--- a/dnssec-creatkey Tue Aug 10 16:38:46 2010 +0200
+++ b/dnssec-creatkey Wed Aug 11 11:15:49 2010 +0200
@@ -180,17 +180,18 @@
$zone = $_;
my @old_zone_content = ();
my @new_zone_content = ();
- my @keylist = ();
+ my @kkeylist = ();
+ my @zkeylist = ();
my $file = ();
open( INDEX, "<$master_dir/$zone/.index.zsk" )
or die "$master_dir/$zone/.index.zsk: $!\n";
- @keylist = <INDEX>;
+ @zkeylist = <INDEX>;
close(INDEX);
open( INDEX, "<$master_dir/$zone/.index.ksk" )
or die "$master_dir/$zone/.index.ksk: $!\n";
- push @keylist, <INDEX>;
+ @kkeylist = <INDEX>;
close(INDEX);
open( ZONE, "<$master_dir/$zone/$zone" )
@@ -200,7 +201,7 @@
# kuerzt die schluessel-bezeichnung aus der indexdatei auf die id um sie
# besser vergleichen zu koennen.
- for (@keylist) {
+ for (@kkeylist, @zkeylist) {
chomp;
s#K.*\+.*\+(.*)#$1#;
}
@@ -208,7 +209,7 @@
# filtert alle schluessel aus der zonedatei
# old_zone_content ==> new_zone_content
for (@old_zone_content) {
- unless (/IN\sDNSKEY/) {
+ unless (/dnssec-(zsk|ksk)/) {
push @new_zone_content, $_;
}
}
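Review bot: The new filter `unless (/dnssec-(zsk|ksk)/)` is unanchored, so any zone line that merely contains that text — a TXT record, an unrelated comment — is silently dropped from `@new_zone_content`, not only the `$include` lines this commit writes. Those lines carry the marker as a trailing comment (`\t\t; dnssec-zsk\n`), so match that instead: `unless (/;\s*dnssec-(?:zsk|ksk)\s*$/)`. The old pattern `/IN\sDNSKEY/` is gone, so inline DNSKEY records that earlier runs appended from the `.key` files are no longer stripped from existing zone files and will sit next to the new `$include` lines until removed by hand; a one-time migration note in the comment above would help. The same pattern appears in the two dnssec-killkey hunks that filter `@old_zone_content` (the new block after the unlink loop and the `@@ -142,7 +160,7 @@` hunk); the loop over zones that encloses this code starts outside the hunk.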
@@ -220,7 +221,7 @@
$file = $_;
my $rm_count = 1;
- for (@keylist) {
+ for (@zkeylist) {
if ( $file =~ /$_/ ) {
$rm_count = 0;
@@ -228,9 +229,25 @@
# schluessel die in der indexdatei standen, werden an die
# zonedatei angehangen.
if ( $file =~ /.*key/ ) {
- open( KEYFILE, "<$file" ) or next "$file: $!\n";
- push @new_zone_content, <KEYFILE>;
- close(KEYFILE);
+
+ $file =~ s#/.*/(K.*)#$1#;
+ push @new_zone_content, "\$include $file\t\t; dnssec-zsk\n" ;
+
+ last;
+ }
+ }
+ }
+ for (@kkeylist) {
+
+ if ( $file =~ /$_/ ) {
+ $rm_count = 0;
+
+ # schluessel die in der indexdatei standen, werden an die
+ # zonedatei angehangen.
+ if ( $file =~ /.*key/ ) {
+
+ $file =~ s#/.*/(K.*)#$1#;
+ push @new_zone_content, "\$include $file\t\t; dnssec-ksk\n" ;
last;
}
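Review bot: The new `for (@kkeylist)` loop repeats `if ( $file =~ /$_/ )` with the key id interpolated as an unanchored, unquoted pattern (the `for (@zkeylist)` loop in the preceding hunk does the same): an index line that did not match the `K.*\+.*\+(.*)` reduction — a blank trailing line, say — leaves `$_` empty, and an empty pattern in Perl re-uses the last successfully matched regex, so the comparison becomes unpredictable, while a short id can also match as a substring of another file name or of a digit run in the zone name. Assuming the files follow the `K<name>.+<alg>+<id>.key` layout the index regex already relies on, `next unless length; if ( $file =~ /\+\Q$_\E\.(?:key|private)\b/ )` pins the id to its own field. Second, `$file =~ s#/.*/(K.*)#$1#` reduces the included path to a bare file name, so the `$include` is resolved against the loader's working directory rather than `$master_dir/$zone` (BIND does not, as far as I recall, resolve relative `$INCLUDE` paths against the including file) — either keep the full path or add a comment stating that named and the signer run from that directory. The zsk and ksk loops differ only in the marker text and could share one helper taking the list and the tag; the same duplicated code is in the `@@ -162,9 +180,25 @@` hunk of dnssec-killkey, and both loops here close outside the hunk.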
--- a/dnssec-killkey Tue Aug 10 16:38:46 2010 +0200
+++ b/dnssec-killkey Wed Aug 11 11:15:49 2010 +0200
@@ -50,6 +50,23 @@
if ( -e "$zdir/keyset-$zone." ) { unlink "$zdir/keyset-$zone." }
for (`ls $master_dir/$zone/K*[key,private]`) { unlink $_ }
}
+
+ open( ZONE, "$master_dir/$zone/$zone" )
+ or die "$master_dir/$zone/$zone: $!\n";
+ @old_zone_content = <ZONE>;
+ close(ZONE);
+
+ for (@old_zone_content) {
+ unless (/dnssec-(ksk|zsk)/) {
+ push @new_zone_content, $_;
+ }
+ }
+
+ open( ZONE, ">$master_dir/$zone/$zone" )
+ or die "$master_dir/$zone/$zone: $!\n";
+ print ZONE @new_zone_content;
+ close(ZONE);
+
}
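Review bot: `@new_zone_content` is only pushed to in the new block and never reset, so if this runs once per zone inside the loop that `$zone` and the `unlink` line above belong to (its start is outside the hunk) and the array is not declared fresh in that scope, the second zone's file is rewritten with the first zone's records appended; clear it first with `@new_zone_content = ();` (or a `my` declaration here if it is not yet lexical). The two `open( ZONE, ... )` calls are two-argument opens on an interpolated path; use the three-argument form, `open( ZONE, '<', "$master_dir/$zone/$zone" )` and `open( ZONE, '>', "$master_dir/$zone/$zone" )`, so a zone name containing `<`, `>`, `|` or whitespace cannot change the mode. The final `close(ZONE)` on the write handle is unchecked, and that is where a short write surfaces, so `close(ZONE) or die "$master_dir/$zone/$zone: $!\n";`; rewriting the zone in place with `>` also truncates it before the new content is written, so a failure midway leaves an empty zone file — writing to a temporary file and renaming it over the original is the usual safeguard.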
# beendet den key-rollover
@@ -114,17 +131,18 @@
my $zone = $_;
my @old_zone_content = ();
my @new_zone_content = ();
- my @keylist = ();
+ my @kkeylist = ();
+ my @zkeylist = ();
my $file;
open( INDEX, "$master_dir/$zone/.index.zsk" )
or die "$master_dir/$zone/.index.zsk: $!\n";
- @keylist = <INDEX>;
+ @zkeylist = <INDEX>;
close(INDEX);
open( INDEX, "$master_dir/$zone/.index.ksk" )
or die "$master_dir/$zone/.index.ksk: $!\n";
- push @keylist, <INDEX>;
+ @kkeylist = <INDEX>;
close(INDEX);
open( ZONE, "$master_dir/$zone/$zone" )
@@ -134,7 +152,7 @@
# kuerzt die schluessel-bezeichnung aus der indexdatei auf die
# id um sie besser vergleichen zu koennen.
- for (@keylist) {
+ for (@kkeylist, @zkeylist) {
chomp;
s#K.*\+.*\+(.*)#$1#;
}
@@ -142,7 +160,7 @@
# filtert alle schluessel aus der zonedatei
# old_zone_content ==> new_zone_content
for (@old_zone_content) {
- unless (/IN\sDNSKEY/) {
+ unless (/dnssec-(ksk|zsk)/) {
push @new_zone_content, $_;
}
}
@@ -154,7 +172,7 @@
$file = $_;
my $rm_count = 1;
- for (@keylist) {
+ for (@zkeylist) {
if ( $file =~ /$_/ ) {
$rm_count = 0;
@@ -162,9 +180,25 @@
# schluessel die in der indexdatei standen, werden an die
# zonedatei angehangen.
if ( $file =~ /.*key/ ) {
- open( KEYFILE, "$file" ) or die "$file: $!\n";
- push @new_zone_content, <KEYFILE>;
- close(KEYFILE);
+
+ $file =~ s#/.*/(K.*)#$1#;
+ push @new_zone_content, "\$include $file\t\t; dnssec-zsk\n" ;
+
+ last;
+ }
+ }
+ }
+ for (@kkeylist) {
+
+ if ( $file =~ /$_/ ) {
+ $rm_count = 0;
+
+ # schluessel die in der indexdatei standen, werden an die
+ # zonedatei angehangen.
+ if ( $file =~ /.*key/ ) {
+
+ $file =~ s#/.*/(K.*)#$1#;
+ push @new_zone_content, "\$include $file\t\t; dnssec-ksk\n" ;
last;
}
--- a/dnstools.conf Tue Aug 10 16:38:46 2010 +0200
+++ b/dnstools.conf Wed Aug 11 11:15:49 2010 +0200
@@ -1,9 +1,9 @@
bind_dir = /etc/bind
master_dir = /etc/bind/master
zone_conf_dir = /etc/bind/zones.d
-key_counter_end = 5 # Anzahl der Signierungen bis zum Key-Rollover
+key_counter_end = 20 # Anzahl der Signierungen bis zum Key-Rollover
sign_alert_time = 48 # Warn-Zeitraum vor dem Ablauf einer Zone-Signatur in h
-abl_zeit = 48 # Dauer des Key-Rollover (2 Schluessel) in h
+abl_zeit = 24 # Dauer des Key-Rollover (2 Schluessel) in h
secondary = hh.schlittermann.de
primary = pu.schlittermann.de
#this_host
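Review bot: `abl_zeit` drops from 48 to 24 hours with no note on why that is safe; if it is the window during which both keys stay published (the comment reads "Dauer des Key-Rollover (2 Schluessel)"), it has to exceed the largest TTL in the zone plus the time the secondary (`secondary = hh.schlittermann.de`) needs to transfer the new version, otherwise resolvers can still hold RRSIGs made by the retired key after it is removed and the zone validates as bogus for them. `key_counter_end` rising from 5 to 20 signings also quadruples how long a key stays in use before a rollover, which is a policy change worth a sentence in the commit message. I would record the constraint next to the value, e.g. `abl_zeit = 24 # Dauer des Key-Rollover (2 Schluessel) in h; must exceed max zone TTL + secondary transfer delay`, so the next edit to either setting checks the same condition.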