From 2c5837136158422b198dd306e66f71c4db87182f Mon Sep 17 00:00:00 2001
From: Martin Mares
Date: Tue, 29 Jan 2019 22:57:24 +0100
Subject: [PATCH] DNSSEC: Key management scripts
---
 bin/key-gen | 17 +++++++++++++++++
 bin/key-update | 44 ++++++++++++++++++++++++++++++++++++++++++++
 bin/nsconfig | 4 ++--
 m4/dnslib.m4 | 5 +++++
 m4/mkmf.m4 | 2 +-
 m4/mkshell-env.m4 | 4 ++++
 6 files changed, 73 insertions(+), 3 deletions(-)
 create mode 100755 bin/key-gen
 create mode 100755 bin/key-update
diff --git a/bin/key-gen b/bin/key-gen
new file mode 100755
index 0000000..686e8ca
--- /dev/null
+++ b/bin/key-gen
@@ -0,0 +1,17 @@
+#!/bin/sh
+# NSC -- DNSSEC key generator
+# (c) 2019 Martin Mares
+
+set -e
+. bin/shell-env
+
+if [ -z "$1" ] ; then
+ echo >&2 "Usage: $0 []"
+ exit 1
+fi
+D="$1"
+shift
+
+mkdir -p $KEYDIR/$D
+dnssec-keygen $KEYGEN_OPTIONS -K $KEYDIR/$D "$@" $D
+bin/key-update $D
diff --git a/bin/key-update b/bin/key-update
new file mode 100755
index 0000000..b033eba
--- /dev/null
+++ b/bin/key-update
@@ -0,0 +1,44 @@
+#!/bin/bash
+# NSC -- DNSSEC key hash updater
+# (c) 2019 Martin Mares
+
+set -e
+shopt -s nullglob
+. bin/shell-env
+
+if [ $# -gt 1 ] ; then
+ echo >&2 "Usage: $0 []"
+ exit 1
+fi
+
+update ()
+{
+ local D=$1
+ local K=$KEYDIR/$D
+ local H=$K.hash
+ cat $K/*.key | sha1sum | cut -f1 -d' ' >$H.new
+ if [ ! -f $H ] || ! cmp -s $H $H.new ; then
+ echo "** $D: New key hash"
+ mv $H.new $H
+ else
+ echo "-- $D: No change"
+ rm $H.new
+ fi
+}
+
+if [ -z "$1" ] ; then
+ for DD in $KEYDIR/* ; do
+ if [ -d "$DD" ] ; then
+ update $(basename $DD)
+ fi
+ done
+ for H in $KEYDIR/*.hash ; do
+ B=$(basename $H .hash)
+ if [ ! -d $KEYDIR/$B ] ; then
+ echo "## $B: Deleted obsolete hash"
+ rm $H
+ fi
+ done
+else
+ update $1
+fi
diff --git a/bin/nsconfig b/bin/nsconfig
index 5110b1f..676651d 100755
--- a/bin/nsconfig
+++ b/bin/nsconfig
@@ -1,6 +1,6 @@
 #!/bin/sh
 # NSC -- Makefile & Config file build script
-# (c) 1997--2008 Martin Mares
+# (c) 1997--2019 Martin Mares
 set -e
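Review bot: In bin/key-gen, `D` comes straight from argv and is used unquoted as a path component in `mkdir -p $KEYDIR/$D` and `dnssec-keygen $KEYGEN_OPTIONS -K $KEYDIR/$D "$@" $D`, so a name containing whitespace or glob characters is split or expanded, and a value containing `/` or `..` creates and fills a directory outside `$KEYDIR`. Quote the expansions (`mkdir -p -- "$KEYDIR/$D"` and `-K "$KEYDIR/$D" "$@" "$D"`) and reject anything that is not a bare zone name before the mkdir, e.g. `case "$D" in */*|.|..) echo >&2 "bad domain name: $D"; exit 1;; esac`. `$KEYGEN_OPTIONS` is the one expansion that is meant to word-split into several options and can stay unquoted, which deserves a one-line comment saying so. The usage message `"Usage: $0 []"` appears to have lost its argument placeholders, possibly through markup stripping of this copy; worth confirming against the committed file.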
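Review bot: In bin/key-update's `update`, `cat $K/*.key | sha1sum` runs with `nullglob` enabled, so a domain directory holding no `.key` files turns the command into a bare `cat` reading stdin, and because the script sets `-e` without `pipefail` a `cat` failure (unreadable or vanished key file) still produces a hash of whatever came through the pipe, which is then stored as the current key-set hash. Expand the glob into an array first and refuse to write a hash when it is empty, and add `set -o pipefail` next to `set -e` so a failed pipeline stage aborts the update instead of being masked. With `set -e`, the `return 1` below stops the all-domains loop at the first empty directory; if per-domain continuation is preferred, keep the warning and return 0 instead, but do not write the hash. The remaining unquoted expansions (`$K`, `$H`, `$DD`, `$1`, `$(basename $DD)`) should be quoted for the same reasons as in key-gen; the two `for` loops are already safe on an empty `$KEYDIR` thanks to `nullglob`.
```shell
update ()
{
	local D=$1
	local K=$KEYDIR/$D
	local H=$K.hash
	# nullglob is set, so an empty directory yields an empty array rather than a literal pattern
	local keys=("$K"/*.key)
	if [ "${#keys[@]}" -eq 0 ] ; then
		echo >&2 "!! $D: no key files in $K, hash not updated"
		return 1
	fi
	cat "${keys[@]}" | sha1sum | cut -f1 -d' ' >"$H.new"
	# … unchanged: compare "$H.new" with "$H", then mv or rm …
}
```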
@@ -12,7 +12,7 @@ if [ ! -f $DOMAINS ] ; then
 exit 1
 fi
-mkdir -p zone bak hash ver
+mkdir -p zone bak hash ver keys dss
 $M4 m4/mkconf.m4 $DOMAINS >named.conf
 $M4 m4/mkmf.m4 $DOMAINS >Makefile
 $M4 -DM4=$M4 m4/mkshell-env.m4 >bin/shell-env
diff --git a/m4/dnslib.m4 b/m4/dnslib.m4
index a431380..b09d4d1 100644
--- a/m4/dnslib.m4
+++ b/m4/dnslib.m4
@@ -93,6 +93,8 @@ define(`ZONEDIR', `zone')
 define(`BAKDIR', `bak')
 define(`VERSDIR', `ver')
 define(`HASHDIR', `hash')
+define(`KEYDIR', `keys')
+define(`DSSDIR', `dss')
 define(`ROOTCACHE', `root.cache')
 define(`REFRESH', HOURS(8))
@@ -103,6 +105,9 @@ define(`NSNAME', translit(esyscmd(`hostname -f'),` ',`'))
 define(`MAINTNAME', `root'.`nsc_corr_dot(NSNAME)')
+define(`KEYGEN_OPTIONS', `-a RSASHA256 -b 1024')
+define(`SIGNZONE_OPTIONS', `-e +'DAYS(365))
+
 # And finally we change comments to semicolons to be compatible with the zone files
 changecom(;)
diff --git a/m4/mkmf.m4 b/m4/mkmf.m4
index 2bdde83..fcf21a4 100644
--- a/m4/mkmf.m4
+++ b/m4/mkmf.m4
@@ -37,7 +37,7 @@ VERSDIR/.version: CFDIR/domains ROOTCACHE`'PRIMARIES`'ifdef(`NEED_BLACKHOLE',` Z
 touch VERSDIR/.version
 clean:
- find BAKDIR ZONEDIR HASHDIR -maxdepth 1 -type f | xargs rm -f
+ find BAKDIR ZONEDIR HASHDIR DSSDIR -maxdepth 1 -type f | xargs rm -f
 clobber: clean
 rm -f Makefile named.conf bin/shell-env
diff --git a/m4/mkshell-env.m4 b/m4/mkshell-env.m4
index e34954c..16bb1d4 100644
--- a/m4/mkshell-env.m4
+++ b/m4/mkshell-env.m4
@@ -10,5 +10,9 @@ divert(0)dnl
 `BAKDIR'=BAKDIR
 `VERSDIR'=VERSDIR
 `HASHDIR'=HASHDIR
+`KEYDIR'=KEYDIR
+`DSSDIR'=DSSDIR
 `ROOTCACHE'=ROOTCACHE
 `M4'=M4
+`KEYGEN_OPTIONS'="KEYGEN_OPTIONS"
+`SIGNZONE_OPTIONS'="SIGNZONE_OPTIONS"
--
2.39.2
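Review bot: In the second m4/dnslib.m4 hunk, `KEYGEN_OPTIONS` defaults to `-a RSASHA256 -b 1024`, and a 1024-bit RSA key is well below the 2048-bit minimum that current guidance (e.g. NIST SP 800-131A, which disallows 1024-bit RSA for signature generation) sets for signing keys, so every zone keyed with this default, presumably overridable per site, rests on a key size already considered inadequate. Raise the default to `define(`KEYGEN_OPTIONS', `-a RSASHA256 -b 2048')`, or, where the signer and the resolvers that matter support it, `define(`KEYGEN_OPTIONS', `-a ECDSAP256SHA256')`, which gives smaller keys and signatures for the same or better strength. `SIGNZONE_OPTIONS` fixes a one-year signature validity via `-e +'DAYS(365)`; that window bounds how long a stale or replayed signed RRset remains valid after a key is rolled or withdrawn, so a shorter value combined with periodic re-signing limits that exposure. Both definitions would benefit from a comment stating that they are site-overridable defaults and why the values were chosen.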