A. Täffner
2016-01-21 606a2d96f218abda206d2ae0d705649ea226bdd0
DNSSEC-Switch: Implementation finished, tested
And found a small bug (privkeys were not deleted on zone deletion) which is now fixed
Testing successful. Doing a last test; if everything goes well, this will be the new merge request.
6 files modified
28 ■■■■ changed files
install/tpl/dnssec-delete.sh.master 1 ●●●● patch | view | raw | blame | history
install/tpl/dnssec-update.sh.master 7 ●●●●● patch | view | raw | blame | history
interface/web/dns/lib/lang/de_dns_soa.lng 1 ●●●● patch | view | raw | blame | history
interface/web/dns/lib/lang/en_dns_soa.lng 1 ●●●● patch | view | raw | blame | history
interface/web/dns/templates/dns_soa_edit.htm 6 ●●●● patch | view | raw | blame | history
server/plugins-available/bind_plugin.inc.php 12 ●●●●● patch | view | raw | blame | history
install/tpl/dnssec-delete.sh.master
@@ -17,6 +17,7 @@
fi
rm $bindpath/K$pardomain.+*.key
rm $bindpath/K$pardomain.+*.private
rm "$bindpath/$filespre$pardomain.signed"
rm "$bindpath/dsset-$pardomain."
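Review bot: The added `rm $bindpath/K$pardomain.+*.private` (like the `.key` line above it) expands `$bindpath` unquoted and does not tolerate an unmatched glob, so a path containing whitespace splits into several arguments and a zone that never had keys makes `rm` fail on the literal pattern; `rm -f -- "$bindpath"/K"$pardomain".+*.private` keeps the wildcard while quoting the variables and ignoring a missing key. Since this step destroys the signing keys and the local dsset file outright, a comment is also worth adding for the next reader, e.g. `# removes the key pair and dsset locally only; nothing here withdraws a DS still published at the parent`, because whether the parent-side DS is handled elsewhere is not visible in this change. The script body starts before this hunk.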
install/tpl/dnssec-update.sh.master
@@ -1,13 +1,14 @@
#!/bin/bash
source {dnssec_conffile}
pardomain="${1::-1}"
cd $bindpath
if [ ! -d $backuppath ]; then mkdir -p $backuppath; fi
#connect to database for testing
mysqlcheck=`mysql -u $dbuser --password=$dbpass -h $dbhost -Bse "use $dbase; show tables;" | wc -c`
if [ "$mysqlcheck" = 0 ];then
 echo "$0 could not connect to database"
 cd $curdir
 cd $curpath
 exit 0
fi
@@ -33,8 +34,8 @@
      fi
    /usr/sbin/dnssec-signzone -A -3 $(head -c 1000 /dev/random | sha1sum | cut -b 1-16) -N increment -o $domain -t $filespre$domain
    mysql -u $dbuser --password=$dbpass -h $dbhost -Bse "use $dbase; update dns_soa set serial='$fserial' where origin='$domain.'; update dns_rr set serial='$fserial' WHERE zone=$zoneid"
    mysql -u $dbuser --password=$dbpass -h $dbhost -Bse "use $dbase; update dns_soa set serial='$fserial', dnssec_info='`cat /tmp/.dnssec-$domain`' where origin='$domain.'; update dns_rr set serial='$fserial' WHERE zone=$zoneid"
echo "DNSSEC for $pardomain has been configured"
cd $curdir
cd $curpath
exit 0
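Review bot: The new mysql line splices the raw content of `/tmp/.dnssec-$domain` into the SQL statement through a backtick substitution with no escaping, so a single quote or backslash in that file breaks or rewrites the statement executed as `$dbuser`; and because `/tmp` is shared, a local user who creates that file (or a symlink in its place) before the signing run controls what gets stored as the zone's DS data. Read the value from a directory only this script's user can write and escape it before use, e.g. `dsinfo=$(sed "s/\\\\/\\\\\\\\/g; s/'/''/g" "$backuppath/.dnssec-$domain")` and then `dnssec_info='$dsinfo'` in the UPDATE; the code that writes that file is not in this hunk, so the location has to change there as well. Passing `--password=$dbpass` on the command line, repeated on the added line, also exposes the database password to every local user via the process list, which a `--defaults-extra-file` would avoid. The function-level flow (`$curdir`/`$curpath`) is set up outside the hunk.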
interface/web/dns/lib/lang/de_dns_soa.lng
@@ -13,6 +13,7 @@
$wb['active_txt'] = 'Aktiv';
$wb['dnssec_info_txt'] = 'DNSSEC DS-Daten für Registry';
$wb['dnssec_wanted_txt'] = 'Zone signieren (DNSSEC)';
$wb['dnssec_wanted_info'] = 'Wenn DNSSEC bereits aktiviert war und ein Key erstellt wurde, wird dieser durch deaktivieren nicht gelöscht. Die Zone wird dann jedoch nicht länger signiert ausgeliefert.';
$wb['limit_dns_zone_txt'] = 'Die maximale Anzahl an DNS Einträgen für Ihr Konto wurde erreicht.';
$wb['client_txt'] = 'Kunde';
$wb['no_zone_perm'] = 'Sie haben nicht die Berechtigung, einen Eintrag zu dieser DNS Zone hinzuzufügen.';
interface/web/dns/lib/lang/en_dns_soa.lng
@@ -13,6 +13,7 @@
$wb["active_txt"] = 'Active';
$wb['dnssec_info_txt'] = 'DNSSEC DS-Data for registry';
$wb['dnssec_wanted_txt'] = 'Sign zone (DNSSEC)';
$wb['dnssec_wanted_info'] = 'When disabling DNSSEC keys are not going to be deleted if DNSSEC was enabled before and keys already have been generated but the zone will no longer be delievered in signed format afterwards.';
$wb["limit_dns_zone_txt"] = 'The max. number of DNS zones for your account is reached.';
$wb["client_txt"] = 'Client';
$wb["no_zone_perm"] = 'You do not have the permission to add a record to this DNS zone.';
interface/web/dns/templates/dns_soa_edit.htm
@@ -128,12 +128,12 @@
            <div class="form-group">
                <label class="col-sm-3 control-label">{tmpl_var name='dnssec_wanted_txt'}</label>
                <div class="col-sm-9">
                    {tmpl_var name='dnssec_wanted'}
                </div>
                    {tmpl_var name='dnssec_wanted'}<br /><small>({tmpl_var name='dnssec_wanted_info'})</small>
                </div>
            </div>
            <div class="form-group">
                <label for="update_acl" class="col-sm-3 control-label">{tmpl_var name='dnssec_info_txt'}</label>
                <div class="col-sm-9"><textarea readonly="true" rows="5" class="form-control">{tmpl_var name='dnssec_info'}</textarea></div>
                <div class="col-sm-9"><textarea readonly="true" rows="5" id="dnssec_info" name="dnssec_info" class="form-control">{tmpl_var name='dnssec_info'}</textarea></div>
            </div>
            
        <input type="hidden" name="id" value="{tmpl_var name='id'}">
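Review bot: Giving the readonly textarea a `name="dnssec_info"` means the browser now submits it with the form, and `readonly` is only a client-side hint, so the server receives a client-chosen `dnssec_info` on every save; whether the form definition accepts it as a writable field is not visible here, but it should be checked, since this value is written by the signing run and shown to the user as the DS data to hand to the registry. If the field is display-only, drop the `name` attribute and keep the `id` for scripting: `<textarea readonly="true" rows="5" id="dnssec_info" class="form-control">{tmpl_var name='dnssec_info'}</textarea>`; if it must round-trip, the form handler should ignore or overwrite the posted value. The enclosing form element starts outside the hunk.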
server/plugins-available/bind_plugin.inc.php
@@ -151,9 +151,8 @@
            if (@$data['old']['dnssec_initialized'] == 'Y' && strlen(@$data['old']['origin']) > 3) exec('/usr/local/ispconfig/server/scripts/dnssec-delete.sh '.escapeshellcmd($data['old']['origin'])); //delete old keys
            if ($data['new']['dnssec_wanted'] == 'Y') exec('/usr/local/ispconfig/server/scripts/dnssec-create.sh '.escapeshellcmd($data['new']['origin'])); //Create new keys for new origin
        }
        if ($data['new']['dnssec_wanted'] == 'Y' AND $data['new']['dnssec_initialized'] == 'N') if ($data['new']['dnssec_wanted'] == 'Y') exec('/usr/local/ispconfig/server/scripts/dnssec-create.sh '.escapeshellcmd($data['new']['origin'])); //Create new keys for new origin
        else if ($data['old']['dnssec_wanted'] == 'Y') exec('/usr/local/ispconfig/server/scripts/dnssec-update.sh '.escapeshellcmd($data['new']['origin']));
        if($data['old']['dnssec_initialized'] == 'Y' && $data['new']['dnssec_wanted'] == 'N') {    //delete old signed file if dnssec is no longer wanted
        else if ($data['new']['dnssec_wanted'] == 'Y' && $data['old']['dnssec_initialized'] == 'N') exec('/usr/local/ispconfig/server/scripts/dnssec-create.sh '.escapeshellcmd($data['new']['origin'])); //Create new keys for new origin
        else if ($data['new']['dnssec_wanted'] == 'N' && $data['old']['dnssec_initialized'] == 'Y') {    //delete old signed file if dnssec is no longer wanted
            //TODO : change this when distribution information has been integrated into server record
            if (file_exists('/etc/gentoo-release')) {
                $filename = $dns_config['bind_zonefiles_dir'].'/pri/'.str_replace("/", "_", substr($data['old']['origin'], 0, -1));
@@ -162,7 +161,7 @@
                $filename = $dns_config['bind_zonefiles_dir'].'/pri.'.str_replace("/", "_", substr($data['old']['origin'], 0, -1));
            }
            if(is_file($filename.'.signed')) unlink($filename.'.signed');
         }
         } else if ($data['new']['dnssec_wanted'] == 'Y') exec('/usr/local/ispconfig/server/scripts/dnssec-update.sh '.escapeshellcmd($data['new']['origin']));
        // END DNSSEC
        
        //* rebuild the named.conf file if the origin has changed or when the origin is inserted.
@@ -346,7 +345,7 @@
        global $app, $conf;
        //* Only write the master file for the current server
        $tmps = $app->db->queryAllRecords("SELECT origin, xfer, also_notify, update_acl, dnssec_initialized FROM dns_soa WHERE active = 'Y' AND server_id=?", $conf["server_id"]);
        $tmps = $app->db->queryAllRecords("SELECT origin, xfer, also_notify, update_acl, dnssec_wanted FROM dns_soa WHERE active = 'Y' AND server_id=?", $conf["server_id"]);
        $zones = array();
        //* Check if the current zone that triggered this function has at least one NS record
@@ -364,9 +363,8 @@
        //* Loop trough zones
        foreach($tmps as $tmp) {
            $zone_file = $pri_zonefiles_path.str_replace("/", "_", substr($tmp['origin'], 0, -1));
            if ($tmp['dnssec_initialized'] == 'Y') $zone_file .= '.signed' //.signed is for DNSSEC-Implementation
            if ($tmp['dnssec_wanted'] == 'Y') $zone_file .= '.signed'; //.signed is for DNSSEC-Implementation
            $options = '';
            if(trim($tmp['xfer']) != '') {