From b9f313bdc4992f64ed82ae998293df1e1626a4ff Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?A=2E=20T=C3=A4ffner?= <darkalex@firesplash.de>
Date: Thu, 21 Jan 2016 10:06:29 +0100
Subject: [PATCH] DNSSEC-Switch: Implementation finished, tested And found a
small bug (privkeys were not deleted on zone deletion) which is now fixed
Testing successful. Doing last test then if everything goes well this will be
the new merge request
---
install/tpl/dnssec-delete.sh.master | 1 +
install/tpl/dnssec-update.sh.master | 7 ++++---
interface/web/dns/lib/lang/de_dns_soa.lng | 1 +
interface/web/dns/lib/lang/en_dns_soa.lng | 1 +
interface/web/dns/templates/dns_soa_edit.htm | 6 +++---
server/plugins-available/bind_plugin.inc.php | 12 +++++-------
6 files changed, 15 insertions(+), 13 deletions(-)
diff --git a/install/tpl/dnssec-delete.sh.master b/install/tpl/dnssec-delete.sh.master
index 984d41a3d6..03d54b17c5 100644
--- a/install/tpl/dnssec-delete.sh.master
+++ b/install/tpl/dnssec-delete.sh.master
@@ -17,6 +17,7 @@ if [ "$mysqlcheck" = 0 ];then
fi
rm $bindpath/K$pardomain.+*.key
+rm $bindpath/K$pardomain.+*.private
rm "$bindpath/$filespre$pardomain.signed"
rm "$bindpath/dsset-$pardomain."
diff --git a/install/tpl/dnssec-update.sh.master b/install/tpl/dnssec-update.sh.master
index 5fd06942bc..1aeff9058a 100644
--- a/install/tpl/dnssec-update.sh.master
+++ b/install/tpl/dnssec-update.sh.master
@@ -1,13 +1,14 @@
#!/bin/bash
source {dnssec_conffile}
pardomain="${1::-1}"
+cd $bindpath
if [ ! -d $backuppath ]; then mkdir -p $backuppath; fi
#connect to database for testing
mysqlcheck=`mysql -u $dbuser --password=$dbpass -h $dbhost -Bse "use $dbase; show tables;" | wc -c`
if [ "$mysqlcheck" = 0 ];then
echo "$0 could not connect to database"
- cd $curdir
+ cd $curpath
exit 0
fi
@@ -33,8 +34,8 @@ mysqlcheck=`mysql -u $dbuser --password=$dbpass -h $dbhost -Bse "use $dbase; sel
fi
/usr/sbin/dnssec-signzone -A -3 $(head -c 1000 /dev/random | sha1sum | cut -b 1-16) -N increment -o $domain -t $filespre$domain
- mysql -u $dbuser --password=$dbpass -h $dbhost -Bse "use $dbase; update dns_soa set serial='$fserial' where origin='$domain.'; update dns_rr set serial='$fserial' WHERE zone=$zoneid"
+ mysql -u $dbuser --password=$dbpass -h $dbhost -Bse "use $dbase; update dns_soa set serial='$fserial', dnssec_info='`cat /tmp/.dnssec-$domain`' where origin='$domain.'; update dns_rr set serial='$fserial' WHERE zone=$zoneid"
echo "DNSSEC for $pardomain has been configured"
-cd $curdir
+cd $curpath
exit 0
diff --git a/interface/web/dns/lib/lang/de_dns_soa.lng b/interface/web/dns/lib/lang/de_dns_soa.lng
index 3cb6ebf248..6c475ed072 100644
--- a/interface/web/dns/lib/lang/de_dns_soa.lng
+++ b/interface/web/dns/lib/lang/de_dns_soa.lng
@@ -13,6 +13,7 @@ $wb['xfer_txt'] = 'Zonentransfer zu diesen IP Adressen erlauben (mit Komma getre
$wb['active_txt'] = 'Aktiv';
$wb['dnssec_info_txt'] = 'DNSSEC DS-Daten für Registry';
$wb['dnssec_wanted_txt'] = 'Zone signieren (DNSSEC)';
+$wb['dnssec_wanted_info'] = 'Wenn DNSSEC bereits aktiviert war und ein Key erstellt wurde, wird dieser durch deaktivieren nicht gelöscht. Die Zone wird dann jedoch nicht länger signiert ausgeliefert.';
$wb['limit_dns_zone_txt'] = 'Die maximale Anzahl an DNS Einträgen für Ihr Konto wurde erreicht.';
$wb['client_txt'] = 'Kunde';
$wb['no_zone_perm'] = 'Sie haben nicht die Berechtigung, einen Eintrag zu dieser DNS Zone hinzuzufügen.';
diff --git a/interface/web/dns/lib/lang/en_dns_soa.lng b/interface/web/dns/lib/lang/en_dns_soa.lng
index 12f81dd225..9018a6f38f 100644
--- a/interface/web/dns/lib/lang/en_dns_soa.lng
+++ b/interface/web/dns/lib/lang/en_dns_soa.lng
@@ -13,6 +13,7 @@ $wb["xfer_txt"] = 'Allow zone transfers to <br />these IPs (comma separated list
$wb["active_txt"] = 'Active';
$wb['dnssec_info_txt'] = 'DNSSEC DS-Data for registry';
$wb['dnssec_wanted_txt'] = 'Sign zone (DNSSEC)';
+$wb['dnssec_wanted_info'] = 'When disabling DNSSEC keys are not going to be deleted if DNSSEC was enabled before and keys already have been generated but the zone will no longer be delievered in signed format afterwards.';
$wb["limit_dns_zone_txt"] = 'The max. number of DNS zones for your account is reached.';
$wb["client_txt"] = 'Client';
$wb["no_zone_perm"] = 'You do not have the permission to add a record to this DNS zone.';
