|
@@ -0,0 +1,170 @@
|
|
|
+#!/usr/bin/env bash
|
|
|
+
|
|
|
+#####################################################
|
|
|
+# This script require the following
|
|
|
+#
|
|
|
+# * A path structure like this:
|
|
|
+# [..path..]/<domainname.tld>/
|
|
|
+# * This path contains a zone file named `db`
|
|
|
+#
|
|
|
+# Your named.conf.local file must link to a
|
|
|
+# filed named `db.signed`, e.g
|
|
|
+#
|
|
|
+# zone "domain.tld" {
|
|
|
+# type master;
|
|
|
+# file "[..path..]/domain.tld/db.signed";
|
|
|
+# };
|
|
|
+#
|
|
|
+# USAGE:
|
|
|
+#
|
|
|
+# 1. Make `dnssec-signer` executable:
|
|
|
+# chmod +x /path/to/dnssec-signer
|
|
|
+#
|
|
|
+# 2. Run:
|
|
|
+# ./path/to/dnssec-signer <domain.tld>
|
|
|
+# 3. Or, for every domain in path
|
|
|
+# ./path/to/dnssec-signer
|
|
|
+#
|
|
|
+######################################################
|
|
|
+
|
|
|
+######################################################
|
|
|
+# START OF CONFIG #
|
|
|
+######################################################
|
|
|
+# SET YOU SYSTEM SPECIFIC DATA (which systemctl e.g) #
|
|
|
+
|
|
|
+ZONESDIR="/etc/bind/zones"
|
|
|
+CHECKZONE=/usr/sbin/named-checkzone
|
|
|
+CHECKCONF=/usr/sbin/named-checkconf
|
|
|
+KEYGEN=/usr/sbin/dnssec-keygen
|
|
|
+SIGNZONE=/usr/sbin/dnssec-signzone
|
|
|
+SYSCTL=/bin/systemctl
|
|
|
+DNSSERVICE="bind9.service"
|
|
|
+
|
|
|
+######################################################
|
|
|
+# END OF CONFIG #
|
|
|
+######################################################
|
|
|
+
|
|
|
+# Collect arguments
|
|
|
+ZONES="${*}"
|
|
|
+IFS=' ', read -r -a ZONES <<< "${ZONES}"
|
|
|
+
|
|
|
+# Generating keys for zone
|
|
|
+# Note, this doesnt check if they exists!
|
|
|
+function genkeys {
|
|
|
+ ZONE=${1}
|
|
|
+ echo "* Generating missing keys for ZONE ${ZONE}"
|
|
|
+
|
|
|
+ ${KEYGEN} -a NSEC3RSASHA1 -b 2048 -n ZONE "${ZONE}"
|
|
|
+ if [ $? -ne 0 ]; then
|
|
|
+ return 1
|
|
|
+ fi
|
|
|
+
|
|
|
+ ${KEYGEN} -f KSK -a NSEC3RSASHA1 -b 4096 -n ZONE "${ZONE}"
|
|
|
+ if [ $? -ne 0 ]; then
|
|
|
+ return 1
|
|
|
+ fi
|
|
|
+
|
|
|
+ return 0
|
|
|
+}
|
|
|
+
|
|
|
+# Sign zone
|
|
|
+# The actual signing process.
|
|
|
+function sign {
|
|
|
+ ZONE="${1}"
|
|
|
+ echo " * Signing ZONE ${ZONE}"
|
|
|
+
|
|
|
+ if ! [ -d "${2}" ]; then
|
|
|
+ echo "! Error, path ${2} doesnt exist, abort."
|
|
|
+ return 1
|
|
|
+ fi
|
|
|
+
|
|
|
+ cd "${2}"
|
|
|
+ echo `pwd`
|
|
|
+
|
|
|
+ F="db"
|
|
|
+
|
|
|
+ if ! [ -w "${F}" ]; then
|
|
|
+ echo "! Missing $(pwd)/${F}, abort."
|
|
|
+ return 1
|
|
|
+ fi
|
|
|
+
|
|
|
+ ZONEF="db.zone"
|
|
|
+ ZONEINCF="${ZONEF}.include"
|
|
|
+
|
|
|
+ KEYS=()
|
|
|
+
|
|
|
+ for KEY in $(ls "./"); do
|
|
|
+ if [[ "${KEY}" == "K${ZONE}"* ]] && [[ "${KEY}" == *key ]]; then
|
|
|
+ KEYS[${#KEYS[@]}]="${KEY}"
|
|
|
+ fi
|
|
|
+ done
|
|
|
+
|
|
|
+ if [ "${#KEYS[@]}" -ne 2 ]; then
|
|
|
+ if [ "${#KEYS[@]}" -ne 0 ]; then
|
|
|
+ rm "${KEYS[@]}"
|
|
|
+ fi
|
|
|
+
|
|
|
+ genkeys "${ZONE}"
|
|
|
+ if [ $? -ne 0 ]; then
|
|
|
+ echo "! Error generating keys, abort."
|
|
|
+ return 1
|
|
|
+ fi
|
|
|
+
|
|
|
+ sign "${ZONE}"
|
|
|
+ return $?
|
|
|
+ fi
|
|
|
+
|
|
|
+ cat "${F}" > "${ZONEINCF}"
|
|
|
+ for KEY in "${KEYS[@]}"; do
|
|
|
+ echo "\$INCLUDE ${KEY}" >> "${ZONEINCF}"
|
|
|
+ done
|
|
|
+
|
|
|
+ SALT=$(head -c 1000 /dev/random | sha1sum | cut -b 1-16)
|
|
|
+ ${SIGNZONE} -A -3 "${SALT}" -N increment -f "${ZONEF}" -o "${ZONE}" -t "${ZONEINCF}"
|
|
|
+
|
|
|
+ if [ $? -ne 0 ]; then
|
|
|
+ echo "! Error signing zone ${ZONE}, abort."
|
|
|
+ return 2
|
|
|
+ fi
|
|
|
+
|
|
|
+ echo "* Checking configuration: "
|
|
|
+ ${CHECKZONE} "${ZONE}" "${ZONEF}"
|
|
|
+ if [ $? -ne 0 ]; then
|
|
|
+ echo "! Error in configuration for ${ZONE} => ${SONEF}."
|
|
|
+ return 2
|
|
|
+ fi
|
|
|
+ return 0
|
|
|
+}
|
|
|
+
|
|
|
+# Sign zone;
|
|
|
+# Checks that dir exists first...
|
|
|
+# and ensures we're entering and leaving correctly
|
|
|
+function signzone {
|
|
|
+ SIGN="${1}"
|
|
|
+ CWDIR=$(pwd)
|
|
|
+ sign "${1}" "${ZONESDIR}/${SIGN}"
|
|
|
+ RET=$?
|
|
|
+ cd "${CWDIR}"
|
|
|
+ return ${RET}
|
|
|
+}
|
|
|
+
|
|
|
+ERR=0
|
|
|
+for ZONE in "${ZONES[@]}"; do
|
|
|
+ signzone "${ZONE}"
|
|
|
+ if [ $? -eq 2 ]; then
|
|
|
+ # To prevent restarting dns if failure
|
|
|
+ ERR=1
|
|
|
+ fi
|
|
|
+done;
|
|
|
+
|
|
|
+if [ ${ERR} -eq 0 ]; then
|
|
|
+ ${CHECKCONF}
|
|
|
+ if [ $? -ne 0 ]; then
|
|
|
+ echo "! Error in configruation, not reloading Bind"
|
|
|
+ else
|
|
|
+ echo "* Restarting ${DNSSERVICE}"
|
|
|
+ ${SYSCTL} restart "${DNSSERVICE}"
|
|
|
+ fi
|
|
|
+else
|
|
|
+ echo "Errors in some configurations, not restarting bind."
|
|
|
+fi
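Review bot: The retry after key generation, the recursive `sign "${ZONE}"` call in the key-regeneration branch of `sign`, passes no directory argument, so the `! [ -d "${2}" ]` guard at the top of `sign` fails and a zone whose keys were just created is never signed on that run; it should read `sign "${ZONE}" "${2}"`. Just above it, `rm "${KEYS[@]}"` deletes every existing key file whenever the count is not exactly two, which also discards the KSK during a normal key rollover (three or four key files present) and silently invalidates the DS record at the parent — regenerating only when no keys exist, or aborting with a message, would be the safer behaviour. The `-a NSEC3RSASHA1` algorithm in `genkeys` is SHA-1 based and is marked not recommended for new signing by RFC 8624; `-a ECDSAP256SHA256` (or `RSASHA256`) is the conventional choice today. Smaller points: `${SONEF}` in the named-checkzone error message is a typo for `${ZONEF}`, and with no arguments the script signs nothing yet still restarts bind, contrary to the "for every domain in path" usage in the header.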
|