
Added source and updated README

root 6 years ago
parent
commit
8453f40c8b
2 changed files with 174 additions and 1 deletions
  1. 4 1
      README.md
  2. 170 0
      dnssec-signer

+ 4 - 1
README.md

@@ -1,3 +1,6 @@
 # dnssec-signer
 
-DNSSEC sign DNS (Bind9) zones in one command. DNSSEC-ninja!
+DNSSEC sign DNS zone(s) in one command. DNSSEC-ninja!
+
+## Usage?
+See source code by now.

+ 170 - 0
dnssec-signer

@@ -0,0 +1,170 @@
+#!/usr/bin/env bash
+
+#####################################################
+# This script require the following
+#
+# * A path structure like this:
+# 	[..path..]/<domainname.tld>/
+# * This path contains a zone file named `db`
+#
+# Your named.conf.local file must link to a
+# filed named `db.signed`, e.g
+#
+# zone "domain.tld" {
+# 	type master;
+# 	file "[..path..]/domain.tld/db.signed";
+# };
+#
+# USAGE: 
+#
+# 1. Make `dnssec-signer` executable:
+# 	chmod +x /path/to/dnssec-signer
+# 
+# 2. Run:
+# 	./path/to/dnssec-signer <domain.tld>
+# 3. Or, for every domain in path
+# 	./path/to/dnssec-signer
+#
+######################################################
+
+######################################################
+# 		  START OF CONFIG		     #
+######################################################
+# SET YOU SYSTEM SPECIFIC DATA (which systemctl e.g) #
+
+ZONESDIR="/etc/bind/zones"
+CHECKZONE=/usr/sbin/named-checkzone
+CHECKCONF=/usr/sbin/named-checkconf
+KEYGEN=/usr/sbin/dnssec-keygen
+SIGNZONE=/usr/sbin/dnssec-signzone
+SYSCTL=/bin/systemctl
+DNSSERVICE="bind9.service"
+
+######################################################
+# 	   	    END OF CONFIG		     #
+######################################################
+
+# Collect arguments
+ZONES="${*}"
+IFS=' ', read -r -a ZONES <<< "${ZONES}"
+
+# Generating keys for zone
+# Note, this doesnt check if they exists!
+function genkeys {
+	ZONE=${1}
+	echo "* Generating missing keys for ZONE ${ZONE}"
+
+	${KEYGEN} -a NSEC3RSASHA1 -b 2048 -n ZONE "${ZONE}"
+	if [ $? -ne 0 ]; then
+		return 1
+	fi
+
+	${KEYGEN} -f KSK -a NSEC3RSASHA1 -b 4096 -n ZONE "${ZONE}"
+	if [ $? -ne 0 ]; then
+		return 1
+	fi
+
+	return 0
+}
+
+# Sign zone
+# The actual signing process.
+function sign {
+	ZONE="${1}"
+	echo " * Signing ZONE ${ZONE}"
+
+	if ! [ -d "${2}" ]; then
+		echo "! Error, path ${2} doesnt exist, abort."
+		return 1
+	fi
+
+	cd "${2}"
+	echo `pwd`
+
+	F="db"
+
+	if ! [ -w "${F}" ]; then
+		echo "! Missing $(pwd)/${F}, abort."
+		return 1
+	fi
+
+	ZONEF="db.zone"
+	ZONEINCF="${ZONEF}.include"
+	
+	KEYS=()
+	
+	for KEY in $(ls "./"); do
+		if [[ "${KEY}" == "K${ZONE}"* ]] && [[ "${KEY}" == *key ]]; then
+			KEYS[${#KEYS[@]}]="${KEY}"
+		fi
+	done
+	
+	if [ "${#KEYS[@]}" -ne 2 ]; then
+		if [ "${#KEYS[@]}" -ne 0 ]; then
+			rm "${KEYS[@]}"
+		fi
+
+		genkeys "${ZONE}"
+		if [ $? -ne 0 ]; then
+			echo "! Error generating keys, abort."
+			return 1
+		fi
+
+		sign "${ZONE}"
+		return $?
+	fi
+
+	cat "${F}" > "${ZONEINCF}"
+	for KEY in "${KEYS[@]}"; do
+		echo "\$INCLUDE ${KEY}" >> "${ZONEINCF}"
+	done
+
+	SALT=$(head -c 1000 /dev/random | sha1sum | cut -b 1-16)
+	${SIGNZONE} -A -3 "${SALT}" -N increment -f "${ZONEF}" -o "${ZONE}" -t "${ZONEINCF}"
+
+	if [ $? -ne 0 ]; then
+		echo "! Error signing zone ${ZONE}, abort."
+		return 2
+	fi
+
+	echo "* Checking configuration: "
+	${CHECKZONE} "${ZONE}" "${ZONEF}"
+	if [ $? -ne 0 ]; then
+		echo "! Error in configuration for ${ZONE} => ${SONEF}."
+		return 2
+	fi
+	return 0
+}
+
+# Sign zone;
+# Checks that dir exists first...
+# and ensures we're entering and leaving correctly
+function signzone {
+	SIGN="${1}"
+	CWDIR=$(pwd)
+	sign "${1}" "${ZONESDIR}/${SIGN}"
+	RET=$?
+	cd "${CWDIR}"
+	return ${RET}
+}
+
+ERR=0
+for ZONE in "${ZONES[@]}"; do
+	signzone "${ZONE}"
+	if [ $? -eq 2 ]; then
+		# To prevent restarting dns if failure
+		ERR=1
+	fi
+done;
+
+if [ ${ERR} -eq 0 ]; then
+	${CHECKCONF}
+	if [ $? -ne 0 ]; then
+		echo "! Error in configruation, not reloading Bind"
+	else
+		echo "* Restarting ${DNSSERVICE}"
+		${SYSCTL} restart "${DNSSERVICE}"
+	fi
+else
+	echo "Errors in some configurations, not restarting bind."
+fi
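Review bot: The recursive call `sign "${ZONE}"` after genkeys drops the directory argument, so the `[ -d "${2}" ]` guard at the top of sign sees an empty path and every zone that just had keys generated aborts with "path doesnt exist"; it should read `sign "${ZONE}" "${2}"`. The failure message in the named-checkzone branch interpolates `${SONEF}`, which is never assigned — `${ZONEF}` is meant. The key discovery loop `for KEY in $(ls "./")` parses ls output; a glob such as `for KEY in "K${ZONE}"*.key; do [[ -e "${KEY}" ]] || continue; …` is safer and shorter, and note that the cleanup `rm "${KEYS[@]}"` removes only the .key halves, leaving orphaned .private files beside the regenerated pair. The header also promises that running with no arguments signs every domain under ZONESDIR, but an empty ZONES array simply falls through to the checkconf/restart step, so either enumerate the directory or drop that claim. Separately, NSEC3RSASHA1 is a SHA-1 based algorithm that current guidance (RFC 8624) recommends against for new signing; RSASHA256 or ECDSAP256SHA256 would be the conventional choice, though switching is a key-rollover decision for the zone operator rather than a drop-in edit.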