From c7abe2650e0619e012fc7cf8d9eee60cfc7a73fd Mon Sep 17 00:00:00 2001
From: A. Täffner <darkalex@firesplash.de>
Date: Fri, 22 Jan 2016 05:10:44 -0500
Subject: [PATCH] dnssec-create moved to PHP (test)
---
server/plugins-available/bind_plugin.inc.php | 111 ++++++++++++++++++++++++++++++++++++++++++++-----------
1 files changed, 89 insertions(+), 22 deletions(-)
diff --git a/server/plugins-available/bind_plugin.inc.php b/server/plugins-available/bind_plugin.inc.php
index 4823cf3..1fceb34 100644
--- a/server/plugins-available/bind_plugin.inc.php
+++ b/server/plugins-available/bind_plugin.inc.php
@@ -76,6 +76,46 @@
}
+ //* This creates DNSSEC-Keys but does NOT actually sign the zone.
+ function soa_dnssec_create(&$data) {
+ global $app, $conf;
+
+ //* Load libraries
+ $app->uses("getconf,tpl");
+
+ //* load the server configuration options
+ $dns_config = $app->getconf->get_server_config($conf["server_id"], 'dns');
+
+ //* Check Entropy
+ if (file_get_contents('/proc/sys/kernel/random/entropy_avail') < 400) {
+ if($dns_config['disable_bind_log'] === 'y') {
+ $app->log('DNSSEC ERROR: We are low on entropy. Not generating new Keys for '.$data['new']['origin'].'. Please consider installing package haveged.', LOGLEVEL_DEBUG);
+ } else {
+ $app->log('DNSSEC ERROR: We are low on entropy. Not generating new Keys for '.$data['new']['origin'].'. Please consider installing package haveged.', LOGLEVEL_WARN);
+ }
+ return false;
+ }
+
+ //* Verify that we do not already have keys (overwriting-protection)
+ //TODO : change this when distribution information has been integrated into server record
+ if (file_exists($dns_config['bind_zonefiles_dir'].'/dsset-'.$data['new']['origin'].'.')) {
+ return $this->soa_dnssec_update(&$data);
+ }
+
+ //Do some magic...
+ exec('cd '.escapeshellargs($dns_config['bind_zonefiles_dir']).';'.
+ 'dnssec-keygen -a NSEC3RSASHA1 -b 2048 -n ZONE '.escapeshellargs($data['new']['origin']).';'.
+ 'dnssec-keygen -f KSK -a NSEC3RSASHA1 -b 4096 -n ZONE '.escapeshellargs($data['new']['origin']));
+
+ $dnssecdata = "DS-Records:\n\r".file_get_contents($dns_config['bind_zonefiles_dir'].'/dsset-'.$data['new']['origin'].'.');
+ opendir($dns_config['bind_zonefiles_dir']);
+ $dnssecdata .= "\n\r------------------------------------\n\r\n\rDNSKEY-Records:\n\r"
+ foreach (glob('K'.$data['new']['origin'].'*.key') as $keyfile) {
+ $dnssecdata .= file_get_contents($keyfile)."\n\r\n\r";
+ }
+
+ $app->db->datalogUpdate('dns_soa', array('dnssec_info' => $dnssecdata), 'id', $data['new']['id']);
+ }
function soa_insert($event_name, $data) {
global $app, $conf;
@@ -102,17 +142,22 @@
$zone = $data['new'];
$tpl->setVar($zone);
- $records = $app->db->queryAllRecords("SELECT * FROM dns_rr WHERE zone = ".$zone['id']." AND active = 'Y'");
+ $records = $app->db->queryAllRecords("SELECT * FROM dns_rr WHERE zone = ? AND active = 'Y'", $zone['id']);
