authorHarald Pfeiffer <coding _ lirion.de> 2019-04-08 14:28:41 +0200
committerHarald Pfeiffer <coding _ lirion.de> 2019-04-08 14:28:41 +0200
commit5892adbad1514c2f176583eeca7f6a6a711bbc5d (patch)
tree979932e723dbb99ea697c67827200b2e304a6924
parent152fec4d76e58dd0c2090a138a8e714ffb76ddea (diff)
downloadlinux-scripts-5892adbad1514c2f176583eeca7f6a6a711bbc5d.tar.bz2
initial commit of zoneresign script
-rw-r--r--sbin/zoneresign164
1 files changed, 164 insertions, 0 deletions
diff --git a/sbin/zoneresign b/sbin/zoneresign
new file mode 100644
index 0000000..4dde475
--- /dev/null
+++ b/sbin/zoneresign
@@ -0,0 +1,164 @@
+#!/usr/bin/env bash
+
+# Small script to sign the zone with a new salt.
+# LICENSE: LGPLv3
+# AUTHOR: Harald Pfeiffer <coding@lirion.de>
+#
+# SYNTAX: zoneresign <example.com>
+#
+# 1. ONLY EXECUTE ON THE MASTER SERVER(S) (dns serial, slave notify, blah bleh)
+# 2. Don't do this too often. A regeneration of a new salt for the hashes is there
+# to not having some random dude with lots of compute resources break our hashes,
+# so something like once a week should be sufficient.
+# 3. Not too often ofc does not mean you can spare signing whatever actual changes
+# you make to the zones :) we are forgetting the salt intentionally.
+# 4. DO NOT AUTOMATE WITH -v
+# It will print the salt on-screen, in an automation setup you would then have
+# this logged and thus you can throw away the result. Use this only for debug
+# purposes, then, and do a run without -v before going home ;)
+#
+# The expected structure is as follows:
+# - named as service name (we're operating on RHEL derivatives), replace DNSSRV if
+# necessary
+# - All configuration files inside /etc/named (/etc/named.conf only includes
+# /etc/named/named.conf), including the zone files - the zone definitions reside
+# inside /var/named/data/db.whatever. This is a mixture of the desire to keep
+# configuration inside a configuration directory (the author still comes from the
+# Debian world) and slightly adhering to Red Hat standards preferring /var (but then
+# again, they also prefer jamming the /etc root directory ;) )
+# - All keys also reside inside /etc/named/, but they will be referred to with absolute
+# pathes, so don't worry to much
+#
+# TO-DO:
+# 1. Check whether the active(!) configuration is set to master or slave, reject
+# running if we are slave. (This way we'd keep the slave alive no matter if the
+# master falls apart. Handy, isn't it?)
+# 2. Introduce a parameter (-d) that allows for multiple zones to be signed. You
+# _should_ do things zone by zone, but admins these days neither have time nor
+# automation frameworks, and are condemned to quick-and-dirty work...
+
+# Are we called bind9 as everybody calls it, or named as RHEL/CentOS do?
+DNSSRV="named"
+# configuration directory, typically /etc/named, NO TRAILING SLASH
+CNFDIR="/etc/named"
+# Directory where the definition files for your zone resides, e.g.:
+# /etc/named/named.conf.example.com has "file /var/named/data/db.example.com" as directive,
+# then ZDBDIR would be "/var/named/data"
+ZDBDIR="/var/named/data"
+# Logging: if you activate logging through "-l", these are the parameters.
+LOGTARG="zoneresign"
+LOGFACIL="local3"
+# ...levels will be dynamically determined dependent on the type of message
+
+####################
+# SCRIPT FROM HERE #
+# ################ #
+
+export VERB=0 KEEPSER=0 LOGG0R=0
+
+hayulp() {
+ printf "USAGE: %s | [-v] [ -k ] [ -l ] TARGETZONE\n\n" "$(basename "$0")"
+ (
+ printf "TARGETZONE;Mandatory parameter: We are expecting the domain name to sign,\n"
+ printf ";so something like example.com\n"
+ printf "-h;This help text\n"
+ printf "-k;Keep serial (in case you already increased it in the zone file\n"
+ printf "-l;Log to system log (log daemon, so journald is supported\n"
+ printf "-v;Verbose output"
+ )|column -ts\;
+}
+[ -z "$1" ]&&hayulp&&printf "\nNo domain name given.\n" >&2&&exit 1
+
+while getopts :vhkl SHOPT;do
+ case "$SHOPT" in
+ h) hayulp;exit 0;;
+ k) export KEEPSER=1;;
+ l) export LOGG0R=1;;
+ v) export VERB=1;;
+ esac
+done
+shift $((OPTIND-1))
+
+PDIR="$(pwd)"
+
+[ "$VERB" -ne 0 ]&&printf "Checking named configuration for \"%s\"..." "$1"
+/usr/sbin/named-checkzone -q "$1" "$ZDBDIR/db.$1" >/dev/null 2>&1&&\
+ /usr/sbin/named-checkconf -z >/dev/null 2>&1
+case "$?" in
+ 0)
+ [ "$VERB" -ne 0 ]&&printf " OK.\n"||:
+ [ "$LOGG0R" -gt 0 ]&&logger -t"$LOGTARG" -p "$LOGFACIL"".info" "Conf check OK for $1."
+ ;;
+ *)
+ [ "$VERB" -ne 0 ]&&printf " failed!\n"||printf "Conf check for %s failed!\n" "$1" >&2
+ [ "$LOGG0R" -gt 0 ]&&logger -t"$LOGTARG" -p "$LOGFACIL"".error" "Conf check failed for $1."
+ exit 2
+ ;;
+esac
+SERIAL="$(/usr/sbin/named-checkzone "$1" "$ZDBDIR/db.$1"|egrep -ho '[0-9]{10}')"
+if [ -z "$SERIAL" ];then
+ printf "Zone serial cannot be determined for %s!" "$1" >&2
+ logger -t"$LOGTARG" -p "$LOGFACIL"".error" "Zone serial cannot be determined for $1"
+ exit 3
+fi
+[ "$KEEPSER" -eq 0 ]&&sed -i 's/'$SERIAL'/'$(($SERIAL+1))'/' "$ZDBDIR/db.$1"||:
+# we need a hexadecimal salt here, this is intentional.
+MYSALT="$(head -c 1000 /dev/random|sha1sum|cut -b 1-16)"
+case "$VERB" in
+ 0)
+ /usr/sbin/dnssec-signzone -3 "$MYSALT" -A -N INCREMENT -o "$1" -K "/etc/named" -t \
+ "$ZDBDIR/db.$1" >/dev/null 2>&1
+ ;;
+ *)
+ printf "Signing zone \"%s\"...\n" "$1"
+ printf "Salt: %s\n" "$MYSALT"
+ /usr/sbin/dnssec-signzone -3 "$MYSALT" -A -N INCREMENT -o "$1" -K "/etc/named" -t \
+ "$ZDBDIR/db.$1"
+ ;;
+esac
+BONK="$?"
+unset MYSALT
+case "$BONK" in
+ 0)
+ [ "$VERB" -ne 0 ]&&printf "\n--OK--\n"||:
+ [ "$LOGG0R" -gt 0 ]&&logger -t"$LOGTARG" -p "$LOGFACIL"".info" "Zone $1 signed successfully."
+ ;;
+ *)
+ [ "$VERB" -ne 0 ]&&printf "\n--FAILURE--\n"||printf "Signature of zone %s failed!" "$1" >&2
+ [ "$LOGG0R" -gt 0 ]&&logger -t"$LOGTARG" -p "$LOGFACIL"".error" "Zone $1 signature failed!"
+ exit 4
+ ;;
+esac
+# named on systemd is a nice wankology (at least on CentOS):
+# a reload will give you RC 0 in case of a configuration that is garbage. thumbs up.
+# so we'll do a zone-and-config-check again (plus the signed file):
+[ "$VERB" -ne 0 ]&&printf "Checking named configuration for \"%s\"..." "$1"
+/usr/sbin/named-checkzone -q "$1" "$ZDBDIR/db.$1" >/dev/null 2>&1&&\
+ /usr/sbin/named-checkzone -q "$1" "$ZDBDIR/db.$1"".signed" >/dev/null 2>&1&&\
+ /usr/sbin/named-checkconf -z >/dev/null >/dev/null 2>%1
+case "$?" in
+ 0)
+ [ "$VERB" -ne 0 ]&&printf " OK.\n"||:
+ [ "$LOGG0R" -gt 0 ]&&logger -t"$LOGTARG" -p "$LOGFACIL"".info" "Conf check OK for $1."&& \
+ /usr/sbin/named-checkzone "$1" "$ZDBDIR/db.$1"".signed" 2>&1|tr '\n' ' '|\
+ logger -t"$LOGTARG" -p "$LOGFACIL"".info"
+ ;;
+ *)
+ [ "$VERB" -ne 0 ]&&printf " failed!\n"||printf "Conf check for %s failed!\n" "$1" >&2
+ [ "$LOGG0R" -gt 0 ]&&logger -t"$LOGTARG" -p "$LOGFACIL"".error" "Conf check failed for $1."
+ exit 5
+ ;;
+esac
+[ "$VERB" -ne 0 ]&&printf "Reloading bind daemon (%s)..." "$DNSSRV"
+service "$DNSSRV" reload >/dev/null 2>&1
+case "$?" in
+ 0)
+ [ "$VERB" -ne 0 ]&&printf " OK.\n"||:
+ [ "$LOGG0R" -gt 0 ]&&logger -t"$LOGTARG" -p "$LOGFACIL"".info" "$DNSSRV daemon reloaded."
+ ;;
+ *)
+ [ "$VERB" -ne 0 ]&&printf " failed!\n"||printf "Reload of %s daemon failed!\n" "$DNSSRV" >&2
+ [ "$LOGG0R" -gt 0 ]&&logger -t"$LOGTARG" -p "$LOGFACIL"".error" "Reload of $1 daemon failed."
+ exit 6
+ ;;
+esac
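Review bot: The named-checkconf call in the post-signing check (the third command of that `&&` chain) has a broken redirection, `2>%1`, so stderr is not silenced and the shell creates a stray file literally named `%1` in the caller's working directory; together with the doubled `>/dev/null` the line should read `/usr/sbin/named-checkconf -z >/dev/null 2>&1`, as in the first check near the top of the script. In the reload failure branch the logger message says `Reload of $1 daemon failed.` while the stderr message beside it uses `$DNSSRV`, which looks like a copy-paste slip that will log the zone name instead of the service. `CNFDIR` is declared in the settings block but both dnssec-signzone invocations pass a hard-coded `-K "/etc/named"`, so changing the variable has no effect; `-K "$CNFDIR"` would honour the header's "replace if necessary" promise. The serial bump runs an unanchored `sed -i 's/'$SERIAL'/'$(($SERIAL+1))'/'` over the whole zone file, which rewrites the first ten-digit match wherever it occurs rather than the SOA serial specifically, and `$SERIAL` is unquoted there; anchoring the pattern (or re-reading the serial afterwards and refusing to continue if it did not change) would make that step safer.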