- Update or delete nsc.lsm
DNSSEC:
-- DS records and dependencies on them
- in reverse zones, file name != zone name => need to pass zone name to genzone
-- dependencies on resign-stamp
+- signing reverse zones
CURRENT_HASH=$($M4 -DHASHING m4/nsc.m4 "$@" | md5sum | cut -d " " -f1)
if [ -f khash/$Z ] ; then
CURRENT_HASH=$CURRENT_HASH:$(cat khash/$Z)
- if [ -f khash/resign-stamp ] ; then
- CURRENT_HASH=$CURRENT_HASH:$(stat -c '%Y' khash/resign-stamp)
+ if [ -f keys/resign-stamp ] ; then
+ CURRENT_HASH=$CURRENT_HASH:$(stat -c '%Y' keys/resign-stamp)
fi
fi
$M4 -DVERS=ver/$Z m4/nsc.m4 "$@" >zone/$Z.new
NEWVER="$(sed -e "s/^;;; VERSION: //; t; d" zone/$Z.new)"
if [ -f khash/$Z ] ; then
- if ! dnssec-signzone -a -d dss -g -K keys/$Z $SIGNZONE_OPTIONS -f zone/$Z.signed -o $Z -S -3 - zone/$Z.new &>zone/$Z.tmp ; then
+ if ! dnssec-signzone -a -d tmp -K keys/$Z $SIGNZONE_OPTIONS -f zone/$Z.signed -o $Z -S -3 - zone/$Z.new &>zone/$Z.tmp ; then
cat zone/$Z.tmp
echo >&2 "FATAL: Signing failed"
exit 1
fi
rm -f zone/$Z.tmp
+ rm -f tmp/dsset-*
mv zone/$Z.signed zone/$Z
SIGNED=" (signed)"
else
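Review bot: The cleanup at `rm -f tmp/dsset-*` deletes the dsset files of every zone, not just the one being built, and `tmp/` is a scratch directory shared by all genzone invocations, so under `make -j` one zone's run can remove another's output; scope it to this zone, `rm -f "tmp/dsset-$Z."` (dnssec-signzone names the file after the origin with a trailing dot — worth confirming against the installed version). On the failure path the script exits right after `cat zone/$Z.tmp`, leaving both `zone/$Z.tmp` and the dsset file behind in the tree; moving the two `rm -f` lines before `exit 1` (or into a trap) keeps a failed signing from leaving stale scratch files that the next run might pick up. Dropping `-g` is consistent with DS records now coming from `dss/` via the `DS()` macro, so no objection there; a one-line comment saying so above the `dnssec-signzone` call would save the next reader the archaeology.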
--- /dev/null
+#!/bin/bash
+# NSC -- DNSSEC key delegation
+# (c) 2019 Martin Mares <mj@ucw.cz>
+
+set -e
+shopt -s nullglob
+. bin/shell-env
+
+if [ $# -ne 1 ] ; then
+ echo >&2 "Usage: $0 <zone>"
+ exit 1
+fi
+Z=$1
+
+>dss/$Z.new
+for K in keys/$Z/*.key ; do
+ B=$(basename $K .key)
+ if grep -q '; This is a key-signing key,' $K ; then
+ echo "** $B: Adding"
+ dnssec-dsfromkey $DSFROMKEY_OPTIONS $K >>dss/$Z.new
+ else
+ echo "-- $B: Not a KSK"
+ fi
+done
+mv dss/$Z.new dss/$Z
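Review bot: KSK detection at `grep -q '; This is a key-signing key,' $K` keys off a human-readable comment that dnssec-keygen happens to write, so a key file produced by another tool, imported from an HSM, or edited by hand is silently reported as `Not a KSK` and gets no DS record. The authoritative signal is the DNSKEY flags field (257 = ZONE+SEP), e.g. `if grep -qE '[[:space:]]DNSKEY[[:space:]]+257[[:space:]]' "$K" ; then`. Also consider failing instead of installing an empty `dss/$Z` when no KSK was found: an empty DS set is a valid-looking file, and once it is spliced into the parent the delegation is served as insecure without any error surfacing here. `$K` should be quoted throughout for the same reason the other paths in the script are.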
. bin/shell-env
if [ -z "$1" ] ; then
- echo >&2 "Usage: $0 <domain> [<extra-keygen-params>]"
+ echo >&2 "Usage: $0 <zone> [<extra-keygen-params>]"
exit 1
fi
D="$1"
. bin/shell-env
if [ $# -gt 1 ] ; then
- echo >&2 "Usage: $0 [<domain>]"
+ echo >&2 "Usage: $0 [<zone>]"
exit 1
fi
local D=$1
local K=keys/$D
local H=khash/$D
- cat $K/*.key | sha1sum | cut -f1 -d' ' >$H.new
+ cat /dev/null $K/*.key | sha1sum | cut -f1 -d' ' >$H.new
if [ ! -f $H ] || ! cmp -s $H $H.new ; then
echo "** $D: New key hash"
mv $H.new $H
exit 1
fi
-mkdir -p zone bak hash ver keys khash dss
+mkdir -p zone bak hash ver keys khash dss tmp
$M4 m4/mkconf.m4 $DOMAINS >named.conf
$M4 m4/mkmf.m4 $DOMAINS >Makefile
$M4 -DM4=$M4 m4/mkshell-env.m4 >bin/shell-env
DNSSEC(`
PRIMARY(example.com)
+DSFOR(a.example.com)
')
; It also has a couple of sub-domains and one of them resides on another server
TXT(Once upon a midnight dreary)
TXT(When I pondered weak and weary)
-; A subdomain called a.example.com
+; A subdomain called a.example.com with DNSSEC keys
D(a)
NS(ns1.example.com, ns2.example.com)
+DS()
; Another subdomain (b.example.com), but this time one of the nameservers
; is inside, so we need to specify a glue record
define(`KEYGEN_OPTIONS', `-a RSASHA256 -b 1024')
define(`SIGNZONE_OPTIONS', `-e +'DAYS(365))
+define(`DSFROMKEY_OPTIONS', `')
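Review bot: `define(`DSFROMKEY_OPTIONS', `')` leaves dnssec-dsfromkey on its defaults, which on older BIND releases emit a SHA-1 DS next to the SHA-256 one; RFC 8624 forbids publishing new SHA-1 DS records, so the example users copy from should pin the digest, `define(`DSFROMKEY_OPTIONS', `-a SHA-256')`. The `-b 1024` in the neighbouring `KEYGEN_OPTIONS` is pre-existing context, but since this file is the template, raising it to 2048 (or switching to an ECDSA algorithm) in the same edit would be cheap and avoids shipping an example that generates keys validators are starting to reject.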
# And finally we change comments to semicolons to be compatible with the zone files
define(`nsc_prepend_cf_one', ` 'CFDIR/`nsc_file_name($1)')
define(`nsc_prepend_cf_multi', `nsc_iterate(`nsc_prepend_cf_one', $@)')
-define(`nsc_key_dep', `ifelse(USE_DNSSEC,,,` 'khash/$1 khash/resign-stamp)')
-define(`PRIMARY', `divert(0)zone/nsc_file_name($1):nsc_prepend_cf_multi($@)nsc_key_dep($1) $(DDEPS)
+define(`nsc_key_dep', `ifelse(USE_DNSSEC,,,` 'khash/$1 keys/resign-stamp)')
+define(`PRIMARY', `define(`CURRENT_TARGET',zone/nsc_file_name($1))
+divert(0)CURRENT_TARGET:nsc_prepend_cf_multi($@)nsc_key_dep($1) $(DDEPS)
@bin/genzone nsc_file_name($1)`'nsc_prepend_cf_multi($@)
divert(-1)
define(`BLACKHOLE', `define(`NEED_BLACKHOLE', 1)')
+define(`DSFOR', `divert(0)CURRENT_TARGET: dss/$1
+
+divert(-1)')
+
# Insertion of raw makefile material
define(`MAKEFILE', `divert(0)$1
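Review bot: `DSFOR` expands `CURRENT_TARGET`, which only exists after a `PRIMARY` has been processed, so a `DSFOR(...)` that precedes the first `PRIMARY` (or sits in a block with none) writes the literal rule `CURRENT_TARGET: dss/...` into the Makefile instead of failing. A guard that aborts m4 with a message makes the ordering requirement explicit, and the macro deserves a comment stating that it attaches the dependency to the most recent `PRIMARY` and is the only thing tying a zone's `DS()` macro to a rebuild of `dss/$1`. No rule for `dss/%` is visible in this hunk; presumably the new key-delegation script produces it, which is worth saying in the same comment.
```m4
# DSFOR(child): make the most recent PRIMARY zone depend on dss/child
# (the DS set produced from the child's KSKs). Must follow its PRIMARY.
define(`DSFOR', `ifdef(`CURRENT_TARGET', `divert(0)CURRENT_TARGET: dss/$1

divert(-1)', `errprint(`DSFOR($1): no preceding PRIMARY
')m4exit(1)')')
```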
NAMED_RESTART_CMD
touch ver/.version
+keys/resign-stamp:
+ touch `$'@
+
clean:
- find bak zone hash -maxdepth 1 -type f | xargs rm -f
+ find bak zone hash tmp -maxdepth 1 -type f | xargs rm -f
clobber: clean
rm -f Makefile named.conf bin/shell-env
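Review bot: The new `keys/resign-stamp:` rule only creates the stamp when it is missing, and nothing in the Makefile explains why it matters: bin/genzone folds the stamp's mtime into the zone hash and `nsc_key_dep` adds it as a prerequisite of every DNSSEC zone, so touching it is the operator's way to force a full re-sign. Add that above the rule, e.g. `# mtime of this stamp feeds the zone hash (bin/genzone); touch it to force re-signing of all DNSSEC zones`. It is also worth noting there that the stamp lives under `keys/` deliberately, so neither `clean` nor `clobber` resets it.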
`M4'=M4
`KEYGEN_OPTIONS'="KEYGEN_OPTIONS"
`SIGNZONE_OPTIONS'="SIGNZONE_OPTIONS"
+`DSFROMKEY_OPTIONS'="DSFROMKEY_OPTIONS"
define(nsc_set_name, `define(`CURRENT_NAME', nsc_corr_dot($1))define(`PRINT_NAME', CURRENT_NAME)')
define(nsc_emit_name, `ifdef(`PRINT_NAME', `PRINT_NAME`'undefine(`PRINT_NAME')', `')')
define(nsc_abs_name, `ifelse(CURRENT_NAME, translit(CURRENT_NAME,.,:), CURRENT_NAME.CURRENT_DOMAIN, CURRENT_NAME)')
+define(nsc_abs_name_nodot, `define(`nsc_tmp', nsc_abs_name)substr(nsc_tmp,0,decr(len(nsc_tmp)))')
# SOA record
define(PTR, `$1 `PTR' nsc_corr_dot($2)')
+# DS records (DNSSEC keys for subdomains)
+
+define(DS, `ifdef(`REVERSE_MODE',,`nsc_DS')')
+define(nsc_DS, `undivert(dss/nsc_abs_name_nodot)')
+
# Shortcut for classless reverse delegation of a block
define(REVBLOCK, `nsc_forloop(`i', $2, $3, `i' `CNAME' `i'.$1