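#!/bin/csh -f
# -------------------------------------------------------------------
# File: re-assinar-zona-CL /\
# Type: C Shell Script /_.\
# By Fernando Gilli fernando<at>wekers(dot)org _,.-'/ `",\'-.,_
# Last modified:2016-05-23 -~^ /______\`~~-^~:
# ------------------------
# Re-signing DNSSEC Zone ZSK and Clean zone
# This method is after method Rollover keys has completed
# Tools: Nsd + ldns
# / OS : $FreeBSD
# -------------------------------------------------------------------
# -------------------------------------------------------------------
# First Step: Run re-assinar-zona-PK - "Pre-Publish Keys"
# Second Step: Run re-assinar-zona-RK - "Rollover Keys"
# Last Step: Run re-assinar-zona-CL - "Cleanup Keys"
# The time for run each file is defined by your TTL config on SOA
# Put these files to run on crontab once a month, following steps
# according your TTL SOA interval
# -------------------------------------------------------------------
# What this script does, in order:
#   1. bumps the SOA serial of the unsigned zone file
#   2. re-signs the zone with the current KSK/ZSK (ldns-signzone)
#   3. removes the rollover temp file and prunes old backups
#   4. reloads NSD and notifies the secondaries
# Every step that can fail is checked; on failure the script exits
# non-zero before NSD is reloaded, so a broken run never replaces the
# previously signed zone with nothing.
#
# nonomatch: a glob with no match expands to the literal pattern instead
# of aborting the whole script with "No match", so the key lookup below
# can report a clear error message instead.
set nonomatch
set PDIR=`/bin/pwd`
# Set domain name
set NomeDominio="domain.com"
# Set location of zone files
set ZONEDIR="/etc/nsd/master"
# The keys are on $ZONEDIR/keys and backup on $ZONEDIR/backup
set ZONE="$ZONEDIR/${NomeDominio}.zone"
set SIGNED="${ZONE}.signed"
if ( ! -d "$ZONEDIR" ) then
  echo "Zone directory $ZONEDIR not found"
  exit 1
endif
if ( ! -f "$ZONE" ) then
  echo "Zone file $ZONE not found"
  exit 1
endif
cd $ZONEDIR
echo "Cleanup Keys"
# Change serial zone in format yymmddhh
echo "Setting new Serial to Zone"
# The serial is taken as the first field of the line containing "serial";
# the lookup must yield exactly one all-digit token or we stop here,
# otherwise the substitution below could rewrite the wrong number.
set OT=`/usr/bin/grep serial $ZONE | /usr/bin/awk '{print $1}'`
if ( $#OT != 1 ) then
  echo "Expected exactly one 'serial' line in $ZONE, found $#OT"
  exit 1
endif
echo "$OT" | /usr/bin/grep -q '^[0-9][0-9]*$'
if ( $status != 0 ) then
  echo "SOA serial '$OT' is not numeric, refusing to continue"
  exit 1
endif
set NT=`/bin/date +%Y%m%d%H`
# The new serial must be greater than the old one (RFC 1982 serial
# arithmetic) or secondaries will never transfer the re-signed zone.
# If the zone was already signed this hour, or the old serial is ahead
# of the date-based value, fall back to old serial + 1.
if ( $NT <= $OT ) then
  @ NT = $OT + 1
endif
# Only the line holding the serial is touched, so the same digits
# appearing elsewhere in the zone file are left alone.
/usr/bin/perl -p -i -e "s/${OT}/${NT}/ if /serial/" $ZONE
echo "New SOA Serial: ${NT}"
# Signing the zone with current ZSK without put anything on zone file
#######################
echo "Re-Signing Zone"
# Search for KSK key name
set kskFile=`/usr/bin/grep -l "ksk" $ZONEDIR/keys/K${NomeDominio}*.key | /usr/bin/sed 's/\.key//'`
# Search for ZSK key name
set zskFile=`/usr/bin/grep -l "zsk" $ZONEDIR/keys/K${NomeDominio}*.key | /usr/bin/sed 's/\.key//'`
# Exactly one key of each kind must be present: none means the
# pre-publish/rollover steps did not run, more than one means the
# rollover is not finished and this cleanup would sign with the wrong
# key set.
if ( $#kskFile != 1 ) then
  echo "Expected exactly one KSK in $ZONEDIR/keys, found $#kskFile"
  exit 1
endif
if ( $#zskFile != 1 ) then
  echo "Expected exactly one ZSK in $ZONEDIR/keys, found $#zskFile"
  exit 1
endif
echo "ksk = ${kskFile}"
echo "zsk = ${zskFile}"
# Sign into a temporary file and only replace the live .signed zone
# once ldns-signzone succeeded, so NSD keeps serving the previous
# signed zone if signing fails (the old code removed .signed first).
set signedTmp="${SIGNED}.tmp"
/usr/local/bin/ldns-signzone -n -f $signedTmp $ZONE ${kskFile} ${zskFile}
if ( $status != 0 ) then
  echo "ldns-signzone failed, keeping previous signed zone"
  /bin/rm -f $signedTmp
  exit 1
endif
/bin/mv -f $signedTmp $SIGNED
# #####################
echo "Set permissions"
# Set permissions
/bin/chmod 640 $ZONEDIR/*.signed
# Remove temporary file with old key used in rollover method
# (-f: its absence is not an error, the rollover step may already have
# removed it)
/bin/rm -f $ZONEDIR/${NomeDominio}.zone.temp.rk
# Delete backup files oldest than 90 days
# ########
# # max age to keep files of backups in hours
set maxage="2160" # 90 days
@ days = $maxage / 24
if ( -f "/usr/local/sbin/tmpwatch" ) then
  echo "Delete backup files oldest than $days days"
  /usr/local/sbin/tmpwatch $maxage $ZONEDIR/backup/
else
  echo "tmpwatch not found, please install it"
endif
# Reload nsd and notify slave
echo "Reloading NSD.."
/usr/local/sbin/nsd-control reload
if ( $status != 0 ) then
  echo "nsd-control reload failed, secondaries were not notified"
  cd $PDIR
  exit 1
endif
/usr/local/sbin/nsd-control notify
cd $PDIR
exit 0
#EOF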