- #!/usr/bin/env bash
- #####################################################
- # This script requires the following:
- #
- # * A path structure like this:
- # [..path..]/<domainname.tld>/
- # * This path contains a zone file named `db`
- #
- # Your named.conf.local file must link to a
- # file named `db.signed`, e.g.
- #
- # zone "domain.tld" {
- # type master;
- # file "[..path..]/domain.tld/db.signed";
- # };
- #
- # USAGE:
- #
- # 1. Make `dnssec-signer` executable:
- # chmod +x /path/to/dnssec-signer
- #
- # 2. Run:
- # ./path/to/dnssec-signer <domain.tld>
- # 3. Or, for every domain in path
- # ./path/to/dnssec-signer
- #
- ######################################################
- ######################################################
- # START OF CONFIG #
- ######################################################
- # SET YOUR SYSTEM SPECIFIC DATA (which systemctl e.g) #
- ZONESDIR="/etc/bind/zones"
- CHECKZONE=/usr/sbin/named-checkzone
- CHECKCONF=/usr/sbin/named-checkconf
- KEYGEN=/usr/sbin/dnssec-keygen
- SIGNZONE=/usr/sbin/dnssec-signzone
- SYSCTL=/bin/systemctl
- DNSSERVICE="bind9.service"
- ######################################################
- # END OF CONFIG #
- ######################################################
- # Collect arguments
- ZONES="${*}"
- IFS=' ', read -r -a ZONES <<< "${ZONES}"
- # Generating keys for zone
- # Note, this doesnt check if they exists!
- function genkeys {
- ZONE=${1}
- echo "* Generating missing keys for ZONE ${ZONE}"
- ${KEYGEN} -a NSEC3RSASHA1 -b 2048 -n ZONE "${ZONE}"
- if [ $? -ne 0 ]; then
- return 1
- fi
- ${KEYGEN} -f KSK -a NSEC3RSASHA1 -b 4096 -n ZONE "${ZONE}"
- if [ $? -ne 0 ]; then
- return 1
- fi
- return 0
- }
- # Sign zone
- # The actual signing process.
- function sign {
- ZONE="${1}"
- echo " * Signing ZONE ${ZONE}"
- if ! [ -d "${2}" ]; then
- echo "! Error, path ${2} doesnt exist, abort."
- return 1
- fi
- cd "${2}"
- echo `pwd`
- F="db"
- if ! [ -w "${F}" ]; then
- echo "! Missing $(pwd)/${F}, abort."
- return 1
- fi
- ZONEF="db.zone"
- ZONEINCF="${ZONEF}.include"
-
- KEYS=()
-
- for KEY in $(ls "./"); do
- if [[ "${KEY}" == "K${ZONE}"* ]] && [[ "${KEY}" == *key ]]; then
- KEYS[${#KEYS[@]}]="${KEY}"
- fi
- done
-
- if [ "${#KEYS[@]}" -ne 2 ]; then
- if [ "${#KEYS[@]}" -ne 0 ]; then
- rm "${KEYS[@]}"
- fi
- genkeys "${ZONE}"
- if [ $? -ne 0 ]; then
- echo "! Error generating keys, abort."
- return 1
- fi
- sign "${ZONE}"
- return $?
- fi
- cat "${F}" > "${ZONEINCF}"
- for KEY in "${KEYS[@]}"; do
- echo "\$INCLUDE ${KEY}" >> "${ZONEINCF}"
- done
- SALT=$(head -c 1000 /dev/random | sha1sum | cut -b 1-16)
- ${SIGNZONE} -A -3 "${SALT}" -N increment -f "${ZONEF}" -o "${ZONE}" -t "${ZONEINCF}"
- if [ $? -ne 0 ]; then
- echo "! Error signing zone ${ZONE}, abort."
- return 2
- fi
- echo "* Checking configuration: "
- ${CHECKZONE} "${ZONE}" "${ZONEF}"
- if [ $? -ne 0 ]; then
- echo "! Error in configuration for ${ZONE} => ${SONEF}."
- return 2
- fi
- return 0
- }
- # Sign zone;
- # Checks that dir exists first...
- # and ensures we're entering and leaving correctly
- function signzone {
- SIGN="${1}"
- CWDIR=$(pwd)
- sign "${1}" "${ZONESDIR}/${SIGN}"
- RET=$?
- cd "${CWDIR}"
- return ${RET}
- }
- ERR=0
- for ZONE in "${ZONES[@]}"; do
- signzone "${ZONE}"
- if [ $? -eq 2 ]; then
- # To prevent restarting dns if failure
- ERR=1
- fi
- done;
- if [ ${ERR} -eq 0 ]; then
- ${CHECKCONF}
- if [ $? -ne 0 ]; then
- echo "! Error in configruation, not reloading Bind"
- else
- echo "* Restarting ${DNSSERVICE}"
- ${SYSCTL} restart "${DNSSERVICE}"
- fi
- else
- echo "Errors in some configurations, not restarting bind."
- fi