if(is_array($records) && !empty($records)){
for($i=0;$i<sizeof($records);$i++){
if($records[$i]['ttl'] == 0) $records[$i]['ttl'] = '';
+ if($records[$i]['name'] == '') $records[$i]['name'] = '@';
+ //* Split TXT records, if nescessary
+ if($records[$i]['type'] == 'TXT' && strlen($records[$i]['data']) > 255) {
+ $records[$i]['data'] = implode('" "',str_split( $records[$i]['data'], 255));
+ }
}
}
$tpl->setLoop('zones', $records);
//TODO : change this when distribution information has been integrated into server record
if (file_exists('/etc/gentoo-release')) {
- $filename = escapeshellcmd($dns_config['bind_zonefiles_dir'].'/pri.'.str_replace("/", "_", substr($zone['origin'], 0, -1)));
+ $filename = escapeshellcmd($dns_config['bind_zonefiles_dir'].'/pri/'.str_replace("/", "_", substr($zone['origin'], 0, -1)));
}
else {
$filename = escapeshellcmd($dns_config['bind_zonefiles_dir'].'/pri.'.str_replace("/", "_", substr($zone['origin'], 0, -1)));
@@ -128,7 +173,11 @@
if($return_status === 0) {
$app->log("Writing BIND domain file: ".$filename, LOGLEVEL_DEBUG);
} else {
- $app->log("Writing BIND domain file failed: ".$filename." ".implode(' ', $out), LOGLEVEL_WARN);
+ if($dns_config['disable_bind_log'] === 'y') {
+ $app->log("Writing BIND domain file failed: ".$filename." ".implode(' ', $out), LOGLEVEL_DEBUG);
+ } else {
+ $app->log("Writing BIND domain file failed: ".$filename." ".implode(' ', $out), LOGLEVEL_WARN);
+ }
rename($filename, $filename.'.err');
}
unset($tpl);
@@ -136,7 +185,25 @@
unset($records_out);
unset($zone);
}
-
+
+ //* DNSSEC-Implementation
+ if($data['old']['origin'] != $data['new']['origin']) {
+ if (@$data['old']['dnssec_initialized'] == 'Y' && strlen(@$data['old']['origin']) > 3) exec('/usr/local/ispconfig/server/scripts/dnssec-delete.sh '.escapeshellcmd($data['old']['origin'])); //delete old keys
+ if ($data['new']['dnssec_wanted'] == 'Y') $this->soa_dnssec_create($data);
+ }
+ else if ($data['new']['dnssec_wanted'] == 'Y' && $data['old']['dnssec_initialized'] == 'N') $this->soa_dnssec_create($data);
+ else if ($data['new']['dnssec_wanted'] == 'N' && $data['old']['dnssec_initialized'] == 'Y') { //delete old signed file if dnssec is no longer wanted
+ //TODO : change this when distribution information has been integrated into server record
+ if (file_exists('/etc/gentoo-release')) {
+ $filename = $dns_config['bind_zonefiles_dir'].'/pri/'.str_replace("/", "_", substr($data['old']['origin'], 0, -1));
+ }
+ else {
+ $filename = $dns_config['bind_zonefiles_dir'].'/pri.'.str_replace("/", "_", substr($data['old']['origin'], 0, -1));
+ }
+ if(is_file($filename.'.signed')) unlink($filename.'.signed');
+ } else if ($data['new']['dnssec_wanted'] == 'Y') exec('/usr/local/ispconfig/server/scripts/dnssec-update.sh '.escapeshellcmd($data['new']['origin']));
+ // END DNSSEC
+
//* rebuild the named.conf file if the origin has changed or when the origin is inserted.
