Commit 6863f325 authored by Till Brehm's avatar Till Brehm

Reimplemented DNSSEC signing.

parent 906eaa19
......@@ -66,6 +66,6 @@ ALTER TABLE `client` CHANGE `id_rsa` `id_rsa` TEXT CHARACTER SET utf8 COLLATE ut
ALTER TABLE `directive_snippets` ADD `update_sites` ENUM('y','n') NOT NULL DEFAULT 'n' ;
-- Add DNSSEC Algorithm setting
ALTER TABLE `dns_soa` ADD `dnssec_algo` ENUM('sha1','sha256') NULL DEFAULT NULL AFTER `dnssec_wanted`;
UPDATE `dns_soa` SET `dnssec_algo` = 'sha1' WHERE `dnssec_algo` IS NULL;
ALTER TABLE `dns_soa` CHANGE `dnssec_algo` `dnssec_algo` ENUM('sha1','sha256') CHARACTER SET utf8 COLLATE utf8_general_ci NOT NULL DEFAULT 'sha256';
ALTER TABLE `dns_soa` ADD `dnssec_algo` SET('NSEC3RSASHA1','ECDSAP256SHA256') NULL DEFAULT NULL AFTER `dnssec_wanted`;
UPDATE `dns_soa` SET `dnssec_algo` = 'NSEC3RSASHA1' WHERE `dnssec_algo` IS NULL;
ALTER TABLE `dns_soa` CHANGE `dnssec_algo` `dnssec_algo` SET('NSEC3RSASHA1','ECDSAP256SHA256') CHARACTER SET utf8 COLLATE utf8_general_ci NOT NULL DEFAULT 'ECDSAP256SHA256';
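Review bot: The `UPDATE` on the second added line assigns `NSEC3RSASHA1` to every row whose algorithm is NULL regardless of whether the zone has ever been signed, so zones with `dnssec_wanted = 'N'` that an operator enables later will be keyed with algorithm 7 instead of the ECDSAP256SHA256 default the schema intends. Keeping algorithm 7 is right for zones that already have RSA-SHA1 keys, since their DS record at the parent depends on it, but the backfill should be limited to those, e.g. `UPDATE dns_soa SET dnssec_algo = 'NSEC3RSASHA1' WHERE dnssec_algo IS NULL AND dnssec_initialized = 'Y';` followed by `UPDATE dns_soa SET dnssec_algo = 'ECDSAP256SHA256' WHERE dnssec_algo IS NULL;` before the NOT NULL change. An installation that already ran the previous revision of this file has the column as ENUM('sha1','sha256'), and the `ADD` will fail on it; if that case matters, a `CHANGE` with a value mapping would be needed instead.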
......@@ -626,7 +626,7 @@ CREATE TABLE `dns_soa` (
`update_acl` varchar(255) default NULL,
`dnssec_initialized` ENUM('Y','N') NOT NULL DEFAULT 'N',
`dnssec_wanted` ENUM('Y','N') NOT NULL DEFAULT 'N',
`dnssec_algo` ENUM('sha1','sha256') NOT NULL DEFAULT 'sha256',
`dnssec_algo` SET('NSEC3RSASHA1','ECDSAP256SHA256') NOT NULL DEFAULT 'ECDSAP256SHA256',
`dnssec_last_signed` BIGINT NOT NULL DEFAULT '0',
`dnssec_info` TEXT NULL,
PRIMARY KEY (`id`),
......@@ -296,6 +296,8 @@ function onSubmit() {
$this->dataRecord["xfer"] = preg_replace('/\s+/', '', $this->dataRecord["xfer"]);
$this->dataRecord["also_notify"] = preg_replace('/\s+/', '', $this->dataRecord["also_notify"]);
if(isset($this->dataRecord['dnssec_wanted']) && $this->dataRecord['dnssec_wanted'] == 'Y' && $this->dataRecord['dnssec_algo'] == '') $this->dataRecord['dnssec_algo'] = 'ECDSAP256SHA256';
//* Check if a secondary zone with the same name already exists
$tmp = $app->db->queryOneRecord("SELECT count(id) as number FROM dns_slave WHERE origin = ? AND server_id = ?", $this->dataRecord["origin"], $this->dataRecord["server_id"]);
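Review bot: The fallback on the added line compares `$this->dataRecord['dnssec_algo']` with `''`, but when the CHECKBOXARRAY is submitted with nothing ticked the key may be absent from dataRecord, which raises an undefined-index notice before the default is applied. `empty()` covers both the missing and the empty case: `if(isset($this->dataRecord['dnssec_wanted']) && $this->dataRecord['dnssec_wanted'] == 'Y' && empty($this->dataRecord['dnssec_algo'])) $this->dataRecord['dnssec_algo'] = 'ECDSAP256SHA256';`. Nothing in this hunk restricts the submitted names to the two known algorithms; if the form layer does not whitelist CHECKBOXARRAY values, an unknown name is only stopped by the SET column, and on a server not running strict SQL mode it may be silently truncated to an empty set, which is worth confirming. onSubmit starts before this hunk.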
......@@ -339,7 +339,7 @@ if($_POST['create'] == 1) {
$section = '';
$vars = array();
$vars['xfer']='';
$vars['dnssec_algo']='sha256';
$vars['dnssec_algo']='ECDSAP256SHA256';
$dns_rr = array();
foreach($tpl_rows as $row) {
$row = trim($row);
......@@ -278,9 +278,10 @@ $form["tabs"]['dns_soa'] = array (
),
'dnssec_algo' => array (
'datatype' => 'VARCHAR',
'formtype' => 'SELECT',
'default' => 'sha256',
'value' => array('sha1' => 'SHA1','sha256' => 'SHA256'),
'formtype' => 'CHECKBOXARRAY',
'separator' => ',',
'default' => 'ECDSAP256SHA256',
'value' => array('NSEC3RSASHA1' => '7 (NSEC3RSASHA1)','ECDSAP256SHA256' => '13 (ECDSAP256SHA256)'),
'width' => '30',
'maxlength' => '255'
),
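Review bot: The option list on the `'value'` line presents algorithm 7 on equal footing with 13, yet RFC 8624 marks RSASHA1-NSEC3-SHA1 as NOT RECOMMENDED for signing, so the label is the natural place to steer operators, e.g. `'NSEC3RSASHA1' => '7 (NSEC3RSASHA1, legacy, not recommended for new zones)'`. The field also carries no `'validators'` entry in this hunk, so unless the form engine checks CHECKBOXARRAY values against `'value'` itself, the submitted names are constrained only by the database SET column; one of the two should be confirmed to enforce it. The `$form` array continues outside the hunk.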
......@@ -110,10 +110,14 @@ class bind_plugin {
}
}
// Get DNSSEC Algorithms
$dnssec_algo = explode(',',$data['new']['dnssec_algo']);
//Do some magic...
if($data['new']['dnssec_algo'] == 'sha256') {
if(in_array('ECDSAP256SHA256',$dnssec_algo)) {
$app->system->exec_safe('cd ?; dnssec-keygen -3 -a ECDSAP256SHA256 -n ZONE ?; dnssec-keygen -f KSK -3 -a ECDSAP256SHA256 -n ZONE ?', $dns_config['bind_zonefiles_dir'], $domain, $domain);
} else {
}
if(in_array('NSEC3RSASHA1',$dnssec_algo)) {
$app->system->exec_safe('cd ?; dnssec-keygen -a NSEC3RSASHA1 -b 2048 -n ZONE ?; dnssec-keygen -f KSK -a NSEC3RSASHA1 -b 4096 -n ZONE ?', $dns_config['bind_zonefiles_dir'], $domain, $domain);
}
......@@ -141,7 +145,10 @@ class bind_plugin {
if (!preg_match('@'.preg_quote($includeline).'@', $zonefile)) $zonefile .= "\n".$includeline."\n";
$keycount++;
}
if ($keycount != 2) $app->log('DNSSEC Warning: There are more or less than 2 keyfiles for zone '.$domain, LOGLEVEL_WARN);
$keycount_wanted = count(explode(',',$data['new']['dnssec_algo']))*2;
if ($keycount != $keycount_wanted) $app->log('DNSSEC Warning: There are more or less than 2 keyfiles for each algorithm for zone '.$domain, LOGLEVEL_WARN);
file_put_contents($dns_config['bind_zonefiles_dir'].'/'.$filespre.$domain, $zonefile);
//Sign the zone and set it valid for max. 16 days
......@@ -309,9 +316,11 @@ class bind_plugin {
}
//* DNSSEC-Implementation
if($data['old']['origin'] != $data['new']['origin'] || $data['old']['dnssec_algo'] != $data['new']['dnssec_algo']) {
if($data['old']['origin'] != $data['new']['origin']) {
if (@$data['old']['dnssec_initialized'] == 'Y' && strlen(@$data['old']['origin']) > 3) $this->soa_dnssec_delete($data); //delete old keys
if ($data['new']['dnssec_wanted'] == 'Y') $this->soa_dnssec_create($data);
if ($data['new']['dnssec_wanted'] == 'Y') $this->soa_dnssec_create($data);
} elseif($data['old']['dnssec_algo'] != $data['new']['dnssec_algo']) {
if ($data['new']['dnssec_wanted'] == 'Y') $this->soa_dnssec_create($data);
} elseif ($data['new']['dnssec_wanted'] == 'Y' && $data['old']['dnssec_initialized'] == 'N') {
$this->soa_dnssec_create($data);
} elseif ($data['new']['dnssec_wanted'] == 'N' && $data['old']['dnssec_initialized'] == 'Y') { //delete old signed file if dnssec is no longer wanted
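Review bot: When only `dnssec_algo` changes (the new `elseif` branch), `soa_dnssec_create` runs without the `soa_dnssec_delete` that the origin-change branch performs, so the key files of an algorithm that was deselected remain in `bind_zonefiles_dir`; unless soa_dnssec_create prunes them before line 110, the include loop earlier in the file appears to add every key file it finds, and the `$keycount != $keycount_wanted` test only logs a warning. Keeping the old keys while a new algorithm is added is what an algorithm rollover needs, but dropping an algorithm should remove its K*.key/K*.private files, e.g. by iterating `array_diff(explode(',', $data['old']['dnssec_algo']), explode(',', $data['new']['dnssec_algo']))`, and in both directions the DS at the parent must be updated, which nothing here does. Separately, if neither `in_array` matches (an empty set slips through, since `count(explode(',', ''))` is 1 and `$keycount_wanted` becomes 2), no keys are generated yet the method carries on toward signing; a guard such as `if(!array_intersect($dnssec_algo, array('NSEC3RSASHA1','ECDSAP256SHA256'))) { $app->log('DNSSEC: no supported algorithm selected for zone '.$domain, LOGLEVEL_WARN); return; }` would stop before an unkeyed zone is signed. Both enclosing methods start and end outside these hunks.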