giaever.online
/
dnssec-signer


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170
							#!/usr/bin/env bash

#####################################################
# This script require the following
#
# * A path structure like this:
# 	[..path..]/<domainname.tld>/
# * This path contains a zone file named `db`
#
# Your named.conf.local file must link to a
# filed named `db.signed`, e.g
#
# zone "domain.tld" {
# 	type master;
# 	file "[..path..]/domain.tld/db.signed";
# };
#
# USAGE: 
#
# 1. Make `dnssec-signer` executable:
# 	chmod +x /path/to/dnssec-signer
# 
# 2. Run:
# 	./path/to/dnssec-signer <domain.tld>
# 3. Or, for every domain in path
# 	./path/to/dnssec-signer
#
######################################################

######################################################
# 		  START OF CONFIG		     #
######################################################
# SET YOU SYSTEM SPECIFIC DATA (which systemctl e.g) #

ZONESDIR="/etc/bind/zones"
CHECKZONE=/usr/sbin/named-checkzone
CHECKCONF=/usr/sbin/named-checkconf
KEYGEN=/usr/sbin/dnssec-keygen
SIGNZONE=/usr/sbin/dnssec-signzone
SYSCTL=/bin/systemctl
DNSSERVICE="bind9.service"

######################################################
# 	   	    END OF CONFIG		     #
######################################################

# Collect arguments
ZONES="${*}"
IFS=' ', read -r -a ZONES <<< "${ZONES}"

# Generating keys for zone
# Note, this doesnt check if they exists!
function genkeys {
	ZONE=${1}
	echo "* Generating missing keys for ZONE ${ZONE}"

	${KEYGEN} -a NSEC3RSASHA1 -b 2048 -n ZONE "${ZONE}"
	if [ $? -ne 0 ]; then
		return 1
	fi

	${KEYGEN} -f KSK -a NSEC3RSASHA1 -b 4096 -n ZONE "${ZONE}"
	if [ $? -ne 0 ]; then
		return 1
	fi

	return 0
}

# Sign zone
# The actual signing process.
function sign {
	ZONE="${1}"
	echo " * Signing ZONE ${ZONE}"

	if ! [ -d "${2}" ]; then
		echo "! Error, path ${2} doesnt exist, abort."
		return 1
	fi

	cd "${2}"
	echo `pwd`

	F="db"

	if ! [ -w "${F}" ]; then
		echo "! Missing $(pwd)/${F}, abort."
		return 1
	fi

	ZONEF="db.zone"
	ZONEINCF="${ZONEF}.include"
	
	KEYS=()
	
	for KEY in $(ls "./"); do
		if [[ "${KEY}" == "K${ZONE}"* ]] && [[ "${KEY}" == *key ]]; then
			KEYS[${#KEYS[@]}]="${KEY}"
		fi
	done
	
	if [ "${#KEYS[@]}" -ne 2 ]; then
		if [ "${#KEYS[@]}" -ne 0 ]; then
			rm "${KEYS[@]}"
		fi

		genkeys "${ZONE}"
		if [ $? -ne 0 ]; then
			echo "! Error generating keys, abort."
			return 1
		fi

		sign "${ZONE}"
		return $?
	fi

	cat "${F}" > "${ZONEINCF}"
	for KEY in "${KEYS[@]}"; do
		echo "\$INCLUDE ${KEY}" >> "${ZONEINCF}"
	done

	SALT=$(head -c 1000 /dev/random | sha1sum | cut -b 1-16)
	${SIGNZONE} -A -3 "${SALT}" -N increment -f "${ZONEF}" -o "${ZONE}" -t "${ZONEINCF}"

	if [ $? -ne 0 ]; then
		echo "! Error signing zone ${ZONE}, abort."
		return 2
	fi

	echo "* Checking configuration: "
	${CHECKZONE} "${ZONE}" "${ZONEF}"
	if [ $? -ne 0 ]; then
		echo "! Error in configuration for ${ZONE} => ${SONEF}."
		return 2
	fi
	return 0
}

# Sign zone;
# Checks that dir exists first...
# and ensures we're entering and leaving correctly
function signzone {
	SIGN="${1}"
	CWDIR=$(pwd)
	sign "${1}" "${ZONESDIR}/${SIGN}"
	RET=$?
	cd "${CWDIR}"
	return ${RET}
}

ERR=0
for ZONE in "${ZONES[@]}"; do
	signzone "${ZONE}"
	if [ $? -eq 2 ]; then
		# To prevent restarting dns if failure
		ERR=1
	fi
done;

if [ ${ERR} -eq 0 ]; then
	${CHECKCONF}
	if [ $? -ne 0 ]; then
		echo "! Error in configruation, not reloading Bind"
	else
		echo "* Restarting ${DNSSERVICE}"
		${SYSCTL} restart "${DNSSERVICE}"
	fi
else
	echo "Errors in some configurations, not restarting bind."
fi