From 4510de948808854c21fdc144af95ef420bdf9767 Mon Sep 17 00:00:00 2001
From: Frank Brehm
Date: Thu, 26 Jan 2023 09:31:30 +0100
Subject: [PATCH] Adding scripts/enable-dnssec.sh
---
 scripts/enable-dnssec.sh | 238 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 238 insertions(+)
 create mode 100755 scripts/enable-dnssec.sh
diff --git a/scripts/enable-dnssec.sh b/scripts/enable-dnssec.sh
new file mode 100755
index 0000000..3dd9d43
--- /dev/null
+++ b/scripts/enable-dnssec.sh
@@ -0,0 +1,238 @@
+#!/bin/bash
+
+set -e
+set -u
+
+BASE_NAME="$( basename ${0} )"
+MY_REAL_NAME=$( readlink -f $0 )
+
+
+if [[ -f /usr/libexec/pixelpark/functions.rc ]] ; then
+ . /usr/libexec/pixelpark/functions.rc
+else
+ echo "Did not found /usr/libexec/pixelpark/functions.rc." >&2
+ exit 5
+fi
+
+declare -a ZONES=()
+
+PDNSUTIL_RV=
+
+detect_color
+
+set_locale "en_US.utf8"
+
+DESCRIPTION=$( cat <<-EOF
+ Enable DNSSEC for the given zones.
+
+ EOF
+)
+
+#------------------------------------------------------------------------------
+usage() {
+ cat <<-EOF
+ Usage: ${BASE_NAME} [Common Options] [ ...]
+ ${BASE_NAME} [-h|--help]
+ ${BASE_NAME} [-V|--version]
+
+ Mandatory Parameter(s):
+ ZONE: The name of the zone to enable DNSSEC.
+
+ Common Options:
+ ${STD_USAGE_MSG}
+ EOF
+
+}
+
+#------------------------------------------------------------------------------
+get_options() {
+
+ local tmp=
+ local base_dir=
+
+ set +e
+ tmp=$( getopt -o ${STD_SHORT_OPTIONS} \
+ --long ${STD_LONG_OPTIONS} \
+ -n "${BASE_NAME}" -- "$@" )
+ if [[ $? != 0 ]] ; then
+ echo "" >&2
+ usage >&2
+ exit 1
+ fi
+ set -e
+
+ # Note the quotes around `$TEMP': they are essential!
+ eval set -- "${tmp}"
+ eval_common_options "$@"
+ if [[ "${DEBUG}" == 'y' ]] ; then
+ declare -p REMAINING_OPTS
+ declare -p REMAINING_ARGS
+ fi
+
+ if [[ "${#REMAINING_OPTS[@]}" -gt 0 ]] ; then
+ error "Unknown options: ${REMAINING_OPTS[*]}"
+ echo >&2
+ usage >&2
+ exit 2
+ fi
+
+ if [[ "${#REMAINING_ARGS[@]}" == "0" ]] ; then
+ error "No zones given to enable DNSSEC."
+ echo >&2
+ usage >&2
+ exit 2
+ fi
+
+ local i=0
+ local zone=
+ for zone in "${REMAINING_ARGS[@]}" ; do
+ if [[ "$i" == 0 ]]; then
+ i=1
+ continue
+ fi
+ ZONES+=(${zone})
+ i=$(( $i + 1 ))
+ done
+
+ if [[ "${DEBUG}" == 'y' ]] ; then
+ declare -p ZONES
+ fi
+
+ check_for_root
+
+ if ! type -p pdnsutil >/dev/null ; then
+ error "Command '${RED}pdnsutil${NORMAL}' not found!"
+ exit 7
+ fi
+
+}
+
+#------------------------------------------------------------------------------
+force_exec_pdnsutil() {
+
+ local cmd="pdnsutil $*"
+
+ debug "Executing: ${cmd}" >&2
+
+ eval ${cmd}
+
+}
+
+#------------------------------------------------------------------------------
+exec_pdnsutil() {
+
+ local cmd="pdnsutil $*"
+
+ if [[ "${SIMULATE}" == "y" ]] ; then
+ info "Simulate executing: ${cmd}" >&2
+ else
+ force_exec_pdnsutil "$@"
+ fi
+
+}
+
+#------------------------------------------------------------------------------
+get_zone_info() {
+
+ local zone="$1"
+
+ info "Get zone info for zone '${CYAN}${zone}${NORMAL}' ..." >&2
+ force_exec_pdnsutil show-zone "\"${zone}\""
+
+}
+
+#------------------------------------------------------------------------------
+enable_dnssec() {
+
+ local zone="$1"
+ local rv=
+ local zone_info=
+ local has_dnssec="n"
+ local cmd=
+ local salt=
+ local nsec_params=
+ local api_rectify=
+
+ empty_line
+ line '-' 40
+ set +e
+ zone_info=$( get_zone_info "${zone}" )
+ rv="$?"
+ set -e
+ if [[ "${rv}" != "0" ]] ; then
+ warn "${YELLOW}${rv}${NORMAL}: Zone '${YELLOW}${zone}${NORMAL}' seems not to exists."
+ return 0
+ fi
+
+ info "Checking zone '${CYAN}${zone}${NORMAL}' ..."
+ set +e
+ force_exec_pdnsutil check-zone "\"${zone}\""
+ rv="$?"
+ set -e
+ if [[ "${rv}" != "0" ]] ; then
+ warn "${YELLOW}${rv}${NORMAL}: Zone '${YELLOW}${zone}${NORMAL}' ${CYAN}has to be rectified${NORMAL}."
+ return 0
+ fi
+
+ if echo "${zone_info}" | grep -q -P '^keys:\s*$' ; then
+ has_dnssec="y"
+ fi
+ if [[ "${has_dnssec}" == "y" ]] ; then
+ info "Zone '${CYAN}${zone}${NORMAL}' has already DNSSEC keys."
+ else
+ info "Securing zone '${CYAN}${zone}${NORMAL}' ..."
+ exec_pdnsutil secure-zone "\"${zone}\""
+ sleep 0.5
+ fi
+
+ nsec_params=$( force_exec_pdnsutil get-meta "\"${zone}\"" NSEC3PARAM | \
+ grep 'NSEC3PARAM' | \
+ sed -e 's/^[ ]*NSEC3PARAM[ ]*=[ ]*//' -e 's/[ ]*$//' )
+ if [[ -n "${nsec_params}" ]] ; then
+ info "${CYAN}NSEC3 parameters${NORMAL} '${GREEN}${nsec_params}${NORMAL}' are already set for zone '${CYAN}${zone}${NORMAL}'."
+ else
+ salt=$( printf "%0x" $(( RANDOM + 100 )) | sed -e 's/^\(..\).*/\1/' )
+ nsec_params="1 0 0 ${salt}"
+ info "Setting ${CYAN}NSEC3 parameters${NORMAL} '${GREEN}${nsec_params}${NORMAL}' for zone '${CYAN}${zone}${NORMAL}' ..."
+ exec_pdnsutil set-nsec3 "\"${zone}\"" "'${nsec_params}'"
+ sleep 0.3
+ fi
+
+ api_rectify=$( force_exec_pdnsutil get-meta "\"${zone}\"" API-RECTIFY | \
+ grep 'API-RECTIFY' | \
+ sed -e 's/^[ ]*API-RECTIFY[ *=[ ]*//' -e 's/[ ]*$//' )
+ if [[ "${api_rectify}" == "1" ]] ; then
+ info "${CYAN}API-rectify${NORMAL} is already enabled for zone '${CYAN}${zone}${NORMAL}'."
+ else
+ info "Enabling ${CYAN}API-rectify${NORMAL} for zone '${CYAN}${zone}${NORMAL}' ..."
+ exec_pdnsutil set-meta "\"${zone}\"" API-RECTIFY 1
+ sleep 0.2
+ fi
+
+}
+
+#------------------------------------------------------------------------------
+main() {
+
+ get_options "$@"
+
+ local zone=
+ local i=0
+
+ for zone in "${ZONES[@]}" ; do
+
+ if [[ "$i" -gt "0" ]] ; then
+ sleep 1
+ fi
+ i=$(( i + 1 ))
+ enable_dnssec "${zone}"
+
+ done
+
+}
+
+main "$@"
+
+exit 0
+
+# vim: tabstop=4 expandtab shiftwidth=4 softtabstop=4 list
-- 2.39.5
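Review bot: force_exec_pdnsutil runs `eval ${cmd}` on a string assembled from its arguments, so every zone name the callers pass (show-zone in get_zone_info, and the check-zone/secure-zone/get-meta/set-nsec3/set-meta calls in enable_dnssec) is re-parsed by the shell — presumably as root, given check_for_root — and the `"\"${zone}\""` wrapping only survives a well-formed name: an argument containing quotes, `$(`, backticks or `;` is executed rather than handed to pdnsutil. The eval buys nothing, since exec_pdnsutil already forwards `"$@"` word by word; replacing the body with `pdnsutil "$@"` and passing plain `"${zone}"` / `"${nsec_params}"` in the callers keeps argument boundaries intact, and `ZONES+=("${zone}")` in get_options should be quoted for the same reason (unquoted it is also word-split and glob-expanded). Separately, the NSEC3 salt is one byte derived from bash's `$RANDOM`; the salt is public so this is not a secrecy issue, but RFC 9276 recommends an empty salt with 0 additional iterations, so `nsec_params="1 0 0 -"` (confirm the installed pdnsutil accepts `-` as the empty salt) would remove the PRNG dependency altogether. Finally, the API-RECTIFY sed expression `[ *=[ ]*` differs from the NSEC3PARAM one (`[ ]*=[ ]*`) and only works because the bracket happens to contain `=`; it should read `'s/^[ ]*API-RECTIFY[ ]*=[ ]*//'`.
```shell
force_exec_pdnsutil() {

    debug "Executing: pdnsutil $*" >&2

    # Arguments stay separate words: no shell re-parsing of zone names.
    pdnsutil "$@"

}

# … unchanged: exec_pdnsutil (already forwards "$@") …

get_zone_info() {

    local zone="$1"

    info "Get zone info for zone '${CYAN}${zone}${NORMAL}' ..." >&2
    force_exec_pdnsutil show-zone "${zone}"

}

# … unchanged: enable_dnssec locals and zone lookup …
    force_exec_pdnsutil check-zone "${zone}"
# … unchanged: rectify check, DNSSEC key detection …
        exec_pdnsutil secure-zone "${zone}"
# … unchanged …
    nsec_params=$( force_exec_pdnsutil get-meta "${zone}" NSEC3PARAM | \
# … unchanged: grep/sed filter, already-set branch …
        exec_pdnsutil set-nsec3 "${zone}" "${nsec_params}"
# … unchanged …
    api_rectify=$( force_exec_pdnsutil get-meta "${zone}" API-RECTIFY | \
# … unchanged: grep/sed filter, already-enabled branch …
        exec_pdnsutil set-meta "${zone}" API-RECTIFY 1
```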