Final commit? Will test it one last time and, if everything works as expected, this will be my merge request.
1 files added
3 files modified
| | |
| | | -------------------------------------- |
| | | |
| | | - Add a function to let a server join a existing installation. |
| | | - Change named.options.conf and add follwoing lines into options-brackets for DNSSEC-Implementation: |
| | | dnssec-enable yes; |
| | | dnssec-validation yes; |
| | | dnssec-lookaside auto; |
| | | - Add Package haveged to requirements as it raises available entropy by more than 1500 which is very needed for DNSSEC Key-generation |
| | | - Add Package haveged to requirements (at least if entropy is low) as it raises available entropy significantly which is very needed for DNSSEC Key-generation |
| | | If it is not installed and entropy is low generating dnssec-keys lasts minutes (and would time out the server thus is not done) and new signing keys are not generated. |
| | | If there are no keys the zones can not be signed and will only be availableas a unsigned copy. |
| | | |
| | | Uninstaller |
| | | -------------------------------------- |
| | |
| | | $this->process_bind_file('dnssec-autopickup.sh', '/server/scripts/'); |
| | | $this->process_bind_file('dnssec-autocreate.sh', '/server/scripts/'); |
| | | $this->process_bind_file('dnssec-config.sh', '/server/scripts/'); |
| | | |
| | | $this->process_bind_file('named.conf.options', $conf['bind']['bind_zonefiles_dir']); |
| | | } |
| | | |
| | | |
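Review bot: The last `process_bind_file` call drops `named.conf.options` into `$conf['bind']['bind_zonefiles_dir']` unconditionally, so an existing options file at that path — with any forwarders, ACLs or listen settings an administrator already put there — is silently overwritten; consider writing it only when absent, or injecting just the three `dnssec-*` lines into the file that `named.conf` actually includes, and confirm that the zonefiles directory is where the running named reads its options from (on Debian-style layouts the options file normally sits next to named.conf, not with the zones). The three helper scripts go to a hard-coded `/server/scripts/` while the options file uses a config key; if `process_bind_file` does not set restrictive permissions, scripts that handle DB credentials should not be world-readable, e.g. `chmod 0750` after the copy. The changelog in this commit calls the file `named.options.conf`, which does not match `named.conf.options` used here. The enclosing method starts outside the hunk.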
| | |
| | | echo "$0 could not connect to database" |
| | | exit 0 |
| | | fi |
| | | |
| | | if [ `cat /proc/sys/kernel/random/entropy_avail` -lt 400 ] ; then |
| | | echo "ERROR: DNSSEC is not working as available entropy is below 400. Please consider installing package haveged. Skipping generation of keys as well as signing..." |
| | | cp $filespre$domain $filespre$domain.signed |
| | | mysql -u $dbuser --password=$dbpass -h $dbhost -Bse "use $dbase; UPDATE dns_soa SET dnssec_info='Error during generation of keys. Please contact our support. Reason: Too less entropy available.', dnssec_initialized='N' WHERE origin='$domain.'" |
| | | exit 20 |
| | | fi |
| | | |
| | | mysqlcheck=`mysql -u $dbuser --password=$dbpass -h $dbhost -Bse "use $dbase; select * from dns_soa where dnssec_initialized='Y' and origin='$domain.';" | wc -c` |
| | | if [ "$mysqlcheck" -gt 1 ];then |
| | | echo "$domain seems to be initialized. If that is wrong correct dnssec_initialized in dns_soa table" |
| | | echo "DNSSEC: $domain seems to be initialized. If that is wrong correct dnssec_initialized in dns_soa table" |
| | | exit 0 |
| | | fi |
| | | cd $bindpath |
| | | |
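Review bot: `--password=$dbpass` on both mysql command lines (the UPDATE inside the entropy branch and the `mysqlcheck` SELECT) puts the database password into the process argument list, where any local user can read it with `ps` for the duration of the query; hand it to mysql through a private option file instead. `$domain` is interpolated unquoted into both SQL statements and into the `cp` arguments, so a value containing a quote or whitespace breaks the statement or, if it can originate from user-controlled data, injects SQL — it should be validated against a hostname pattern before first use, e.g. `case "$domain" in ''|*[!A-Za-z0-9.-]*) echo "invalid domain"; exit 1;; esac`. Separately, `exit 0` after "could not connect to database" reports success to the caller although nothing was done, which is inconsistent with `exit 20` for the entropy failure; a non-zero status there would let the caller notice. The `if` that the first lines of this hunk close starts outside the hunk.
```shell
# Keep the DB password out of argv (readable by every local user via ps):
# pass it to mysql through a 0600 option file that is removed on exit.
mycnf=$(mktemp) || exit 1
trap 'rm -f "$mycnf"' EXIT
printf '[client]\nuser=%s\npassword=%s\nhost=%s\n' "$dbuser" "$dbpass" "$dbhost" > "$mycnf"
# … unchanged: entropy check and unsigned-copy fallback …
mysql --defaults-extra-file="$mycnf" -Bse "use $dbase; UPDATE dns_soa SET dnssec_info='Error during generation of keys. Please contact our support. Reason: Too less entropy available.', dnssec_initialized='N' WHERE origin='$domain.'"
# … unchanged: exit 20, fi …
mysqlcheck=$(mysql --defaults-extra-file="$mycnf" -Bse "use $dbase; select * from dns_soa where dnssec_initialized='Y' and origin='$domain.';" | wc -c)
```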
New file |
| | |
| | | options { |
| | | directory "/var/cache/bind"; |
| | | |
| | | // If there is a firewall between you and nameservers you want |
| | | // to talk to, you may need to fix the firewall to allow multiple |
| | | // ports to talk. See http://www.kb.cert.org/vuls/id/800113 |
| | | |
| | | // If your ISP provided one or more IP addresses for stable |
| | | // nameservers, you probably want to use them as forwarders. |
| | | // Uncomment the following block, and insert the addresses replacing |
| | | // the all-0's placeholder. |
| | | |
| | | // forwarders { |
| | | // 0.0.0.0; |
| | | // }; |
| | | |
| | | //======================================================================== |
| | | // If BIND logs error messages about the root key being expired, |
| | | // you will need to update your keys. See https://www.isc.org/bind-keys |
| | | //======================================================================== |
| | | dnssec-enable yes; |
| | | dnssec-validation yes; |
| | | dnssec-lookaside auto; |
| | | |
| | | auth-nxdomain no; # conform to RFC1035 |
| | | listen-on-v6 { any; }; |
| | | }; |
| | | |
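Review bot: `dnssec-lookaside auto;` should be dropped: it points validation at ISC's DLV registry, which ISC retired in 2017, and depending on the BIND version newer releases either warn that the option is deprecated or refuse to load the configuration, so it adds a startup-failure risk and no validation benefit. `dnssec-enable yes;` is in the same situation on recent BIND (9.16 and later treat DNSSEC as always on and later releases reject the option), so only `dnssec-validation yes;` is needed unless the target distribution ships an older BIND — worth stating in a comment which version range this file targets. The options block also says nothing about recursion or zone transfers on a host that, judging by the DNSSEC scripts, serves authoritative signed zones; `recursion no;` and `allow-transfer { none; };` (listing real secondaries explicitly) are the usual safeguards against acting as an open resolver or leaking whole zones, unless the installer sets them in another file.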