From e1ceb050e19c7574bca146a8da7047ee4ff456b5 Mon Sep 17 00:00:00 2001
From: Marius Burkard <m.burkard@pixcept.de>
Date: Sun, 10 Jul 2016 05:02:35 -0400
Subject: [PATCH] Merge branch 'stable-3.1'

---
 server/plugins-available/bind_plugin.inc.php |  188 ++++++++++++++++++++++++++++++----------------
 1 files changed, 123 insertions(+), 65 deletions(-)

diff --git a/server/plugins-available/bind_plugin.inc.php b/server/plugins-available/bind_plugin.inc.php
index e230d02..3b3179b 100644
--- a/server/plugins-available/bind_plugin.inc.php
+++ b/server/plugins-available/bind_plugin.inc.php
@@ -77,7 +77,7 @@
 	}
 
 	//* This creates DNSSEC-Keys and calls soa_dnssec_update.
-	function soa_dnssec_create($data) {
+	function soa_dnssec_create(&$data) {
 		global $app, $conf;
 
 		//* Load libraries
@@ -85,80 +85,138 @@
 
 		//* load the server configuration options
 		$dns_config = $app->getconf->get_server_config($conf["server_id"], 'dns');
-		
-		$domain = substr($data['new']['origin'], 0, strlen($data['new']['origin'])-1);
-		if (!file_exists($dns_config['bind_zonefiles_dir'].'/'.$domain)) return false;
-		
-		//* Check Entropy
-		if (file_get_contents('/proc/sys/kernel/random/entropy_avail') < 400) {
-			$app->log('DNSSEC ERROR: We are low on entropy. Not generating new Keys for '.$domain.'. Please consider installing package haveged.', LOGLEVEL_WARN);
-			return false;
-		}
-		
-		//* Verify that we do not already have keys (overwriting-protection)
-		//TODO : change this when distribution information has been integrated into server record
-		if (file_exists($dns_config['bind_zonefiles_dir'].'/dsset-'.$domain.'.')) {
-			return $this->soa_dnssec_update($data);
-		}
-		
-		//Do some magic...
-		exec('cd '.escapeshellcmd($dns_config['bind_zonefiles_dir']).';'.
-		'/usr/sbin/dnssec-keygen -a NSEC3RSASHA1 -b 2048 -n ZONE '.escapeshellcmd($domain).';'.
-		'/usr/sbin/dnssec-keygen -f KSK -a NSEC3RSASHA1 -b 4096 -n ZONE '.escapeshellcmd($domain));
-
-		$this->soa_dnssec_update($data, true); //Now sign the zone
-		
-		$dnssecdata = "DS-Records:\n".file_get_contents($dns_config['bind_zonefiles_dir'].'/dsset-'.$domain.'.');
-		opendir($dns_config['bind_zonefiles_dir']);
-		$dnssecdata .= "\n------------------------------------\n\nDNSKEY-Records:\n";
-		foreach (glob('K'.$domain.'*.key') as $keyfile) {
-			$dnssecdata .= file_get_contents($keyfile)."\n\n";
-		}
-		
-		$app->db->query('UPDATE dns_soa SET dnssec_info=\''.$dnssecdata.'\' WHERE id='.$data['new']['id']);
-	}
-	
-	function soa_dnssec_update($data, $new=false) {
-		global $app, $conf;
-
-		//* Load libraries
-		$app->uses("getconf,tpl");
-		
-		$domain = substr($data['new']['origin'], 0, strlen($data['new']['origin'])-1);
-		if (!file_exists($dns_config['bind_zonefiles_dir'].'/'.$domain)) return false;
-
-		//* load the server configuration options
-		$dns_config = $app->getconf->get_server_config($conf["server_id"], 'dns');
-		
-		//* Check Entropy
-		if (file_get_contents('/proc/sys/kernel/random/entropy_avail') < 200) {
-			$app->log('DNSSEC ERROR: We are low on entropy. This could cause server script to fail. Please consider installing package haveged.', LOGLEVEL_ERR);
-			return false;
-		}
-		
-		if (!$new && !file_exists($dns_config['bind_zonefiles_dir'].'/dsset-'.$domain.'.')) return $this->soa_dnssec_create($data);
 		
 		//TODO : change this when distribution information has been integrated into server record
 		$filespre = (file_exists('/etc/gentoo-release')) ? 'pri/' : 'pri.';
 		
-		$dbdata = $app->db->queryOneRecord('SELECT id,serial FROM dns_soa WHERE id='.$data['new']['id']);
-		$newserial = exec('cd '.escapeshellcmd($dns_config['bind_zonefiles_dir']).';'.
-						  '/usr/sbin/named-checkzone '.escapeshellcmd($domain).' '.escapeshellcmd($dns_config['bind_zonefiles_dir']).'/'.$filespre.escapeshellcmd($domain).' | egrep -ho \'[0-9]{10}\'');
+		$domain = substr($data['new']['origin'], 0, strlen($data['new']['origin'])-1);
+		if (!file_exists($dns_config['bind_zonefiles_dir'].'/'.$filespre.$domain)) return false;
 		
