author | Matthieu Saulnier <casper@casperlefantom.net> | 2019-09-28 19:54:32 +0200 |
---|---|---|
committer | Matthieu Saulnier <casper@casperlefantom.net> | 2019-09-28 19:54:32 +0200 |
commit | c547a3ce8a9bdc721ca313ae72f9ae887a0b099c (patch) | |
tree | e354d3bb05c1d0551fd738688363c3f211207dac | |
parent | e585163c8b77390c5573fbf18ed2b4998d21c0d2 (diff) | |
Add the DNSSEC feature
-rw-r--r-- | .gitignore | 1 | ||||
-rwxr-xr-x | bin/dnssec-sign.sh | 372 | ||||
-rw-r--r-- | roles/dnsserver/tasks/config.yml | 14 | ||||
-rw-r--r-- | roles/dnsserver/templates/named.conf.j2 | 8 | ||||
-rw-r--r-- | roles/dnsserver/vars/main.yml | 2 |
5 files changed, 397 insertions, 0 deletions
@@ -1,6 +1,7 @@
 roles/diagnostics/files/aidedb-hash
 roles/dnsserver/vars/keys.yml
 roles/dnsserver/files/dnssec
+roles/dnsserver/files/signatures
 roles/torrelay/vars/email.yml
 roles/torrelay/vars/keys.yml
 roles/torrelay/files/rendezvous
diff --git a/bin/dnssec-sign.sh b/bin/dnssec-sign.sh
new file mode 100755
index 0000000..88f25e5
--- /dev/null
+++ b/bin/dnssec-sign.sh
@@ -0,0 +1,372 @@
+#!/usr/bin/bash
+
+
+
+function prep {
+ ###
+ # User variables, you may edit these variables
+ ###
+ if [ ! -z "$WORKDIR" ]
+ then
+ echo -e "$OK working directory is $WORKDIR"
+ else
+ WORKDIR="roles/dnsserver/files/dnssec" # you may edit this
+ fi
+
+ if [ ! -z "$TARGETDIR" ]
+ then
+ echo -e "$OK target directory is $TARGETDIR"
+ else
+ TARGETDIR="/home/casper/park-admin/playbooks-ansible/roles/dnsserver/files/signatures" # you may edit this
+ fi
+
+ PEPPERANDSALT=$(head -c 1000 /dev/random |sha1sum |cut -b 1-16)
+ ###
+ # Stop editing, it is ready
+ ###
+
+ # sortie formatée des logs
+ OK="\e[0m[ \e[92mOK\e[0m ]"
+ ERROR="\e[0m[ \e[91mERROR\e[0m ]"
+ INFO="\e[0m[ \e[93mINFO\e[0m ]"
+
+ if [ -z "$DOMAIN" ]
+ then
+ echo -e "$ERROR there is no domain to sign"
+ exit 25
+ fi
+
+
+ if [ ! -z "$SUB" ]
+ then
+ SUBDOMAIN=""
+ for i in $SUB
+ do
+ SUBDOMAIN="$SUBDOMAIN ${i}.$DOMAIN"
+ done
+ else
+ SUBDOMAIN=""
+ echo -e "$OK there is no subdomain to sign"
+ fi
+
+
+ if [ -e $WORKDIR ]
+ then
+ echo -e "$OK testing root directory"
+ else
+ echo -e "$ERROR root directory is not reacheable, use -d option"
+ exit 1
+ fi
+
+
+ if [ -e $TARGETDIR ]
+ then
+ echo -e "$OK testing target directory"
+ else
+ echo -e "$ERROR target directory is not reacheable, use -t option"
+ exit 1
+ fi
+
+
+ # vérifier si la commande est installée
+ if ( rpm -q bind-dnssec-utils >/dev/null )
+ then
+ echo -e "$OK all dependancies are installed"
+ else
+ echo -e "$ERROR dependancies are missing"
+ exit 1
+ fi
+}
+
+
+
+function genkey {
+ # GENKEY
+ # générer les clés
+ pushd $WORKDIR/$DOMAIN/ >/dev/null
+ VERSION=$(date +%Y%m%d%H%M%S)
+
+ for i in $DOMAIN $SUBDOMAIN
+ do
+
+ pushd $i >/dev/null
+
+ mkdir $VERSION
+ pushd $VERSION >/dev/null
+
+ # générer une clé Zone Signing Key (ZSK)
+ echo -e "$INFO creating new Zone Signing Key ZSK..."
+ dnssec-keygen -a NSEC3RSASHA1 -b 2048 -n ZONE $i
+
+ # générer une clé Key Signing Key (KSK)
+ echo -e "$INFO creating new Key Signing Key KSK..."
+ dnssec-keygen -f KSK -a NSEC3RSASHA1 -b 4096 -n ZONE $i
+ popd >/dev/null
+ popd >/dev/null
+
+ done
+ popd >/dev/null
+}
+
+
+
+function sign {
+ # SIGN
+ # préparer les fichiers pour signature :
+ # ajout des DNSKEY records dans toutes les zones
+ pushd $WORKDIR/$DOMAIN/ >/dev/null
+ pushd $DOMAIN >/dev/null
+ if ( ls |grep 20 >/dev/null )
+ then
+ VERSION=$(ls |grep 20 |tail -n 1)
+ echo -e "$OK dns keys has been found for signature"
+ else
+ echo -e "$ERROR dns keys has not been found for signature"
+ exit 2
+ fi
+ popd >/dev/null
+
+ for i in $DOMAIN $SUBDOMAIN
+ do
+
+ ZONEFILE="${i}.zone"
+ TMPZONEFILE="${i}.zone.edited"
+ pushd $i >/dev/null
+
+ cp -f $ZONEFILE $TMPZONEFILE
+
+ SERIAL=$(/usr/sbin/named-checkzone $i $ZONEFILE | egrep -ho '[0-9]{10}')
+ NEWSERIAL=$((SERIAL + 1))
+ echo -e "$OK new serial is: $NEWSERIAL"
+ VERSION=$(ls |grep 20 |tail -n 1)
+
+ for key in `ls $VERSION/K${i}*.key`
+ do
+ echo -e "$INFO adding DNSKEY records..."
+ echo "\$INCLUDE $key" >> $TMPZONEFILE
+ done
+
+ # mise à jour du serial
+ echo -e "$INFO updating serial..."
+ sed -i 's/'$SERIAL'/'$NEWSERIAL'/' $TMPZONEFILE
+ popd >/dev/null
+
+ done
+
+
+ # signer les sous-domaines
+ for i in $SUBDOMAIN
+ do
+
+ ZONEFILE="${i}.zone"
+ TMPZONEFILE="${i}.zone.edited"
+ pushd $i >/dev/null
+
+ VERSION=$(ls |grep 20 |tail -n 1)
+ echo -e "$INFO making signature of DNS records..."
+ if ( dnssec-signzone -d $VERSION -K $VERSION -3 $PEPPERANDSALT -A -N INCREMENT -o $i -t $TMPZONEFILE )
+ then
+ echo -e "$OK signature done for $i"
+ else
+ echo -e "$ERROR cannot make signature for $i"
+ exit 3
+ fi
+
+ if ( mv ${TMPZONEFILE}.signed $TARGETDIR/${ZONEFILE}.signed )
+ then
+ echo -e "$OK zone files has moved to the current directory"
+ else
+ echo -e "$ERROR zone files has not moved to the current directory"
+ fi
+ popd >/dev/null
+
+ done
+
+
+ # préparer les fichiers pour signature :
+ # ajout des DS records dans la zone principale
+ for i in $DOMAIN
+ do
+
+ ZONEFILE="${i}.zone"
+ TMPZONEFILE="${i}.zone.edited"
+ pushd $i >/dev/null
+
+ for j in $SUBDOMAIN
+ do
+
+ pushd ../$j/ >/dev/null
+ VERSION=$(ls |grep 20 |tail -n 1)
+ popd >/dev/null
+ DSSET=$(ls ../$j/$VERSION/dsset-*)
+
+ echo -e "$INFO adding DS records..."
+ echo "\$INCLUDE $DSSET" >> $TMPZONEFILE
+
+ done
+ popd >/dev/null
+
+ done
+
+
+ # signer les domaines principaux
+ for i in $DOMAIN
+ do
+
+ ZONEFILE="${i}.zone"
+ TMPZONEFILE="${i}.zone.edited"
+ pushd $i >/dev/null
+
+ VERSION=$(ls |grep 20 |tail -n 1)
+ echo -e "$INFO making signature of DNS records..."
+ if ( dnssec-signzone -d $VERSION -K $VERSION -3 $PEPPERANDSALT -A -N INCREMENT -o $i -t $TMPZONEFILE )
+ then
+ echo -e "$OK signature done for $i"
+ else
+ echo -e "$ERROR cannot make signature for $i"
+ exit 3
+ fi
+
+ if ( mv ${TMPZONEFILE}.signed $TARGETDIR/${ZONEFILE}.signed )
+ then
+ echo -e "$OK zone files has moved to the current directory"
+ else
+ echo -e "$ERROR zone files has not moved to the current directory"
+ fi
+
+ # print DS records for the Registrar
+ KEYTAG1=$(head -1 $VERSION/dsset-* |awk '{ print $4 }')
+ ALGO1=$(head -1 $VERSION/dsset-* |awk '{ print $5 }')
+ TDIGEST1=$(head -1 $VERSION/dsset-* |awk '{ print $6 }')
+ DIGEST1=$(head -1 $VERSION/dsset-* |awk '{ print $7 }')
+
+ KEYTAG2=$(tail -1 $VERSION/dsset-* |awk '{ print $4 }')
+ ALGO2=$(tail -1 $VERSION/dsset-* |awk '{ print $5 }')
+ TDIGEST2=$(tail -1 $VERSION/dsset-* |awk '{ print $6 }')
+ DIGEST2=$(tail -1 $VERSION/dsset-* |awk '{ print $7 $8 }')
+
+ echo -e "$OK Registrar informations for $i"
+ echo -e "$OK DS record #1"
+ echo -e "$OK DS record KEY TAG: $KEYTAG1"
+ echo -e "$OK DS record ALGO: $ALGO1"
+ echo -e "$OK DS record DIGEST TYPE: $TDIGEST1"
+ echo -e "$OK DS record DIGEST: $DIGEST1"
+
+ echo -e "$OK DS record #2"
+ echo -e "$OK DS record KEY TAG: $KEYTAG2"
+ echo -e "$OK DS record ALGO: $ALGO2"
+ echo -e "$OK DS record DIGEST TYPE: $TDIGEST2"
+ echo -e "$OK DS record DIGEST: $DIGEST2"
+ popd >/dev/null
+
+ done
+ popd >/dev/null
+}
+
+
+
+function help {
+ echo "Usage:"
+ echo " $(basename $0)"
+ echo " $(basename $0) -g|--genkey [-d <working directory>] [-t <target directory>] <main domain> [subdomain list...]"
+ echo " $(basename $0) -s|--sign-zone [-d <working directory>] [-t <target directory>] <main domain> [subdomain list...]"
+ echo ""
+ echo "Options:"
+ echo " -g: Generate new keys in a versonned subdirectory"
+ echo " -s: Sign zone files using existing keys in a versonned subdirectory"
+ echo " -d directory:"
+ echo " Working directory for generating new keys, key versionning, storage,"
+ echo " and look for original zone files"
+ echo " -t directory:"
+ echo " Target directory to push signed zone files only"
+ echo ""
+ echo "Arguments:"
+ echo " main domain: example.net or super-domain.org"
+ echo " subdomain list: intranet proxy home cdn mirror etc..."
+ exit 25
+}
+
+
+###
+# User command-line options
+###
+
+# If no argument provided by command-line, use default
+if [[ $# -eq 0 ]]
+then
+ help
+fi
+
+while [[ $# -gt 0 ]]
+do
+ case "$1" in
+ -d)
+ case $2 in
+ ""|-*)
+ echo -e "$ERROR you must specify path directory"
+ exit 25 ;;
+ *)
+ WORKDIR="$2"
+ shift 2 ;;
+ esac
+ ;;
+ -t)
+ case $2 in
+ ""|-*)
+ echo -e "$ERROR you must specify path directory"
+ exit 25 ;;
+ *)
+ TARGETDIR="$2"
+ shift 2 ;;
+ esac
+ ;;
+ -g|--genkey)
+ GENKEY=1
+ shift
+ ;;
+ -s|--sign-zone)
+ SIGN=1
+ shift
+ ;;
+ *)
+ DOMAIN="$1"
+ shift
+ while [[ $# -gt 0 ]]
+ do
+ case $1 in
+ -*)
+ echo -e "$ERROR parser: option is not expected here"
+ exit 25 ;;
+ "")
+ SUB=""
+ shift ;;
+ *)
+ SUB="$SUB $1"
+ shift ;;
+ esac
+ done
+ ;;
+ esac
+done
+###
+# End
+###
+
+
+# main function
+if [[ $GENKEY == 1 ]] && [[ $SIGN == 1 ]]
+then
+ prep
+ genkey
+ sign
+elif [[ $GENKEY == 1 ]]
+then
+ prep
+ genkey
+elif [[ $SIGN == 1 ]]
+then
+ prep
+ sign
+else
+ help
+fi
diff --git a/roles/dnsserver/tasks/config.yml b/roles/dnsserver/tasks/config.yml
index 9878bbb..85ab046 100644
--- a/roles/dnsserver/tasks/config.yml
+++ b/roles/dnsserver/tasks/config.yml
@@ -6,6 +6,7 @@
 group: named
 mode: 0640
 notify: restart named
+ tags: keys
 - name: Configuration de rndc
 template:
@@ -25,3 +26,16 @@
 when: dnsslavelist is defined
 notify: reload named
 with_items: "{{ zonelist }}"
+ tags: keys
+
+- name: Installation des fichiers de zone signées
+ copy:
+ src: "signatures/{{ item }}.zone.signed"
+ dest: /var/named/
+ owner: root
+ group: named
+ mode: 0640
+ when: dnsslavelist is defined
+ notify: reload named
+ with_items: "{{ zonelist }}"
+ tags: keys
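Review bot: genkey creates both the ZSK and the KSK with `-a NSEC3RSASHA1`, i.e. RSA over SHA-1 (DNSSEC algorithm 7), which RFC 8624 marks NOT RECOMMENDED for new signing; unless a validator population lacking newer algorithms is known, `dnssec-keygen -a RSASHA256 -b 2048 -n ZONE "$i"` and `dnssec-keygen -f KSK -a RSASHA256 -b 4096 -n ZONE "$i"` (or `-a ECDSAP256SHA256`, which takes no `-b`) leave the rest of the script unchanged, since NSEC3 is selected by `dnssec-signzone -3` and not by the key algorithm. In prep, `$OK` is echoed by the WORKDIR and TARGETDIR checks before the `OK=` assignment a few lines further down, so those two messages print without their tag; moving the three OK/ERROR/INFO definitions to the top of prep fixes it, and the same applies to `$ERROR` in the top-level option parser, which runs before prep is called. In sign, `-N INCREMENT` already bumps the SOA serial, so the `sed -i 's/'$SERIAL'/'$NEWSERIAL'/' $TMPZONEFILE` step increments it a second time and, being an unanchored substitution of the first 10-digit number in the file, can also alter an unrelated value in the zone; one of the two mechanisms should go. The script sets no `set -eu` and expands `$WORKDIR`, `$TARGETDIR`, `$VERSION` and `$i` unquoted throughout, so a path with spaces breaks the `[ -e ]` tests and the `pushd` calls, and a failed `mkdir $VERSION` or `pushd $VERSION` does not stop the run, leaving the new keys in the zone directory instead of the versioned one.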
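Review bot: The new copy task in the second hunk runs whenever `dnsslavelist is defined`, with no dependency on the `dnssec` switch that named.conf.j2 uses to pick `{{ item }}.zone.signed`, so a run with DNSSEC turned off still requires a `signatures/<zone>.zone.signed` file for every entry in zonelist and fails when one is absent. Gating it the same way, `when: dnsslavelist is defined and dnssec is defined and dnssec == "1"`, keeps the task and the template in step. Conversely, with DNSSEC on, the preceding task (its copy source is outside the hunk) presumably still ships the unsigned `{{ item }}.zone` that named no longer reads; harmless, but a one-line comment saying the unsigned file is kept as the signing input would spare the next reader the question.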
diff --git a/roles/dnsserver/templates/named.conf.j2 b/roles/dnsserver/templates/named.conf.j2
index 422f4d1..6be7130 100644
--- a/roles/dnsserver/templates/named.conf.j2
+++ b/roles/dnsserver/templates/named.conf.j2
@@ -154,11 +154,19 @@ zone "{{ item }}" IN {
 {% if dnsslavelist is defined %}
 type master;
 allow-transfer { transferlist; };
+{%- if dnssec is defined and dnssec == "1" %}
+ file "{{ item }}.zone.signed";
+{% else %}
 file "{{ item }}.zone";
+{% endif -%}
 notify yes;
 {% else %}
 type slave;
+{%- if dnssec is defined and dnssec == "1" %}
+ file "{{ item }}.zone.signed";
+{% else %}
 file "{{ item }}.zone";
+{% endif -%}
 masters { {% for item in masterlist %}{{ item }}; {% endfor %} };
 {% endif %}
 };
diff --git a/roles/dnsserver/vars/main.yml b/roles/dnsserver/vars/main.yml
index 0563e78..c5dbfbe 100644
--- a/roles/dnsserver/vars/main.yml
+++ b/roles/dnsserver/vars/main.yml
@@ -1,3 +1,5 @@
+dnssec: "1"
+
 masterlist:
 - 163.172.211.128
 - "2001:bc8:3fec:b00:b007::" |
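Review bot: With `dnssec == "1"` the master branch now serves a statically signed `{{ item }}.zone.signed` produced by bin/dnssec-sign.sh, and nothing in the commit re-signs it before the RRSIGs expire (dnssec-signzone's default validity is 30 days from signing), after which validating resolvers treat the whole zone as bogus; either record the re-sign cadence in a comment next to this block or let named maintain the signatures itself with `inline-signing yes;` and `auto-dnssec maintain;` in the master branch, keeping `file` on the unsigned zone and pointing `key-directory` at the key files. The `{%- if` / `{% endif -%}` whitespace control strips the newline before the `if` and everything after the `endif`, so with Ansible's default trim_blocks the `file` statement is probably rendered on the same line as `allow-transfer` and `notify yes;` loses its indentation; named accepts that, but the rendered file is worth a look. The slave branch only changes the storage filename, which is fine, since a transferred zone carries its signatures either way.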
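Review bot: `dnssec: "1"` is placed in the role's vars/main.yml, where Ansible's precedence order lets it override inventory and host_vars, so a host that should keep serving the unsigned zone cannot turn the feature off short of extra-vars; the switch fits better in the role's defaults/main.yml with a per-host inventory override. A YAML boolean would be the more conventional form for a flag than a string compared with `== "1"` in the template, but that is a matter of taste as long as both sides agree.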