diff --git a/install/sql/incremental/upd_dev_collection.sql b/install/sql/incremental/upd_dev_collection.sql
index 1deb6050284d384ec4fdb69a6f65acee8fa4cdd8..b7db2767eda744d3f626494f52d4dd390243b33c 100644
--- a/install/sql/incremental/upd_dev_collection.sql
+++ b/install/sql/incremental/upd_dev_collection.sql
@@ -65,3 +65,8 @@ ALTER TABLE `client` CHANGE `id_rsa` `id_rsa` TEXT CHARACTER SET utf8 COLLATE ut
ALTER TABLE `directive_snippets` ADD `update_sites` ENUM('y','n') NOT NULL DEFAULT 'n' ;
+-- Add DNSSEC Algorithm setting
+ALTER TABLE `dns_soa` ADD `dnssec_algo` SET('NSEC3RSASHA1','ECDSAP256SHA256') NULL DEFAULT NULL AFTER `dnssec_wanted`;
+UPDATE `dns_soa` SET `dnssec_algo` = 'NSEC3RSASHA1' WHERE `dnssec_algo` IS NULL AND dnssec_initialized = 'Y';
+UPDATE `dns_soa` SET `dnssec_algo` = 'ECDSAP256SHA256' WHERE `dnssec_algo` IS NULL AND dnssec_initialized = 'N';
+ALTER TABLE `dns_soa` CHANGE `dnssec_algo` `dnssec_algo` SET('NSEC3RSASHA1','ECDSAP256SHA256') CHARACTER SET utf8 COLLATE utf8_general_ci NOT NULL DEFAULT 'ECDSAP256SHA256';
diff --git a/install/sql/ispconfig3.sql b/install/sql/ispconfig3.sql
index edd4dd50491cf6dfe21898e8d7c6027b04e86541..0d76fb8c084356d790a7506b5044c6b36265ccdf 100644
--- a/install/sql/ispconfig3.sql
+++ b/install/sql/ispconfig3.sql
@@ -626,6 +626,7 @@ CREATE TABLE `dns_soa` (
`update_acl` varchar(255) default NULL,
`dnssec_initialized` ENUM('Y','N') NOT NULL DEFAULT 'N',
`dnssec_wanted` ENUM('Y','N') NOT NULL DEFAULT 'N',
+ `dnssec_algo` SET('NSEC3RSASHA1','ECDSAP256SHA256') NOT NULL DEFAULT 'ECDSAP256SHA256',
`dnssec_last_signed` BIGINT NOT NULL DEFAULT '0',
`dnssec_info` TEXT NULL,
PRIMARY KEY (`id`),
@@ -2501,7 +2502,7 @@ INSERT INTO `country` (`iso`, `name`, `printable_name`, `iso3`, `numcode`, `eu`)
-- Dumping data for table `dns_template`
--
-INSERT INTO `dns_template` (`template_id`, `sys_userid`, `sys_groupid`, `sys_perm_user`, `sys_perm_group`, `sys_perm_other`, `name`, `fields`, `template`, `visible`) VALUES (1, 1, 1, 'riud', 'riud', '', 'Default', 'DOMAIN,IP,NS1,NS2,EMAIL,DKIM,DNSSEC', '[ZONE]\norigin={DOMAIN}.\nns={NS1}.\nmbox={EMAIL}.\nrefresh=7200\nretry=540\nexpire=604800\nminimum=3600\nttl=3600\n\n[DNS_RECORDS]\nA|{DOMAIN}.|{IP}|0|3600\nA|www|{IP}|0|3600\nA|mail|{IP}|0|3600\nNS|{DOMAIN}.|{NS1}.|0|3600\nNS|{DOMAIN}.|{NS2}.|0|3600\nMX|{DOMAIN}.|mail.{DOMAIN}.|10|3600\nTXT|{DOMAIN}.|v=spf1 mx a ~all|0|3600', 'y');
+INSERT INTO `dns_template` (`template_id`, `sys_userid`, `sys_groupid`, `sys_perm_user`, `sys_perm_group`, `sys_perm_other`, `name`, `fields`, `template`, `visible`) VALUES (1, 1, 1, 'riud', 'riud', '', 'Default', 'DOMAIN,IP,NS1,NS2,EMAIL,DKIM,DNSSEC', '[ZONE]\norigin={DOMAIN}.\nns={NS1}.\nmbox={EMAIL}.\nrefresh=7200\nretry=540\nexpire=604800\nminimum=3600\nttl=3600\ndnssec_algo=ECDSAP256SHA256\n\n[DNS_RECORDS]\nA|{DOMAIN}.|{IP}|0|3600\nA|www|{IP}|0|3600\nA|mail|{IP}|0|3600\nNS|{DOMAIN}.|{NS1}.|0|3600\nNS|{DOMAIN}.|{NS2}.|0|3600\nMX|{DOMAIN}.|mail.{DOMAIN}.|10|3600\nTXT|{DOMAIN}.|v=spf1 mx a ~all|0|3600', 'y');
-- --------------------------------------------------------
diff --git a/interface/web/dns/dns_soa_edit.php b/interface/web/dns/dns_soa_edit.php
index aa844d4e8e2c6f81962a9d165f6f70f33f7baa8f..e17571e73612e8db511c303479aa3c87aed0ae8c 100644
--- a/interface/web/dns/dns_soa_edit.php
+++ b/interface/web/dns/dns_soa_edit.php
@@ -296,6 +296,8 @@ function onSubmit() {
$this->dataRecord["xfer"] = preg_replace('/\s+/', '', $this->dataRecord["xfer"]);
$this->dataRecord["also_notify"] = preg_replace('/\s+/', '', $this->dataRecord["also_notify"]);
+
+ if(isset($this->dataRecord['dnssec_wanted']) && $this->dataRecord['dnssec_wanted'] == 'Y' && $this->dataRecord['dnssec_algo'] == '') $this->dataRecord['dnssec_algo'] = 'ECDSAP256SHA256';
//* Check if a secondary zone with the same name already exists
$tmp = $app->db->queryOneRecord("SELECT count(id) as number FROM dns_slave WHERE origin = ? AND server_id = ?", $this->dataRecord["origin"], $this->dataRecord["server_id"]);
diff --git a/interface/web/dns/dns_wizard.php b/interface/web/dns/dns_wizard.php