-		opendir($dns_config['bind_zonefiles_dir']);
-		$includeline=array();
-		$zonefile = file_get_contents(escapeshellcmd($dns_config['bind_zonefiles_dir']).'/'.$filespre.escapeshellcmd($domain));
+		//* Check Entropy
+		if (file_get_contents('/proc/sys/kernel/random/entropy_avail') < 400) {
+			$app->log('DNSSEC ERROR: We are low on entropy. Not generating new Keys for '.$domain.'. Please consider installing package haveged.', LOGLEVEL_WARN);
+			echo "DNSSEC ERROR: We are low on entropy. Not generating new Keys for $domain. Please consider installing package haveged.\n";
+			return false;
+		}
+		
+		//* Verify that we do not already have keys (overwriting-protection)
+		if (file_exists($dns_config['bind_zonefiles_dir'].'/dsset-'.$domain.'.')) {
+			return $this->soa_dnssec_update($data);
+		} else if ($data['new']['dnssec_initialized'] == 'Y') { //In case that we generated keys but the dsset-file was not generated
+			$keycount=0;
+			foreach (glob($dns_config['bind_zonefiles_dir'].'/K'.$domain.'*.key') as $keyfile) {
+				$keycount++;
+			}
+			if ($keycount > 0) {
+				$this->soa_dnssec_sign($data);
+				return true;
+			}
+		}
+		
+		//Do some magic...
+		exec('cd '.escapeshellcmd($dns_config['bind_zonefiles_dir']).';'.
+		'dnssec-keygen -a NSEC3RSASHA1 -b 2048 -n ZONE '.escapeshellcmd($domain).';'.
+		'dnssec-keygen -f KSK -a NSEC3RSASHA1 -b 4096 -n ZONE '.escapeshellcmd($domain));
+
+		$this->soa_dnssec_sign($data); //Now sign the zone for the first time
+		$data['new']['dnssec_initialized']='Y';
+	}
+	
+	function soa_dnssec_sign(&$data) {
+		global $app, $conf;
+		
+		//* Load libraries
+		$app->uses("getconf,tpl");
+
+		//* load the server configuration options
+		$dns_config = $app->getconf->get_server_config($conf["server_id"], 'dns');
+		
+		//TODO : change this when distribution information has been integrated into server record
+		$filespre = (file_exists('/etc/gentoo-release')) ? 'pri/' : 'pri.';
+		
+		$domain = substr($data['new']['origin'], 0, strlen($data['new']['origin'])-1);
+		if (!file_exists($dns_config['bind_zonefiles_dir'].'/'.$filespre.$domain)) return false;
+		
+		$zonefile = file_get_contents($dns_config['bind_zonefiles_dir'].'/'.$filespre.$domain);
 		$keycount=0;
-		foreach (glob('K'.$domain.'*.key') as $keyfile) {
-			$includeline = '$INCLUDE '.$keyfile;
-			if (!preg_match('/'.$line.'/', $zonefile)) $zonefile .= "\n".$includeline."\n";
+		foreach (glob($dns_config['bind_zonefiles_dir'].'/K'.$domain.'*.key') as $keyfile) {
+			$includeline = '$INCLUDE '.basename($keyfile);
+			if (!preg_match('@'.preg_quote($includeline).'@', $zonefile)) $zonefile .= "\n".$includeline."\n";
 			$keycount++;
 		}
-		if ($keycount > 2) $app->log('DNSSEC Warning: There are more than 2 keyfiles for zone '.$domain, LOGLEVEL_WARN);
+		if ($keycount != 2) $app->log('DNSSEC Warning: There are more or less than 2 keyfiles for zone '.$domain, LOGLEVEL_WARN);
 		file_put_contents($dns_config['bind_zonefiles_dir'].'/'.$filespre.$domain, $zonefile);
 		
