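#!/usr/bin/bash
#
# DNSSEC helper: generate a new, timestamped key set for a main domain and its
# subdomains, then sign the zone files with the newest key set.
#
# Layout expected under $WORKDIR:
#   $WORKDIR/<domain>/<zone>/<zone>.zone        unsigned zone file
#   $WORKDIR/<domain>/<zone>/<YYYYmmddHHMMSS>/  one key version (K*.key, K*.private, dsset-*)
#
# Outputs:
#   $SOURCEDIR/<zone>.zone          serial-bumped unsigned zone (copied back)
#   $TARGETDIR/<zone>.zone.signed   signed zone
#
# Environment (optional; -d/-t override the first two): WORKDIR, TARGETDIR, SOURCEDIR.
# Exit codes: 1 environment/dependency/filesystem problem, 2 no key version found,
#             3 dnssec-signzone failed, 25 usage error.

set -o pipefail

# Formatted log prefixes. They live at file level so that they are defined
# before the option parser and prep() print their first messages.
readonly OK=$'\e[0m[ \e[92mOK\e[0m ]'
readonly ERROR=$'\e[0m[ \e[91mERROR\e[0m ]'
readonly INFO=$'\e[0m[ \e[93mINFO\e[0m ]'

# Signature validity passed to dnssec-signzone -e: 2851200 s = 33 days after
# signing. The zone must be re-signed before that or its RRSIGs expire.
readonly SIG_VALIDITY='+2851200'

# named-checkzone is called by its absolute path because /usr/sbin may not be
# on PATH for an unprivileged user.
readonly NAMED_CHECKZONE='/usr/sbin/named-checkzone'

# Command-line / environment state shared by the functions below.
WORKDIR=${WORKDIR:-}
TARGETDIR=${TARGETDIR:-}
SOURCEDIR=${SOURCEDIR:-}
DOMAIN=
SUB=()          # subdomain labels given on the command line
SUBDOMAIN=()    # fully qualified subdomain names, filled in by prep()
GENKEY=0
GENKEYLIMIT=0
SIGN=0

#######################################
# Log helpers: informational output on stdout, errors on stderr.
#######################################
ok() { printf '%s %s\n' "$OK" "$*"; }
info() { printf '%s %s\n' "$INFO" "$*"; }
err() { printf '%s %s\n' "$ERROR" "$*" >&2; }

#######################################
# pushd/popd wrappers that abort instead of silently continuing in the wrong
# directory (a failed pushd followed by popd would otherwise unwind too far).
#######################################
enter() {
  pushd -- "$1" >/dev/null || { err "cannot enter directory $1"; exit 1; }
}
leave() { popd >/dev/null || exit 1; }

#######################################
# Print the newest key version directory in the current directory, or nothing.
# Version directories are named by genkey() as date +%Y%m%d%H%M%S, so the
# lexically last one is the newest.
# Outputs: version directory name on stdout (empty if none)
#######################################
latest_version() {
  local latest='' dir
  for dir in [0-9][0-9][0-9][0-9]*/; do
    [[ -d "$dir" ]] || continue
    latest=${dir%/}
  done
  printf '%s\n' "$latest"
}

#######################################
# Resolve defaults, build the subdomain list and check the environment.
# Globals: SOURCEDIR WORKDIR TARGETDIR DOMAIN SUB (read/written) SUBDOMAIN (written)
# Returns: exits 25 without a domain, 1 on a missing directory or tool
#######################################
prep() {
  ###
  # User variables, you may edit these defaults
  ###
  if [[ -z "$SOURCEDIR" ]]; then
    SOURCEDIR="/home/casper/park-admin/playbooks-ansible/roles/dnsserver/files"   # you may edit this
  fi
  if [[ -n "$WORKDIR" ]]; then
    ok "working directory is $WORKDIR"
  else
    WORKDIR="roles/dnsserver/files/dnssec"   # you may edit this
  fi
  if [[ -n "$TARGETDIR" ]]; then
    ok "target directory is $TARGETDIR"
  else
    TARGETDIR="/home/casper/park-admin/playbooks-ansible/roles/dnsserver/files/signatures"   # you may edit this
  fi
  ###
  # Stop editing, it is ready
  ###

  if [[ -z "$DOMAIN" ]]; then
    err "there is no domain to sign"
    exit 25
  fi

  # Qualify every subdomain label with the main domain.
  SUBDOMAIN=()
  local label
  if (( ${#SUB[@]} > 0 )); then
    for label in "${SUB[@]}"; do
      SUBDOMAIN+=("${label}.${DOMAIN}")
    done
  else
    ok "there is no subdomain to sign"
  fi

  if [[ -d "$WORKDIR" ]]; then
    ok "testing root directory"
  else
    err "root directory is not reacheable, use -d option"
    exit 1
  fi
  if [[ -d "$TARGETDIR" ]]; then
    ok "testing target directory"
  else
    err "target directory is not reacheable, use -t option"
    exit 1
  fi

  # Check the tools themselves instead of a distribution package name, so the
  # script also works where BIND is not installed through rpm.
  if command -v dnssec-keygen >/dev/null && command -v dnssec-signzone >/dev/null \
    && [[ -x "$NAMED_CHECKZONE" ]]; then
    ok "all dependancies are installed"
  else
    err "dependancies are missing"
    exit 1
  fi
}

#######################################
# Create a new key version (ZSK + KSK, ED25519) for each zone.
# Globals: GENKEYLIMIT DOMAIN SUBDOMAIN WORKDIR (read)
# Returns: exits 1 if a version directory or a key cannot be created
#######################################
genkey() {
  local -a zones
  if [[ $GENKEYLIMIT == 1 ]]; then
    zones=("${SUBDOMAIN[@]}")
  else
    zones=("$DOMAIN" "${SUBDOMAIN[@]}")
  fi

  local version zone
  version=$(date +%Y%m%d%H%M%S)

  enter "$WORKDIR/$DOMAIN/"
  for zone in "${zones[@]}"; do
    enter "$zone"
    mkdir -- "$version" || { err "cannot create $version in $zone"; exit 1; }
    enter "$version"
    # dnssec-keygen writes both halves of each key here; only the public
    # halves (K*.key) are ever $INCLUDEd into a zone, the private halves stay
    # in this working directory.
    info "creating new Zone Signing Key ZSK..."
    dnssec-keygen -a ED25519 -n ZONE "$zone" || { err "cannot create ZSK for $zone"; exit 1; }
    info "creating new Key Signing Key KSK..."
    dnssec-keygen -f KSK -a ED25519 -n ZONE "$zone" || { err "cannot create KSK for $zone"; exit 1; }
    leave
    leave
  done
  leave
}

#######################################
# Sign one zone with its newest key version and move the result to $TARGETDIR.
# Must be called from inside the zone's directory.
# Arguments: $1 - zone name
# Globals: TARGETDIR SIG_VALIDITY (read)
# Returns: exits 3 if dnssec-signzone fails
#######################################
sign_zone() {
  local zone=$1 version
  local zonefile="${zone}.zone" tmpzonefile="${zone}.zone.edited"
  version=$(latest_version)
  info "making signature of DNS records..."
  if dnssec-signzone -d "$version" -K "$version" -N INCREMENT -e "$SIG_VALIDITY" \
    -o "$zone" -t "$tmpzonefile"; then
    ok "signature done for $zone"
  else
    err "cannot make signature for $zone"
    exit 3
  fi
  if mv -- "${tmpzonefile}.signed" "$TARGETDIR/${zonefile}.signed"; then
    ok "zone files has moved to the current directory"
  else
    err "zone files has not moved to the current directory"
  fi
}

#######################################
# Print the DS records of a zone's dsset file(s) for the registrar.
# Must be called from inside the zone's directory.
# Arguments: $1 - zone name, $2 - key version directory
#######################################
print_ds_records() {
  local zone=$1 version=$2 dsset keytag algo digest_type digest n=0
  ok "Registrar informations for $zone"
  for dsset in "$version"/dsset-*; do
    [[ -e "$dsset" ]] || continue
    # Each line is: <owner> IN DS <keytag> <algorithm> <digest type> <digest>
    # The digest may be wrapped over several space-separated fields (it all
    # lands in $digest, which is joined below).
    while read -r _ _ _ keytag algo digest_type digest; do
      [[ -n "$keytag" ]] || continue
      n=$((n + 1))
      digest=${digest// /}
      ok "DS record #$n"
      ok "DS record KEY TAG: $keytag"
      ok "DS record ALGO: $algo"
      ok "DS record DIGEST TYPE: $digest_type"
      ok "DS record DIGEST: $digest"
    done < "$dsset"
  done
}

#######################################
# Prepare and sign every zone: bump serials, include DNSKEY records, sign the
# subdomains, include their DS sets into the main domain, sign the main domain.
# Globals: WORKDIR SOURCEDIR TARGETDIR DOMAIN SUBDOMAIN NAMED_CHECKZONE (read)
# Returns: exits 1 on filesystem/serial problems, 2 without keys, 3 on signing failure
#######################################
sign() {
  local zone zonefile tmpzonefile version serial newserial key ds

  enter "$WORKDIR/$DOMAIN/"

  # At least one key version must exist for the main domain.
  enter "$DOMAIN"
  version=$(latest_version)
  leave
  if [[ -n "$version" ]]; then
    ok "dns keys has been found for signature"
  else
    err "dns keys has not been found for signature"
    exit 2
  fi

  # Prepare every zone file for signing: new serial, then the DNSKEY records
  # of the newest key version.
  for zone in "$DOMAIN" "${SUBDOMAIN[@]}"; do
    zonefile="${zone}.zone"
    tmpzonefile="${zone}.zone.edited"
    enter "$zone"
    cp -f -- "$zonefile" "$tmpzonefile" || { err "cannot copy $zonefile"; exit 1; }

    # named-checkzone reports "... loaded serial <n>"; take that number.
    serial=$("$NAMED_CHECKZONE" "$zone" "$zonefile" \
      | sed -n 's/.*loaded serial \([0-9][0-9]*\).*/\1/p')
    if [[ -z "$serial" ]]; then
      err "cannot read the serial of $zonefile"
      exit 1
    fi
    newserial=$((serial + 1))
    ok "new serial is: $newserial"
    version=$(latest_version)

    info "updating serial..."
    # Replaces the first whole-number occurrence of the serial; this assumes the
    # SOA serial is the first place those digits appear in the file.
    sed -i "s/\b$serial\b/$newserial/" -- "$tmpzonefile"
    cp -f -- "$tmpzonefile" "$SOURCEDIR/$zonefile" \
      || err "cannot copy $tmpzonefile to $SOURCEDIR"

    for key in "$version"/K"$zone"*.key; do
      [[ -e "$key" ]] || continue
      info "adding DNSKEY records..."
      printf '$INCLUDE %s\n' "$key" >> "$tmpzonefile"
    done
    leave
  done

  # Sign the subdomains first: their dsset files are needed by the main zone.
  for zone in "${SUBDOMAIN[@]}"; do
    enter "$zone"
    sign_zone "$zone"
    leave
  done

  # Include the DS sets of every signed subdomain key version into the main
  # zone. Versions without a dsset file (never signed) are skipped instead of
  # producing a dangling $INCLUDE.
  enter "$DOMAIN"
  tmpzonefile="${DOMAIN}.zone.edited"
  for zone in "${SUBDOMAIN[@]}"; do
    for ds in ../"$zone"/[0-9]*/dsset-*; do
      [[ -e "$ds" ]] || continue
      info "adding DS records..."
      printf '$INCLUDE %s\n' "$ds" >> "$tmpzonefile"
    done
  done
  leave

  # Sign the main domain and print what the registrar needs.
  enter "$DOMAIN"
  sign_zone "$DOMAIN"
  version=$(latest_version)
  print_ds_records "$DOMAIN" "$version"
  leave

  leave
}

#######################################
# Print usage and exit with status 25.
#######################################
help() {
  local prog=${0##*/}
  cat <<EOF
Usage:
  $prog
  $prog -g|--genkey [-l|--limit] [-d <directory>] [-t <directory>] <main domain> [subdomain list...]
  $prog -s|--sign-zone [-d <directory>] [-t <directory>] <main domain> [subdomain list...]

Options:
  -g: Generate new keys in a versonned subdirectory
  -l: Generate new keys for subdomains only
  -s: Sign zone files using existing keys in a versonned subdirectory
  -d directory:
     Working directory for generating new keys, key versionning, storage,
     and look for original zone files
  -t directory:
     Target directory to push signed zone files only

Arguments:
  main domain: example.net or super-domain.org
  subdomain list: intranet proxy home cdn mirror etc...
EOF
  exit 25
}

###
# User command-line options
###

# No argument at all: show the usage.
if [[ $# -eq 0 ]]; then
  help
fi

while [[ $# -gt 0 ]]; do
  case "$1" in
    -d)
      case "${2-}" in
        ""|-*)
          err "you must specify path directory"
          exit 25
          ;;
        *)
          WORKDIR=$2
          shift 2
          ;;
      esac
      ;;
    -t)
      case "${2-}" in
        ""|-*)
          err "you must specify path directory"
          exit 25
          ;;
        *)
          TARGETDIR=$2
          shift 2
          ;;
      esac
      ;;
    -g|--genkey)
      GENKEY=1
      shift
      ;;
    -l|--limit)
      GENKEYLIMIT=1
      shift
      ;;
    -s|--sign-zone)
      SIGN=1
      shift
      ;;
    *)
      # First bare word is the main domain; everything after it is a subdomain
      # label. Options are not accepted after the domain.
      DOMAIN=$1
      shift
      while [[ $# -gt 0 ]]; do
        case "$1" in
          -*)
            err "parser: option is not expected here"
            exit 25
            ;;
          "")
            shift
            ;;
          *)
            SUB+=("$1")
            shift
            ;;
        esac
      done
      ;;
  esac
done

###
# End
###

# main
if [[ $GENKEY != 1 && $SIGN != 1 ]]; then
  help
fi
prep
if [[ $GENKEY == 1 ]]; then
  genkey
fi
if [[ $SIGN == 1 ]]; then
  sign
fi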