index 91b2307dc5126dc3650a1f3a38a754ea135151e9..b2320dc6bf98466d0cb6726870665ffb06a1e41d 100644
--- a/interface/web/dns/dns_wizard.php
+++ b/interface/web/dns/dns_wizard.php
@@ -339,6 +339,7 @@ if($_POST['create'] == 1) {
$section = '';
$vars = array();
$vars['xfer']='';
+ $vars['dnssec_algo']='ECDSAP256SHA256';
$dns_rr = array();
foreach($tpl_rows as $row) {
$row = trim($row);
@@ -398,6 +399,7 @@ if($_POST['create'] == 1) {
$xfer = $vars['xfer'];
$also_notify = $vars['also_notify'];
$update_acl = $vars['update_acl'];
+ $dnssec_algo = $vars['dnssec_algo'];
$serial = $app->validate_dns->increase_serial(0);
$insert_data = array(
@@ -420,7 +422,8 @@ if($_POST['create'] == 1) {
"xfer" => $xfer,
"also_notify" => $also_notify,
"update_acl" => $update_acl,
- "dnssec_wanted" => $enable_dnssec
+ "dnssec_wanted" => $enable_dnssec,
+ "dnssec_algo" => $dnssec_algo
);
$dns_soa_id = $app->db->datalogInsert('dns_soa', $insert_data, 'id');
if($dns_soa_id > 0) $app->plugin->raiseEvent('dns:wizard:on_after_insert', $dns_soa_id);
diff --git a/interface/web/dns/form/dns_soa.tform.php b/interface/web/dns/form/dns_soa.tform.php
index cf0d143916c5fe2679777d1756ec96089bac9105..81389c4553f540a2f1ae367fdf7bf5858011bd7f 100644
--- a/interface/web/dns/form/dns_soa.tform.php
+++ b/interface/web/dns/form/dns_soa.tform.php
@@ -276,6 +276,15 @@ $form["tabs"]['dns_soa'] = array (
'default' => 'Y',
'value' => array(0 => 'N', 1 => 'Y')
),
+ 'dnssec_algo' => array (
+ 'datatype' => 'VARCHAR',
+ 'formtype' => 'CHECKBOXARRAY',
+ 'separator' => ',',
+ 'default' => 'ECDSAP256SHA256',
+ 'value' => array('NSEC3RSASHA1' => '7 (NSEC3RSASHA1)','ECDSAP256SHA256' => '13 (ECDSAP256SHA256)'),
+ 'width' => '30',
+ 'maxlength' => '255'
+ ),
'dnssec_info' => array (
'datatype' => 'TEXT',
'formtype' => 'TEXTAREA',
diff --git a/interface/web/dns/lib/lang/ar_dns_soa.lng b/interface/web/dns/lib/lang/ar_dns_soa.lng
index c9721cebc0e2de6bb770816a544e0b3b8dd3863d..8c13c59e8e67b1fd37768608289f51f01610d997 100644
--- a/interface/web/dns/lib/lang/ar_dns_soa.lng
+++ b/interface/web/dns/lib/lang/ar_dns_soa.lng
@@ -41,4 +41,5 @@ $wb['dnssec_wanted_info'] = 'When disabling DNSSEC keys are not going to be dele
$wb['error_not_allowed_server_id'] = 'The selected server is not allowed for this account.';
$wb['soa_cannot_be_changed_txt'] = 'Die Zone (SOA) kann nicht verändert werden. Bitte kontaktieren Sie ihren Administrator, um die Zone zu ändern.';
$wb['configuration_error_txt'] = 'CONFIGURATION ERROR';
+$wb['dnssec_algo_txt'] = 'DNSSEC Algorithm';
?>
diff --git a/interface/web/dns/lib/lang/bg_dns_soa.lng b/interface/web/dns/lib/lang/bg_dns_soa.lng
index 151e3ead11483260d8acabf8ac729d7b0a5324c4..9e9e8bf3f50ce64fb5c25ebf642efd6cea336c1f 100644
--- a/interface/web/dns/lib/lang/bg_dns_soa.lng
+++ b/interface/web/dns/lib/lang/bg_dns_soa.lng
@@ -41,4 +41,5 @@ $wb['dnssec_wanted_info'] = 'When disabling DNSSEC keys are not going to be dele
$wb['error_not_allowed_server_id'] = 'The selected server is not allowed for this account.';
$wb['soa_cannot_be_changed_txt'] = 'Die Zone (SOA) kann nicht verändert werden. Bitte kontaktieren Sie ihren Administrator, um die Zone zu ändern.';
$wb['configuration_error_txt'] = 'CONFIGURATION ERROR';
+$wb['dnssec_algo_txt'] = 'DNSSEC Algorithm';
?>
diff --git a/interface/web/dns/lib/lang/br_dns_soa.lng b/interface/web/dns/lib/lang/br_dns_soa.lng
index f5385c4706b98e51611e803341ac3ea1a4f35ac4..f1cb453e9959cf0b883cad31460a9982bd4d1ebe 100644
--- a/interface/web/dns/lib/lang/br_dns_soa.lng
+++ b/interface/web/dns/lib/lang/br_dns_soa.lng
@@ -41,4 +41,5 @@ $wb['ttl_range_error'] = 'Intervalo mÃnimo do TTL são 60 segundos.';
$wb['error_not_allowed_server_id'] = 'O servidor selecionado não é permitido para esta conta.';
$wb['soa_cannot_be_changed_txt'] = 'A zona (SOA) não pode ser alterada. Por favor, contate o administrador se deseja alterar esta zona.';
$wb['configuration_error_txt'] = 'ERRO DE CONFIGURAÇÃO';
+$wb['dnssec_algo_txt'] = 'DNSSEC Algorithm';
?>
diff --git a/interface/web/dns/lib/lang/ca_dns_soa.lng b/interface/web/dns/lib/lang/ca_dns_soa.lng