diff --git a/interface/web/dns/templates/dns_soa_edit.htm b/interface/web/dns/templates/dns_soa_edit.htm
index 91833bccef..be2e7fa831 100644
--- a/interface/web/dns/templates/dns_soa_edit.htm
+++ b/interface/web/dns/templates/dns_soa_edit.htm
@@ -128,12 +128,12 @@
<div class="form-group">
<label class="col-sm-3 control-label">{tmpl_var name='dnssec_wanted_txt'}</label>
<div class="col-sm-9">
- {tmpl_var name='dnssec_wanted'}
- </div>
+ {tmpl_var name='dnssec_wanted'}<br /><small>({tmpl_var name='dnssec_wanted_info'})</small>
+ </div>
</div>
<div class="form-group">
<label for="update_acl" class="col-sm-3 control-label">{tmpl_var name='dnssec_info_txt'}</label>
- <div class="col-sm-9"><textarea readonly="true" rows="5" class="form-control">{tmpl_var name='dnssec_info'}</textarea></div>
+ <div class="col-sm-9"><textarea readonly="true" rows="5" id="dnssec_info" name="dnssec_info" class="form-control">{tmpl_var name='dnssec_info'}</textarea></div>
</div>
<input type="hidden" name="id" value="{tmpl_var name='id'}">
diff --git a/server/plugins-available/bind_plugin.inc.php b/server/plugins-available/bind_plugin.inc.php
index 3836e7e05c..c74f198885 100644
--- a/server/plugins-available/bind_plugin.inc.php
+++ b/server/plugins-available/bind_plugin.inc.php
@@ -151,9 +151,8 @@ class bind_plugin {
if (@$data['old']['dnssec_initialized'] == 'Y' && strlen(@$data['old']['origin']) > 3) exec('/usr/local/ispconfig/server/scripts/dnssec-delete.sh '.escapeshellcmd($data['old']['origin'])); //delete old keys
if ($data['new']['dnssec_wanted'] == 'Y') exec('/usr/local/ispconfig/server/scripts/dnssec-create.sh '.escapeshellcmd($data['new']['origin'])); //Create new keys for new origin
}
- if ($data['new']['dnssec_wanted'] == 'Y' AND $data['new']['dnssec_initialized'] == 'N') if ($data['new']['dnssec_wanted'] == 'Y') exec('/usr/local/ispconfig/server/scripts/dnssec-create.sh '.escapeshellcmd($data['new']['origin'])); //Create new keys for new origin
- else if ($data['old']['dnssec_wanted'] == 'Y') exec('/usr/local/ispconfig/server/scripts/dnssec-update.sh '.escapeshellcmd($data['new']['origin']));
- if($data['old']['dnssec_initialized'] == 'Y' && $data['new']['dnssec_wanted'] == 'N') { //delete old signed file if dnssec is no longer wanted
+ else if ($data['new']['dnssec_wanted'] == 'Y' && $data['old']['dnssec_initialized'] == 'N') exec('/usr/local/ispconfig/server/scripts/dnssec-create.sh '.escapeshellcmd($data['new']['origin'])); //Create new keys for new origin
+ else if ($data['new']['dnssec_wanted'] == 'N' && $data['old']['dnssec_initialized'] == 'Y') { //delete old signed file if dnssec is no longer wanted
//TODO : change this when distribution information has been integrated into server record
if (file_exists('/etc/gentoo-release')) {
$filename = $dns_config['bind_zonefiles_dir'].'/pri/'.str_replace("/", "_", substr($data['old']['origin'], 0, -1));
@@ -162,7 +161,7 @@ class bind_plugin {
$filename = $dns_config['bind_zonefiles_dir'].'/pri.'.str_replace("/", "_", substr($data['old']['origin'], 0, -1));
}
if(is_file($filename.'.signed')) unlink($filename.'.signed');
- }
+ } else if ($data['new']['dnssec_wanted'] == 'Y') exec('/usr/local/ispconfig/server/scripts/dnssec-update.sh '.escapeshellcmd($data['new']['origin']));
// END DNSSEC
//* rebuild the named.conf file if the origin has changed or when the origin is inserted.
@@ -346,7 +345,7 @@ class bind_plugin {
global $app, $conf;
//* Only write the master file for the current server
- $tmps = $app->db->queryAllRecords("SELECT origin, xfer, also_notify, update_acl, dnssec_initialized FROM dns_soa WHERE active = 'Y' AND server_id=?", $conf["server_id"]);
+ $tmps = $app->db->queryAllRecords("SELECT origin, xfer, also_notify, update_acl, dnssec_wanted FROM dns_soa WHERE active = 'Y' AND server_id=?", $conf["server_id"]);
$zones = array();
//* Check if the current zone that triggered this function has at least one NS record
@@ -364,9 +363,8 @@ class bind_plugin {
//* Loop trough zones
foreach($tmps as $tmp) {
-
$zone_file = $pri_zonefiles_path.str_replace("/", "_", substr($tmp['origin'], 0, -1));
- if ($tmp['dnssec_initialized'] == 'Y') $zone_file .= '.signed' //.signed is for DNSSEC-Implementation
+ if ($tmp['dnssec_wanted'] == 'Y') $zone_file .= '.signed'; //.signed is for DNSSEC-Implementation
$options = '';
if(trim($tmp['xfer']) != '') {
--
GitLab