DNSSEC: Key management scripts

diff --git a/bin/key-gen b/bin/key-gen
new file mode 100755 (executable)
index 0000000..686e8ca
--- /dev/null
+++ b/bin/key-gen
@@ -0,0 +1,17 @@
+#!/bin/sh
+# NSC -- DNSSEC key generator
+# (c) 2019 Martin Mares <mj@ucw.cz>
+
+set -e
+. bin/shell-env
+
+if [ -z "$1" ] ; then
+       echo >&2 "Usage: $0 <domain> [<extra-keygen-params>]"
+       exit 1
+fi
+D="$1"
+shift
+
+mkdir -p $KEYDIR/$D
+dnssec-keygen $KEYGEN_OPTIONS -K $KEYDIR/$D "$@" $D
+bin/key-update $D

diff --git a/bin/key-update b/bin/key-update
new file mode 100755 (executable)
index 0000000..b033eba
--- /dev/null
+++ b/bin/key-update
@@ -0,0 +1,44 @@
+#!/bin/bash
+# NSC -- DNSSEC key hash updater
+# (c) 2019 Martin Mares <mj@ucw.cz>
+
+set -e
+shopt -s nullglob
+. bin/shell-env
+
+if [ $# -gt 1 ] ; then
+       echo >&2 "Usage: $0 [<domain>]"
+       exit 1
+fi
+
+update ()
+{
+       local D=$1
+       local K=$KEYDIR/$D
+       local H=$K.hash
+       cat $K/*.key | sha1sum | cut -f1 -d' ' >$H.new
+       if [ ! -f $H ] || ! cmp -s $H $H.new ; then
+               echo "** $D: New key hash"
+               mv $H.new $H
+       else
+               echo "-- $D: No change"
+               rm $H.new
+       fi
+}
+
+if [ -z "$1" ] ; then
+       for DD in $KEYDIR/* ; do
+               if [ -d "$DD" ] ; then
+                       update $(basename $DD)
+               fi
+       done
+       for H in $KEYDIR/*.hash ; do
+               B=$(basename $H .hash)
+               if [ ! -d $KEYDIR/$B ] ; then
+                       echo "## $B: Deleted obsolete hash"
+                       rm $H
+               fi
+       done
+else
+       update $1
+fi

diff --git a/bin/nsconfig b/bin/nsconfig
index 5110b1f7cf384d92c01e7a42262f5c47fcaec2c2..676651d314621f76aabb6e17fabc6efbd6885531 100755 (executable)
--- a/bin/nsconfig
+++ b/bin/nsconfig
@@ -1,6 +1,6 @@
 #!/bin/sh
 # NSC -- Makefile & Config file build script
-# (c) 1997--2008 Martin Mares <mj@ucw.cz>
+# (c) 1997--2019 Martin Mares <mj@ucw.cz>
 
 set -e
 
@@ -12,7 +12,7 @@ if [ ! -f $DOMAINS ] ; then
        exit 1
        fi
 
-mkdir -p zone bak hash ver
+mkdir -p zone bak hash ver keys dss
 $M4 m4/mkconf.m4 $DOMAINS >named.conf
 $M4 m4/mkmf.m4 $DOMAINS >Makefile
 $M4 -DM4=$M4 m4/mkshell-env.m4 >bin/shell-env

diff --git a/m4/dnslib.m4 b/m4/dnslib.m4
index a4313805a4da44dbdac9ff58333045856008cd2f..b09d4d1df669b7deba93e8172eb3b06250cbf4e8 100644 (file)
--- a/m4/dnslib.m4
+++ b/m4/dnslib.m4
@@ -93,6 +93,8 @@ define(`ZONEDIR', `zone')
 define(`BAKDIR', `bak')
 define(`VERSDIR', `ver')
 define(`HASHDIR', `hash')
+define(`KEYDIR', `keys')
+define(`DSSDIR', `dss')
 define(`ROOTCACHE', `root.cache')
 
 define(`REFRESH', HOURS(8))
@@ -103,6 +105,9 @@ define(`NSNAME', translit(esyscmd(`hostname -f'),`
 ',`'))
 define(`MAINTNAME', `root'.`nsc_corr_dot(NSNAME)')
 
+define(`KEYGEN_OPTIONS', `-a RSASHA256 -b 1024')
+define(`SIGNZONE_OPTIONS', `-e +'DAYS(365))
+
 # And finally we change comments to semicolons to be compatible with the zone files
 
 changecom(;)

diff --git a/m4/mkmf.m4 b/m4/mkmf.m4
index 2bdde831bb678ac74c5d5b15520d6df1544d10a5..fcf21a45ae40150d492986730ef0ca4c8cd9978e 100644 (file)
--- a/m4/mkmf.m4
+++ b/m4/mkmf.m4
@@ -37,7 +37,7 @@ VERSDIR/.version: CFDIR/domains ROOTCACHE`'PRIMARIES`'ifdef(`NEED_BLACKHOLE',` Z
        touch VERSDIR/.version
 
 clean:
-       find BAKDIR ZONEDIR HASHDIR -maxdepth 1 -type f | xargs rm -f
+       find BAKDIR ZONEDIR HASHDIR DSSDIR -maxdepth 1 -type f | xargs rm -f
 
 clobber: clean
        rm -f Makefile named.conf bin/shell-env

diff --git a/m4/mkshell-env.m4 b/m4/mkshell-env.m4
index e34954c1c1b654450c09b4a6e93a9fc5b421e969..16bb1d4386a01f821cd302a3ca820549d3658d28 100644 (file)
--- a/m4/mkshell-env.m4
+++ b/m4/mkshell-env.m4
@@ -10,5 +10,9 @@ divert(0)dnl
 `BAKDIR'=BAKDIR
 `VERSDIR'=VERSDIR
 `HASHDIR'=HASHDIR
+`KEYDIR'=KEYDIR
+`DSSDIR'=DSSDIR
 `ROOTCACHE'=ROOTCACHE
 `M4'=M4
+`KEYGEN_OPTIONS'="KEYGEN_OPTIONS"
+`SIGNZONE_OPTIONS'="SIGNZONE_OPTIONS"