index 0b6759f07372f84c449c17942f8c4ca849225a53..ee2fdb07b64c3a188cca64d12fe20b6129c21f69 100644
--- a/interface/web/dns/lib/lang/ca_dns_soa.lng
+++ b/interface/web/dns/lib/lang/ca_dns_soa.lng
@@ -41,4 +41,5 @@ $wb['dnssec_wanted_info'] = 'When disabling DNSSEC keys are not going to be dele
$wb['error_not_allowed_server_id'] = 'The selected server is not allowed for this account.';
$wb['soa_cannot_be_changed_txt'] = 'Die Zone (SOA) kann nicht verändert werden. Bitte kontaktieren Sie ihren Administrator, um die Zone zu ändern.';
$wb['configuration_error_txt'] = 'CONFIGURATION ERROR';
+$wb['dnssec_algo_txt'] = 'DNSSEC Algorithm';
?>
diff --git a/interface/web/dns/lib/lang/cz_dns_soa.lng b/interface/web/dns/lib/lang/cz_dns_soa.lng
index cb35f0ef3bbe946036dd51179d8f5c0ef92ce730..ba6b2d4b52b6ac8d3d0ffa770ee5f02b2f5133fd 100644
--- a/interface/web/dns/lib/lang/cz_dns_soa.lng
+++ b/interface/web/dns/lib/lang/cz_dns_soa.lng
@@ -41,4 +41,5 @@ $wb['dnssec_wanted_info'] = 'Když deaktivujete DNSSEC klÃÄe nebudou odstranÄ›
$wb['error_not_allowed_server_id'] = 'Vybraný server nenà pro tento úÄet povolen.';
$wb['soa_cannot_be_changed_txt'] = 'Die Zone (SOA) kann nicht verändert werden. Bitte kontaktieren Sie ihren Administrator, um die Zone zu ändern.';
$wb['configuration_error_txt'] = 'CONFIGURATION ERROR';
+$wb['dnssec_algo_txt'] = 'DNSSEC Algorithm';
?>
diff --git a/interface/web/dns/lib/lang/de_dns_soa.lng b/interface/web/dns/lib/lang/de_dns_soa.lng
index 76d139391ddb580830e537c7050f09171d3bc943..14897b24e45fd86dbca1e4ddfc95d3317c6aae4b 100644
--- a/interface/web/dns/lib/lang/de_dns_soa.lng
+++ b/interface/web/dns/lib/lang/de_dns_soa.lng
@@ -41,4 +41,5 @@ $wb['xfer_error_regex'] = 'Zonentransfer: Verwenden Sie eine oder mehrere durch
$wb['soa_cannot_be_changed_txt'] = 'Die Zone (SOA) kann nicht verändert werden. Bitte kontaktieren Sie ihren Administrator, um die Zone zu ändern.';
$wb['error_not_allowed_server_id'] = 'The selected server is not allowed for this account.';
$wb['configuration_error_txt'] = 'CONFIGURATION ERROR';
+$wb['dnssec_algo_txt'] = 'DNSSEC Algorithmus';
?>
diff --git a/interface/web/dns/lib/lang/dk_dns_soa.lng b/interface/web/dns/lib/lang/dk_dns_soa.lng
index 6a3d71d973588f748bbda7b7d566a23442ed8a8a..a4ff50f14fa3f705e59b6ba19472bf8bd5f7ad5d 100644
--- a/interface/web/dns/lib/lang/dk_dns_soa.lng
+++ b/interface/web/dns/lib/lang/dk_dns_soa.lng
@@ -41,4 +41,5 @@ $wb['dnssec_wanted_info'] = 'When disabling DNSSEC keys are not going to be dele
$wb['error_not_allowed_server_id'] = 'The selected server is not allowed for this account.';
$wb['soa_cannot_be_changed_txt'] = 'The Zone (SOA) can not be changed. Please contact your administrator to change the zone.';
$wb['configuration_error_txt'] = 'CONFIGURATION ERROR';
+$wb['dnssec_algo_txt'] = 'DNSSEC Algorithm';
?>
diff --git a/interface/web/dns/lib/lang/el_dns_soa.lng b/interface/web/dns/lib/lang/el_dns_soa.lng
index 4d8c876d28aab75d4c6e893dcd1667363f9cf758..aae62bef7618261ef0cb8e116287d33db8a68931 100644
--- a/interface/web/dns/lib/lang/el_dns_soa.lng
+++ b/interface/web/dns/lib/lang/el_dns_soa.lng
@@ -41,4 +41,5 @@ $wb['dnssec_wanted_info'] = 'When disabling DNSSEC keys are not going to be dele
$wb['error_not_allowed_server_id'] = 'The selected server is not allowed for this account.';
$wb['soa_cannot_be_changed_txt'] = 'Die Zone (SOA) kann nicht verändert werden. Bitte kontaktieren Sie ihren Administrator, um die Zone zu ändern.';
$wb['configuration_error_txt'] = 'CONFIGURATION ERROR';
+$wb['dnssec_algo_txt'] = 'DNSSEC Algorithm';
?>
diff --git a/interface/web/dns/lib/lang/en_dns_soa.lng b/interface/web/dns/lib/lang/en_dns_soa.lng
index 1729a4d0cbe9b2e3a311462517c1dc811e11460c..7d130b34b03223a5ef82db646e913d652b39bd17 100644
--- a/interface/web/dns/lib/lang/en_dns_soa.lng
+++ b/interface/web/dns/lib/lang/en_dns_soa.lng
@@ -41,4 +41,5 @@ $wb['ttl_range_error'] = 'Min. TTL time is 60 seconds.';
$wb['error_not_allowed_server_id'] = 'The selected server is not allowed for this account.';
