#!/bin/bash
################################################
# Guidelines and tips by Jhonny Oliveira, developed by David Silva
# version 1.7 2010 NIL/UL report bugs for nic@reitoria.ul.pt
# Script for DNSSEC
# This script allows you to edit and sign a DNSSEC zone. The db file is signed automatically if any changes occur.
# Note: keys must be in the same path as the db file
# Use -a for a cron job that signs a file if the file has not been changed for at least 28 days, so that the signatures don't expire
# The serial is incremented if the -a option is enabled and the file has changed
# Options:
# -a for autosign
# -b for backup of the file after changing it; if no changes were made the backup file is erased
# -d for debug; a little verbose mode
#
# see --version for credits
################################################
## Default variables
# $changed - true if the file changed, false otherwise
# $DATE_FILE - date of the file before it is opened
# $DATE_MODIFIED - date of the file in case it has been changed
# $domain - domain of the DNS zone
# $ZONE_SIGNING_KEY - the path / file of the key for signing the zone
# $KEY_SIGNING_KEY - the path / file of the key for signing the zone
# $serial - the serial of the DNS zone file
# domain - the domain is obtained by removing the .db from the filename
# $time - the time of the last modification of the file
# $actualTime - the current time of the system
# $pathName - the path of the file - empty if no path was entered
# $file - the name of the file
###########FUNCTIONS############################
# sign the file with the keys described inside the file in the include lines.
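###########FUNCTIONS############################
# Exit status: 0 on success or after --help/--version, 1 when signing,
# validation, the reload or a file operation fails, 2 on a usage error
# (earlier versions exited 0 on every error, which hid failures from cron).

# Fixed tool locations: this script has always used these absolute paths
# (BIND utilities plus the init helper) instead of relying on PATH.
readonly SIGNZONE=/usr/sbin/dnssec-signzone
readonly CHECKZONE=/usr/sbin/named-checkzone
readonly SERVICE=/sbin/service
# 2419200 - number of seconds in 28 days: a zone left untouched for longer
# than this is re-signed by -a so that its signatures do not expire.
readonly RESIGN_AFTER=2419200

# Option flags (set by main, read by the functions) and the backup name.
debug=false
backup=false
autoSign=false
backup_file=""

#######################################
# Print a message on stderr and exit with status 1.
# Arguments: message words
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Print a message on stdout only when -d (debug) was given.
# Globals:   debug (read)
# Arguments: message words
#######################################
dbg() {
  if $debug; then
    printf '%s\n' "$*"
  fi
}

#######################################
# List the key file names (without the .key suffix) that the zone file
# pulls in with a line of the form
#   $include <name>.key; <label> Signing ...
# Arguments: $1 - zone file
#            $2 - label, "Zone" or "Key"
# Outputs:   one key name per line on stdout; nothing when no line matches
#######################################
extract_keys() {
  local zone_file=$1 label=$2
  grep -o -E -e " .*; ${label} Signing" -- "$zone_file" \
    | grep -o -E -e " .*\.key;" \
    | sed -e 's/^\$include//' -e 's/\.key;//' -e 's/^[ \t]*//'
}

#######################################
# Print the SOA serial of a zone file: the number right before "; Serial".
# Arguments: $1 - zone file
# Outputs:   the serial on stdout; empty when the marker line is missing
#######################################
read_serial() {
  grep -o -E -e '[0-9]+[[:space:]]*;[[:space:]]*Serial' -- "$1" \
    | head -n 1 \
    | grep -o -E -e '^[0-9]+'
}

#######################################
# Sign the zone with the keys named in its "$include ... Signing" lines,
# validate the signed zone and reload named.
# Globals:   SIGNZONE, CHECKZONE, SERVICE, debug (read)
# Arguments: $1 - path of the zone (.db) file; the key files must sit in
#                 the same directory
# Outputs:   progress on stdout
# Returns:   exits 1 when a key file is missing or any BIND step fails;
#            named is only reloaded after named-checkzone accepted the
#            signed zone
#######################################
sign() {
  local path=$1
  local file=${path##*/}
  local pathName=${path%"$file"}
  # removes .db from the filename
  local domain=${file%.db}

  dbg "Name= $file"
  dbg "Path= $pathName"
  dbg "Domain= $domain"
  dbg "Full= $path"

  # get the keys - they should be placed in the path of the zone file
  local -a ZONE_SIGNING_KEY=() KEY_SIGNING_KEY=()
  local key
  while IFS= read -r key; do
    ZONE_SIGNING_KEY+=("$key")
  done < <(extract_keys "$path" Zone)
  while IFS= read -r key; do
    KEY_SIGNING_KEY+=("$key")
  done < <(extract_keys "$path" Key)
  dbg "ZSK ### -> ${ZONE_SIGNING_KEY[*]}"
  dbg "KSK ### -> ${KEY_SIGNING_KEY[*]}"

  # if key files are missing the program stops
  if (( ${#ZONE_SIGNING_KEY[@]} == 0 || ${#KEY_SIGNING_KEY[@]} == 0 )); then
    die "Keys misplaced or incorrect path on file: no Zone/Key Signing include found in $path"
  fi
  for key in "${ZONE_SIGNING_KEY[@]}" "${KEY_SIGNING_KEY[@]}"; do
    [[ -e "$pathName$key.key" ]] \
      || die "Keys misplaced or incorrect path on file: $pathName$key.key not found"
  done

  # dnssec-signzone takes one -k per key signing key.
  local -a ksk_args=()
  for key in "${KEY_SIGNING_KEY[@]}"; do
    ksk_args+=(-k "$key")
  done

  # The tools resolve key names relative to the working directory, so run
  # them inside the zone directory (a plain `cd $pathName` with an empty
  # pathName used to change to $HOME) and keep that cd in a subshell.
  (
    cd -- "${pathName:-.}" || exit 1
    # sign dns file
    "$SIGNZONE" "${ksk_args[@]}" -o "$domain" -t "$file" "${ZONE_SIGNING_KEY[@]}" || exit 1
    echo "DNS Signed"
    # Validate the signed zone before named is asked to load it.
    "$CHECKZONE" "$domain" "$file.signed" || exit 1
  ) || die "Signing or validation of $path failed; named was not reloaded"

  # restart named services - has to be done in sudo mode
  "$SERVICE" named reload || die "named reload failed"
  echo "Named Service Reloaded"
}

#######################################
# Increment the SOA serial in place (the number in front of "; Serial").
# Arguments: $1 - zone file
# Returns:   exits 1 when no serial is found or the edit did not take
# Note: sed -i rewrites the file, so its modification time changes; the
#       -a mode relies on that to wait another RESIGN_AFTER seconds.
#######################################
incrementSerial() {
  local zone_file=$1
  local serial newSerial
  serial=$(read_serial "$zone_file")
  [[ -n "$serial" ]] || die "No '; Serial' line found in $zone_file"
  # 10# keeps a serial with leading zeros from being read as octal.
  newSerial=$(( 10#$serial + 1 ))
  # Only touch the digits that sit right before the "; Serial" marker, so an
  # equal number elsewhere on the line (a TTL, for instance) is left alone.
  # $serial is digits only (see read_serial), so it is safe inside the pattern.
  sed -i -E "s/(^|[^0-9])${serial}([[:space:]]*;[[:space:]]*Serial)/\1${newSerial}\2/" -- "$zone_file"
  [[ "$(read_serial "$zone_file")" == "$newSerial" ]] \
    || die "Serial of $zone_file was not updated"
  dbg "Serial $serial -> $newSerial"
}

#######HELP##########
#######################################
# Print the usage text and exit.
# Arguments: $1 - exit status (default 0)
#######################################
moreHelp() {
  local status=${1:-0}
  echo "Use: editNsign {path/file} [options]"
  echo "Backup of file : -b"
  echo "AutoSign file : -a"
  echo "Debug verbose : -d"
  exit "$status"
}

#######################################
# Cron mode (-a): when the zone file has not been modified for more than
# RESIGN_AFTER seconds, bump its serial and sign it.
# Globals:   RESIGN_AFTER (read)
# Arguments: $1 - zone file
#######################################
autosign() {
  local inputFile=$1
  local fileTime actualTime variation
  # time of the last change in the file
  fileTime=$(date -r "$inputFile" +%s) \
    || die "cannot read the modification time of $inputFile"
  # actualTime - the time of the system
  actualTime=$(date +%s)
  # variation between the last change and the current time
  variation=$(( actualTime - fileTime ))
  dbg "The file $inputFile as the time $fileTime"
  dbg "Actual Time $actualTime"
  dbg "Difference $variation"
  # if 28 or more days have passed increment the serial and sign
  if (( variation > RESIGN_AFTER )); then
    incrementSerial "$inputFile"
    sign "$inputFile"
  fi
}

#######################################
# Interactive mode: open the zone in vi and sign it if the file was written.
# A change is detected by comparing the modification time (with fractional
# seconds) before and after the editor ran.
# Globals:   backup (read), backup_file (written)
# Arguments: $1 - zone file
#######################################
edit_and_sign() {
  local zone_file=$1
  local serial DATE_FILE DATE_MODIFIED

  if $backup; then
    echo "Backing up"
    serial=$(read_serial "$zone_file")
    backup_file="$zone_file.$serial"
    # backups the file
    cp -- "$zone_file" "$backup_file" || die "cannot create backup $backup_file"
  fi

  DATE_FILE=$(stat -c %y -- "$zone_file")
  # Opens the file to edit
  vi "$zone_file"
  DATE_MODIFIED=$(stat -c %y -- "$zone_file")

  # compare if there were changes since the file was opened
  if [[ "$DATE_FILE" == "$DATE_MODIFIED" ]]; then
    echo "File has not been changed"
    if $backup; then
      rm -- "$backup_file"
      echo "Removing backup"
    fi
  else
    echo " File changed"
    if $backup; then
      echo "The backup File is $backup_file"
    fi
    sign "$zone_file"
  fi
  echo "Done"
}

###############ARGS#######################
#######################################
# Entry point: parse the arguments, then run cron mode (-a) or the
# interactive edit.
# Globals:   debug, backup, autoSign (written)
# Arguments: $1 - zone file, followed by any of -a -b -d
#######################################
main() {
  if (( $# == 0 )); then
    echo "No input files" >&2
    moreHelp 2
  fi
  # display's some help
  if [[ "$1" == "--help" ]]; then
    moreHelp
  fi
  # Credits
  if [[ "$1" == "--version" ]]; then
    echo "Guidelines and tips by Jhonny Oliveira, developed by David Silva"
    echo "version 1.7 2010 NIL/UL report bugs for ddsilva@reitoria.ul.pt"
    exit 0
  fi

  local zone_file=$1
  shift
  local opt
  for opt in "$@"; do
    case "$opt" in
      -d) debug=true ;;
      -b) backup=true ;;
      -a) autoSign=true ;;
      *) moreHelp 2 ;;
    esac
  done

  # Verifies if file or path are real
  if [[ -z "$zone_file" ]]; then
    echo "File or path not found" >&2
    moreHelp 2
  fi
  [[ -f "$zone_file" ]] || die "File Not Exists"

  if $autoSign; then
    autosign "$zone_file"
  else
    edit_and_sign "$zone_file"
  fi
  exit 0
}

main "$@"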