist, @zkeylist ) {
- chomp;
- s#K.*\+.*\+(.*)#$1#;
- }
-
- # filtert alle schluessel aus der zonedatei
- # old_zone_content ==> new_zone_content
- for (@old_zone_content) {
- unless (/dnssec-(zsk|ksk)/) {
- push @new_zone_content, $_;
- }
- }
-
- # prueft alle schluesseldateien (ksk, zsk) ob sie in der jeweiligen
- # indexdatei beschrieben sind. wenn nicht werden sie geloescht.
- for (`ls $master_dir/$zone/K*[key,private]`) {
- chomp;
- $file = $_;
- my $rm_count = 1;
-
- for (@zkeylist) {
-
- if ( $file =~ /$_/ ) {
- $rm_count = 0;
-
- # schluessel die in der indexdatei standen, werden an die
- # zonedatei angehangen.
- if ( $file =~ /.*key/ ) {
-
- $file =~ s#/.*/(K.*)#$1#;
- push @new_zone_content,
- "\$INCLUDE \"$file\"\t\t; dnssec-zsk\n";
-
- last;
- }
- }
- }
- for (@kkeylist) {
-
- if ( $file =~ /$_/ ) {
- $rm_count = 0;
-
- # schluessel die in der indexdatei standen, werden an die
- # zonedatei angehangen.
- if ( $file =~ /.*key/ ) {
-
- $file =~ s#/.*/(K.*)#$1#;
- push @new_zone_content,
- "\$INCLUDE \"$file\"\t\t; dnssec-ksk\n";
-
- last;
- }
- }
- }
-
- #loescht alle unbenoetigten schluessel
- if ( $rm_count == 1 ) {
- unlink "$file";
- }
- }
-
- open( ZONE, ">$master_dir/$zone/$zone" )
- or die "$master_dir/$zone/$zone: $!\n";
- print ZONE @new_zone_content;
- close(ZONE);
-
-}
-
-# "toucht" alle zonen damit der serial erhoeht und die
-# zone neu signiert wird
-for ( &del_double( @change, @manu ) ) {
- system "touch $master_dir/$_/$_";
-}
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/dnssec-keytool Fri Dec 03 16:42:12 2010 +0100
@@ -0,0 +1,350 @@
+#!/usr/bin/perl -w
+
+use strict;
+use FindBin;
+
+sub del_double {
+ my %all;
+ grep { $all{$_} = 0 } @_;
+ return ( keys %all );
+}
+
+sub read_conf {
+ # liest die Konfiguration ein
+ my @configs = ( "$FindBin::Bin/dnstools.conf", "/etc/dnstools.conf" );
+ our %config;
+
+ for ( grep {-f} @configs ) {
+ open( CONFIG, $_ ) or die "Can't open $_: $!\n";
+ }
+ unless ( seek( CONFIG, 0, 0 ) ) {
+ die "Can't open config (searched: @configs)\n";
+ }
+ while (<CONFIG>) {
+ chomp;
+ s/#.*//;
+ s/\t//g;
+ s/\s//g;
+
+ next unless length;
+ my ( $cname, $ccont ) = split( /\s*=\s*/, $_, 2 );
+ $config{$cname} = $ccont;
+ }
+ close(CONFIG);
+}
+
+sub read_argv {
+ # wertet argv aus oder gibt die hilfe aus
+ my $arg = shift @ARGV;
+ my $zone;
+ our $do;
+ our @zones;
+ our $master_dir;
+
+ if ( ! defined $arg ) {
+ print " usage: dnssec-keytool <option> zone\n";
+ print " -z erstellt einen neuen ZSK\n";
+ print " -k erstellt je einen neuen ZSK und KSK\n";
+ print " -rm loescht das Schluesselmaterial einer Zone\n";
+ print " -c erstellt bei existierenden ksk konfigurationsdateien\n";
+ print " fuer die dnstools, sowie einen neuen zsk\n";
+ print "\n";
+
+ exit;
+ }
+ elsif ($arg eq "-k") {$do = "ksk";}
+ elsif ($arg eq "-rm") {$do = "rm";}
+ elsif ($arg eq "-c") {$do = "ck";}
+ elsif ($arg eq "-z") {$do = "zsk";}
+ else {
+ print "keine gueltige Option.\n";
+ exit;
+ }
+
+ # prueft die zonen in argv ob es verwaltete zonen sind
+ for (@ARGV) {
+ chomp( $zone = `idn --quiet "$_"` );
+ if ( -e "$master_dir/$zone/$zone" ) {
+ push @zones, $zone;
+ }
+ }
+}
+
+sub rm_keys {
+ our @zones;
+ our $master_dir;
+ my $zone;
+ my @new_zone_content;
+ my @old_zone_content;
+
+ for (@zones) {
+ $zone = $_;
+
+ my $zpf = "$master_dir/$zone";
+ my $ep = 0;
+
+ if ( -e "$zpf/$zone.signed" ) {
+ unlink "$zpf/$zone.signed" and $ep = 1 }
+ if ( -e "$zpf/.keycounter" ) {
+ unlink "$zpf/.keycounter" and $ep = 1 }
+ if ( -e "$zpf/.index.ksk" ) {
+ unlink "$zpf/.index.ksk" and $ep = 1 }
+ if ( -e "$zpf/.index.zsk" ) {
+ unlink "$zpf/.index.zsk" and $ep = 1 }
+ if ( -e "$zpf/dsset-$zone." ) {
+ unlink "$zpf/dsset-$zone." and $ep = 1 }
+ if ( -e "$zpf/keyset-$zone." ) {
+ unlink "$zpf/keyset-$zone." and $ep = 1 }
+
+ for (`ls $zpf/K$zone*`) {
+ chomp($_);
+ print "weg du scheissezwerg $_";
+ unlink ("$_");
+ }
+
+ if ($ep == 1) {
+ print " * $zone: schluesselmaterial entfernt\n";
+ }
+
+ open( ZONE, "$zpf/$zone" )
+ or die "$zpf/$zone: $!\n";
+ @old_zone_content = <ZONE>;
+ close(ZONE);
+
+ for (@old_zone_content) {
+ unless (m#\$INCLUDE.*\"K$zone.*\.key\"#) {
+ push @new_zone_content, $_;
+ }
+ }
+
+ open( ZONE, ">$zpf/$zone" ) or die "$zpf/$zone: $!\n";
+ print ZONE @new_zone_content;
+ close(ZONE);
+ }
+}
+
+sub creat_ksk {
+ our @zones;
+ our $master_dir;
+ my @index;
+ my $zone;
+ my $keyname;
+ my $zpf;
+
+ for (@zones) {
+ $zone = $_;
+ $zpf = "$master_dir/$zone";
+
+ chdir "$zpf" or die "$zpf: $!\n";
+ $keyname = `dnssec-keygen -a RSASHA1 -b 2048 -f KSK -n ZONE $zone`;
+
+ unless ( -f ".index.ksk" ) { @index = ();}
+ else {
+ open( INDEX, ".index.ksk" ) or die "$zpf/.index.ksk: $!\n";
+ @index = <INDEX>;
+ close(INDEX);
+ }
+
+ push @index, $keyname;
+ if ( @index > 2 ) { shift(@index);}
+
+ open( INDEX, ">.index.ksk" ) or die "$zpf/.index.ksk: $!\n";
+ print INDEX @index;
+ close(INDEX);
+
+ chomp($keyname);
+ print " * $zone: neuer KSK $keyname\n";
+
+
+ print "!! DER KSK muss der Chain of Trust veroeffentlicht werden !! \n";
+
+ }
+}
+
+sub creat_zsk {
+ our @zones;
+ our $master_dir;
+ my @index;
+ my $zone;
+ my $keyname;
+ my $zpf;
+
+ for (@zones) {
+ $zone = $_;
+ $zpf = "$master_dir/$zone";
+
+ chdir "$zpf" or die "$zpf: $!\n";
+ $keyname = `dnssec-keygen -a RSASHA1 -b 512 -n ZONE $zone`;
+
+ unless ( -f ".index.zsk" ) { @index = ();}
+ else {
+ open( INDEX, ".index.zsk" ) or die "$zpf/.index.zsk: $!\n";
+ @index = <INDEX>;
+ close(INDEX);
+ }
+
+ push @index, $keyname;
+ if ( @index > 2 ) { shift(@index);}
+
+ open( INDEX, ">.index.zsk" ) or die "$zpf/.index.zsk: $!\n";
+ print INDEX @index;
+ close(INDEX);
+
+ chomp($keyname);
+ print " * $zone: neuer ZSK $keyname\n";
+
+ open( KC, ">.keycounter" ) or die "$zpf/keycounter: $!\n";
+ print KC "0";
+ close(KC);
+
+ }
+}
+
+sub ck_zone {
+ our @zones;
+ our $master_dir;
+ my $zone;
+
+ for (@zones) {
+ $zone = $_;
+ my $zpf = "$master_dir/$zone";
+ my $keyfile;
+ my @content;
+ my @keylist;
+
+ for (<$zpf/*>) {
+ if (m#(K$zone.*\.key)#) {
+ $keyfile = $1;
+ open (KEYFILE, "<$zpf/$keyfile");
+ @content = <KEYFILE>;
+ close (KEYFILE);
+ for (@content) {
+ if (m#DNSKEY.257#) {
+ push @keylist, $keyfile;
+ }
+ }
+ }
+ }
+
+ open( INDEX, ">.index.ksk" ) or die "$zpf/.index.ksk: $!\n";
+ for (@keylist) {
+ s#\.key##;
+ print INDEX "$_\n";
+ }
+ close(INDEX);
+
+ print " * $zone: neue .index.ksk erzeugt\n";
+
+ if (-f "$zpf/.index.zsk") {
+ unlink ("$zpf/.index.zsk") or die "$zpf/.index.zsk: $!\n";
+ }
+ }
+}
+
+sub post_creat {
+ our @zones;
+ our $master_dir;
+
+ for (@zones) {
+ my $zone = $_;
+ `touch $master_dir/$zone/$zone`;
+
+ &kill_useless_keys($zone);
+ &key_to_zonefile($zone);
+ }
+
+}
+
+sub kill_useless_keys {
+ # die funktion loescht alle schluessel die nicht in der index.zsk
+ # der uebergebenen zone stehen
+ our $master_dir;
+ my $zone = $_[0];
+ my @keylist = ();
+ my $zpf = "$master_dir/$zone";
+
+ open (INDEX, "<$zpf/.index.zsk") or die "$zpf/.index.zsk: $!\n";
+ @keylist = <INDEX>;
+ close(INDEX);
+ open (INDEX, "<$zpf/.index.ksk") or die "$zpf/.index.ksk: $!\n";
+ push @keylist, <INDEX>;
+
+ # kuerzt die schluessel-bezeichnung aus der indexdatei auf die id um sie
+ # besser vergleichen zu koennen.
+ for ( @keylist ) {
+ chomp;
+ s#K.*\+.*\+(.*)#$1#;
+ }
+
+ # prueft alle schluesseldateien (ksk, zsk) ob sie in der jeweiligen
+ # indexdatei beschrieben sind. wenn nicht werden sie geloescht.
+ for (`ls $master_dir/$zone/K*[key,private]`) {
+ chomp;
+ my $file = $_;
+ my $rm_count = 1;
+ my $keyname;
+ for (@keylist) {
+ if ( $file =~ /$_/ ) { $rm_count = 0;}
+ }
+ if ($rm_count == 1) {
+ unlink "$file";
+ if ($file =~ /$zpf\/(.*\.key)/ ) {
+ print " * $zone: Schluessel $1 entfernt \n";
+ }
+ }
+ }
+}
+
+sub key_to_zonefile {
+ # die funktion fugt alle schluessel in eine zonedatei
+ our $master_dir;
+ my $zone = $_[0];
+ my $zpf = "$master_dir/$zone";
+ my @old_content;
+ my @new_content = ();
+
+ open(ZONEFILE, "<$zpf/$zone");
+ @old_content = <ZONEFILE>;
+ close(ZONEFILE);
+
+ for (@old_content) {
+ unless (m#INCLUDE.*key#) { push @new_content, $_; }
+ }
+
+ for (<$zpf/*>) {
+ if (m#(.*\/)(K.*\.key)#) {
+ push @new_content, "\$INCLUDE \"$2\"\n";
+ }
+ }
+ open( ZONEFILE, ">$zpf/$zone" ) or die "$zpf/$zone: $!\n";
+ print ZONEFILE @new_content;
+ close(ZONEFILE);
+}
+
+
+&read_conf;
+
+our %config;
+our $do; # arbeitsschritte aus argv
+our @zones; # liste der zonen in argv
+our $master_dir = $config{master_dir};
+our $bind_dir = $config{bind_dir};
+our $conf_dir = $config{zone_conf_dir};
+our $sign_alert_time = $config{sign_alert_time};
+our $indexzone = $config{indexzone};
+our $key_counter_end = $config{key_counter_end};
+our $ablauf_zeit = $config{abl_zeit};
+
+&read_argv;
+
+unless (@zones) {exit;} # beendet das programm, wurden keine
+ # gueltigen zonen uebergeben
+
+if ($do eq "rm") { &rm_keys; exit;}
+if ($do eq "ck") { &ck_zone;}
+if ($do eq "ksk") { &creat_ksk; }
+
+&creat_zsk;
+&post_creat;
+
+
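Review bot: In read_argv the raw @ARGV element is interpolated into a shell command, `chomp( $zone = `idn --quiet "$_"` );`, before any validation, so shell metacharacters in a command-line argument reach /bin/sh, and the later `-e "$master_dir/$zone/$zone"` test only filters the converted result and accepts any string for which that path happens to exist rather than a syntactically valid zone name. Run idn without a shell and check the converted name against a hostname-label pattern before it is used; once $zone is known to be clean, the remaining interpolations of it into backticks in creat_ksk, creat_zsk, post_creat and rm_keys are bounded too. Two further defects in the same hunk: ck_zone opens `">.index.ksk"` relative to the current working directory instead of `">$zpf/.index.ksk"` (there is no chdir in that sub, and the die message names the $zpf path), and rm_keys declares @new_zone_content outside the zone loop and never resets it, so with two or more zones the second zone file is written with the first zone's lines prepended. Also worth a look: the ZSK is generated with `-b 512`, which is below any current RSA key-size minimum, neither dnssec-keygen call checks `$?` before its (possibly empty) output is pushed into the index file, and the `print "weg du scheissezwerg $_";` line in rm_keys looks like leftover debug output.
```perl
    # prueft die zonen in argv ob es verwaltete zonen sind
    for my $arg_zone (@ARGV) {
        # list-form open: the argument never reaches a shell
        open( my $idn, '-|', 'idn', '--quiet', $arg_zone )
            or die "idn: $!\n";
        my $idn_out = <$idn>;
        close($idn);
        next unless defined $idn_out;
        chomp( $zone = $idn_out );
        # idn output is ASCII; accept only label(.label)*[.] so the path
        # check below cannot be steered outside $master_dir
        next unless $zone =~ m{\A[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.?\z};
        if ( -e "$master_dir/$zone/$zone" ) {
            push @zones, $zone;
        }
    }
```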
--- a/dnssec-killkey Thu Dec 02 16:46:17 2010 +0100
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,254 +0,0 @@
-#!/usr/bin/perl -w
-
-use strict;
-use FindBin;
-
-sub del_double {
- my %all;
- grep { $all{$_} = 0 } @_;
- return ( keys %all );
-}
-
-# liest die Konfiguration ein
-my @configs = ( "$FindBin::Bin/dnstools.conf", "/etc/dnstools.conf" );
-my %config;
-
-for ( grep {-f} @configs ) {
- open( CONFIG, $_ ) or die "Can't open $_: $!\n";
-}
-
-unless ( seek( CONFIG, 0, 0 ) ) {
- die "Can't open config (searched: @configs)\n";
-}
-
-while (<CONFIG>) {
- chomp;
- s/#.*//;
- s/\t//g;
- s/\s//g;
-
- next unless length;
- my ( $cname, $ccont ) = split( /\s*=\s*/, $_, 2 );
- $config{$cname} = $ccont;
-}
-close(CONFIG);
-
-my $master_dir = $config{master_dir};
-my $ablauf_zeit = $config{abl_zeit};
-my $zone;
-my @status;
-my @auto;
-my @manu;
-my @old_zone_content;
-my @new_zone_content;
-chomp( my $now_time = `date +%s` ); # aktuelle unixzeit
-
-# prueft zonen aus ARGV und loescht das schluesselmaterial
-for (@ARGV) {
- chomp( $zone = `idn --quiet $_` );
- my $zdir = "$master_dir/$zone";
- my $ep = 0;
-
- unless ( -e "$master_dir/$zone" ) {
- print "$zone ist keine verwaltete zone \n";
- }
- else {
- if ( -e "$zdir/$zone.signed" ) {
- unlink "$zdir/$zone.signed" and $ep = 1 }
- if ( -e "$zdir/.keycounter" ) {
- unlink "$zdir/.keycounter" and $ep = 1 }
- if ( -e "$zdir/.index.ksk" ) {
- unlink "$zdir/.index.ksk" and $ep = 1 }
- if ( -e "$zdir/.index.zsk" ) {
- unlink "$zdir/.index.zsk" and $ep = 1 }
- if ( -e "$zdir/dsset-$zone." ) {
- unlink "$zdir/dsset-$zone." and $ep = 1 }
- if ( -e "$zdir/keyset-$zone." ) {
- unlink "$zdir/keyset-$zone." and $ep = 1 }
-
- for (`ls $master_dir/$zone/K*[key,private]`) {
- unlink $_ and $ep = 1
- }
-
- if ($ep == 1) {
- print "$zone: keys removed\n";
- }
-
- open( ZONE, "$master_dir/$zone/$zone" )
- or die "$master_dir/$zone/$zone: $!\n";
- @old_zone_content = <ZONE>;
- close(ZONE);
-
- for (@old_zone_content) {
- unless (/dnssec-(ksk|zsk)/) {
- push @new_zone_content, $_;
- }
- }
-
- open( ZONE, ">$master_dir/$zone/$zone" )
- or die "$master_dir/$zone/$zone: $!\n";
- print ZONE @new_zone_content;
- close(ZONE);
-
- push @manu, $zone;
- }
-}
-
-# beendet den key-rollover
-for (<$master_dir/*>) {
- $zone = $_;
- $zone =~ s#($master_dir/)(.*)#$2#;
-
- my @index = ();
- my $index_wc;
-
- # prueft nach der ".index.zsk"-datei und erstellt den zeitpunkt
- # an dem das key-rollover endet. - $status[9]
- if ( -e "$master_dir/$zone/.index.zsk" ) {
- @status = stat("$master_dir/$zone/.index.zsk");
- $status[9] += ( 3600 * $ablauf_zeit );
- }
- else {
- next;
- }
-
- # prueft ob das key-rollover-ende erreicht ist
- unless ( $status[9] < $now_time ) {
- next;
- }
-
- # prueft die anzahl der schluessel in der ".index.zsk"
- # loescht alte schluessel
- open( INDEX, "$master_dir/$zone/.index.zsk" )
- or die "$master_dir/$zone/.index.zsk: $!\n";
- @index = <INDEX>;
- $index_wc = @index;
- close(INDEX);
- if ( $index_wc > 1 ) {
- open( INDEX, ">$master_dir/$zone/.index.zsk" )
- or die "$master_dir/$zone/.index.zsk: $!\n";
- print INDEX $index[1];
- close(INDEX);
- push @auto, $zone;
- }
-
- # prueft die anzahl der schluessel in der ".index.ksk"
- # loescht alte schluessel
- open( INDEX, "$master_dir/$zone/.index.ksk" )
- or die "$master_dir/$zone/.index.ksk: $!\n";
- @index = <INDEX>;
- $index_wc = @index;
- close(INDEX);
- if ( $index_wc > 1 ) {
- open( INDEX, ">$master_dir/$zone/.index.ksk" )
- or die "$master_dir/$zone/.index.ksk: $!\n";
- print INDEX $index[1];
- close(INDEX);
- push @auto, $zone;
- }
-
-}
-
-# nach abgeschlossenem key-rollover werden fuer die entsprechende zone
-# unbenoetigte schluessel entfernt und die vorhandenen schluessel in die
-# zonedatei geschrieben.
-for ( &del_double(@auto) ) {
- my $zone = $_;
- my @old_zone_content = ();
- my @new_zone_content = ();
- my @kkeylist = ();
- my @zkeylist = ();
- my $file;
-
- open( INDEX, "$master_dir/$zone/.index.zsk" )
- or die "$master_dir/$zone/.index.zsk: $!\n";
- @zkeylist = <INDEX>;
- close(INDEX);
-
- open( INDEX, "$master_dir/$zone/.index.ksk" )
- or die "$master_dir/$zone/.index.ksk: $!\n";
- @kkeylist = <INDEX>;
- close(INDEX);
-
- open( ZONE, "$master_dir/$zone/$zone" )
- or die "$master_dir/$zone/$zone: $!\n";
- @old_zone_content = <ZONE>;
- close(ZONE);
-
- # kuerzt die schluessel-bezeichnung aus der indexdatei auf die
- # id um sie besser vergleichen zu koennen.
- for ( @kkeylist, @zkeylist ) {
- chomp;
- s#K.*\+.*\+(.*)#$1#;
- }
-
- # filtert alle schluessel aus der zonedatei
- # old_zone_content ==> new_zone_content
- for (@old_zone_content) {
- unless (/dnssec-(ksk|zsk)/) {
- push @new_zone_content, $_;
- }
- }
-
- # prueft alle schluesseldateien (ksk, zsk) ob sie in der jeweiligen
- # indexdatei beschrieben sind. wenn nicht werden sie geloescht.
- for (`ls $master_dir/$zone/K*[key,private]`) {
- chomp;
- $file = $_;
- my $rm_count = 1;
-
- for (@zkeylist) {
-
- if ( $file =~ /$_/ ) {
- $rm_count = 0;
-
- # schluessel die in der indexdatei standen, werden an die
- # zonedatei angehangen.
- if ( $file =~ /.*key/ ) {
-
- $file =~ s#/.*/(K.*)#$1#;
- push @new_zone_content,
- "\$INCLUDE \"$file\"\t\t; dnssec-zsk\n";
-
- last;
- }
- }
- }
- for (@kkeylist) {
-
- if ( $file =~ /$_/ ) {
- $rm_count = 0;
-
- # schluessel die in der indexdatei standen, werden an die
- # zonedatei angehangen.
- if ( $file =~ /.*key/ ) {
-
- $file =~ s#/.*/(K.*)#$1#;
- push @new_zone_content,
- "\$INCLUDE \"$file\"\t\t; dnssec-ksk\n";
-
- last;
- }
- }
- }
-
- #loescht alle unbenoetigten schluessel
- if ( $rm_count == 1 ) {
- print `rm -f $file`;
- }
- }
-
- open( ZONE, ">$master_dir/$zone/$zone" )
- or die "$master_dir/$zone/$zone: $!\n";
- print ZONE @new_zone_content;
- close(ZONE);
-
- print "$master_dir/$zone/$zone wurde neu erstellt \n";
-}
-
-# "toucht" alle zonen damit der serial erhoht wird und die
-# zone neu signiert wird
-for ( &del_double( @auto, @manu ) ) {
- system "touch $master_dir/$_/$_";
-}
-
--- a/dnssec-sign Thu Dec 02 16:46:17 2010 +0100
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,131 +0,0 @@
-#!/usr/bin/perl
-
-use strict;
-use warnings;
-use FindBin;
-
-sub del_double {
- my %all;
- grep { $all{$_} = 0 } @_;
- return ( keys %all );
-}
-
-# liest die Konfiguration ein
-my @configs = ( "$FindBin::Bin/dnstools.conf", "/etc/dnstools.conf" );
-my %config;
-
-for ( grep {-f} @configs ) {
- open( CONFIG, $_ ) or die "Can't open $_: $!\n";
-}
-
-unless ( seek( CONFIG, 0, 0 ) ) {
- die "Can't open config (searched: @configs)\n";
-}
-
-while (<CONFIG>) {
- chomp;
- s/#.*//;
- s/\t//g;
- s/\s//g;
-
- next unless length;
- my ( $cname, $ccont ) = split( /\s*=\s*/, $_, 2 );
- $config{$cname} = $ccont;
-}
-close(CONFIG);
-
-my $master_dir = $config{master_dir};
-my $sign_alert_time = $config{sign_alert_time};
-my $zone;
-my ( @manu, @auto );
-my @zone_sig_content;
-my $sig_date;
-my $kc;
-my $serial_up = 0;
-
-for (@ARGV) {
- if ( $_ eq "-s" ) {
- $serial_up = 1;
- shift @ARGV;
- }
-}
-
-# prueft zonen aus ARGV und fuegt sie in die liste @manu ein
-for (@ARGV) {
- chomp( my $zone = `idn --quiet "$_"` );
-
- if ( -e "$master_dir/$zone/.keycounter" ) {
- push @manu, $zone;
- }
-}
-
-chomp( my $unixtime = `date +%s` );
-$unixtime = $unixtime + ( 3600 * $sign_alert_time );
-my $time = `date -d \@$unixtime +%Y%m%d%H`;
-
-# vergleicht fuer alle zonen im ordner $master_dir mit einer
-# <zone>.signed-datei den zeitpunkt in $time mit dem ablaufdatum der
-# signatur, welcher aus der datei <zone>.signed ausgelesen wird.
-for (<$master_dir/*>) {
- s#($master_dir/)(.*)#$2#;
- $zone = $_;
-
- if ( -e "$master_dir/$zone/$zone.signed" ) {
-
- open( ZONE, "$master_dir/$zone/$zone.signed" );
- @zone_sig_content = <ZONE>;
- close(ZONE);
-
- for (@zone_sig_content) {
- if (m#SOA.*[0-9]{14}#) {
- s#.*([0-9]{10})([0-9]{4}).*#$1#;
- if ( $_ < $time ) {
- push @auto, $zone;
- `touch $master_dir/$zone/$zone`
- }
- }
- }
- }
-}
-
-#gibt zonen mit schluessel aber ohne signatur in die liste @auto
-#for (<$master_dir/*>) {
-# s#($master_dir/)(.*)#$2#;
-# $zone = $_;
-#
-# if ( -e "$master_dir/$zone/.keycounter" ) {
-#
-# open( KC, "$master_dir/$zone/.keycounter" );
-# $kc = <KC>;
-# close(KC);
-#
-# if ( $kc < 1 ) {
-# push @auto, $zone;
-# }
-# }
-#}
-
-# signiert alle zonen in @auto und @manu und erhoeht den wert in
-# der keycounter-datei
-for ( &del_double( @auto, @manu ) ) {
- $zone = $_;
-
- chdir "$master_dir/$zone";
-
- if (`dnssec-signzone $zone 2>/dev/null`) {
- print "$zone neu signiert \n";
-
- open( KC, "$master_dir/$zone/.keycounter" );
- $kc = <KC>;
- close(KC);
- $kc += 1;
- open( KC, ">$master_dir/$zone/.keycounter" );
- print KC $kc;
- close(KC);
-
- }
- else {
- print "$zone konnte nicht signiert werden \n";
- }
-}
-
--- a/update-index Thu Dec 02 16:46:17 2010 +0100
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,73 +0,0 @@
-#! /usr/bin/perl
-
-use strict;
-use warnings;
-use File::Basename;
-use FindBin;
-
-# liest die Konfiguration
-my @configs = ( "$FindBin::Bin/dnstools.conf", "/etc/dnstools.conf" );
-my %config;
-
-for ( grep {-f} @configs ) {
- open( CONFIG, $_ ) or die "Can't open $_: $!\n";
-}
-
-unless ( seek( CONFIG, 0, 0 ) ) {
- die "Can't open config (searched: @configs)\n";
-}
-
-while (<CONFIG>) {
- chomp;
- s/#.*//;
- s/\t//g;
- s/\s//g;
- next unless length;
- my ( $cname, $ccont ) = split( /\s*=\s*/, $_, 2 );
- $config{$cname} = $ccont;
-}
-close(CONFIG);
-
-my $master_dir = $config{master_dir};
-my $indexzone = $config{indexzone};
-my @iz_content_old = ();
-my @iz_content_new = ();
-my $iz_line;
-my $zone;
-
-unless ( -d $master_dir and -r $master_dir ) {
- die "$master_dir: $!\n";
-}
-
-open (INDEXZONE, "$master_dir/$indexzone/$indexzone")
- or die "$master_dir/$indexzone/$indexzone: $!\n";
-@iz_content_old = <INDEXZONE>,
-close (INDEXZONE);
-
-for (@iz_content_old) {
- unless (m#ZONE::#) {
- push @iz_content_new, $_;
- }
-}
-
-
-for my $dir ( glob "$master_dir/*" ) {
- $zone = basename($dir);
- my $info_end = "::sec-off";
-
- if (-e "$dir/.keycounter") {
- $info_end = "::sec-on";
- }
-
- $iz_line = "\t\tIN TXT\t\t\"ZONE::$zone$info_end\"\n";
-
- push @iz_content_new, $iz_line;
-}
-
-
-open (INDEXZONE, ">$master_dir/$indexzone/$indexzone")
- or die "$master_dir/$indexzone/$indexzone: $!\n";
-print INDEXZONE @iz_content_new;
-close (INDEXZONE);
-
-print "index domain $indexzone updated \n";
--- a/update-serial Thu Dec 02 16:46:17 2010 +0100
+++ b/update-serial Fri Dec 03 16:42:12 2010 +0100
@@ -412,6 +412,7 @@
}
sub key_to_zonefile {
+ # die funktion fugt alle schluessel in eine zonedatei
our $master_dir;
my $zone = $_[0];
my $zpf = "$master_dir/$zone";
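Review bot: The added comment reads `# die funktion fugt alle schluessel in eine zonedatei`; presumably `fuegt` is meant, and the identical wording is added to the copy of this sub in dnssec-keytool in the same commit. As far as the hunk shows, key_to_zonefile here matches the dnssec-keytool version line for line, so the helper is now maintained in two scripts; moving it (and del_double) into a shared module would keep the copies from drifting. key_to_zonefile's body continues outside the hunk.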
--- a/update-zone Thu Dec 02 16:46:17 2010 +0100
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,298 +0,0 @@
-#! /usr/bin/perl
-# (c) 1998 Heiko Schlittermann <heiko@datom.de>
-#
-# … work in progress do integrate dnssec (branch suess)
-#
-# Update the serial numbers in zone files
-# The serial number needs to match a specified pattern (see
-# the line marked w/ PATTERN.
-#
-# ToDo:
-# . test against an md5 sum, not just the date of the stamp file
-# . FIXME: handle `/' in file names (currently only working in
-# the current directory)
-# . optionally reload the named
-
-use strict;
-use warnings;
-
-use File::Basename;
-use File::Copy;
-use FindBin;
-
-my @configs = ( "$FindBin::Bin/dnstools.conf", "/etc/dnstools.conf" );
-my @dnssec_killkeys
- = ( "$FindBin::Bin/dnssec-killkey", "/usr/bin/dnstools/dnssec-killkey" );
-my $dnssec_killkey;
-my @dnssec_creatkeys
- = ( "$FindBin::Bin/dnssec-creatkey", "/usr/bin/dnstools/dnssec-creatkey" );
-my $dnssec_creatkey;
-my @dnssec_signs
- = ( "$FindBin::Bin/dnssec-sign", "/usr/bin/dnstools/dnssec-sign" );
-my %config;
-my $dnssec_sign;
-my @change_names = ();
-
-foreach ( grep {-f} @configs ) {
- open( CONFIG, $_ ) or die "Can't open $_: $!\n";
-}
-
-unless ( seek( CONFIG, 0, 0 ) ) {
- die "Can't open config (searched: @configs)\n";
-}
-foreach ( grep {-f} @dnssec_killkeys ) {
- if ( -x $_ ) {
- $dnssec_killkey = $_;
- }
- else {
- die "Can't run $_\n";
- }
-}
-foreach ( grep {-f} @dnssec_creatkeys ) {
- if ( -x $_ ) {
- $dnssec_creatkey = $_;
- }
- else {
- die "Can't run $_\n";
- }
-}
-foreach ( grep {-f} @dnssec_signs ) {
- if ( -x $_ ) {
- $dnssec_sign = $_;
- }
- else {
- die "Can't run $_\n";
- }
-}
-
-while (<CONFIG>) {
- chomp;
- s/#.*//;
- s/\t//g;
- s/\s//g;
- next unless length;
- my ( $cname, $ccont ) = split( /\s*=\s*/, $_, 2 );
- $config{$cname} = $ccont;
-}
-close(CONFIG);
-
-my $bind_dir = $config{bind_dir};
-my $conf_dir = $config{zone_conf_dir};
-my $master_dir = $config{master_dir};
-
-my $ME = basename $0;
-my @tmpfiles;
-my $verbose = 0;
-my $opt_yes = 0;
-my @Zones;
-my $file;
-
-
-sub cleanup() { unlink @tmpfiles; }
-END { cleanup(); }
-
-for (@ARGV) {
- if ( $_ eq "-y" ) {
- $opt_yes = 1;
- shift @ARGV;
- }
-}
-
-@Zones = @ARGV ? @ARGV : glob("$master_dir/*");
-
-MAIN: {
- my $changed = 0;
- my ( $dd, $mm, $yy ) = ( localtime() )[ 3 .. 5 ];
- my $date;
- $mm++;
-
- # prueft jede domain, die ein verzeichnis in $master_dir hat, ob sie
- # dnssec nutzt.
- # passt die eintraege in $config_file falls noetig an.
- while (<$master_dir/*>) {
- s#($master_dir/)(.*)#$2#;
- my $zone = $_;
-
- my $zone_file = "$master_dir/$zone/$zone";
- my $conf_file = "$conf_dir/$zone";
- my @c_content;
-
- unless ( -f "$conf_file" ) {
- die "$conf_file: $! \n";
- }
-
- if ( -e "$master_dir/$zone/.keycounter" ) {
-
- open( FILE, "<$conf_file" ) or die "$conf_file: $!\n";
- @c_content = <FILE>;
- close(FILE);
-
- for (@c_content) {
- if (m{(.*)($zone_file)(";)}) {
- print "$2 ==> $2.signed\n";
- $_ = "$1$2.signed$3\n";
- }
- }
-
- open( FILE, ">$conf_file" ) or die "$conf_file: $!\n";
- print FILE @c_content;
- close(FILE);
-
- }
- else {
-
- open( FILE, "<$conf_file" ) or die "$conf_file: $!\n";
- @c_content = <FILE>;
- close(FILE);
-
- for (@c_content) {
- if (m{(.*)($zone_file)\.signed(.*)}) {
- print "$2.signed ==> $2\n";
- $_ = "$1$2$3\n";
- }
- }
-
- open( FILE, ">$conf_file" ) or die "$conf_file: $!\n";
- print FILE @c_content;
- close(FILE);
- }
- }
-
- # erzeugt eine named.conf-datei aus den entsprechenden vorlagen.
- print "** creat named.conf.zones **\n";
- open( TO, ">$bind_dir/named.conf.zones" )
- or die "$bind_dir/named.conf.zones: $!\n";
- while (<$conf_dir/*>) {
- open( FROM, "$_" ) or die "$_: $! \n";
- print TO <FROM>;
- close(FROM);
- }
- close(TO);
-
- # aufruf von dnssec-killkey
- print "** execute dnssec-killkey for keyrollover **\n";
- system "$dnssec_killkey";
- die "$dnssec_killkey not found ($!)" if $? == -1;
- exit 1 if $?;
-
- # aufruf von dnssec-creatkey
- print "** execute dnssec-creatkey for keyrollover **\n";
- system "$dnssec_creatkey";
- die "$dnssec_creatkey not found ($!)" if $? == -1;
- exit 1 if $?;
-
- # aufruf von dnssec-sign
- print "** execute dnssec-sign for sign-update **\n";
- system "$dnssec_sign";
- die "$dnssec_sign not found ($!)" if $? == -1;
- exit 1 if $?;
-
- # update-serial
- print "** update serial **\n";
- foreach ( $dd, $mm ) { s/^\d$/0$&/; }
- $yy += 1900;
- $date = "$yy$mm$dd";
-
- while ( my $file = shift @Zones ) {
-
- my $file_basename = basename($file);
-
- $file =~ s#($master_dir)(/.*)#$1$2$2#;
- local ( *I, *O );
- my $done = 0;
-
- my $new = "$file.$$.tmp";
- my $bak = "$file.bak";
- my $stamp = $master_dir . "/.stamp/" . basename($file);
-
- $file =~ /(\.bak|~)$/ and next;
- $file !~ /\./ and next;
-
- $verbose && print "$file:";
-
- if ( -f $stamp && ( ( stat($stamp) )[9] >= ( stat($file) )[9] ) ) {
- $verbose && print " fresh, skipping.\n";
- next;
- }
-
- $done = 0;
- push @tmpfiles, $new;
- open( *I, "<$file" ) or die("Can't open < $file: $!\n");
- open( *O, ">$new" ) or die("Can't open > $new: $!\n");
-
- while (<I>) {
- /^\s+((\d+)(\d{2}))\s*;\s*serial/i and do { # PATTERN
- my ( $sdate, $scount, $serial ) = ( $2, $3, $1 );
- $done = 1;
- print " [$file] serial $sdate$scount";
-
- if ( $date eq $sdate ) { $scount++; }
- else { $sdate = $date; $scount = "00"; }
-
- print " bumping to $sdate$scount";
- s/$serial/$sdate$scount/;
-
- };
- print O;
- }
-
- close(O);
- close(I);
-
- if ($done) {
-
- open( I, "<$new" ) or die("Can't open <$new: $!\n");
- open( O, ">$file" ) or die("Can't open >$file: $!\n");
- while (<I>) { print O or die("Can't write to $file: $!\n"); }
- close(I) or die("Can't close $new: $!\n");
- close(O) or die("Can't close $file: $!\n");
-
- unlink $new;
-
- open( O, ">$stamp" ) or die("Can't open >$stamp: $!\n");
- close(O);
- $changed++;
-
- push @change_names, $file_basename;
-
- }
- else {
- print " $file: no serial number found: no zone file?";
- }
- print "\n";
- }
-
- my $pidfile;
-
- unless ($changed == 0) {
- print "Changed $changed files.\n";
- }
-
- foreach (
- qw(/var/run/bind/run/named.pid /var/run/named.pid /etc/named.pid))
- {
- -f $_ and $pidfile = $_ and last;
- }
-
- # dnssec-sign aufruf fuer geanderten domains
- print "** execute dnssec-sign **\n";
- system "$dnssec_sign @change_names";
- die "$dnssec_sign not found ($!)" if $? == -1;
- exit 1 if $?;
-
- if ($pidfile) {
- if ($opt_yes) {
- $_ = "y";
- print "** Nameserver will be reloaded\n";
- }
- else { print "** Reload now? [Y/n]: "; $_ = <STDIN>; }
- /^y|^$/i and system "rndc reload";
- }
- else {
- print
- "** No PID of a running named found. Please reload manually.\n";
-
- }
-
-}
-