$wb['soa_cannot_be_changed_txt'] = 'The Zone (SOA) can not be changed. Please contact your administrator to change the zone.';
$wb['configuration_error_txt'] = 'CONFIGURATION ERROR';
+$wb['dnssec_algo_txt'] = 'DNSSEC Algorithm';
?>
diff --git a/interface/web/dns/lib/lang/es_dns_soa.lng b/interface/web/dns/lib/lang/es_dns_soa.lng
index 23f4cc5ffcfb53f784333a43965cfdd740cbac0c..b1484e749a0258b43ed279ca159226a451badb81 100644
--- a/interface/web/dns/lib/lang/es_dns_soa.lng
+++ b/interface/web/dns/lib/lang/es_dns_soa.lng
@@ -41,4 +41,5 @@ $wb['update_acl_txt'] = 'Actualizar ACL';
$wb['xfer_error_regex'] = 'Notificar también a: Por favor, usa una dirección IP.';
$wb['xfer_txt'] = 'Permitir transferencia de zonas a<br />estas IP (lista separada por comas)';
$wb['configuration_error_txt'] = 'CONFIGURATION ERROR';
+$wb['dnssec_algo_txt'] = 'DNSSEC Algorithm';
?>
diff --git a/interface/web/dns/lib/lang/fi_dns_soa.lng b/interface/web/dns/lib/lang/fi_dns_soa.lng
index 3e106259677bea687262bb3cc99098c89e901c9c..b34b2893fdf514db92a3da4c8f8692066aaca771 100644
--- a/interface/web/dns/lib/lang/fi_dns_soa.lng
+++ b/interface/web/dns/lib/lang/fi_dns_soa.lng
@@ -41,4 +41,5 @@ $wb['dnssec_wanted_info'] = 'When disabling DNSSEC keys are not going to be dele
$wb['error_not_allowed_server_id'] = 'The selected server is not allowed for this account.';
$wb['soa_cannot_be_changed_txt'] = 'Die Zone (SOA) kann nicht verändert werden. Bitte kontaktieren Sie ihren Administrator, um die Zone zu ändern.';
$wb['configuration_error_txt'] = 'CONFIGURATION ERROR';
+$wb['dnssec_algo_txt'] = 'DNSSEC Algorithm';
?>
diff --git a/interface/web/dns/lib/lang/fr_dns_soa.lng b/interface/web/dns/lib/lang/fr_dns_soa.lng
index da63faadbdea9adab67fa598a1331997d941d246..d2449c323e9a95cb966fd7f9497699a7044f51db 100644
--- a/interface/web/dns/lib/lang/fr_dns_soa.lng
+++ b/interface/web/dns/lib/lang/fr_dns_soa.lng
@@ -41,4 +41,5 @@ $wb['dnssec_wanted_info'] = 'When disabling DNSSEC keys are not going to be dele
$wb['error_not_allowed_server_id'] = 'The selected server is not allowed for this account.';
$wb['soa_cannot_be_changed_txt'] = 'Die Zone (SOA) kann nicht verändert werden. Bitte kontaktieren Sie ihren Administrator, um die Zone zu ändern.';
$wb['configuration_error_txt'] = 'CONFIGURATION ERROR';
+$wb['dnssec_algo_txt'] = 'DNSSEC Algorithm';
?>
diff --git a/interface/web/dns/lib/lang/hr_dns_soa.lng b/interface/web/dns/lib/lang/hr_dns_soa.lng
index b4a9f2f9b0ad77b8808ab250735d93de8486d451..d738ff1e184cb52628d8aa105c16cc92503a60bb 100644
--- a/interface/web/dns/lib/lang/hr_dns_soa.lng
+++ b/interface/web/dns/lib/lang/hr_dns_soa.lng
@@ -41,4 +41,5 @@ $wb['dnssec_wanted_info'] = 'When disabling DNSSEC keys are not going to be dele
$wb['error_not_allowed_server_id'] = 'The selected server is not allowed for this account.';
$wb['soa_cannot_be_changed_txt'] = 'Die Zone (SOA) kann nicht verändert werden. Bitte kontaktieren Sie ihren Administrator, um die Zone zu ändern.';
$wb['configuration_error_txt'] = 'CONFIGURATION ERROR';
+$wb['dnssec_algo_txt'] = 'DNSSEC Algorithm';
?>
diff --git a/interface/web/dns/lib/lang/hu_dns_soa.lng b/interface/web/dns/lib/lang/hu_dns_soa.lng
index 401961408864d7817ba7e8c5f4b4ecbc3b02d7c8..445de86d69c7c8d8f1d73a0fa49b5dcbe94e97c4 100644
--- a/interface/web/dns/lib/lang/hu_dns_soa.lng
+++ b/interface/web/dns/lib/lang/hu_dns_soa.lng
@@ -41,4 +41,5 @@ $wb['dnssec_wanted_info'] = 'When disabling DNSSEC keys are not going to be dele
$wb['error_not_allowed_server_id'] = 'The selected server is not allowed for this account.';
$wb['soa_cannot_be_changed_txt'] = 'Die Zone (SOA) kann nicht verändert werden. Bitte kontaktieren Sie ihren Administrator, um die Zone zu ändern.';
$wb['configuration_error_txt'] = 'CONFIGURATION ERROR';
+$wb['dnssec_algo_txt'] = 'DNSSEC Algorithm';
?>
diff --git a/interface/web/dns/lib/lang/id_dns_soa.lng b/interface/web/dns/lib/lang/id_dns_soa.lng
index c42890b71c1ae0cd010a138d54c21fd6e0016403..c9a43ad057a07bc4a12a16b6a90b737f9f58217b 100644
--- a/interface/web/dns/lib/lang/id_dns_soa.lng
+++ b/interface/web/dns/lib/lang/id_dns_soa.lng
