Commit 906eaa19 authored by Till Brehm's avatar Till Brehm

Implemented #4561: SHA256 (ECDSAP256SHA256) Algorithm for DNNSEC and Algorithm...

Implemented #4561: SHA256 (ECDSAP256SHA256) Algorithm for DNSSEC and Algorithm selector in DNS zone settings.
parent 029e6435
Pipeline #3934 passed with stage
in 7 minutes and 44 seconds
......@@ -65,3 +65,7 @@ ALTER TABLE `client` CHANGE `id_rsa` `id_rsa` TEXT CHARACTER SET utf8 COLLATE ut
ALTER TABLE `directive_snippets` ADD `update_sites` ENUM('y','n') NOT NULL DEFAULT 'n' ;
-- Add DNSSEC Algorithm setting
ALTER TABLE `dns_soa` ADD `dnssec_algo` ENUM('sha1','sha256') NULL DEFAULT NULL AFTER `dnssec_wanted`;
UPDATE `dns_soa` SET `dnssec_algo` = 'sha1' WHERE `dnssec_algo` IS NULL;
ALTER TABLE `dns_soa` CHANGE `dnssec_algo` `dnssec_algo` ENUM('sha1','sha256') CHARACTER SET utf8 COLLATE utf8_general_ci NOT NULL DEFAULT 'sha256';
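Review bot: The three `dns_soa` statements depend on an ordering that the single comment `-- Add DNSSEC Algorithm setting` does not explain: rows that exist at upgrade time are pinned to 'sha1' before the column default switches to 'sha256', presumably because their keys were generated with NSEC3RSASHA1. The enum labels also name only the hash, while the plugin maps them to different key types (RSA versus ECDSA P-256). A fuller comment would make both points visible to the next maintainer, e.g. `-- Existing zones keep 'sha1' (NSEC3RSASHA1, matches their current keys); new zones default to 'sha256' (ECDSAP256SHA256)`.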
......@@ -626,6 +626,7 @@ CREATE TABLE `dns_soa` (
`update_acl` varchar(255) default NULL,
`dnssec_initialized` ENUM('Y','N') NOT NULL DEFAULT 'N',
`dnssec_wanted` ENUM('Y','N') NOT NULL DEFAULT 'N',
`dnssec_algo` ENUM('sha1','sha256') NOT NULL DEFAULT 'sha256',
`dnssec_last_signed` BIGINT NOT NULL DEFAULT '0',
`dnssec_info` TEXT NULL,
PRIMARY KEY (`id`),
......@@ -2501,7 +2502,7 @@ INSERT INTO `country` (`iso`, `name`, `printable_name`, `iso3`, `numcode`, `eu`)
-- Dumping data for table `dns_template`
--
INSERT INTO `dns_template` (`template_id`, `sys_userid`, `sys_groupid`, `sys_perm_user`, `sys_perm_group`, `sys_perm_other`, `name`, `fields`, `template`, `visible`) VALUES (1, 1, 1, 'riud', 'riud', '', 'Default', 'DOMAIN,IP,NS1,NS2,EMAIL,DKIM,DNSSEC', '[ZONE]\norigin={DOMAIN}.\nns={NS1}.\nmbox={EMAIL}.\nrefresh=7200\nretry=540\nexpire=604800\nminimum=3600\nttl=3600\n\n[DNS_RECORDS]\nA|{DOMAIN}.|{IP}|0|3600\nA|www|{IP}|0|3600\nA|mail|{IP}|0|3600\nNS|{DOMAIN}.|{NS1}.|0|3600\nNS|{DOMAIN}.|{NS2}.|0|3600\nMX|{DOMAIN}.|mail.{DOMAIN}.|10|3600\nTXT|{DOMAIN}.|v=spf1 mx a ~all|0|3600', 'y');
INSERT INTO `dns_template` (`template_id`, `sys_userid`, `sys_groupid`, `sys_perm_user`, `sys_perm_group`, `sys_perm_other`, `name`, `fields`, `template`, `visible`) VALUES (1, 1, 1, 'riud', 'riud', '', 'Default', 'DOMAIN,IP,NS1,NS2,EMAIL,DKIM,DNSSEC', '[ZONE]\norigin={DOMAIN}.\nns={NS1}.\nmbox={EMAIL}.\nrefresh=7200\nretry=540\nexpire=604800\nminimum=3600\nttl=3600\ndnssec_algo=sha256\n\n[DNS_RECORDS]\nA|{DOMAIN}.|{IP}|0|3600\nA|www|{IP}|0|3600\nA|mail|{IP}|0|3600\nNS|{DOMAIN}.|{NS1}.|0|3600\nNS|{DOMAIN}.|{NS2}.|0|3600\nMX|{DOMAIN}.|mail.{DOMAIN}.|10|3600\nTXT|{DOMAIN}.|v=spf1 mx a ~all|0|3600', 'y');
-- --------------------------------------------------------
......
......@@ -339,6 +339,7 @@ if($_POST['create'] == 1) {
$section = '';
$vars = array();
$vars['xfer']='';
$vars['dnssec_algo']='sha256';
$dns_rr = array();
foreach($tpl_rows as $row) {
$row = trim($row);
......@@ -398,6 +399,7 @@ if($_POST['create'] == 1) {
$xfer = $vars['xfer'];
$also_notify = $vars['also_notify'];
$update_acl = $vars['update_acl'];
$dnssec_algo = $vars['dnssec_algo'];
$serial = $app->validate_dns->increase_serial(0);
$insert_data = array(
......@@ -420,7 +422,8 @@ if($_POST['create'] == 1) {
"xfer" => $xfer,
"also_notify" => $also_notify,
"update_acl" => $update_acl,
"dnssec_wanted" => $enable_dnssec
"dnssec_wanted" => $enable_dnssec,
"dnssec_algo" => $dnssec_algo
);
$dns_soa_id = $app->db->datalogInsert('dns_soa', $insert_data, 'id');
if($dns_soa_id > 0) $app->plugin->raiseEvent('dns:wizard:on_after_insert', $dns_soa_id);
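Review bot: `$dnssec_algo` is copied from `$vars['dnssec_algo']` into `$insert_data` without being checked against the two values the column accepts. `$vars` is filled from the template rows in a loop that lies mostly outside these hunks, so a template carrying any other `dnssec_algo=` value would presumably reach `datalogInsert`; depending on the SQL mode, MySQL then either rejects the row or stores an empty ENUM value, and the `else` branch in bind_plugin would key such a zone with NSEC3RSASHA1. A guard before `$insert_data` is built keeps the intended default: `if(!in_array($dnssec_algo, array('sha1', 'sha256'), true)) $dnssec_algo = 'sha256';`. The `dnssec_algo` field added to the dns_soa form definition likewise shows no validator in its hunk, so whether posted values are restricted to the select options depends on form handling that is not visible here.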
......
......@@ -276,6 +276,14 @@ $form["tabs"]['dns_soa'] = array (
'default' => 'Y',
'value' => array(0 => 'N', 1 => 'Y')
),
'dnssec_algo' => array (
'datatype' => 'VARCHAR',
'formtype' => 'SELECT',
'default' => 'sha256',
'value' => array('sha1' => 'SHA1','sha256' => 'SHA256'),
'width' => '30',
'maxlength' => '255'
),
'dnssec_info' => array (
'datatype' => 'TEXT',
'formtype' => 'TEXTAREA',
......
......@@ -41,4 +41,5 @@ $wb['dnssec_wanted_info'] = 'When disabling DNSSEC keys are not going to be dele
$wb['error_not_allowed_server_id'] = 'The selected server is not allowed for this account.';
$wb['soa_cannot_be_changed_txt'] = 'Die Zone (SOA) kann nicht verändert werden. Bitte kontaktieren Sie ihren Administrator, um die Zone zu ändern.';
$wb['configuration_error_txt'] = 'CONFIGURATION ERROR';
$wb['dnssec_algo_txt'] = 'DNSSEC Algorithm';
?>
......@@ -41,4 +41,5 @@ $wb['dnssec_wanted_info'] = 'When disabling DNSSEC keys are not going to be dele
$wb['error_not_allowed_server_id'] = 'The selected server is not allowed for this account.';
$wb['soa_cannot_be_changed_txt'] = 'Die Zone (SOA) kann nicht verändert werden. Bitte kontaktieren Sie ihren Administrator, um die Zone zu ändern.';
$wb['configuration_error_txt'] = 'CONFIGURATION ERROR';
$wb['dnssec_algo_txt'] = 'DNSSEC Algorithm';
?>
......@@ -41,4 +41,5 @@ $wb['ttl_range_error'] = 'Intervalo mínimo do TTL são 60 segundos.';
$wb['error_not_allowed_server_id'] = 'O servidor selecionado não é permitido para esta conta.';
$wb['soa_cannot_be_changed_txt'] = 'A zona (SOA) não pode ser alterada. Por favor, contate o administrador se deseja alterar esta zona.';
$wb['configuration_error_txt'] = 'ERRO DE CONFIGURAÇÃO';
$wb['dnssec_algo_txt'] = 'DNSSEC Algorithm';
?>
......@@ -41,4 +41,5 @@ $wb['dnssec_wanted_info'] = 'When disabling DNSSEC keys are not going to be dele
$wb['error_not_allowed_server_id'] = 'The selected server is not allowed for this account.';
$wb['soa_cannot_be_changed_txt'] = 'Die Zone (SOA) kann nicht verändert werden. Bitte kontaktieren Sie ihren Administrator, um die Zone zu ändern.';
$wb['configuration_error_txt'] = 'CONFIGURATION ERROR';
$wb['dnssec_algo_txt'] = 'DNSSEC Algorithm';
?>
......@@ -41,4 +41,5 @@ $wb['dnssec_wanted_info'] = 'Když deaktivujete DNSSEC klíče nebudou odstraně
$wb['error_not_allowed_server_id'] = 'Vybraný server není pro tento účet povolen.';
$wb['soa_cannot_be_changed_txt'] = 'Die Zone (SOA) kann nicht verändert werden. Bitte kontaktieren Sie ihren Administrator, um die Zone zu ändern.';
$wb['configuration_error_txt'] = 'CONFIGURATION ERROR';
$wb['dnssec_algo_txt'] = 'DNSSEC Algorithm';
?>
......@@ -41,4 +41,5 @@ $wb['xfer_error_regex'] = 'Zonentransfer: Verwenden Sie eine oder mehrere durch
$wb['soa_cannot_be_changed_txt'] = 'Die Zone (SOA) kann nicht verändert werden. Bitte kontaktieren Sie ihren Administrator, um die Zone zu ändern.';
$wb['error_not_allowed_server_id'] = 'The selected server is not allowed for this account.';
$wb['configuration_error_txt'] = 'CONFIGURATION ERROR';
$wb['dnssec_algo_txt'] = 'DNSSEC Algorithmus';
?>
......@@ -41,4 +41,5 @@ $wb['dnssec_wanted_info'] = 'When disabling DNSSEC keys are not going to be dele
$wb['error_not_allowed_server_id'] = 'The selected server is not allowed for this account.';
$wb['soa_cannot_be_changed_txt'] = 'The Zone (SOA) can not be changed. Please contact your administrator to change the zone.';
$wb['configuration_error_txt'] = 'CONFIGURATION ERROR';
$wb['dnssec_algo_txt'] = 'DNSSEC Algorithm';
?>
......@@ -41,4 +41,5 @@ $wb['dnssec_wanted_info'] = 'When disabling DNSSEC keys are not going to be dele
$wb['error_not_allowed_server_id'] = 'The selected server is not allowed for this account.';
$wb['soa_cannot_be_changed_txt'] = 'Die Zone (SOA) kann nicht verändert werden. Bitte kontaktieren Sie ihren Administrator, um die Zone zu ändern.';
$wb['configuration_error_txt'] = 'CONFIGURATION ERROR';
$wb['dnssec_algo_txt'] = 'DNSSEC Algorithm';
?>
......@@ -41,4 +41,5 @@ $wb['ttl_range_error'] = 'Min. TTL time is 60 seconds.';
$wb['error_not_allowed_server_id'] = 'The selected server is not allowed for this account.';
$wb['soa_cannot_be_changed_txt'] = 'The Zone (SOA) can not be changed. Please contact your administrator to change the zone.';
$wb['configuration_error_txt'] = 'CONFIGURATION ERROR';
$wb['dnssec_algo_txt'] = 'DNSSEC Algorithm';
?>
......@@ -41,4 +41,5 @@ $wb['update_acl_txt'] = 'Actualizar ACL';
$wb['xfer_error_regex'] = 'Notificar también a: Por favor, usa una dirección IP.';
$wb['xfer_txt'] = 'Permitir transferencia de zonas a<br />estas IP (lista separada por comas)';
$wb['configuration_error_txt'] = 'CONFIGURATION ERROR';
$wb['dnssec_algo_txt'] = 'DNSSEC Algorithm';
?>
......@@ -41,4 +41,5 @@ $wb['dnssec_wanted_info'] = 'When disabling DNSSEC keys are not going to be dele
$wb['error_not_allowed_server_id'] = 'The selected server is not allowed for this account.';
$wb['soa_cannot_be_changed_txt'] = 'Die Zone (SOA) kann nicht verändert werden. Bitte kontaktieren Sie ihren Administrator, um die Zone zu ändern.';
$wb['configuration_error_txt'] = 'CONFIGURATION ERROR';
$wb['dnssec_algo_txt'] = 'DNSSEC Algorithm';
?>
......@@ -41,4 +41,5 @@ $wb['dnssec_wanted_info'] = 'When disabling DNSSEC keys are not going to be dele
$wb['error_not_allowed_server_id'] = 'The selected server is not allowed for this account.';
$wb['soa_cannot_be_changed_txt'] = 'Die Zone (SOA) kann nicht verändert werden. Bitte kontaktieren Sie ihren Administrator, um die Zone zu ändern.';
$wb['configuration_error_txt'] = 'CONFIGURATION ERROR';
$wb['dnssec_algo_txt'] = 'DNSSEC Algorithm';
?>
......@@ -41,4 +41,5 @@ $wb['dnssec_wanted_info'] = 'When disabling DNSSEC keys are not going to be dele
$wb['error_not_allowed_server_id'] = 'The selected server is not allowed for this account.';
$wb['soa_cannot_be_changed_txt'] = 'Die Zone (SOA) kann nicht verändert werden. Bitte kontaktieren Sie ihren Administrator, um die Zone zu ändern.';
$wb['configuration_error_txt'] = 'CONFIGURATION ERROR';
$wb['dnssec_algo_txt'] = 'DNSSEC Algorithm';
?>
......@@ -41,4 +41,5 @@ $wb['dnssec_wanted_info'] = 'When disabling DNSSEC keys are not going to be dele
$wb['error_not_allowed_server_id'] = 'The selected server is not allowed for this account.';
$wb['soa_cannot_be_changed_txt'] = 'Die Zone (SOA) kann nicht verändert werden. Bitte kontaktieren Sie ihren Administrator, um die Zone zu ändern.';
$wb['configuration_error_txt'] = 'CONFIGURATION ERROR';
$wb['dnssec_algo_txt'] = 'DNSSEC Algorithm';
?>
......@@ -41,4 +41,5 @@ $wb['dnssec_wanted_info'] = 'When disabling DNSSEC keys are not going to be dele
$wb['error_not_allowed_server_id'] = 'The selected server is not allowed for this account.';
$wb['soa_cannot_be_changed_txt'] = 'Die Zone (SOA) kann nicht verändert werden. Bitte kontaktieren Sie ihren Administrator, um die Zone zu ändern.';
$wb['configuration_error_txt'] = 'CONFIGURATION ERROR';
$wb['dnssec_algo_txt'] = 'DNSSEC Algorithm';
?>
......@@ -41,4 +41,5 @@ $wb['dnssec_wanted_info'] = 'When disabling DNSSEC keys are not going to be dele
$wb['error_not_allowed_server_id'] = 'The selected server is not allowed for this account.';
$wb['soa_cannot_be_changed_txt'] = 'Die Zone (SOA) kann nicht verändert werden. Bitte kontaktieren Sie ihren Administrator, um die Zone zu ändern.';
$wb['configuration_error_txt'] = 'CONFIGURATION ERROR';
$wb['dnssec_algo_txt'] = 'DNSSEC Algorithm';
?>
......@@ -41,4 +41,5 @@ $wb['dnssec_wanted_info'] = 'When disabling DNSSEC keys are not going to be dele
$wb['error_not_allowed_server_id'] = 'The selected server is not allowed for this account.';
$wb['soa_cannot_be_changed_txt'] = 'Die Zone (SOA) kann nicht verändert werden. Bitte kontaktieren Sie ihren Administrator, um die Zone zu ändern.';
$wb['configuration_error_txt'] = 'CONFIGURATION ERROR';
$wb['dnssec_algo_txt'] = 'DNSSEC Algorithm';
?>
......@@ -41,4 +41,5 @@ $wb['dnssec_wanted_info'] = 'When disabling DNSSEC keys are not going to be dele
$wb['error_not_allowed_server_id'] = 'The selected server is not allowed for this account.';
$wb['soa_cannot_be_changed_txt'] = 'Die Zone (SOA) kann nicht verändert werden. Bitte kontaktieren Sie ihren Administrator, um die Zone zu ändern.';
$wb['configuration_error_txt'] = 'CONFIGURATION ERROR';
$wb['dnssec_algo_txt'] = 'DNSSEC Algorithm';
?>
......@@ -41,4 +41,5 @@ $wb['dnssec_wanted_info'] = 'When disabling DNSSEC keys are not going to be dele
$wb['error_not_allowed_server_id'] = 'The selected server is not allowed for this account.';
$wb['soa_cannot_be_changed_txt'] = 'Die Zone (SOA) kann nicht verändert werden. Bitte kontaktieren Sie ihren Administrator, um die Zone zu ändern.';
$wb['configuration_error_txt'] = 'CONFIGURATION ERROR';
$wb['dnssec_algo_txt'] = 'DNSSEC Algorithm';
?>
......@@ -41,4 +41,5 @@ $wb['dnssec_wanted_info'] = 'When disabling DNSSEC keys are not going to be dele
$wb['error_not_allowed_server_id'] = 'The selected server is not allowed for this account.';
$wb['soa_cannot_be_changed_txt'] = 'Die Zone (SOA) kann nicht verändert werden. Bitte kontaktieren Sie ihren Administrator, um die Zone zu ändern.';
$wb['configuration_error_txt'] = 'CONFIGURATION ERROR';
$wb['dnssec_algo_txt'] = 'DNSSEC Algorithm';
?>
......@@ -41,4 +41,5 @@ $wb['dnssec_wanted_info'] = 'When disabling DNSSEC keys are not going to be dele
$wb['error_not_allowed_server_id'] = 'The selected server is not allowed for this account.';
$wb['soa_cannot_be_changed_txt'] = 'Die Zone (SOA) kann nicht verändert werden. Bitte kontaktieren Sie ihren Administrator, um die Zone zu ändern.';
$wb['configuration_error_txt'] = 'CONFIGURATION ERROR';
$wb['dnssec_algo_txt'] = 'DNSSEC Algorithm';
?>
......@@ -41,4 +41,5 @@ $wb['dnssec_wanted_info'] = 'При отключении DNSSEC ключи не
$wb['error_not_allowed_server_id'] = 'Выбранный сервер не доступен для этой учетной записи.';
$wb['soa_cannot_be_changed_txt'] = 'Зона (SOA) не может быть изменена. Пожалуйста, обратитесь к администратору, чтобы изменить зону.';
$wb['configuration_error_txt'] = 'ОШИБКА КОНФИГУРАЦИИ';
$wb['dnssec_algo_txt'] = 'DNSSEC Algorithm';
?>
......@@ -41,4 +41,5 @@ $wb['dnssec_wanted_info'] = 'When disabling DNSSEC keys are not going to be dele
$wb['error_not_allowed_server_id'] = 'The selected server is not allowed for this account.';
$wb['soa_cannot_be_changed_txt'] = 'Die Zone (SOA) kann nicht verändert werden. Bitte kontaktieren Sie ihren Administrator, um die Zone zu ändern.';
$wb['configuration_error_txt'] = 'CONFIGURATION ERROR';
$wb['dnssec_algo_txt'] = 'DNSSEC Algorithm';
?>
......@@ -41,4 +41,5 @@ $wb['dnssec_wanted_info'] = 'When disabling DNSSEC keys are not going to be dele
$wb['error_not_allowed_server_id'] = 'The selected server is not allowed for this account.';
$wb['soa_cannot_be_changed_txt'] = 'Die Zone (SOA) kann nicht verändert werden. Bitte kontaktieren Sie ihren Administrator, um die Zone zu ändern.';
$wb['configuration_error_txt'] = 'CONFIGURATION ERROR';
$wb['dnssec_algo_txt'] = 'DNSSEC Algorithm';
?>
......@@ -41,4 +41,5 @@ $wb['ttl_range_error'] = 'En düşük TTL süresi 60 saniyedir.';
$wb['error_not_allowed_server_id'] = 'Seçilmiş sunucuda bu hesap kullanılamaz.';
$wb['soa_cannot_be_changed_txt'] = 'Bölge (SOA) değiştirilemez. Lütfen bölgeyi değiştirmek için yöneticiniz ile görüşün.';
$wb['configuration_error_txt'] = 'YAPILANDIRMA SORUNU';
$wb['dnssec_algo_txt'] = 'DNSSEC Algorithm';
?>
......@@ -136,6 +136,12 @@
<div class="col-sm-9">
{tmpl_var name='dnssec_wanted'}<br /><small>({tmpl_var name='dnssec_wanted_info'})</small>
</div>
</div>
<div class="form-group">
<label for="dnssec_algo" class="col-sm-3 control-label">{tmpl_var name='dnssec_algo_txt'}</label>
<div class="col-sm-9"><select name="dnssec_algo" id="dnssec_algo" class="form-control">
{tmpl_var name='dnssec_algo'}
</select></div>
</div>
<div class="form-group">
<label for="update_acl" class="col-sm-3 control-label">{tmpl_var name='dnssec_info_txt'}</label>
......
......@@ -111,7 +111,11 @@ class bind_plugin {
}
//Do some magic...
$app->system->exec_safe('cd ?; dnssec-keygen -a NSEC3RSASHA1 -b 2048 -n ZONE ?; dnssec-keygen -f KSK -a NSEC3RSASHA1 -b 4096 -n ZONE ?', $dns_config['bind_zonefiles_dir'], $domain, $domain);
if($data['new']['dnssec_algo'] == 'sha256') {
$app->system->exec_safe('cd ?; dnssec-keygen -3 -a ECDSAP256SHA256 -n ZONE ?; dnssec-keygen -f KSK -3 -a ECDSAP256SHA256 -n ZONE ?', $dns_config['bind_zonefiles_dir'], $domain, $domain);
} else {
$app->system->exec_safe('cd ?; dnssec-keygen -a NSEC3RSASHA1 -b 2048 -n ZONE ?; dnssec-keygen -f KSK -a NSEC3RSASHA1 -b 4096 -n ZONE ?', $dns_config['bind_zonefiles_dir'], $domain, $domain);
}
$this->soa_dnssec_sign($data); //Now sign the zone for the first time
$data['new']['dnssec_initialized']='Y';
......@@ -305,15 +309,17 @@ class bind_plugin {
}
//* DNSSEC-Implementation
if($data['old']['origin'] != $data['new']['origin']) {
if($data['old']['origin'] != $data['new']['origin'] || $data['old']['dnssec_algo'] != $data['new']['dnssec_algo']) {
if (@$data['old']['dnssec_initialized'] == 'Y' && strlen(@$data['old']['origin']) > 3) $this->soa_dnssec_delete($data); //delete old keys
if ($data['new']['dnssec_wanted'] == 'Y') $this->soa_dnssec_create($data);
}
else if ($data['new']['dnssec_wanted'] == 'Y' && $data['old']['dnssec_initialized'] == 'N') $this->soa_dnssec_create($data);
else if ($data['new']['dnssec_wanted'] == 'N' && $data['old']['dnssec_initialized'] == 'Y') { //delete old signed file if dnssec is no longer wanted
if ($data['new']['dnssec_wanted'] == 'Y') $this->soa_dnssec_create($data);
} elseif ($data['new']['dnssec_wanted'] == 'Y' && $data['old']['dnssec_initialized'] == 'N') {
$this->soa_dnssec_create($data);
} elseif ($data['new']['dnssec_wanted'] == 'N' && $data['old']['dnssec_initialized'] == 'Y') { //delete old signed file if dnssec is no longer wanted
$filename = $dns_config['bind_zonefiles_dir'].'/' . $this->zone_file_prefix() . str_replace("/", "_", substr($data['old']['origin'], 0, -1));
if(is_file($filename.'.signed')) unlink($filename.'.signed');
} else if ($data['new']['dnssec_wanted'] == 'Y') $this->soa_dnssec_update($data);
} elseif ($data['new']['dnssec_wanted'] == 'Y') {
$this->soa_dnssec_update($data);
}
// END DNSSEC
//* rebuild the named.conf file if the origin has changed or when the origin is inserted.
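Review bot: Changing only `dnssec_algo` on an already signed zone now takes the same path as an origin change: `soa_dnssec_delete($data)` removes the existing keys and `soa_dnssec_create($data)` generates new ones immediately, so the DS record published at the parent presumably stops matching and validating resolvers would treat the zone as bogus until it is replaced. That consequence deserves a comment above the condition, e.g. `// Algorithm change replaces all keys: the DS record at the parent must be updated, validation fails until then`, and ideally a hint in the zone form. In `soa_dnssec_create` the `else` branch is also the fallback for any value other than 'sha256', including a missing or empty `$data['new']['dnssec_algo']`, so unexpected input silently selects NSEC3RSASHA1; testing `$data['new']['dnssec_algo'] == 'sha1'` explicitly and letting ECDSAP256SHA256 be the fallback would match the new column default. Both function bodies start and end outside the hunks shown.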
......