From 22a85253671af52e4493367d33fb77373b7dd932 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?A=2E=20T=C3=A4ffner?=
Date: Wed, 20 Jan 2016 17:06:54 +0100
Subject: [PATCH] final commit? Will test now a last time and if everything works as expected this will be my merge request
---
 TODO.txt | 8 +++-----
 install/lib/installer_base.lib.php | 2 +-
 install/tpl/dnssec-create.sh.master | 11 ++++++++++-
 install/tpl/named.conf.options.master | 28 +++++++++++++++++++++++++++
 4 files changed, 42 insertions(+), 7 deletions(-)
 create mode 100644 install/tpl/named.conf.options.master
diff --git a/TODO.txt b/TODO.txt
index ce0de4f9e6..31212293ca 100644
--- a/TODO.txt
+++ b/TODO.txt
@@ -13,11 +13,9 @@ Installer
 --------------------------------------
 - Add a function to let a server join a existing installation.
-- Change named.options.conf and add follwoing lines into options-brackets for DNSSEC-Implementation:
- dnssec-enable yes;
- dnssec-validation yes;
- dnssec-lookaside auto;
-- Add Package haveged to requirements as it raises available entropy by more than 1500 which is very needed for DNSSEC Key-generation
+- Add Package haveged to requirements (at least if entropy is low) as it raises available entropy significantly which is very needed for DNSSEC Key-generation
+ If it is not installed and entropy is low generating dnssec-keys lasts minutes (and would time out the server thus is not done) and new signing keys are not generated.
+ If there are no keys the zones can not be signed and will only be availableas a unsigned copy.
 Uninstaller
 --------------------------------------
diff --git a/install/lib/installer_base.lib.php b/install/lib/installer_base.lib.php
index 7643043c9f..41701a3d12 100644
--- a/install/lib/installer_base.lib.php
+++ b/install/lib/installer_base.lib.php
@@ -1517,7 +1517,7 @@ class installer_base {
 $this->process_bind_file('dnssec-autopickup.sh', '/server/scripts/');
 $this->process_bind_file('dnssec-autocreate.sh', '/server/scripts/');
 $this->process_bind_file('dnssec-config.sh', '/server/scripts/');
-
+ $this->process_bind_file('named.conf.options', $conf['bind']['bind_zonefiles_dir']);
 }
diff --git a/install/tpl/dnssec-create.sh.master b/install/tpl/dnssec-create.sh.master
index 675fcb13c4..521c62042a 100644
--- a/install/tpl/dnssec-create.sh.master
+++ b/install/tpl/dnssec-create.sh.master
@@ -7,9 +7,18 @@ if [ "$mysqlcheck" = 0 ];then
 echo "$0 could not connect to database"
 exit 0
 fi
+
+if [ `cat /proc/sys/kernel/random/entropy_avail` -lt 400 ] ; then
+ echo "ERROR: DNSSEC is not working as available entropy is below 400. Please consider installing package haveged. Skipping generation of keys as well as signing..."
+ cp $filespre$domain $filespre$domain.signed
+ mysql -u $dbuser --password=$dbpass -h $dbhost -Bse "use $dbase; UPDATE dns_soa SET dnssec_info='Error during generation of keys. Please contact our support. Reason: Too less entropy available.', dnssec_initialized='N' WHERE origin='$domain.'"
+ exit 20
+fi
+
 mysqlcheck=`mysql -u $dbuser --password=$dbpass -h $dbhost -Bse "use $dbase; select * from dns_soa where dnssec_initialized='Y' and origin='$domain.';" | wc -c`
 if [ "$mysqlcheck" -gt 1 ];then
- echo "$domain seems to be initialized. If that is wrong correct dnssec_initialized in dns_soa table"
+ echo "DNSSEC: $domain seems to be initialized. If that is wrong correct dnssec_initialized in dns_soa table"
+ exit 0
 fi
 cd $bindpath
diff --git a/install/tpl/named.conf.options.master b/install/tpl/named.conf.options.master
new file mode 100644
index 0000000000..f13976ffd6
--- /dev/null
+++ b/install/tpl/named.conf.options.master
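Review bot: The added `process_bind_file('named.conf.options', $conf['bind']['bind_zonefiles_dir'])` call writes the template over the live `named.conf.options` on every installer or updater run, so forwarders, ACLs or `listen-on` settings an administrator has put there are silently replaced; the three sibling calls above only ship ISPConfig's own scripts, where overwriting is harmless. Unless `process_bind_file` already guards against this (I cannot tell from here), only install the template when no file exists yet, or keep a backup, e.g. `if(!is_file($conf['bind']['bind_zonefiles_dir'].'/named.conf.options')) $this->process_bind_file('named.conf.options', $conf['bind']['bind_zonefiles_dir']);`. The call also assumes the distribution keeps `named.conf.options` inside the zone-files directory, which matches a Debian-style layout but should be confirmed for the other layouts the installer handles. The enclosing method starts outside the hunk, and `$conf` is assumed to be in scope there as in the rest of the installer.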
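Review bot: The new UPDATE statement interpolates `$domain` straight into the `-Bse` SQL string, and the new `cp` line passes `$filespre$domain` unquoted, so a zone name containing a quote, whitespace or shell metacharacter corrupts the statement or the copy; `$domain`, `$filespre` and the database credentials are set outside the hunk, so how strictly they are validated before this point is not visible here. A cheap guard at the top of the script protects both the new lines and the existing SELECT a few lines down: `case "$domain" in ""|*[!A-Za-z0-9._-]*) echo "DNSSEC: refusing invalid domain name '$domain'"; exit 1;; esac`, plus double quotes around the `cp` operands. The `400` threshold and the distinct `exit 20` status are undocumented; a comment such as `# below ~400 bits key generation can block for minutes (see TODO.txt); 20 = zone left unsigned` would help whoever tunes them later. Note that on low entropy the unsigned zone is copied to the `.signed` name, so named keeps serving an unsigned zone until a later run succeeds — intentional per the TODO entry, but worth stating in the echo message.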
@@ -0,0 +1,28 @@
+options {
+ directory "/var/cache/bind";
+
+ // If there is a firewall between you and nameservers you want
+ // to talk to, you may need to fix the firewall to allow multiple
+ // ports to talk. See http://www.kb.cert.org/vuls/id/800113
+
+ // If your ISP provided one or more IP addresses for stable
+ // nameservers, you probably want to use them as forwarders.
+ // Uncomment the following block, and insert the addresses replacing
+ // the all-0's placeholder.
+
+ // forwarders {
+ // 0.0.0.0;
+ // };
+
+ //========================================================================
+ // If BIND logs error messages about the root key being expired,
+ // you will need to update your keys. See https://www.isc.org/bind-keys
+ //========================================================================
+ dnssec-enable yes;
+ dnssec-validation yes;
+ dnssec-lookaside auto;
+
+ auth-nxdomain no; # conform to RFC1035
+ listen-on-v6 { any; };
+};
+
-- 
GitLab
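Review bot: `dnssec-lookaside auto;` enables DLV lookaside validation, which ISC has since retired; newer BIND releases first deprecated and then dropped the option, and once named-checkconf no longer knows it, named refuses to start, so a template installed unconditionally can break name resolution after a distribution upgrade. Unless the installer pins a BIND version, drop that line and prefer `dnssec-validation auto;` over `yes`, since `yes` performs no validation unless trust anchors are also configured, whereas `auto` uses the built-in root anchor. The template also hard-codes `directory "/var/cache/bind";`, a Debian/Ubuntu path; on distributions with a different layout named cannot write its cache and journal files there, so the directory should come from the installer's bind configuration the same way the zone-files directory does. `auth-nxdomain no;` and `listen-on-v6 { any; };` are the stock Debian defaults and look fine.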