@@ -41,4 +41,5 @@ $wb['dnssec_wanted_info'] = 'When disabling DNSSEC keys are not going to be dele
$wb['error_not_allowed_server_id'] = 'The selected server is not allowed for this account.';
$wb['soa_cannot_be_changed_txt'] = 'Die Zone (SOA) kann nicht verändert werden. Bitte kontaktieren Sie ihren Administrator, um die Zone zu ändern.';
$wb['configuration_error_txt'] = 'CONFIGURATION ERROR';
+$wb['dnssec_algo_txt'] = 'DNSSEC Algorithm';
?>
diff --git a/interface/web/dns/lib/lang/it_dns_soa.lng b/interface/web/dns/lib/lang/it_dns_soa.lng
index 7ca3cb1cb13f1f104d5aad6516d522735045182d..714c6c70566c3af03ee5395ccc5790a8b86273c9 100644
--- a/interface/web/dns/lib/lang/it_dns_soa.lng
+++ b/interface/web/dns/lib/lang/it_dns_soa.lng
@@ -41,4 +41,5 @@ $wb['dnssec_wanted_info'] = 'When disabling DNSSEC keys are not going to be dele
$wb['error_not_allowed_server_id'] = 'The selected server is not allowed for this account.';
$wb['soa_cannot_be_changed_txt'] = 'Die Zone (SOA) kann nicht verändert werden. Bitte kontaktieren Sie ihren Administrator, um die Zone zu ändern.';
$wb['configuration_error_txt'] = 'CONFIGURATION ERROR';
+$wb['dnssec_algo_txt'] = 'DNSSEC Algorithm';
?>
diff --git a/interface/web/dns/lib/lang/ja_dns_soa.lng b/interface/web/dns/lib/lang/ja_dns_soa.lng
index 3964f3fcdb73888f6c3208043b4cb7adf29e425e..7ab57997508202e5496ae098ccb59a2b0bf4c2b6 100644
--- a/interface/web/dns/lib/lang/ja_dns_soa.lng
+++ b/interface/web/dns/lib/lang/ja_dns_soa.lng
@@ -41,4 +41,5 @@ $wb['dnssec_wanted_info'] = 'When disabling DNSSEC keys are not going to be dele
$wb['error_not_allowed_server_id'] = 'The selected server is not allowed for this account.';
$wb['soa_cannot_be_changed_txt'] = 'Die Zone (SOA) kann nicht verändert werden. Bitte kontaktieren Sie ihren Administrator, um die Zone zu ändern.';
$wb['configuration_error_txt'] = 'CONFIGURATION ERROR';
+$wb['dnssec_algo_txt'] = 'DNSSEC Algorithm';
?>
diff --git a/interface/web/dns/lib/lang/nl_dns_soa.lng b/interface/web/dns/lib/lang/nl_dns_soa.lng
index 121339c00ca296b5b108516fb406c98edd4e7f4c..1f875df3c9007659806b6e48a22fb3f1497ba89e 100644
--- a/interface/web/dns/lib/lang/nl_dns_soa.lng
+++ b/interface/web/dns/lib/lang/nl_dns_soa.lng
@@ -41,4 +41,5 @@ $wb['dnssec_wanted_info'] = 'When disabling DNSSEC keys are not going to be dele
$wb['error_not_allowed_server_id'] = 'The selected server is not allowed for this account.';
$wb['soa_cannot_be_changed_txt'] = 'Die Zone (SOA) kann nicht verändert werden. Bitte kontaktieren Sie ihren Administrator, um die Zone zu ändern.';
$wb['configuration_error_txt'] = 'CONFIGURATION ERROR';
+$wb['dnssec_algo_txt'] = 'DNSSEC Algorithm';
?>
diff --git a/interface/web/dns/lib/lang/pl_dns_soa.lng b/interface/web/dns/lib/lang/pl_dns_soa.lng
index 1724c4c141c77a15d08c93021ca7ee2d3f189fe0..7502a592372707764358fde63333b8ef0938ee9d 100644
--- a/interface/web/dns/lib/lang/pl_dns_soa.lng
+++ b/interface/web/dns/lib/lang/pl_dns_soa.lng
@@ -41,4 +41,5 @@ $wb['dnssec_wanted_info'] = 'When disabling DNSSEC keys are not going to be dele
$wb['error_not_allowed_server_id'] = 'The selected server is not allowed for this account.';
$wb['soa_cannot_be_changed_txt'] = 'Die Zone (SOA) kann nicht verändert werden. Bitte kontaktieren Sie ihren Administrator, um die Zone zu ändern.';
$wb['configuration_error_txt'] = 'CONFIGURATION ERROR';
+$wb['dnssec_algo_txt'] = 'DNSSEC Algorithm';
?>
diff --git a/interface/web/dns/lib/lang/pt_dns_soa.lng b/interface/web/dns/lib/lang/pt_dns_soa.lng
index bdcc1660ff0e7f4b9a348ce678520aea214d8ed9..7b6ac864a163decd043ef4d35429c532a3df92ee 100644
--- a/interface/web/dns/lib/lang/pt_dns_soa.lng
+++ b/interface/web/dns/lib/lang/pt_dns_soa.lng
@@ -41,4 +41,5 @@ $wb['dnssec_wanted_info'] = 'When disabling DNSSEC keys are not going to be dele
$wb['error_not_allowed_server_id'] = 'The selected server is not allowed for this account.';
$wb['soa_cannot_be_changed_txt'] = 'Die Zone (SOA) kann nicht verändert werden. Bitte kontaktieren Sie ihren Administrator, um die Zone zu ändern.';
