From 1a2f60067da29914c833ec813950e76a717cd45b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?A=2E=20T=C3=A4ffner?= <darkalex@firesplash.de>
Date: Wed, 20 Jan 2016 17:06:54 +0100
Subject: [PATCH] final commit? Will test one last time now and if everything
 works as expected this will be my merge request

---
 TODO.txt                              |  8 +++-----
 install/lib/installer_base.lib.php    |  2 +-
 install/tpl/dnssec-create.sh.master   | 11 ++++++++++-
 install/tpl/named.conf.options.master | 28 +++++++++++++++++++++++++++
 4 files changed, 42 insertions(+), 7 deletions(-)
 create mode 100644 install/tpl/named.conf.options.master

diff --git a/TODO.txt b/TODO.txt
index ce0de4f9e6..31212293ca 100644
--- a/TODO.txt
+++ b/TODO.txt
@@ -13,11 +13,9 @@ Installer
 --------------------------------------
 
 - Add a function to let a server join a existing installation.
-- Change named.options.conf and add follwoing lines into options-brackets for DNSSEC-Implementation:
-		dnssec-enable yes;
-		dnssec-validation yes;
-		dnssec-lookaside auto;
-- Add Package haveged to requirements as it raises available entropy by more than 1500 which is very needed for DNSSEC Key-generation
+- Add Package haveged to requirements (at least if entropy is low) as it raises available entropy significantly which is very needed for DNSSEC Key-generation
+	If it is not installed and entropy is low generating dnssec-keys lasts minutes (and would time out the server thus is not done) and new signing keys are not generated.
+	If there are no keys the zones can not be signed and will only be availableas a unsigned copy.
 
 Uninstaller
 --------------------------------------
diff --git a/install/lib/installer_base.lib.php b/install/lib/installer_base.lib.php
index 7643043c9f..41701a3d12 100644
--- a/install/lib/installer_base.lib.php
+++ b/install/lib/installer_base.lib.php
@@ -1517,7 +1517,7 @@ class installer_base {
 		$this->process_bind_file('dnssec-autopickup.sh', '/server/scripts/');
 		$this->process_bind_file('dnssec-autocreate.sh', '/server/scripts/');
 		$this->process_bind_file('dnssec-config.sh', '/server/scripts/');
-
+		$this->process_bind_file('named.conf.options', $conf['bind']['bind_zonefiles_dir']);
 	}
 
 
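Review bot: The new `process_bind_file('named.conf.options', …)` call writes the template over whatever named.conf.options the distribution or the administrator already has, with no check that the file exists or differs, so local settings such as forwarders, ACLs or `allow-recursion` are silently lost on every (re)install; the three calls above it target a scripts directory the installer owns, this one targets the live BIND configuration. Consider backing the existing file up first, or merging only the three dnssec-* lines into it, and state the overwrite in the installer output. `$conf['bind']['bind_zonefiles_dir']` is read as if `$conf` were in scope; the method's opening lines are outside the hunk, so confirm a `global $conf;` is present, and note that the zone-file directory is not necessarily where named reads its options file on non-Debian layouts. The enclosing method starts outside the hunk.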
diff --git a/install/tpl/dnssec-create.sh.master b/install/tpl/dnssec-create.sh.master
index 675fcb13c4..521c62042a 100644
--- a/install/tpl/dnssec-create.sh.master
+++ b/install/tpl/dnssec-create.sh.master
@@ -7,9 +7,18 @@ if [ "$mysqlcheck" = 0 ];then
  echo "$0 could not connect to database"
  exit 0
 fi
+
+if [ `cat /proc/sys/kernel/random/entropy_avail` -lt 400 ] ; then
+	echo "ERROR: DNSSEC is not working as available entropy is below 400. Please consider installing package haveged. Skipping generation of keys as well as signing..."
+	cp $filespre$domain $filespre$domain.signed
+	mysql -u $dbuser --password=$dbpass -h $dbhost -Bse "use $dbase; UPDATE dns_soa SET dnssec_info='Error during generation of keys. Please contact our support. Reason: Too less entropy available.', dnssec_initialized='N' WHERE origin='$domain.'"
+	exit 20
+fi
+
 mysqlcheck=`mysql -u $dbuser --password=$dbpass -h $dbhost -Bse "use $dbase; select * from dns_soa where dnssec_initialized='Y' and origin='$domain.';" | wc -c`
 if [ "$mysqlcheck" -gt 1 ];then
- echo "$domain seems to be initialized. If that is wrong correct dnssec_initialized in dns_soa table"
+ echo "DNSSEC: $domain seems to be initialized. If that is wrong correct dnssec_initialized in dns_soa table"
+ exit 0
 fi
 cd $bindpath
 
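Review bot: The entropy guard reads `/proc/sys/kernel/random/entropy_avail` through an unquoted backtick expansion; if the file is unreadable (no procfs, restricted container) `[` gets an empty operand, prints an error and evaluates false, so the script falls through to key generation, which is the case the check was added to prevent. Capture the value first and fail closed: `entropy=$(cat /proc/sys/kernel/random/entropy_avail 2>/dev/null)` followed by `if [ "${entropy:-0}" -lt 400 ]; then`. The new UPDATE statement interpolates `$domain` straight into the SQL string, as the existing SELECT below it does, so a quote in the value breaks or alters the statement; the value presumably comes from the ISPConfig database, but escaping it would be safer, and moving `$dbpass` into a `--defaults-extra-file` would also keep the password out of `ps` output. `cp $filespre$domain $filespre$domain.signed` should quote both operands so an unset variable cannot turn it into a call on the wrong files. The variables used here are set before the hunk and the key-generation steps follow it.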
diff --git a/install/tpl/named.conf.options.master b/install/tpl/named.conf.options.master
new file mode 100644
index 0000000000..f13976ffd6
--- /dev/null
+++ b/install/tpl/named.conf.options.master
@@ -0,0 +1,28 @@
+options {
+	directory "/var/cache/bind";
+
+	// If there is a firewall between you and nameservers you want
+	// to talk to, you may need to fix the firewall to allow multiple
+	// ports to talk.  See http://www.kb.cert.org/vuls/id/800113
+
+	// If your ISP provided one or more IP addresses for stable 
+	// nameservers, you probably want to use them as forwarders.  
+	// Uncomment the following block, and insert the addresses replacing 
+	// the all-0's placeholder.
+
+	// forwarders {
+	// 	0.0.0.0;
+	// };
+
+	//========================================================================
+	// If BIND logs error messages about the root key being expired,
+	// you will need to update your keys.  See https://www.isc.org/bind-keys
+	//========================================================================
+	dnssec-enable yes;
+	dnssec-validation yes;
+	dnssec-lookaside auto;
+
+	auth-nxdomain no;    # conform to RFC1035
+	listen-on-v6 { any; };
+};
+
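Review bot: `dnssec-lookaside auto;` on the line after `dnssec-validation yes;` enables lookaside validation against ISC's DLV registry, which ISC has retired; the option is deprecated in later BIND releases and, where named still parses it, only adds a dependency on an external trust anchor that no longer exists, so drop that line. The template also carries the Debian default `directory "/var/cache/bind";` and no `recursion`/`allow-recursion` statement, so on an authoritative ISPConfig server it relies on BIND's built-in localnets/localhost recursion default while `listen-on-v6 { any; };` binds every v6 address; an explicit `recursion no;` (or a deliberately scoped `allow-recursion`) would make the intent visible and auditable. A header comment such as `// Installed by ISPConfig: replaces the distribution's named.conf.options on (re)install` would warn administrators that local edits to this file are overwritten.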
-- 
GitLab