gitlabFork/ISPConfig3.git - Solinfo Gitblit

parent: eaafeeb3 | patch | commit | ignore whitespace

final commit? Will test now a last time and if everything works as expected...

A. Täffner

2016-01-20 1a2f60067da29914c833ec813950e76a717cd45b

final commit? Will test now a last time and if everything works as expected this will be my merge request

1 files added

3 files modified

	TODO.txt	8 ●●●●● patch \| view \| raw \| blame \| history
	install/lib/installer_base.lib.php	2 ●●●●● patch \| view \| raw \| blame \| history
	install/tpl/dnssec-create.sh.master	11 ●●●●● patch \| view \| raw \| blame \| history
	install/tpl/named.conf.options.master	28 ●●●●● patch \| view \| raw \| blame \| history

 TODO.txt

@@ -13,11 +13,9 @@
--------------------------------------

- Add a function to let a server join a existing installation.
- Change named.options.conf and add follwoing lines into options-brackets for DNSSEC-Implementation:
        dnssec-enable yes;
        dnssec-validation yes;
        dnssec-lookaside auto;
- Add Package haveged to requirements as it raises available entropy by more than 1500 which is very needed for DNSSEC Key-generation
- Add Package haveged to requirements (at least if entropy is low) as it raises available entropy significantly which is very needed for DNSSEC Key-generation
    If it is not installed and entropy is low generating dnssec-keys lasts minutes (and would time out the server thus is not done) and new signing keys are not generated.
    If there are no keys the zones can not be signed and will only be availableas a unsigned copy.

Uninstaller
--------------------------------------

 install/lib/installer_base.lib.php

@@ -1517,7 +1517,7 @@
        $this->process_bind_file('dnssec-autopickup.sh', '/server/scripts/');
        $this->process_bind_file('dnssec-autocreate.sh', '/server/scripts/');
        $this->process_bind_file('dnssec-config.sh', '/server/scripts/');

        $this->process_bind_file('named.conf.options', $conf['bind']['bind_zonefiles_dir']);
    }



 install/tpl/dnssec-create.sh.master

@@ -7,9 +7,18 @@
 echo "$0 could not connect to database"
 exit 0
fi

if [ `cat /proc/sys/kernel/random/entropy_avail` -lt 400 ] ; then
    echo "ERROR: DNSSEC is not working as available entropy is below 400. Please consider installing package haveged. Skipping generation of keys as well as signing..."
    cp $filespre$domain $filespre$domain.signed
    mysql -u $dbuser --password=$dbpass -h $dbhost -Bse "use $dbase; UPDATE dns_soa SET dnssec_info='Error during generation of keys. Please contact our support. Reason: Too less entropy available.', dnssec_initialized='N' WHERE origin='$domain.'"
    exit 20
fi

mysqlcheck=`mysql -u $dbuser --password=$dbpass -h $dbhost -Bse "use $dbase; select * from dns_soa where dnssec_initialized='Y' and origin='$domain.';" | wc -c`
if [ "$mysqlcheck" -gt 1 ];then
 echo "$domain seems to be initialized. If that is wrong correct dnssec_initialized in dns_soa table"
 echo "DNSSEC: $domain seems to be initialized. If that is wrong correct dnssec_initialized in dns_soa table"
 exit 0
fi
cd $bindpath


 install/tpl/named.conf.options.master

New file
@@ -0,0 +1,28 @@
options {
    directory "/var/cache/bind";

    // If there is a firewall between you and nameservers you want
    // to talk to, you may need to fix the firewall to allow multiple
    // ports to talk.  See http://www.kb.cert.org/vuls/id/800113

    // If your ISP provided one or more IP addresses for stable 
    // nameservers, you probably want to use them as forwarders.  
    // Uncomment the following block, and insert the addresses replacing 
    // the all-0's placeholder.

    // forwarders {
    //     0.0.0.0;
    // };

    //========================================================================
    // If BIND logs error messages about the root key being expired,
    // you will need to update your keys.  See https://www.isc.org/bind-keys
    //========================================================================
    dnssec-enable yes;
    dnssec-validation yes;
    dnssec-lookaside auto;

    auth-nxdomain no;    # conform to RFC1035
    listen-on-v6 { any; };
};

			@@ -13,11 +13,9 @@
			--------------------------------------

			- Add a function to let a server join a existing installation.
			- Change named.options.conf and add follwoing lines into options-brackets for DNSSEC-Implementation:
			dnssec-enable yes;
			dnssec-validation yes;
			dnssec-lookaside auto;
			- Add Package haveged to requirements as it raises available entropy by more than 1500 which is very needed for DNSSEC Key-generation
			- Add Package haveged to requirements (at least if entropy is low) as it raises available entropy significantly which is very needed for DNSSEC Key-generation
			If it is not installed and entropy is low generating dnssec-keys lasts minutes (and would time out the server thus is not done) and new signing keys are not generated.
			If there are no keys the zones can not be signed and will only be availableas a unsigned copy.

			Uninstaller
			--------------------------------------

			@@ -1517,7 +1517,7 @@
			$this->process_bind_file('dnssec-autopickup.sh', '/server/scripts/');
			$this->process_bind_file('dnssec-autocreate.sh', '/server/scripts/');
			$this->process_bind_file('dnssec-config.sh', '/server/scripts/');

			$this->process_bind_file('named.conf.options', $conf['bind']['bind_zonefiles_dir']);
			}

			@@ -7,9 +7,18 @@
			echo "$0 could not connect to database"
			exit 0
			fi

			if [ `cat /proc/sys/kernel/random/entropy_avail` -lt 400 ] ; then
			echo "ERROR: DNSSEC is not working as available entropy is below 400. Please consider installing package haveged. Skipping generation of keys as well as signing..."
			cp $filespre$domain $filespre$domain.signed
			mysql -u $dbuser --password=$dbpass -h $dbhost -Bse "use $dbase; UPDATE dns_soa SET dnssec_info='Error during generation of keys. Please contact our support. Reason: Too less entropy available.', dnssec_initialized='N' WHERE origin='$domain.'"
			exit 20
			fi

			mysqlcheck=`mysql -u $dbuser --password=$dbpass -h $dbhost -Bse "use $dbase; select * from dns_soa where dnssec_initialized='Y' and origin='$domain.';" \| wc -c`
			if [ "$mysqlcheck" -gt 1 ];then
			echo "$domain seems to be initialized. If that is wrong correct dnssec_initialized in dns_soa table"
			echo "DNSSEC: $domain seems to be initialized. If that is wrong correct dnssec_initialized in dns_soa table"
			exit 0
			fi
			cd $bindpath

New file
			@@ -0,0 +1,28 @@
			options {
			directory "/var/cache/bind";

			// If there is a firewall between you and nameservers you want
			// to talk to, you may need to fix the firewall to allow multiple
			// ports to talk. See http://www.kb.cert.org/vuls/id/800113

			// If your ISP provided one or more IP addresses for stable
			// nameservers, you probably want to use them as forwarders.
			// Uncomment the following block, and insert the addresses replacing
			// the all-0's placeholder.

			// forwarders {
			// 0.0.0.0;
			// };

			//========================================================================
			// If BIND logs error messages about the root key being expired,
			// you will need to update your keys. See https://www.isc.org/bind-keys
			//========================================================================
			dnssec-enable yes;
			dnssec-validation yes;
			dnssec-lookaside auto;

			auth-nxdomain no; # conform to RFC1035
			listen-on-v6 { any; };
			};