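#!/bin/csh -f
# -------------------------------------------------------------------
# File: re-assinar-zona-PK /\
# Type: C Shell Script /_.\
# By Fernando Gilli fernando<at>wekers(dot)org _,.-'/ `",\'-.,_
# Last modified:2016-05-23 -~^ /______\`~~-^~:
# ----------
# Re-signing a DNSSEC zone ZSK with the pre-publish method.
# After one TTL has passed, roll the key over with the file
# "re-assinar-zona-RK".
# Tools: Nsd + ldns
# / OS : $FreeBSD
# -------------------------------------------------------------------
# -------------------------------------------------------------------
# First Step:  Run re-assinar-zona-PK - "Pre-Publish Keys"
# Second Step: Run re-assinar-zona-RK - "Rollover Keys"
# Last Step:   Run re-assinar-zona-CL - "Cleanup Keys"
# The time between runs of each file is defined by the TTL in your SOA.
# Put these files in crontab to run once a month, following the steps
# according to your SOA TTL interval.
# Keep this file in e.g. $ZONEDIR/scripts
# Also create $ZONEDIR/pk-backup
# -------------------------------------------------------------------
# Files touched in $ZONEDIR:
#   ${NomeDominio}.zone          unsigned zone; its SOA serial is bumped
#   ${NomeDominio}.zone.orig     copy taken before the new DNSKEY is appended
#   ${NomeDominio}.zone.signed   signed zone served by NSD (replaced only on success)
#   ${NomeDominio}.zone.temp.pk  copy of the new ZSK for the RK step
#   ${NomeDominio}.zone.temp.rk  copy of the current ZSK for the RK step
#   keys/                        current KSK/ZSK; the new ZSK is moved here
#   pk-backup/                   the replaced ZSK is moved here
# Critical steps are checked explicitly and a failure after key
# generation jumps to "restore_fail" below, which undoes the partial run.
# csh also aborts on its own on an unmatched glob ("No match."); the
# chmod lines near the end rely on that.
# uncomment nonomatch if need debug
#set nonomatch
set PDIR=`/bin/pwd`
# Set domain name
set NomeDominio="domain.com"
# Set location of zone files
set ZONEDIR="/etc/nsd/master"
# The keys are on $ZONEDIR/keys and backup on $ZONEDIR/backup
cd $ZONEDIR
if ($status != 0) then
  echo "Cannot change directory to ${ZONEDIR}"
  exit 1
endif
# Change the zone serial, format yyyymmddhh
echo "Setting new Serial to Zone"
# Take the first numeric field of the first line mentioning "serial"
# (case-insensitive), so a comment or a non-numeric line can never
# become the substitution pattern.
set OT=`/usr/bin/awk 'tolower($0) ~ /serial/ && $1 ~ /^[0-9]+$/ { print $1; exit }' $ZONEDIR/${NomeDominio}.zone`
set NT=`/bin/date +%Y%m%d%H`
if ("$OT" == "") then
  echo "Could not find a numeric SOA serial in $ZONEDIR/${NomeDominio}.zone"
  exit 1
endif
# An unchanged serial would stop slaves from transferring the new zone.
if ("$OT" == "$NT") then
  echo "Serial ${NT} is already in the zone (run again in the next hour)"
  exit 1
endif
# Pass the values through the environment so csh quoting cannot mangle
# the perl expression; \Q..\E and \b make the match cover exactly the
# whole old serial, and the substitution only runs on a "serial" line.
setenv OLD_SERIAL "$OT"
setenv NEW_SERIAL "$NT"
/usr/bin/perl -p -i -e 's/\b\Q$ENV{OLD_SERIAL}\E\b/$ENV{NEW_SERIAL}/ if /serial/i' $ZONEDIR/${NomeDominio}.zone
if ($status != 0) then
  echo "Failed to update the SOA serial"
  exit 1
endif
echo "New SOA Serial: ${NT}"
# Create a copy of the original zone (already carrying the new serial);
# it is put back after signing, so the appended DNSKEY only lives in the
# signed output.
/bin/cp $ZONEDIR/${NomeDominio}.zone $ZONEDIR/${NomeDominio}.zone.orig
if ($status != 0) then
  echo "Failed to copy $ZONEDIR/${NomeDominio}.zone"
  exit 1
endif
# Create a new ZSK key
echo "Creating new Key ZSK"
###############
# ATTENTION ###
# Use the same algorithm and key length you used when the zone was
# signed the first time (for both KSK and ZSK).
# eg: if you signed with RSASHA256 the first time and now use RSASHA512,
# your signatures will be invalidated.
#set NovaKey=`ldns-keygen -a RSASHA256 -b 1024 ${NomeDominio}`
# ldns-keygen prints the key base name and writes <name>.key and
# <name>.private in the current directory ($ZONEDIR).
set NovaKey=`/usr/local/bin/ldns-keygen -a RSASHA512 -b 2048 ${NomeDominio}`
# An empty name would turn the later "${NovaKey}.*" into ".*" and move
# every dotfile in $ZONEDIR into keys/, so stop here if keygen failed.
if ("$NovaKey" == "") then
  echo "ldns-keygen failed, no key generated"
  goto restore_fail
endif
if (! -f $ZONEDIR/${NovaKey}.key) then
  echo "Key file $ZONEDIR/${NovaKey}.key not found"
  goto restore_fail
endif
# Add the new key to zone
echo "Adding new key to zone"
/bin/cat $ZONEDIR/${NovaKey}.key >> $ZONEDIR/${NomeDominio}.zone
# Copy new key to a temporary file
echo "Doing copy of new key to $ZONEDIR/${NomeDominio}.zone.temp.pk"
/bin/cat $ZONEDIR/${NovaKey}.key > $ZONEDIR/${NomeDominio}.zone.temp.pk
# Set Permissions
/bin/chmod 640 $ZONEDIR/${NomeDominio}.zone.temp.pk
echo "Key: ${NovaKey} added"
# Signing the zone with the current ZSK plus the new ZSK that was just
# added to the zone file (pre-publish)
# #####################
echo "Re-Signing Zone"
# Search for the KSK key name (the .key files carry a "ksk"/"zsk" tag
# in their comment, which is what the grep relies on)
set kskFile=`/usr/bin/grep -l "ksk" $ZONEDIR/keys/K${NomeDominio}*.key | /usr/bin/sed 's/\.key//'`
# Search for the ZSK key name
set zskFile=`/usr/bin/grep -l "zsk" $ZONEDIR/keys/K${NomeDominio}*.key | /usr/bin/sed 's/\.key//'`
# Exactly one KSK and one ZSK must be in keys/: zero would make the
# "${zskFile}.*" below expand to ".*", more than one means a rollover
# is still in progress.
if ($#kskFile != 1) then
  echo "Expected exactly one KSK in $ZONEDIR/keys, found $#kskFile"
  goto restore_fail
endif
if ($#zskFile != 1) then
  echo "Expected exactly one ZSK in $ZONEDIR/keys, found $#zskFile"
  goto restore_fail
endif
echo "Signing with same and current key"
echo "ksk = ${kskFile}"
echo "zsk = ${zskFile}"
# Sign into a temporary file and replace the live .signed zone only on
# success, so a failed run never leaves NSD without a signed zone.
/usr/local/bin/ldns-signzone -n -f $ZONEDIR/${NomeDominio}.zone.signed.new $ZONEDIR/${NomeDominio}.zone ${kskFile} ${zskFile}
if ($status != 0) then
  echo "ldns-signzone failed"
  goto restore_fail
endif
# #####################
# Set permissions, then publish the new signed zone
/bin/chmod 640 $ZONEDIR/${NomeDominio}.zone.signed.new
/bin/mv -f $ZONEDIR/${NomeDominio}.zone.signed.new $ZONEDIR/${NomeDominio}.zone.signed
# Put back the zone copied before the new ZSK was appended (it already
# carries the new serial)
/bin/mv -f $ZONEDIR/${NomeDominio}.zone.orig $ZONEDIR/${NomeDominio}.zone
###################
# Save the current (soon to be old) ZSK to a temporary file so the next
# scheduled step, "Roll the keys", knows which key to retire
/bin/cat ${zskFile}.key > $ZONEDIR/${NomeDominio}.zone.temp.rk
###################
# Set permissions
/bin/chmod 640 $ZONEDIR/${NomeDominio}.zone.temp.rk
# Move current key ZSK to backup folder
echo "moving current ZSK to backup"
/bin/mv ${zskFile}.* $ZONEDIR/pk-backup/
# Move new key ZSK to /keys folder
echo "moving new key to /keys folder"
/bin/mv $ZONEDIR/${NovaKey}.* $ZONEDIR/keys/
# Set permissions
echo "Setting permissions.."
# NOTE(review): the .private file is only needed by whoever runs this
# script; 600 would be tighter than 640 if no group member has to sign.
/bin/chmod 640 $ZONEDIR/keys/${NovaKey}.*
/bin/chmod 640 $ZONEDIR/backup/*
/bin/chmod 640 $ZONEDIR/pk-backup/*
# Reload nsd and notify slave
echo "Reloading NSD..."
/usr/local/sbin/nsd-control reload
if ($status != 0) then
  echo "nsd-control reload failed: the new signed zone is on disk but not loaded"
  cd $PDIR
  exit 1
endif
/usr/local/sbin/nsd-control notify
cd $PDIR
exit 0

# Error path (reached only via goto after key generation): put the
# original zone back and discard the half-made key and temp files so
# the next attempt starts clean. The live .signed zone is untouched.
restore_fail:
echo "Aborting: restoring the original zone and discarding the new key"
if (-f $ZONEDIR/${NomeDominio}.zone.orig) then
  /bin/mv -f $ZONEDIR/${NomeDominio}.zone.orig $ZONEDIR/${NomeDominio}.zone
endif
if ("$NovaKey" != "") then
  /bin/rm -f $ZONEDIR/${NovaKey}.key $ZONEDIR/${NovaKey}.private
endif
/bin/rm -f $ZONEDIR/${NomeDominio}.zone.temp.pk $ZONEDIR/${NomeDominio}.zone.signed.new
cd $PDIR
exit 1
#EOF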