//if($this->action == 'insert' || $data['old']['origin'] != $data['new']['origin']) {
$this->write_named_conf($data, $dns_config);
@@ -146,7 +213,7 @@
if($data['old']['origin'] != $data['new']['origin']) {
//TODO : change this when distribution information has been integrated into server record
if (file_exists('/etc/gentoo-release')) {
- $filename = $dns_config['bind_zonefiles_dir'].'/pri.'.str_replace("/", "_", substr($data['old']['origin'], 0, -1));
+ $filename = $dns_config['bind_zonefiles_dir'].'/pri/'.str_replace("/", "_", substr($data['old']['origin'], 0, -1));
}
else {
$filename = $dns_config['bind_zonefiles_dir'].'/pri.'.str_replace("/", "_", substr($data['old']['origin'], 0, -1));
@@ -154,10 +221,15 @@
if(is_file($filename)) unlink($filename);
if(is_file($filename.'.err')) unlink($filename.'.err');
+ if(is_file($filename.'.signed')) unlink($filename.'.signed');
+ }
+
+ //* Restart bind nameserver if update_acl is not empty, otherwise reload it
+ if($data['new']['update_acl'] != '') {
+ $app->services->restartServiceDelayed('bind', 'restart');
+ } else {
+ $app->services->restartServiceDelayed('bind', 'reload');
}
-
- //* Reload bind nameserver
- $app->services->restartServiceDelayed('bind', 'reload');
}
@@ -184,6 +256,9 @@
if(is_file($zone_file_name.'.err')) unlink($zone_file_name.'.err');
$app->log("Deleting BIND domain file: ".$zone_file_name, LOGLEVEL_DEBUG);
+ //* DNSSEC-Implementation
+ if ($data['old']['dnssec_initialized'] == 'Y') exec('/usr/local/ispconfig/server/scripts/dnssec-delete.sh '.$data['old']['origin']); //delete keys
+
//* Reload bind nameserver
$app->services->restartServiceDelayed('bind', 'reload');
@@ -272,7 +347,7 @@
global $app, $conf;
//* Get the data of the soa and call soa_update
- $tmp = $app->db->queryOneRecord("SELECT * FROM dns_soa WHERE id = ".$data['new']['zone']);
+ $tmp = $app->db->queryOneRecord("SELECT * FROM dns_soa WHERE id = ?", $data['new']['zone']);
$data["new"] = $tmp;
$data["old"] = $tmp;
$this->action = 'update';
@@ -284,7 +359,7 @@
global $app, $conf;
//* Get the data of the soa and call soa_update
- $tmp = $app->db->queryOneRecord("SELECT * FROM dns_soa WHERE id = ".$data['new']['zone']);
+ $tmp = $app->db->queryOneRecord("SELECT * FROM dns_soa WHERE id = ?", $data['new']['zone']);
$data["new"] = $tmp;
$data["old"] = $tmp;
$this->action = 'update';
@@ -296,7 +371,7 @@
global $app, $conf;
//* Get the data of the soa and call soa_update
- $tmp = $app->db->queryOneRecord("SELECT * FROM dns_soa WHERE id = ".intval($data['old']['zone']));
+ $tmp = $app->db->queryOneRecord("SELECT * FROM dns_soa WHERE id = ?", $data['old']['zone']);
$data["new"] = $tmp;
$data["old"] = $tmp;
$this->action = 'update';
@@ -310,18 +385,10 @@
global $app, $conf;
//* Only write the master file for the current server
- $tmps = $app->db->queryAllRecords("SELECT origin, xfer, also_notify, update_acl FROM dns_soa WHERE active = 'Y' AND server_id=".$conf["server_id"]);
+ $tmps = $app->db->queryAllRecords("SELECT origin, xfer, also_notify, update_acl, dnssec_wanted FROM dns_soa WHERE active = 'Y' AND server_id=?", $conf["server_id"]);
$zones = array();
//* Check if the current zone that triggered this function has at least one NS record
- /* Has been replaced by a better zone check
- $rec_num = $app->db->queryOneRecord("SELECT count(id) as ns FROM dns_rr WHERE type = 'NS' AND zone = ".intval($data['new']['id'])." AND active = 'Y'");
- if($rec_num['ns'] == 0) {
- $exclude_zone = $data['new']['origin'];
- } else {
- $exclude_zone = '';
- }
- */
//TODO : change this when distribution information has been integrated into server record
if (file_exists('/etc/gentoo-release')) {
@@ -336,8 +403,8 @@
//* Loop trough zones
foreach($tmps as $tmp) {
-
$zone_file = $pri_zonefiles_path.str_replace("/", "_", substr($tmp['origin'], 0, -1));
+ if ($tmp['dnssec_wanted'] == 'Y') $zone_file .= '.signed'; //.signed is for DNSSEC-Implementation
$options = '';
if(trim($tmp['xfer']) != '') {
@@ -361,7 +428,7 @@
$tpl->setLoop('zones', $zones);
//* And loop through the secondary zones, but only for the current server
- $tmps_sec = $app->db->queryAllRecords("SELECT origin, xfer, ns FROM dns_slave WHERE active = 'Y' AND server_id=".$conf["server_id"]);
+ $tmps_sec = $app->db->queryAllRecords("SELECT origin, xfer, ns FROM dns_slave WHERE active = 'Y' AND server_id=?", $conf["server_id"]);
$zones_sec = array();
foreach($tmps_sec as $tmp) {
--
Gitblit v1.9.1