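#!/bin/bash
#
# dnssec-create.sh - generate DNSSEC keys for one zone, sign the zone file and
# store the resulting DS/DNSKEY records in the dns_soa table.
#
# Usage:   dnssec-create.sh <domain.tld>   (a trailing dot, "domain.tld.", is
#          accepted and stripped)
# Config:  {dnssec_conffile} is sourced and is expected to provide dbuser,
#          dbpass, dbhost, dbase, bindpath, filespre and curpath; none of them
#          are defined here.
# Exit:    0  usage error, DB unreachable, zone file missing, keys already
#             present or zone already initialised (callers treat these as
#             "nothing to do", so the codes are kept as they were);
#          1  invalid domain name, cannot enter bindpath, key generation or
#             signing failed (the zone is left unsigned and dns_soa untouched);
#          20 too little entropy reported by the kernel.

source {dnssec_conffile} || {
  printf '%s: cannot read configuration file\n' "$0" >&2
  exit 1
}

# Key parameters. NSEC3RSASHA1 (algorithm 7) is SHA-1 based and deprecated for
# signing by RFC 8624; ECDSAP256SHA256 is the usual replacement once the
# registrar/parent side allows a change of algorithm for the zone.
readonly key_alg=NSEC3RSASHA1
readonly zsk_bits=2048
readonly ksk_bits=4096
readonly min_entropy=400

# Temporary file holding the human-readable DS/DNSKEY summary; created with
# mktemp (private mode, unpredictable name) instead of /tmp/.dnssec-<domain>
# so another local user cannot pre-create or symlink it.
tmpfile=

#######################################
# Remove the temporary summary file on every exit path.
# Globals:   tmpfile (read)
#######################################
cleanup() {
  if [[ -n "$tmpfile" ]]; then
    rm -f -- "$tmpfile"
  fi
}
trap cleanup EXIT

#######################################
# Run one SQL statement against $dbase without putting the password on the
# command line (argv is readable by every local user via ps; a 0600 option
# file passed with --defaults-extra-file is not).
# Globals:   dbuser dbpass dbhost dbase (read)
# Arguments: $1 - SQL statement (already escaped by the caller)
# Outputs:   query result on stdout, mysql diagnostics on stderr
# Returns:   mysql's exit status, 1 if the option file could not be created
#######################################
run_sql() {
  local sql=$1 cnf rv pw
  cnf=$(mktemp) || return 1
  # Option-file values are double-quoted, so escape backslashes and quotes.
  pw=${dbpass//\\/\\\\}
  pw=${pw//\"/\\\"}
  printf '[client]\nuser="%s"\npassword="%s"\nhost="%s"\n' \
    "$dbuser" "$pw" "$dbhost" > "$cnf"
  # --defaults-extra-file must be the first option on the mysql command line.
  mysql --defaults-extra-file="$cnf" -Bse "use $dbase; $sql"
  rv=$?
  rm -f -- "$cnf"
  return "$rv"
}

#######################################
# Escape text for use inside a single-quoted MySQL string literal.
# Arguments: $1 - raw text
# Outputs:   escaped text on stdout (no trailing newline)
#######################################
sql_escape() {
  local s=${1//\\/\\\\}
  printf '%s' "${s//\'/\\\'}"
}

#######################################
# Print one "DS Record N:" block for a single line of the dsset-<zone>. file.
# Arguments: $1 - record number
#            $2 - dsset line: <zone> IN DS <keytag> <alg> <digesttype> <digest>
#                 (dnssec-signzone may wrap a long digest onto several
#                 whitespace-separated tokens; they are rejoined here)
# Outputs:   five summary lines on stdout
#######################################
print_ds() {
  local num=$1 tag alg dtype digest
  read -r _ _ _ tag alg dtype digest <<<"$2"
  digest=${digest//[[:space:]]/}
  printf 'DS Record %s:\n' "$num"
  printf 'Key Tag/ID: %s\n' "$tag"
  printf 'Algorithm: %s\n' "$alg"
  printf 'Digest/HASH Type: %s\n' "$dtype"
  printf 'Digest/HASH: %s\n' "$digest"
}

#######################################
# Generate keys, sign the zone and record the DS/DNSKEY data in dns_soa.
# Globals:   bindpath filespre tmpfile key_alg zsk_bits ksk_bits min_entropy
# Arguments: $1 - zone name, with or without trailing dot
# Outputs:   progress and error messages (stdout for the messages the original
#            callers read, stderr for new hard failures)
# Returns:   see the exit codes in the file header
#######################################
main() {
  # Strip a trailing dot; the SQL below always compares against "$domain.".
  local domain=${1%.}

  if [[ -z "$domain" ]]; then
    echo "usage: dnssec-create.sh <domain.tld>"
    return 0
  fi

  # The name is spliced into file names, globs and SQL string literals, so
  # allow only letter/digit/hyphen/underscore labels separated by dots.
  if [[ ! "$domain" =~ ^[A-Za-z0-9_-]+(\.[A-Za-z0-9_-]+)*$ ]]; then
    printf '%s: refusing invalid domain name "%s"\n' "$0" "$domain" >&2
    return 1
  fi

  # Connectivity probe: mysql prints errors to stderr only, so an empty
  # stdout (0 bytes) means the database could not be reached.
  local mysqlcheck
  mysqlcheck=$(run_sql "show tables;" | wc -c)
  if [[ "$mysqlcheck" -eq 0 ]]; then
    echo "$0 could not connect to database"
    return 0
  fi

  # NOTE(review): recent Linux kernels report a fixed value here once the
  # CRNG is seeded, which may be below min_entropy on every run - confirm
  # against the target kernel before relying on this gate.
  local entropy
  entropy=$(cat /proc/sys/kernel/random/entropy_avail)
  if [[ "$entropy" -lt "$min_entropy" ]]; then
    echo "ERROR: DNSSEC is not working as available entropy is below 400. Please consider installing package haveged. Skipping generation of keys as well as signing..."
    # Kept relative to the caller's cwd, as in the original (this runs before
    # the cd into bindpath); the unsigned zone is published as ".signed".
    cp -- "$filespre$domain" "$filespre$domain.signed"
    run_sql "UPDATE dns_soa SET dnssec_info='Error during generation of keys. Please contact our support. Reason: Too less entropy available.', dnssec_initialized='N' WHERE origin='$domain.'"
    return 20
  fi

  mysqlcheck=$(run_sql "select * from dns_soa where dnssec_initialized='Y' and origin='$domain.';" | wc -c)
  if [[ "$mysqlcheck" -gt 1 ]]; then
    echo "DNSSEC: $domain seems to be initialized. If that is wrong correct dnssec_initialized in dns_soa table"
    return 0
  fi

  # Everything below (zone file, key files, dsset file) is relative to bindpath.
  cd -- "$bindpath" || {
    printf '%s: cannot change to bindpath "%s"\n' "$0" "$bindpath" >&2
    return 1
  }

  if [[ ! -f "$filespre$domain" ]]; then
    echo "$domain zone file ($filespre$domain) does not exist"
    return 0
  fi
  if [[ -f "dsset-$domain." ]]; then
    echo "dnssec keys for $domain already exists!"
    return 0
  fi

  echo "Creating keys for $domain"
  dnssec-keygen -a "$key_alg" -b "$zsk_bits" -n ZONE "$domain" || {
    printf '%s: dnssec-keygen (ZSK) failed for %s\n' "$0" "$domain" >&2
    return 1
  }
  dnssec-keygen -f KSK -a "$key_alg" -b "$ksk_bits" -n ZONE "$domain" || {
    printf '%s: dnssec-keygen (KSK) failed for %s\n' "$0" "$domain" >&2
    return 1
  }

  # Key files are named K<zone>.+<alg>+<id>.key. Anchoring on ".+" keeps a
  # zone like example.com from also pulling in example.com.au's keys.
  local key
  for key in K"$domain".+*.key; do
    [[ -e "$key" ]] || continue
    echo "\$INCLUDE $bindpath/$key" >> "$filespre$domain"
  done

  # The NSEC3 salt is public, so /dev/urandom is sufficient and never blocks.
  local salt
  salt=$(head -c 1000 /dev/urandom | sha1sum | cut -b 1-16)
  dnssec-signzone -A -3 "$salt" -N INCREMENT -o "$domain" -t "$filespre$domain" || {
    printf '%s: dnssec-signzone failed for %s\n' "$0" "$domain" >&2
    return 1
  }

  echo ""

  tmpfile=$(mktemp) || {
    printf '%s: mktemp failed\n' "$0" >&2
    return 1
  }

  # Human-readable summary stored in dns_soa.dnssec_info: one block per DS
  # line, then the raw dsset file, then the DNSKEY records.
  local n=0 line
  {
    while IFS= read -r line || [[ -n "$line" ]]; do
      n=$((n + 1))
      if [[ "$n" -gt 1 ]]; then
        echo ""
      fi
      print_ds "$n" "$line"
    done < "dsset-$domain."
    echo ""
    echo "In DS-Record format:"
    cat -- "dsset-$domain."
    echo ""
    echo "DNSKEY-Records:"
    cat -- K"$domain".+*.key
  } > "$tmpfile"

  # The summary is file content under our control, but it still goes through
  # sql_escape so a quote or backslash can never terminate the literal.
  local info
  info=$(sql_escape "$(cat -- "$tmpfile")")
  run_sql "UPDATE dns_soa SET dnssec_info='$info', dnssec_initialized='Y' WHERE origin='$domain.'"
  return 0
}

main "$@"
rv=$?
# Only meaningful when this file is sourced rather than executed; kept so the
# caller's working directory is restored as before.
if [[ -n "$curpath" ]]; then
  cd -- "$curpath"
fi
exit "$rv"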