ISPConfig3 devel
parent: 1e33ee2d | patch | commit | ignore whitespace
Till Brehm
2016-04-07 6a85386aa4a1fd2072341546f4b07937cdbd94e5 
Merge branch 'dnssec-fix-cron' into 'stable-3.1'

DNSSEC-Fix: Possible transfer issue

This fixes the current fact that auto-resigned zones do not change their serial which might cause slave dns servers not to replicate the zone with new RRSIGs.
This is kind of a critical fix.

See merge request !308
1 files modified
50 ■■■■ changed files
server/lib/classes/cron.d/550-bind_dnssec.inc.php 50 ●●●● patch | view | raw | blame | history 
 server/lib/classes/cron.d/550-bind_dnssec.inc.php


@@ -35,6 +35,27 @@




    // job schedule


    protected $_schedule = '30 3 * * *'; //daily at 3:30 a.m.


	


    private function increase_serial($serial){


        global $app, $conf;




        // increase serial


        $serial_date = $app->functions->intval(substr($serial, 0, 8));


        $count = $app->functions->intval(substr($serial, 8, 2));


        $current_date = date("Ymd");


        if($serial_date >= $current_date){


            $count += 1;


            if ($count > 99) {


                $serial_date += 1;


                $count = 0;


            }


            $count = str_pad($count, 2, "0", STR_PAD_LEFT);


            $new_serial = $serial_date.$count;


        } else {


            $new_serial = $current_date.'01';


        }


        return $new_serial;


    }




    public function onRunJob() {


        global $app, $conf;


@@ -54,31 +75,8 @@


            $domain = substr($data['origin'], 0, strlen($data['origin'])-1);


            if (!file_exists($dns_config['bind_zonefiles_dir'].'/'.$filespre.$domain)) return false;


            


            $app->log('DNSSEC Auto-Resign: Resigning zone '.$domain, LOGLEVEL_INFO);


			


            $zonefile = file_get_contents($dns_config['bind_zonefiles_dir'].'/'.$filespre.$domain);


            $keycount=0;


            foreach (glob($dns_config['bind_zonefiles_dir'].'/K'.$domain.'*.key') as $keyfile) {


                $includeline = '$INCLUDE '.basename($keyfile);


                if (!preg_match('@'.preg_quote($includeline).'@', $zonefile)) $zonefile .= "\n".$includeline."\n";


                $keycount++;


            }


            if ($keycount != 2) $app->log('DNSSEC Warning: There are more or less than 2 keyfiles for zone '.$domain, LOGLEVEL_WARN);


            file_put_contents($dns_config['bind_zonefiles_dir'].'/'.$filespre.$domain, $zonefile);


			


            //Sign the zone and set it valid for max. 16 days


            exec('cd '.escapeshellcmd($dns_config['bind_zonefiles_dir']).';'.


                 '/usr/sbin/dnssec-signzone -A -e +1382400 -3 $(head -c 1000 /dev/random | sha1sum | cut -b 1-16) -N increment -o '.escapeshellcmd($domain).' -t '.$filespre.escapeshellcmd($domain));


				 


            //Write Data back into DB


            $dnssecdata = "DS-Records:\n".file_get_contents($dns_config['bind_zonefiles_dir'].'/dsset-'.$domain.'.');


            $dnssecdata .= "\n------------------------------------\n\nDNSKEY-Records:\n";


            foreach (glob($dns_config['bind_zonefiles_dir'].'/K'.$domain.'*.key') as $keyfile) {


                $dnssecdata .= file_get_contents($keyfile)."\n\n";


            }


			


            $app->db->query('UPDATE dns_soa SET dnssec_info=\''.$dnssecdata.'\', dnssec_initialized=\'Y\', dnssec_last_signed=\''.time().'\' WHERE id='.$data['id']);


            $data = next($soas);


            $app->log('DNSSEC Auto-Resign: Touching zone '.$domain, LOGLEVEL_INFO);


            $app->db->datalogUpdate('dns_soa', array("serial" => $this->increase_serial($data['serial'])), 'id', $data['id']);


        }


        


        parent::onRunJob();


@@ -86,4 +84,4 @@




}




?>


?>