--- a/README Fri Aug 13 17:00:37 2010 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,31 +0,0 @@
-Zonedatei erstellen
- - zone-mk <kundenname> <domainname>
- - update-zone
-
-
-Zonedatei loeschen
- - zone-rm
- - update-zone
-
-
-neuen ZSK/KSK erstellen
- - dnssec-creatkey <domain>
- - update-zone
-
-
- - dnssec-killkey (nach der Ablauf des Key-Rollover)
- - update-zone
-
-
-Schluessel loeschen
- - dnssec-killkey <domain>
- - update-zone
-
-
-Signatur update
- - update-zone
-
-
-Schlüssel update
- - dnssec-creatkey
- - update-zone
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/dnsnagios/dnssec-check Thu Sep 30 11:35:51 2010 +0200
@@ -0,0 +1,137 @@
+#! /usr/bin/perl -w
+
+use strict;
+
+my $sign_alert_time = 72; # Warnzeit in Stunden
+my $sign_critic_time = 12; # Critical-Zeit in Stunden
+my $indexserver = "84.19.194.5";
+my $dns_server = "muli.schlittermann.de";
+my $indexzone = "idx.net.schlittermann.de";
+my @sec_zones = ();
+my $set_exit = 0;
+my (@print_zones, @print_infos);
+my $inter_time;
+my $count;
+my $oldest_time = 9000000000;
+my $oldest_name;
+my $dsrec;
+my $abltime;
+my $oldest_ftime;
+my $ftime;
+chomp( my $unixtime = `date +%s` );
+
+# erzeugt liste @sec_zones aus der dig-abfrage
+my @digtxt = `dig \@$indexserver $indexzone TXT` or
+ print "PROBLEM: no results from dig \n" and exit 2;
+
+# abbruch des skripts wenn dig nicht korrekt antwortet
+# ausfiltern der zonen im index mit dnssec unterstuetzung
+for (@digtxt) {
+ chomp;
+ if (m#status\:.(.*)\,#) {
+ unless ($1 eq "NOERROR") {
+ print "PROBLEM: $indexzone not reachable \n";
+ exit 2;
+ }
+ }
+ if (m#ZONE::(.*)::sec-on#) {
+ push @sec_zones, $1;
+ }
+}
+
+# erstellt $alert_time aus der systemunixzeit und dem
+# konfigurationswert in $sign_alert_time
+$inter_time = $unixtime + ( 3600 * $sign_alert_time );
+chomp( my $alert_time = `date -d \@$inter_time +%Y%m%d%H`);
+# erstellt $critic_time
+$inter_time = $unixtime + ( 3600 * $sign_critic_time );
+chomp( my $critic_time = `date -d \@$inter_time +%Y%m%d%H`);
+
+# durchlauf fuer jede dnssec-zone
+for (@sec_zones) {
+ chomp (my @zone_dig = `dig +dnssec \@$dns_server $_`);
+ my $zone = $_;
+
+ # parst die ablaufzeit der signatur
+ for (@zone_dig) {
+ unless (m#RRSIG.*SOA#) { next;}
+ s#($zone).*([0-9]{10})([0-9]{4}).*[0-9]{14}.*#$2#;
+ # ermittelt die naechste ablaufsdomain
+ if ($oldest_time > $_) {
+ $oldest_time = $_;
+ $oldest_name = $zone;
+ $oldest_ftime = $ftime;
+ }
+ # setzt exit 2 wen die critical-time ueberschritten ist
+ if($_ < $critic_time) {
+ $set_exit = 2;
+ push @print_zones, $zone;
+ last;
+ }
+ # setzt exit 1 wen die alert-time ueberschritten ist
+ if($_ < $alert_time) {
+ unless ($set_exit == 2) {
+ $set_exit = 1;
+ }
+ push @print_zones, $zone;
+ last;
+ }
+ }
+
+ my @digtest_1 = `dig \@$dns_server $zone +dnssec DNSKEY`;
+ my @digtest_2 = `dig \@$dns_server $zone +dnssec DS`;
+ my @digtest_3 = `dig \@$dns_server $zone\.dlv.isc.org`;
+
+ # ermittelt und formatiert die ablaufzeit
+ for (@digtest_1) {
+ if (m#RRSIG.*DNSKEY.*(\d{4})(\d{2})(\d\d)(\d\d)(\d\d)(\d\d).*(\d{14})#) {
+ $ftime = "$3.$2.$1 $4:$5";
+ last;
+ }
+ }
+ # setzt die zeit fuer die naechste ablaufsdomain
+ if ($oldest_name eq $zone) {
+ $oldest_ftime = $ftime;
+ }
+
+ # zskanzahl
+ my $zskcount = 0;
+ for (@digtest_1) {
+ if (m#DNSKEY.*256#) {
+ $zskcount ++;
+ }
+ }
+ # kskanzahl
+ my $kskcount = 0;
+ for (@digtest_1) {
+ if (m#DNSKEY.*257#) {
+ $kskcount ++;
+ }
+ }
+ # ds-test
+ for (@digtest_2) {
+ if (m#IN.*RRSIG.*DS.*(\d{14}).*(\d{14}).*(\s)([a-z]{0,100}\.)(\s).*#) {
+ print "DSDS ($4) ";
+ }
+ }
+ # dlv-check
+ for (@digtest_3) {
+ if (m#NOERROR#) {
+ $dsrec = "dlv";
+ }
+ }
+ push @print_infos, "$zone - $zskcount - $kskcount - $dsrec - $ftime \n";
+ $count ++;
+}
+
+#print @print_infos;# @print_infos enthält mehr informationen
+
+# Ausgabe und Ende
+if ($set_exit == 0) {
+ print "OK: $count DNSSEC-Zones checked; ";
+ print "next end is $oldest_name at $oldest_ftime \n";
+}
+if ($set_exit == 1) { print "WARNING: "}
+if ($set_exit == 2) { print "CRITICAL: "}
+print "@print_zones ($oldest_ftime)\n";
+exit $set_exit;
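Review bot: The zone names captured by `m#ZONE::(.*)::sec-on#` come from a TXT record fetched over plain DNS from `$indexserver` (no `+dnssec` on that query) and are then interpolated unquoted into shell backticks (`dig +dnssec \@$dns_server $_`, `dig \@$dns_server $zone\.dlv.isc.org`), so a spoofed, poisoned or simply mistyped index entry containing shell metacharacters is executed under the Nagios user; validate before pushing, e.g. `next unless $1 =~ /\A[A-Za-z0-9.-]+\z/;`, or use `open my $fh, '-|', 'dig', ...` list form. The same `$zone` is interpolated into the `s#($zone).*...#` pattern without `\Q...\E`, so a name with regex metacharacters breaks the expiry parse and the line falls through to a numeric comparison as a string. `$dsrec` is never reset inside the per-zone loop, so once a single zone answers NOERROR for its dlv.isc.org lookup every later zone is reported as "dlv" in `@print_infos`; initialise it at the top of the loop (`my $dsrec = '';`). The thresholds and index zone are hard-coded here (72 h, 12 h, `idx.net.schlittermann.de`) rather than read from dnstools.conf like the other tools, so they can silently drift from `sign_alert_time` and `indexzone` in that file.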
--- a/dnssec-creatkey Fri Aug 13 17:00:37 2010 +0200
+++ b/dnssec-creatkey Thu Sep 30 11:35:51 2010 +0200
@@ -274,7 +274,7 @@
}
-# "toucht" alle zonen damit der serial erhoht wird und die
+# "toucht" alle zonen damit der serial erhoeht und die
# zone neu signiert wird
for ( &del_double( @change, @manu ) ) {
system "touch $master_dir/$_/$_";
--- a/dnstools.conf Fri Aug 13 17:00:37 2010 +0200
+++ b/dnstools.conf Thu Sep 30 11:35:51 2010 +0200
@@ -1,12 +1,16 @@
-bind_dir = /etc/bind
-master_dir = /etc/bind/master
-zone_conf_dir = /etc/bind/zones.d
-key_counter_end = 20 # Anzahl der Signierungen bis zum Key-Rollover
-sign_alert_time = 48 # Warn-Zeitraum vor dem Ablauf einer Zone-Signatur in h
-abl_zeit = 1 # Dauer des Key-Rollover (2 Schluessel) in h
+bind_dir = /etc/bind # bind-Hauptverzeichnis
+master_dir = /etc/bind/master # Verzeichnis für die einzelnen Zonen-Verzeichnisse
+zone_conf_dir = /etc/bind/zones.d # Verzeichnis für die Zonen-Konfigurationdateien
+
+key_counter_end = 20 # Anzahl der Signierungen bis zum Key-Rollover
+sign_alert_time = 72 # Warn-Zeitraum vor dem Ablauf einer Zone-Signatur in h
+abl_zeit = 24 # Dauer des Key-Rollover (2 Schluessel) in h
+
secondary = hh.schlittermann.de
primary = pu.schlittermann.de
-indexzone = index.zone.eins.lan
+
+indexzone = idx.net.schlittermann.de # Name der Indexdatei
+
#this_host
#this_ip
#this_domain
--- a/update-index Fri Aug 13 17:00:37 2010 +0200
+++ b/update-index Thu Sep 30 11:35:51 2010 +0200
@@ -53,8 +53,13 @@
for my $dir ( glob "$master_dir/*" ) {
$zone = basename($dir);
+ my $info_end = "::sec-off";
- $iz_line = "\t\tIN TXT\t\t\"ZONE::$zone\"\n";
+ if (-e "$dir/.keycounter") {
+ $info_end = "::sec-on";
+ }
+
+ $iz_line = "\t\tIN TXT\t\t\"ZONE::$zone$info_end\"\n";
push @iz_content_new, $iz_line;
}
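Review bot: `-e "$dir/.keycounter"` is also true for a directory or an empty leftover file, and the resulting `::sec-on` flag in the published TXT index is what dnsnagios/dnssec-check uses to decide which zones to query, so a marker that survives a key removal would presumably keep the zone on the monitoring list with misleading results; `-f` is the stricter test, and it is worth confirming that dnssec-killkey removes the file. Minor: `$zone` is emitted inside a double-quoted TXT value without escaping, so a name containing `"` would corrupt the record, although names under `$master_dir` are operator-controlled. The enclosing `for my $dir` loop and its caller begin and end outside this hunk.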
--- a/update-zone Fri Aug 13 17:00:37 2010 +0200
+++ b/update-zone Thu Sep 30 11:35:51 2010 +0200
@@ -21,6 +21,12 @@
use FindBin;
my @configs = ( "$FindBin::Bin/dnstools.conf", "/etc/dnstools.conf" );
+my @dnssec_killkeys
+ = ( "$FindBin::Bin/dnssec-killkey", "/usr/bin/dnstools/dnssec-killkey" );
+my $dnssec_killkey;
+my @dnssec_creatkeys
+ = ( "$FindBin::Bin/dnssec-creatkey", "/usr/bin/dnstools/dnssec-creatkey" );
+my $dnssec_creatkey;
my @dnssec_signs
= ( "$FindBin::Bin/dnssec-sign", "/usr/bin/dnstools/dnssec-sign" );
my %config;
@@ -34,6 +40,22 @@
unless ( seek( CONFIG, 0, 0 ) ) {
die "Can't open config (searched: @configs)\n";
}
+foreach ( grep {-f} @dnssec_killkeys ) {
+ if ( -x $_ ) {
+ $dnssec_killkey = $_;
+ }
+ else {
+ die "Can't run $_\n";
+ }
+}
+foreach ( grep {-f} @dnssec_creatkeys ) {
+ if ( -x $_ ) {
+ $dnssec_creatkey = $_;
+ }
+ else {
+ die "Can't run $_\n";
+ }
+}
foreach ( grep {-f} @dnssec_signs ) {
if ( -x $_ ) {
$dnssec_sign = $_;
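Review bot: The new lookup loops do not stop at the first usable candidate, so when both `$FindBin::Bin/dnssec-killkey` and `/usr/bin/dnstools/dnssec-killkey` exist the installed copy silently wins over the one beside update-zone, a stale non-executable file at either location aborts the whole run even though the other is fine, and if neither exists `$dnssec_killkey` stays undef until the `system` call much later. A first-match selection with an explicit failure is more predictable: `($dnssec_killkey) = grep { -x } grep { -f } @dnssec_killkeys;` followed by `die "No executable dnssec-killkey (searched: @dnssec_killkeys)\n" unless defined $dnssec_killkey;`, and the same for creatkey. The pre-existing dnssec-sign loop that this hunk ends inside has the same shape, so all three would best be changed together.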
@@ -65,6 +87,7 @@
my @Zones;
my $file;
+
sub cleanup() { unlink @tmpfiles; }
END { cleanup(); }
@@ -78,7 +101,7 @@
@Zones = @ARGV ? @ARGV : glob("$master_dir/*");
MAIN: {
- my $changed;
+ my $changed = 0;
my ( $dd, $mm, $yy ) = ( localtime() )[ 3 .. 5 ];
my $date;
$mm++;
@@ -109,12 +132,12 @@
print "$2 ==> $2.signed\n";
$_ = "$1$2.signed$3\n";
}
+ }
- open( FILE, ">$conf_file" ) or die "$conf_file: $!\n";
- print FILE @c_content;
- close(FILE);
-
- }
+ open( FILE, ">$conf_file" ) or die "$conf_file: $!\n";
+ print FILE @c_content;
+ close(FILE);
+
}
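Review bot: Moving the write of `$conf_file` out of the inner loop is the right fix, but the relocated code still truncates the live zone config in place through a bareword two-argument `open` and an unchecked `close(FILE)`, so a full disk or a signal between `open` and `close` leaves a zone fragment empty that is later concatenated into `named.conf.zones`, and a failed buffered flush goes unnoticed. At minimum check the close, `close(FILE) or die "$conf_file: $!\n";`, and preferably write to `"$conf_file.tmp"` with `open my $fh, '>', ...` and `rename` it over the original so the update is atomic. The enclosing loop and `if` branch begin before this hunk.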
else {
@@ -136,6 +159,7 @@
}
# erzeugt eine named.conf-datei aus den entsprechenden vorlagen.
+ print "** creat named.conf.zones **\n";
open( TO, ">$bind_dir/named.conf.zones" )
or die "$bind_dir/named.conf.zones: $!\n";
while (<$conf_dir/*>) {
@@ -145,7 +169,20 @@
}
close(TO);
+ # aufruf von sign-killkey
+ print "** execute dnssec-killkey for keyrollover **\n";
+ system "$dnssec_killkey";
+ die "$dnssec_killkey not found ($!)" if $? == -1;
+ exit 1 if $?;
+
+ # aufruf von sign-creatkey
+ print "** execute dnssec-creatkey for keyrollover **\n";
+ system "$dnssec_creatkey";
+ die "$dnssec_creatkey not found ($!)" if $? == -1;
+ exit 1 if $?;
+
# update-serial
+ print "** update serial **\n";
foreach ( $dd, $mm ) { s/^\d$/0$&/; }
$yy += 1900;
$date = "$yy$mm$dd";
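Review bot: `dnssec-killkey` and `dnssec-creatkey` are invoked with no arguments after `named.conf.zones` has been regenerated but before the serial update, so an `exit 1` on either leaves the run half-done with a rewritten named.conf.zones and un-bumped serials, and unlike the `dnssec-sign @change_names` call further down they are not limited to `@Zones`, so `update-zone example.org` presumably rolls keys for every zone under `$master_dir` — confirm that is intended or pass the selected zones through. Consider running the two helpers after the serial bump (or making their failure roll back nothing the script has already written), and fixing the comments, which say `sign-killkey`/`sign-creatkey` while the programs called are dnssec-killkey/dnssec-creatkey. The `MAIN:` block this sits in begins before and continues past this hunk.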
@@ -221,8 +258,10 @@
my $pidfile;
- print
- "** Changed $changed files, the nameserver needs to be reloaded!\n";
+ unless ($changed == 0) {
+ print "Changed $changed files.\n";
+ }
+
foreach (
qw(/var/run/bind/run/named.pid /var/run/named.pid /etc/named.pid))
{
@@ -230,6 +269,7 @@
}
# dnssec-sign aufruf fuer geanderten domains
+ print "** execute dnssec-sign **\n";
system "$dnssec_sign @change_names";
die "$dnssec_sign not found ($!)" if $? == -1;
exit 1 if $?;
--- a/zone-ls Fri Aug 13 17:00:37 2010 +0200
+++ b/zone-ls Thu Sep 30 11:35:51 2010 +0200
@@ -36,7 +36,7 @@
die "$master_dir: $!\n";
}
-printf "%-25s %-8s %1s/%1s %3s %7s\n", "Domain", "Status", "ZSK", "KSK",
+printf "%-35s %-8s %1s/%1s %3s %7s\n", "Domain", "Status", "ZSK", "KSK",
"Used", "Sig-end";
for my $dir ( glob "$master_dir/*" ) {
@@ -93,7 +93,7 @@
}
continue {
- printf "%-25s %-8s %1d/%1d %5d %19s\n", $zone, $info_status, $info_zsk,
+ printf "%-35s %-8s %1d/%1d %5d %19s\n", $zone, $info_status, $info_zsk,
$info_ksk, $info_kc,
$info_end;
}