$wb['configuration_error_txt'] = 'CONFIGURATION ERROR';
+$wb['dnssec_algo_txt'] = 'DNSSEC Algorithm';
?>
diff --git a/interface/web/dns/lib/lang/ro_dns_soa.lng b/interface/web/dns/lib/lang/ro_dns_soa.lng
index 40607318f713d7a08f4d87dd24425e1b0f60e44e..9ae957f2406129be0f0b27645946c2efe6ab713e 100644
--- a/interface/web/dns/lib/lang/ro_dns_soa.lng
+++ b/interface/web/dns/lib/lang/ro_dns_soa.lng
@@ -41,4 +41,5 @@ $wb['dnssec_wanted_info'] = 'When disabling DNSSEC keys are not going to be dele
$wb['error_not_allowed_server_id'] = 'The selected server is not allowed for this account.';
$wb['soa_cannot_be_changed_txt'] = 'Die Zone (SOA) kann nicht verändert werden. Bitte kontaktieren Sie ihren Administrator, um die Zone zu ändern.';
$wb['configuration_error_txt'] = 'CONFIGURATION ERROR';
+$wb['dnssec_algo_txt'] = 'DNSSEC Algorithm';
?>
diff --git a/interface/web/dns/lib/lang/ru_dns_soa.lng b/interface/web/dns/lib/lang/ru_dns_soa.lng
index 7bd15cd63858f16b496326756fe8b652902e63b7..f6043010d4e021d4d677e6fca002456e924cb3f3 100644
--- a/interface/web/dns/lib/lang/ru_dns_soa.lng
+++ b/interface/web/dns/lib/lang/ru_dns_soa.lng
@@ -41,4 +41,5 @@ $wb['dnssec_wanted_info'] = 'При отключении DNSSEC ключи не
$wb['error_not_allowed_server_id'] = 'Выбранный Ñервер не доÑтупен Ð´Ð»Ñ Ñтой учетной запиÑи.';
$wb['soa_cannot_be_changed_txt'] = 'Зона (SOA) не может быть изменена. ПожалуйÑта, обратитеÑÑŒ к админиÑтратору, чтобы изменить зону.';
$wb['configuration_error_txt'] = 'ОШИБКРКОÐФИГУРÐЦИИ';
+$wb['dnssec_algo_txt'] = 'DNSSEC Algorithm';
?>
diff --git a/interface/web/dns/lib/lang/se_dns_soa.lng b/interface/web/dns/lib/lang/se_dns_soa.lng
index cfeb2f9fde36215601657786424c558134aeb70b..8e380f85a3f79c217c0fc0fb59009e6e197bc64d 100644
--- a/interface/web/dns/lib/lang/se_dns_soa.lng
+++ b/interface/web/dns/lib/lang/se_dns_soa.lng
@@ -41,4 +41,5 @@ $wb['dnssec_wanted_info'] = 'When disabling DNSSEC keys are not going to be dele
$wb['error_not_allowed_server_id'] = 'The selected server is not allowed for this account.';
$wb['soa_cannot_be_changed_txt'] = 'Die Zone (SOA) kann nicht verändert werden. Bitte kontaktieren Sie ihren Administrator, um die Zone zu ändern.';
$wb['configuration_error_txt'] = 'CONFIGURATION ERROR';
+$wb['dnssec_algo_txt'] = 'DNSSEC Algorithm';
?>
diff --git a/interface/web/dns/lib/lang/sk_dns_soa.lng b/interface/web/dns/lib/lang/sk_dns_soa.lng
index 79d49eee92d6136f143f0d8a477f66c2b5b3a663..c96399cc4ec4b433264bfa75e111d3b66334d467 100644
--- a/interface/web/dns/lib/lang/sk_dns_soa.lng
+++ b/interface/web/dns/lib/lang/sk_dns_soa.lng
@@ -41,4 +41,5 @@ $wb['dnssec_wanted_info'] = 'When disabling DNSSEC keys are not going to be dele
$wb['error_not_allowed_server_id'] = 'The selected server is not allowed for this account.';
$wb['soa_cannot_be_changed_txt'] = 'Die Zone (SOA) kann nicht verändert werden. Bitte kontaktieren Sie ihren Administrator, um die Zone zu ändern.';
$wb['configuration_error_txt'] = 'CONFIGURATION ERROR';
+$wb['dnssec_algo_txt'] = 'DNSSEC Algorithm';
?>
diff --git a/interface/web/dns/lib/lang/tr_dns_soa.lng b/interface/web/dns/lib/lang/tr_dns_soa.lng
index fd39de04f5e9742c3717bb77a33e6d25908a1a16..e5d55678cbd42f76353d2923d1c5d252c9c6d81a 100644
--- a/interface/web/dns/lib/lang/tr_dns_soa.lng
+++ b/interface/web/dns/lib/lang/tr_dns_soa.lng
@@ -41,4 +41,5 @@ $wb['ttl_range_error'] = 'En düşük TTL süresi 60 saniyedir.';
$wb['error_not_allowed_server_id'] = 'Seçilmiş sunucuda bu hesap kullanılamaz.';
$wb['soa_cannot_be_changed_txt'] = 'Bölge (SOA) değiştirilemez. Lütfen bölgeyi değiştirmek için yöneticiniz ile görüşün.';
$wb['configuration_error_txt'] = 'YAPILANDIRMA SORUNU';
+$wb['dnssec_algo_txt'] = 'DNSSEC Algorithm';
?>
diff --git a/interface/web/dns/templates/dns_soa_edit.htm b/interface/web/dns/templates/dns_soa_edit.htm
index c34e8a341647dcb0972b7f784be7d3b26c8842a0..e16faac1aa5c4d9ea1641abb9f92ab70f631c5c4 100644
--- a/interface/web/dns/templates/dns_soa_edit.htm
+++ b/interface/web/dns/templates/dns_soa_edit.htm
@@ -136,6 +136,10 @@
<div class="col-sm-9">