+		//Sign the zone and set it valid for max. 16 days
 		exec('cd '.escapeshellcmd($dns_config['bind_zonefiles_dir']).';'.
-			 '/usr/sbin/dnssec-signzone -A -3 $(head -c 1000 /dev/random | sha1sum | cut -b 1-16) -N increment -o '.escapeshellcmd($domain).' -t '.$filespre.escapeshellcmd($domain));
+			 'dnssec-signzone -A -e +1382400 -3 $(head -c 1000 /dev/random | sha1sum | cut -b 1-16) -N increment -o '.escapeshellcmd($domain).' -t '.$filespre.escapeshellcmd($domain));
+			 
+		//Write Data back ino DB
+		$dnssecdata = "DS-Records:\n".file_get_contents($dns_config['bind_zonefiles_dir'].'/dsset-'.$domain.'.');
+		$dnssecdata .= "\n------------------------------------\n\nDNSKEY-Records:\n";
+		foreach (glob($dns_config['bind_zonefiles_dir'].'/K'.$domain.'*.key') as $keyfile) {
+			$dnssecdata .= file_get_contents($keyfile)."\n\n";
+		}
+		
+		if ($app->dbmaster !== $app->db) $app->dbmaster->query('UPDATE dns_soa SET dnssec_info=?, dnssec_initialized=\'Y\', dnssec_last_signed=? WHERE id=?', $dnssecdata, intval(time()), intval($data['new']['id']));
+		$app->db->query('UPDATE dns_soa SET dnssec_info=?, dnssec_initialized=\'Y\', dnssec_last_signed=? WHERE id=?', $dnssecdata, intval(time()), intval($data['new']['id']));
+	}
+	
+	function soa_dnssec_update(&$data, $new=false) {
+		global $app, $conf;
+
+		//* Load libraries
+		$app->uses("getconf,tpl");
+
+		//* load the server configuration options
+		$dns_config = $app->getconf->get_server_config($conf["server_id"], 'dns');
+		
+		//TODO : change this when distribution information has been integrated into server record
+		$filespre = (file_exists('/etc/gentoo-release')) ? 'pri/' : 'pri.';
+		
+		$domain = substr($data['new']['origin'], 0, strlen($data['new']['origin'])-1);
+		if (!file_exists($dns_config['bind_zonefiles_dir'].'/'.$filespre.$domain)) return false;
+		
+		//* Check for available entropy
+		if (file_get_contents('/proc/sys/kernel/random/entropy_avail') < 200) {
+			$app->log('DNSSEC ERROR: We are low on entropy. This could cause server script to fail. Please consider installing package haveged.', LOGLEVEL_ERR);
+			echo "DNSSEC ERROR: We are low on entropy. This could cause server script to fail. Please consider installing package haveged.\n";
+			return false;
+		}
+		
+		if (!$new && !file_exists($dns_config['bind_zonefiles_dir'].'/dsset-'.$domain.'.')) $this->soa_dnssec_create($data);
+		
+		$dbdata = $app->db->queryOneRecord('SELECT id,serial FROM dns_soa WHERE id=?', intval($data['new']['id']));
+		exec('cd '.escapeshellcmd($dns_config['bind_zonefiles_dir']).';'.
+			 'named-checkzone '.escapeshellcmd($domain).' '.escapeshellcmd($dns_config['bind_zonefiles_dir']).'/'.$filespre.escapeshellcmd($domain).' | egrep -ho \'[0-9]{10}\'', $serial, $retState);
+		if ($retState != 0) {
+			$app->log('DNSSEC Error: Error in Zonefile for '.$domain, LOGLEVEL_ERR);
+			return false;
+		}
+		
+		$this->soa_dnssec_sign($data);
+	}
+	
+	function soa_dnssec_delete(&$data) {
+		global $app, $conf;
+
+		//* Load libraries
+		$app->uses("getconf,tpl");
+
+		//* load the server configuration options
+		$dns_config = $app->getconf->get_server_config($conf["server_id"], 'dns');
+		
+		//TODO : change this when distribution information has been integrated into server record
+		$filespre = (file_exists('/etc/gentoo-release')) ? 'pri/' : 'pri.';
+		
+		$domain = substr($data['new']['origin'], 0, strlen($data['new']['origin'])-1);
+		
+		unlink($dns_config['bind_zonefiles_dir'].'/K'.$domain.'.+*');
+		unlink($dns_config['bind_zonefiles_dir'].'/'.$filespre.$domain.'.signed');
+		unlink($dns_config['bind_zonefiles_dir'].'/dsset-'.$domain.'.');
+		
+		if ($app->dbmaster !== $app->db) $app->dbmaster->query('UPDATE dns_soa SET dnssec_info=\'\', dnssec_initialized=\'N\' WHERE id=?', intval($data['new']['id']));
+		$app->db->query('UPDATE dns_soa SET dnssec_info=\'\', dnssec_initialized=\'N\' WHERE id=?', intval($data['new']['id']));
 	}
 
 	function soa_insert($event_name, $data) {
@@ -232,7 +290,7 @@
 		
 		//* DNSSEC-Implementation
 		if($data['old']['origin'] != $data['new']['origin']) {			
-			if (@$data['old']['dnssec_initialized'] == 'Y' && strlen(@$data['old']['origin']) > 3) exec('/usr/local/ispconfig/server/scripts/dnssec-delete.sh '.escapeshellcmd($data['old']['origin'])); //delete old keys
+			if (@$data['old']['dnssec_initialized'] == 'Y' && strlen(@$data['old']['origin']) > 3) $this->soa_dnssec_delete($data); //delete old keys
 			if ($data['new']['dnssec_wanted'] == 'Y') $this->soa_dnssec_create($data);
 		}
 		else if ($data['new']['dnssec_wanted'] == 'Y' && $data['old']['dnssec_initialized'] == 'N') $this->soa_dnssec_create($data);

--
Gitblit v1.9.1