{tmpl_var name='dnssec_wanted'}<br /><small>({tmpl_var name='dnssec_wanted_info'})</small>
</div>
+ </div>
+ <div class="form-group">
+ <label for="dnssec_algo" class="col-sm-3 control-label">{tmpl_var name='dnssec_algo_txt'}</label>
+ <div class="col-sm-9">{tmpl_var name='dnssec_algo'}</div>
</div>
<div class="form-group">
<label for="update_acl" class="col-sm-3 control-label">{tmpl_var name='dnssec_info_txt'}</label>
diff --git a/server/plugins-available/bind_plugin.inc.php b/server/plugins-available/bind_plugin.inc.php
index d4b4a7c01c0516e582c1128c6180a6d3e6320aa1..e915f447ffa3755a90d819e61ef2a72555f47ad1 100644
--- a/server/plugins-available/bind_plugin.inc.php
+++ b/server/plugins-available/bind_plugin.inc.php
@@ -97,21 +97,31 @@ class bind_plugin {
}
//* Verify that we do not already have keys (overwriting-protection)
- if (file_exists($dns_config['bind_zonefiles_dir'].'/dsset-'.$domain.'.')) {
- return $this->soa_dnssec_update($data);
- } else if ($data['new']['dnssec_initialized'] == 'Y') { //In case that we generated keys but the dsset-file was not generated
- $keycount=0;
- foreach (glob($dns_config['bind_zonefiles_dir'].'/K'.$domain.'*.key') as $keyfile) {
- $keycount++;
- }
- if ($keycount > 0) {
- $this->soa_dnssec_sign($data);
- return true;
+ if($data['old']['dnssec_algo'] == $data['new']['dnssec_algo']) {
+ if (file_exists($dns_config['bind_zonefiles_dir'].'/dsset-'.$domain.'.')) {
+ return $this->soa_dnssec_update($data);
+ } else if ($data['new']['dnssec_initialized'] == 'Y') { //In case that we generated keys but the dsset-file was not generated
+ $keycount=0;
+ foreach (glob($dns_config['bind_zonefiles_dir'].'/K'.$domain.'*.key') as $keyfile) {
+ $keycount++;
+ }
+ if ($keycount > 0) {
+ $this->soa_dnssec_sign($data);
+ return true;
+ }
}
}
- //Do some magic...
- $app->system->exec_safe('cd ?; dnssec-keygen -a NSEC3RSASHA1 -b 2048 -n ZONE ?; dnssec-keygen -f KSK -a NSEC3RSASHA1 -b 4096 -n ZONE ?', $dns_config['bind_zonefiles_dir'], $domain, $domain);
+ // Get DNSSEC Algorithms
+ $dnssec_algo = explode(',',$data['new']['dnssec_algo']);
+
+ //* Create the Zone Signing and Key Signing Keys
+ if(in_array('ECDSAP256SHA256',$dnssec_algo) && count(glob($dns_config['bind_zonefiles_dir'].'/K'.$domain.'.+013*.key')) == 0) {
+ $app->system->exec_safe('cd ?; dnssec-keygen -3 -a ECDSAP256SHA256 -n ZONE ?; dnssec-keygen -f KSK -3 -a ECDSAP256SHA256 -n ZONE ?', $dns_config['bind_zonefiles_dir'], $domain, $domain);
+ }
+ if(in_array('NSEC3RSASHA1',$dnssec_algo) && count(glob($dns_config['bind_zonefiles_dir'].'/K'.$domain.'.+007*.key')) == 0) {
+ $app->system->exec_safe('cd ?; dnssec-keygen -a NSEC3RSASHA1 -b 2048 -n ZONE ?; dnssec-keygen -f KSK -a NSEC3RSASHA1 -b 4096 -n ZONE ?', $dns_config['bind_zonefiles_dir'], $domain, $domain);
+ }
$this->soa_dnssec_sign($data); //Now sign the zone for the first time
$data['new']['dnssec_initialized']='Y';
@@ -130,24 +140,53 @@ class bind_plugin {
$domain = substr($data['new']['origin'], 0, strlen($data['new']['origin'])-1);
if (!file_exists($dns_config['bind_zonefiles_dir'].'/'.$filespre.$domain)) return false;
+ //* Get DNSSEC Algorithms
+ $dnssec_algo = explode(',',$data['new']['dnssec_algo']);
+
+ //* Get Zone file content
$zonefile = file_get_contents($dns_config['bind_zonefiles_dir'].'/'.$filespre.$domain);
$keycount=0;
- foreach (glob($dns_config['bind_zonefiles_dir'].'/K'.$domain.'*.key') as $keyfile) {
- $includeline = '$INCLUDE '.basename($keyfile);
- if (!preg_match('@'.preg_quote($includeline).'@', $zonefile)) $zonefile .= "\n".$includeline."\n";
- $keycount++;
+
+ //* Include ECDSAP256SHA256 keys in zone
+ if(in_array('ECDSAP256SHA256',$dnssec_algo)) {
+ foreach (glob($dns_config['bind_zonefiles_dir'].'/K'.$domain.'.+013*.key') as $keyfile) {
+ $includeline = '$INCLUDE '.basename($keyfile);
+ if (!preg_match('@'.preg_quote($includeline).'@', $zonefile)) $zonefile .= "\n".$includeline."\n";
+ $keycount++;
+ }
+ }
+
+ //* Include NSEC3RSASHA1 keys in zone
+ if(in_array('NSEC3RSASHA1',$dnssec_algo)) {
+ foreach (glob($dns_config['bind_zonefiles_dir'].'/K'.$domain.'.+007*.key') as $keyfile) {
+ $includeline = '$INCLUDE '.basename($keyfile);
+ if (!preg_match('@'.preg_quote($includeline).'@', $zonefile)) $zonefile .= "\n".$includeline."\n";
+ $keycount++;
+ }
}
- if ($keycount != 2) $app->log('DNSSEC Warning: There are more or less than 2 keyfiles for zone '.$domain, LOGLEVEL_WARN);
+
+ $keycount_wanted = count(explode(',',$data['new']['dnssec_algo']))*2;
+
+ if ($keycount != $keycount_wanted) $app->log('DNSSEC Warning: There are more or less than 2 keyfiles for each algorithm for zone '.$domain.'. Found: '.$keycount. ' Expected: '.$keycount_wanted, LOGLEVEL_WARN);
file_put_contents($dns_config['bind_zonefiles_dir'].'/'.$filespre.$domain, $zonefile);
- //Sign the zone and set it valid for max. 16 days
+ //* Sign the zone and set it valid for max. 16 days
$app->system->exec_safe('cd ?; dnssec-signzone -A -e +1382400 -3 $(head -c 1000 /dev/random | sha1sum | cut -b 1-16) -N increment -o ? -t ?', $dns_config['bind_zonefiles_dir'], $domain, $filespre.$domain);
- //Write Data back ino DB
+ //* Write Data back ino DB
$dnssecdata = "DS-Records:\n".file_get_contents($dns_config['bind_zonefiles_dir'].'/dsset-'.$domain.'.');
$dnssecdata .= "\n------------------------------------\n\nDNSKEY-Records:\n";
- foreach (glob($dns_config['bind_zonefiles_dir'].'/K'.$domain.'*.key') as $keyfile) {
- $dnssecdata .= file_get_contents($keyfile)."\n\n";
+
+ if(in_array('ECDSAP256SHA256',$dnssec_algo)) {
+ foreach (glob($dns_config['bind_zonefiles_dir'].'/K'.$domain.'.+013*.key') as $keyfile) {
+ $dnssecdata .= file_get_contents($keyfile)."\n\n";
+ }
+ }
+
+ if(in_array('NSEC3RSASHA1',$dnssec_algo)) {
+ foreach (glob($dns_config['bind_zonefiles_dir'].'/K'.$domain.'.+007*.key') as $keyfile) {
+ $dnssecdata .= file_get_contents($keyfile)."\n\n";
+ }
}
if ($app->dbmaster !== $app->db) $app->dbmaster->query('UPDATE dns_soa SET dnssec_info=?, dnssec_initialized=\'Y\', dnssec_last_signed=? WHERE id=?', $dnssecdata, intval(time()), intval($data['new']['id']));
@@ -198,7 +237,10 @@ class bind_plugin {
$domain = substr($data['new']['origin'], 0, strlen($data['new']['origin'])-1);
- unlink($dns_config['bind_zonefiles_dir'].'/K'.$domain.'.+*');
+ $key_files = glob($dns_config['bind_zonefiles_dir'].'/K'.$domain.'.+*');
+ foreach($key_files as $file) {
+ unlink($file);
+ }
unlink($dns_config['bind_zonefiles_dir'].'/'.$this->zone_file_prefix().$domain.'.signed');
unlink($dns_config['bind_zonefiles_dir'].'/dsset-'.$domain.'.');
@@ -308,12 +350,17 @@ class bind_plugin {
if($data['old']['origin'] != $data['new']['origin']) {
if (@$data['old']['dnssec_initialized'] == 'Y' && strlen(@$data['old']['origin']) > 3) $this->soa_dnssec_delete($data); //delete old keys
if ($data['new']['dnssec_wanted'] == 'Y') $this->soa_dnssec_create($data);
- }
- else if ($data['new']['dnssec_wanted'] == 'Y' && $data['old']['dnssec_initialized'] == 'N') $this->soa_dnssec_create($data);
- else if ($data['new']['dnssec_wanted'] == 'N' && $data['old']['dnssec_initialized'] == 'Y') { //delete old signed file if dnssec is no longer wanted
+ } elseif($data['old']['dnssec_algo'] != $data['new']['dnssec_algo']) {
+ $app->log("DNSSEC Algorithm has changed: ".$data['new']['dnssec_algo'], LOGLEVEL_DEBUG);
+ if ($data['new']['dnssec_wanted'] == 'Y') $this->soa_dnssec_create($data);
+ } elseif ($data['new']['dnssec_wanted'] == 'Y' && $data['old']['dnssec_initialized'] == 'N') {
+ $this->soa_dnssec_create($data);
+ } elseif ($data['new']['dnssec_wanted'] == 'N' && $data['old']['dnssec_initialized'] == 'Y') { //delete old signed file if dnssec is no longer wanted
$filename = $dns_config['bind_zonefiles_dir'].'/' . $this->zone_file_prefix() . str_replace("/", "_", substr($data['old']['origin'], 0, -1));
if(is_file($filename.'.signed')) unlink($filename.'.signed');
- } else if ($data['new']['dnssec_wanted'] == 'Y') $this->soa_dnssec_update($data);
+ } elseif ($data['new']['dnssec_wanted'] == 'Y') {
+ $this->soa_dnssec_update($data);
+ }
// END DNSSEC
//* rebuild the named.conf file if the origin has changed or when the origin is inserted.