diff --git a/install/sql/incremental/upd_dev_collection.sql b/install/sql/incremental/upd_dev_collection.sql index 1deb6050284d384ec4fdb69a6f65acee8fa4cdd8..b7db2767eda744d3f626494f52d4dd390243b33c 100644 --- a/install/sql/incremental/upd_dev_collection.sql +++ b/install/sql/incremental/upd_dev_collection.sql @@ -65,3 +65,8 @@ ALTER TABLE `client` CHANGE `id_rsa` `id_rsa` TEXT CHARACTER SET utf8 COLLATE ut ALTER TABLE `directive_snippets` ADD `update_sites` ENUM('y','n') NOT NULL DEFAULT 'n' ; +-- Add DNSSEC Algorithm setting +ALTER TABLE `dns_soa` ADD `dnssec_algo` SET('NSEC3RSASHA1','ECDSAP256SHA256') NULL DEFAULT NULL AFTER `dnssec_wanted`; +UPDATE `dns_soa` SET `dnssec_algo` = 'NSEC3RSASHA1' WHERE `dnssec_algo` IS NULL AND dnssec_initialized = 'Y'; +UPDATE `dns_soa` SET `dnssec_algo` = 'ECDSAP256SHA256' WHERE `dnssec_algo` IS NULL AND dnssec_initialized = 'N'; +ALTER TABLE `dns_soa` CHANGE `dnssec_algo` `dnssec_algo` SET('NSEC3RSASHA1','ECDSAP256SHA256') CHARACTER SET utf8 COLLATE utf8_general_ci NOT NULL DEFAULT 'ECDSAP256SHA256'; diff --git a/install/sql/ispconfig3.sql b/install/sql/ispconfig3.sql index edd4dd50491cf6dfe21898e8d7c6027b04e86541..0d76fb8c084356d790a7506b5044c6b36265ccdf 100644 --- a/install/sql/ispconfig3.sql +++ b/install/sql/ispconfig3.sql @@ -626,6 +626,7 @@ CREATE TABLE `dns_soa` ( `update_acl` varchar(255) default NULL, `dnssec_initialized` ENUM('Y','N') NOT NULL DEFAULT 'N', `dnssec_wanted` ENUM('Y','N') NOT NULL DEFAULT 'N', + `dnssec_algo` SET('NSEC3RSASHA1','ECDSAP256SHA256') NOT NULL DEFAULT 'ECDSAP256SHA256', `dnssec_last_signed` BIGINT NOT NULL DEFAULT '0', `dnssec_info` TEXT NULL, PRIMARY KEY (`id`), 
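Review bot: The two backfill UPDATEs in upd_dev_collection.sql have no comment explaining why zones with `dnssec_initialized = 'Y'` are pinned to NSEC3RSASHA1, and the choice has a security consequence worth recording: those zones stay on a SHA-1 based algorithm (RFC 8624 marks it not recommended for signing) until an administrator changes them. I would add above them `-- Zones signed before this update keep NSEC3RSASHA1 because their key files use it; zones not yet signed default to ECDSAP256SHA256`. Separately, a MySQL SET column accepts the empty set even when declared NOT NULL, so neither the final ALTER here nor the matching column in the ispconfig3.sql CREATE TABLE hunk guarantees that a zone with `dnssec_wanted = 'Y'` has an algorithm. That rule has to be enforced in the application code.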
@@ -2501,7 +2502,7 @@ INSERT INTO `country` (`iso`, `name`, `printable_name`, `iso3`, `numcode`, `eu`) -- Dumping data for table `dns_template` -- -INSERT INTO `dns_template` (`template_id`, `sys_userid`, `sys_groupid`, `sys_perm_user`, `sys_perm_group`, `sys_perm_other`, `name`, `fields`, `template`, `visible`) VALUES (1, 1, 1, 'riud', 'riud', '', 'Default', 'DOMAIN,IP,NS1,NS2,EMAIL,DKIM,DNSSEC', '[ZONE]\norigin={DOMAIN}.\nns={NS1}.\nmbox={EMAIL}.\nrefresh=7200\nretry=540\nexpire=604800\nminimum=3600\nttl=3600\n\n[DNS_RECORDS]\nA|{DOMAIN}.|{IP}|0|3600\nA|www|{IP}|0|3600\nA|mail|{IP}|0|3600\nNS|{DOMAIN}.|{NS1}.|0|3600\nNS|{DOMAIN}.|{NS2}.|0|3600\nMX|{DOMAIN}.|mail.{DOMAIN}.|10|3600\nTXT|{DOMAIN}.|v=spf1 mx a ~all|0|3600', 'y'); +INSERT INTO `dns_template` (`template_id`, `sys_userid`, `sys_groupid`, `sys_perm_user`, `sys_perm_group`, `sys_perm_other`, `name`, `fields`, `template`, `visible`) VALUES (1, 1, 1, 'riud', 'riud', '', 'Default', 'DOMAIN,IP,NS1,NS2,EMAIL,DKIM,DNSSEC', '[ZONE]\norigin={DOMAIN}.\nns={NS1}.\nmbox={EMAIL}.\nrefresh=7200\nretry=540\nexpire=604800\nminimum=3600\nttl=3600\ndnssec_algo=ECDSAP256SHA256\n\n[DNS_RECORDS]\nA|{DOMAIN}.|{IP}|0|3600\nA|www|{IP}|0|3600\nA|mail|{IP}|0|3600\nNS|{DOMAIN}.|{NS1}.|0|3600\nNS|{DOMAIN}.|{NS2}.|0|3600\nMX|{DOMAIN}.|mail.{DOMAIN}.|10|3600\nTXT|{DOMAIN}.|v=spf1 mx a ~all|0|3600', 'y'); -- -------------------------------------------------------- diff --git a/interface/web/dns/dns_soa_edit.php b/interface/web/dns/dns_soa_edit.php index ec5ba67c79de4e675647ab21ea1ba1b823118ce2..f5e716ca5dfc8798952672e8ddab43d1eff12606 100644 --- a/interface/web/dns/dns_soa_edit.php +++ b/interface/web/dns/dns_soa_edit.php 
@@ -296,6 +296,8 @@ function onSubmit() { $this->dataRecord["xfer"] = preg_replace('/\s+/', '', $this->dataRecord["xfer"]); $this->dataRecord["also_notify"] = preg_replace('/\s+/', '', $this->dataRecord["also_notify"]); + + if(isset($this->dataRecord['dnssec_wanted']) && $this->dataRecord['dnssec_wanted'] == 'Y' && $this->dataRecord['dnssec_algo'] == '') $this->dataRecord['dnssec_algo'] = 'ECDSAP256SHA256'; //* Check if a secondary zone with the same name already exists $tmp = $app->db->queryOneRecord("SELECT count(id) as number FROM dns_slave WHERE origin = ? AND server_id = ?", $this->dataRecord["origin"], $this->dataRecord["server_id"]); diff --git a/interface/web/dns/dns_wizard.php b/interface/web/dns/dns_wizard.php index 91b2307dc5126dc3650a1f3a38a754ea135151e9..b2320dc6bf98466d0cb6726870665ffb06a1e41d 100644 --- a/interface/web/dns/dns_wizard.php +++ b/interface/web/dns/dns_wizard.php @@ -339,6 +339,7 @@ if($_POST['create'] == 1) { $section = ''; $vars = array(); $vars['xfer']=''; + $vars['dnssec_algo']='ECDSAP256SHA256'; $dns_rr = array(); foreach($tpl_rows as $row) { $row = trim($row); @@ -398,6 +399,7 @@ if($_POST['create'] == 1) { $xfer = $vars['xfer']; $also_notify = $vars['also_notify']; $update_acl = $vars['update_acl']; + $dnssec_algo = $vars['dnssec_algo']; $serial = $app->validate_dns->increase_serial(0); $insert_data = array( @@ -420,7 +422,8 @@ if($_POST['create'] == 1) { "xfer" => $xfer, "also_notify" => $also_notify, "update_acl" => $update_acl, - "dnssec_wanted" => $enable_dnssec + "dnssec_wanted" => $enable_dnssec, + "dnssec_algo" => $dnssec_algo ); $dns_soa_id = $app->db->datalogInsert('dns_soa', $insert_data, 'id'); if($dns_soa_id > 0) $app->plugin->raiseEvent('dns:wizard:on_after_insert', $dns_soa_id); diff --git a/interface/web/dns/form/dns_soa.tform.php b/interface/web/dns/form/dns_soa.tform.php index cf0d143916c5fe2679777d1756ec96089bac9105..81389c4553f540a2f1ae367fdf7bf5858011bd7f 100644 --- a/interface/web/dns/form/dns_soa.tform.php 
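Review bot: The added default in onSubmit() compares `$this->dataRecord['dnssec_algo']` with `''` without first checking that the key exists. If the checkbox array is submitted with no box ticked, the key may be absent (an assumption, since the form layer that fills dataRecord is not visible here), and the comparison then raises an undefined-index notice. `empty()` covers both the absent and the blank case: `if(isset($this->dataRecord['dnssec_wanted']) && $this->dataRecord['dnssec_wanted'] == 'Y' && empty($this->dataRecord['dnssec_algo'])) $this->dataRecord['dnssec_algo'] = 'ECDSAP256SHA256';`. onSubmit() starts and ends outside the hunk.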
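Review bot: In dns_wizard.php, `$vars['dnssec_algo']` reaches `$insert_data` unchecked, and it is presumably overwritten by a `dnssec_algo=` line from the template (the parsing loop body is outside the hunks), so whatever a template author typed goes to `dns_soa`. The server plugin only acts on the two known names, so an unknown value does not reach a command line, but it leaves a zone that asks for DNSSEC with no usable algorithm. Filtering against the supported list before the insert closes that gap: `$dnssec_algo = implode(',', array_intersect(explode(',', $vars['dnssec_algo']), array('NSEC3RSASHA1','ECDSAP256SHA256')));` followed by `if($dnssec_algo == '') $dnssec_algo = 'ECDSAP256SHA256';`. The same applies to the `dnssec_algo` field added in dns_soa.tform.php, which declares no `validators` entry; whether CHECKBOXARRAY already rejects keys outside its `value` list is not visible here and should be confirmed.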
+++ b/interface/web/dns/form/dns_soa.tform.php @@ -276,6 +276,15 @@ $form["tabs"]['dns_soa'] = array ( 'default' => 'Y', 'value' => array(0 => 'N', 1 => 'Y') ), + 'dnssec_algo' => array ( + 'datatype' => 'VARCHAR', + 'formtype' => 'CHECKBOXARRAY', + 'separator' => ',', + 'default' => 'ECDSAP256SHA256', + 'value' => array('NSEC3RSASHA1' => '7 (NSEC3RSASHA1)','ECDSAP256SHA256' => '13 (ECDSAP256SHA256)'), + 'width' => '30', + 'maxlength' => '255' + ), 'dnssec_info' => array ( 'datatype' => 'TEXT', 'formtype' => 'TEXTAREA', diff --git a/interface/web/dns/lib/lang/ar_dns_soa.lng b/interface/web/dns/lib/lang/ar_dns_soa.lng index c9721cebc0e2de6bb770816a544e0b3b8dd3863d..8c13c59e8e67b1fd37768608289f51f01610d997 100644 --- a/interface/web/dns/lib/lang/ar_dns_soa.lng +++ b/interface/web/dns/lib/lang/ar_dns_soa.lng @@ -41,4 +41,5 @@ $wb['dnssec_wanted_info'] = 'When disabling DNSSEC keys are not going to be dele $wb['error_not_allowed_server_id'] = 'The selected server is not allowed for this account.'; $wb['soa_cannot_be_changed_txt'] = 'Die Zone (SOA) kann nicht verändert werden. Bitte kontaktieren Sie ihren Administrator, um die Zone zu ändern.'; $wb['configuration_error_txt'] = 'CONFIGURATION ERROR'; +$wb['dnssec_algo_txt'] = 'DNSSEC Algorithm'; ?> diff --git a/interface/web/dns/lib/lang/bg_dns_soa.lng b/interface/web/dns/lib/lang/bg_dns_soa.lng index 151e3ead11483260d8acabf8ac729d7b0a5324c4..9e9e8bf3f50ce64fb5c25ebf642efd6cea336c1f 100644 --- a/interface/web/dns/lib/lang/bg_dns_soa.lng +++ b/interface/web/dns/lib/lang/bg_dns_soa.lng @@ -41,4 +41,5 @@ $wb['dnssec_wanted_info'] = 'When disabling DNSSEC keys are not going to be dele $wb['error_not_allowed_server_id'] = 'The selected server is not allowed for this account.'; $wb['soa_cannot_be_changed_txt'] = 'Die Zone (SOA) kann nicht verändert werden. Bitte kontaktieren Sie ihren Administrator, um die Zone zu ändern.'; $wb['configuration_error_txt'] = 'CONFIGURATION ERROR'; +$wb['dnssec_algo_txt'] = 'DNSSEC Algorithm'; ?> 
diff --git a/interface/web/dns/lib/lang/br_dns_soa.lng b/interface/web/dns/lib/lang/br_dns_soa.lng
index f5385c4706b98e51611e803341ac3ea1a4f35ac4..f1cb453e9959cf0b883cad31460a9982bd4d1ebe 100644
--- a/interface/web/dns/lib/lang/br_dns_soa.lng
+++ b/interface/web/dns/lib/lang/br_dns_soa.lng
@@ -41,4 +41,5 @@ $wb['ttl_range_error'] = 'Intervalo mínimo do TTL são 60 segundos.';
 $wb['error_not_allowed_server_id'] = 'O servidor selecionado não é permitido para esta conta.';
 $wb['soa_cannot_be_changed_txt'] = 'A zona (SOA) não pode ser alterada. Por favor, contate o administrador se deseja alterar esta zona.';
 $wb['configuration_error_txt'] = 'ERRO DE CONFIGURAÇÃO';
+$wb['dnssec_algo_txt'] = 'DNSSEC Algorithm';
 ?>
diff --git a/interface/web/dns/lib/lang/ca_dns_soa.lng b/interface/web/dns/lib/lang/ca_dns_soa.lng
index 0b6759f07372f84c449c17942f8c4ca849225a53..ee2fdb07b64c3a188cca64d12fe20b6129c21f69 100644
--- a/interface/web/dns/lib/lang/ca_dns_soa.lng
+++ b/interface/web/dns/lib/lang/ca_dns_soa.lng
@@ -41,4 +41,5 @@ $wb['dnssec_wanted_info'] = 'When disabling DNSSEC keys are not going to be dele
 $wb['error_not_allowed_server_id'] = 'The selected server is not allowed for this account.';
 $wb['soa_cannot_be_changed_txt'] = 'Die Zone (SOA) kann nicht verändert werden. Bitte kontaktieren Sie ihren Administrator, um die Zone zu ändern.';
 $wb['configuration_error_txt'] = 'CONFIGURATION ERROR';
+$wb['dnssec_algo_txt'] = 'DNSSEC Algorithm';
 ?>
diff --git a/interface/web/dns/lib/lang/cz_dns_soa.lng b/interface/web/dns/lib/lang/cz_dns_soa.lng
index cb35f0ef3bbe946036dd51179d8f5c0ef92ce730..ba6b2d4b52b6ac8d3d0ffa770ee5f02b2f5133fd 100644
--- a/interface/web/dns/lib/lang/cz_dns_soa.lng
+++ b/interface/web/dns/lib/lang/cz_dns_soa.lng
@@ -41,4 +41,5 @@ $wb['dnssec_wanted_info'] = 'Když deaktivujete DNSSEC klíče nebudou odstraně
 $wb['error_not_allowed_server_id'] = 'Vybraný server není pro tento účet povolen.';
 $wb['soa_cannot_be_changed_txt'] = 'Die Zone (SOA) kann nicht verändert werden. Bitte kontaktieren Sie ihren Administrator, um die Zone zu ändern.';
 $wb['configuration_error_txt'] = 'CONFIGURATION ERROR';
+$wb['dnssec_algo_txt'] = 'DNSSEC Algorithm';
 ?>
diff --git a/interface/web/dns/lib/lang/de_dns_soa.lng b/interface/web/dns/lib/lang/de_dns_soa.lng
index 76d139391ddb580830e537c7050f09171d3bc943..14897b24e45fd86dbca1e4ddfc95d3317c6aae4b 100644
--- a/interface/web/dns/lib/lang/de_dns_soa.lng
+++ b/interface/web/dns/lib/lang/de_dns_soa.lng
@@ -41,4 +41,5 @@ $wb['xfer_error_regex'] = 'Zonentransfer: Verwenden Sie eine oder mehrere durch
 $wb['soa_cannot_be_changed_txt'] = 'Die Zone (SOA) kann nicht verändert werden. Bitte kontaktieren Sie ihren Administrator, um die Zone zu ändern.';
 $wb['error_not_allowed_server_id'] = 'The selected server is not allowed for this account.';
 $wb['configuration_error_txt'] = 'CONFIGURATION ERROR';
+$wb['dnssec_algo_txt'] = 'DNSSEC Algorithmus';
 ?>
diff --git a/interface/web/dns/lib/lang/dk_dns_soa.lng b/interface/web/dns/lib/lang/dk_dns_soa.lng
index 6a3d71d973588f748bbda7b7d566a23442ed8a8a..a4ff50f14fa3f705e59b6ba19472bf8bd5f7ad5d 100644
--- a/interface/web/dns/lib/lang/dk_dns_soa.lng
+++ b/interface/web/dns/lib/lang/dk_dns_soa.lng
@@ -41,4 +41,5 @@ $wb['dnssec_wanted_info'] = 'When disabling DNSSEC keys are not going to be dele
 $wb['error_not_allowed_server_id'] = 'The selected server is not allowed for this account.';
 $wb['soa_cannot_be_changed_txt'] = 'The Zone (SOA) can not be changed. Please contact your administrator to change the zone.';
 $wb['configuration_error_txt'] = 'CONFIGURATION ERROR';
+$wb['dnssec_algo_txt'] = 'DNSSEC Algorithm';
 ?>
diff --git a/interface/web/dns/lib/lang/el_dns_soa.lng b/interface/web/dns/lib/lang/el_dns_soa.lng index 4d8c876d28aab75d4c6e893dcd1667363f9cf758..aae62bef7618261ef0cb8e116287d33db8a68931 100644 --- a/interface/web/dns/lib/lang/el_dns_soa.lng +++ b/interface/web/dns/lib/lang/el_dns_soa.lng @@ -41,4 +41,5 @@ $wb['dnssec_wanted_info'] = 'When disabling DNSSEC keys are not going to be dele $wb['error_not_allowed_server_id'] = 'The selected server is not allowed for this account.'; $wb['soa_cannot_be_changed_txt'] = 'Die Zone (SOA) kann nicht verändert werden. Bitte kontaktieren Sie ihren Administrator, um die Zone zu ändern.'; $wb['configuration_error_txt'] = 'CONFIGURATION ERROR'; +$wb['dnssec_algo_txt'] = 'DNSSEC Algorithm'; ?> diff --git a/interface/web/dns/lib/lang/en_dns_soa.lng b/interface/web/dns/lib/lang/en_dns_soa.lng index 1729a4d0cbe9b2e3a311462517c1dc811e11460c..7d130b34b03223a5ef82db646e913d652b39bd17 100644 --- a/interface/web/dns/lib/lang/en_dns_soa.lng +++ b/interface/web/dns/lib/lang/en_dns_soa.lng @@ -41,4 +41,5 @@ $wb['ttl_range_error'] = 'Min. TTL time is 60 seconds.'; $wb['error_not_allowed_server_id'] = 'The selected server is not allowed for this account.'; $wb['soa_cannot_be_changed_txt'] = 'The Zone (SOA) can not be changed. Please contact your administrator to change the zone.'; $wb['configuration_error_txt'] = 'CONFIGURATION ERROR'; +$wb['dnssec_algo_txt'] = 'DNSSEC Algorithm'; ?> diff --git a/interface/web/dns/lib/lang/es_dns_soa.lng b/interface/web/dns/lib/lang/es_dns_soa.lng index 23f4cc5ffcfb53f784333a43965cfdd740cbac0c..b1484e749a0258b43ed279ca159226a451badb81 100644 --- a/interface/web/dns/lib/lang/es_dns_soa.lng +++ b/interface/web/dns/lib/lang/es_dns_soa.lng @@ -41,4 +41,5 @@ $wb['update_acl_txt'] = 'Actualizar ACL'; $wb['xfer_error_regex'] = 'Notificar también a: Por favor, usa una dirección IP.'; $wb['xfer_txt'] = 'Permitir transferencia de zonas a
estas IP (lista separada por comas)'; $wb['configuration_error_txt'] = 'CONFIGURATION ERROR'; +$wb['dnssec_algo_txt'] = 'DNSSEC Algorithm'; ?> diff --git a/interface/web/dns/lib/lang/fi_dns_soa.lng b/interface/web/dns/lib/lang/fi_dns_soa.lng index 3e106259677bea687262bb3cc99098c89e901c9c..b34b2893fdf514db92a3da4c8f8692066aaca771 100644 --- a/interface/web/dns/lib/lang/fi_dns_soa.lng +++ b/interface/web/dns/lib/lang/fi_dns_soa.lng @@ -41,4 +41,5 @@ $wb['dnssec_wanted_info'] = 'When disabling DNSSEC keys are not going to be dele $wb['error_not_allowed_server_id'] = 'The selected server is not allowed for this account.'; $wb['soa_cannot_be_changed_txt'] = 'Die Zone (SOA) kann nicht verändert werden. Bitte kontaktieren Sie ihren Administrator, um die Zone zu ändern.'; $wb['configuration_error_txt'] = 'CONFIGURATION ERROR'; +$wb['dnssec_algo_txt'] = 'DNSSEC Algorithm'; ?> diff --git a/interface/web/dns/lib/lang/fr_dns_soa.lng b/interface/web/dns/lib/lang/fr_dns_soa.lng index da63faadbdea9adab67fa598a1331997d941d246..d2449c323e9a95cb966fd7f9497699a7044f51db 100644 --- a/interface/web/dns/lib/lang/fr_dns_soa.lng +++ b/interface/web/dns/lib/lang/fr_dns_soa.lng @@ -41,4 +41,5 @@ $wb['dnssec_wanted_info'] = 'When disabling DNSSEC keys are not going to be dele $wb['error_not_allowed_server_id'] = 'The selected server is not allowed for this account.'; $wb['soa_cannot_be_changed_txt'] = 'Die Zone (SOA) kann nicht verändert werden. Bitte kontaktieren Sie ihren Administrator, um die Zone zu ändern.'; $wb['configuration_error_txt'] = 'CONFIGURATION ERROR'; +$wb['dnssec_algo_txt'] = 'DNSSEC Algorithm'; ?> diff --git a/interface/web/dns/lib/lang/hr_dns_soa.lng b/interface/web/dns/lib/lang/hr_dns_soa.lng index b4a9f2f9b0ad77b8808ab250735d93de8486d451..d738ff1e184cb52628d8aa105c16cc92503a60bb 100644 --- a/interface/web/dns/lib/lang/hr_dns_soa.lng +++ b/interface/web/dns/lib/lang/hr_dns_soa.lng 
@@ -41,4 +41,5 @@ $wb['dnssec_wanted_info'] = 'When disabling DNSSEC keys are not going to be dele
 $wb['error_not_allowed_server_id'] = 'The selected server is not allowed for this account.';
 $wb['soa_cannot_be_changed_txt'] = 'Die Zone (SOA) kann nicht verändert werden. Bitte kontaktieren Sie ihren Administrator, um die Zone zu ändern.';
 $wb['configuration_error_txt'] = 'CONFIGURATION ERROR';
+$wb['dnssec_algo_txt'] = 'DNSSEC Algorithm';
 ?>
diff --git a/interface/web/dns/lib/lang/hu_dns_soa.lng b/interface/web/dns/lib/lang/hu_dns_soa.lng
index 401961408864d7817ba7e8c5f4b4ecbc3b02d7c8..445de86d69c7c8d8f1d73a0fa49b5dcbe94e97c4 100644
--- a/interface/web/dns/lib/lang/hu_dns_soa.lng
+++ b/interface/web/dns/lib/lang/hu_dns_soa.lng
@@ -41,4 +41,5 @@ $wb['dnssec_wanted_info'] = 'When disabling DNSSEC keys are not going to be dele
 $wb['error_not_allowed_server_id'] = 'The selected server is not allowed for this account.';
 $wb['soa_cannot_be_changed_txt'] = 'Die Zone (SOA) kann nicht verändert werden. Bitte kontaktieren Sie ihren Administrator, um die Zone zu ändern.';
 $wb['configuration_error_txt'] = 'CONFIGURATION ERROR';
+$wb['dnssec_algo_txt'] = 'DNSSEC Algorithm';
 ?>
diff --git a/interface/web/dns/lib/lang/id_dns_soa.lng b/interface/web/dns/lib/lang/id_dns_soa.lng
index c42890b71c1ae0cd010a138d54c21fd6e0016403..c9a43ad057a07bc4a12a16b6a90b737f9f58217b 100644
--- a/interface/web/dns/lib/lang/id_dns_soa.lng
+++ b/interface/web/dns/lib/lang/id_dns_soa.lng
@@ -41,4 +41,5 @@ $wb['dnssec_wanted_info'] = 'When disabling DNSSEC keys are not going to be dele
 $wb['error_not_allowed_server_id'] = 'The selected server is not allowed for this account.';
 $wb['soa_cannot_be_changed_txt'] = 'Die Zone (SOA) kann nicht verändert werden. Bitte kontaktieren Sie ihren Administrator, um die Zone zu ändern.';
 $wb['configuration_error_txt'] = 'CONFIGURATION ERROR';
+$wb['dnssec_algo_txt'] = 'DNSSEC Algorithm';
 ?>
diff --git a/interface/web/dns/lib/lang/it_dns_soa.lng b/interface/web/dns/lib/lang/it_dns_soa.lng
index 7ca3cb1cb13f1f104d5aad6516d522735045182d..714c6c70566c3af03ee5395ccc5790a8b86273c9 100644
--- a/interface/web/dns/lib/lang/it_dns_soa.lng
+++ b/interface/web/dns/lib/lang/it_dns_soa.lng
@@ -41,4 +41,5 @@ $wb['dnssec_wanted_info'] = 'When disabling DNSSEC keys are not going to be dele
 $wb['error_not_allowed_server_id'] = 'The selected server is not allowed for this account.';
 $wb['soa_cannot_be_changed_txt'] = 'Die Zone (SOA) kann nicht verändert werden. Bitte kontaktieren Sie ihren Administrator, um die Zone zu ändern.';
 $wb['configuration_error_txt'] = 'CONFIGURATION ERROR';
+$wb['dnssec_algo_txt'] = 'DNSSEC Algorithm';
 ?>
diff --git a/interface/web/dns/lib/lang/ja_dns_soa.lng b/interface/web/dns/lib/lang/ja_dns_soa.lng
index 3964f3fcdb73888f6c3208043b4cb7adf29e425e..7ab57997508202e5496ae098ccb59a2b0bf4c2b6 100644
--- a/interface/web/dns/lib/lang/ja_dns_soa.lng
+++ b/interface/web/dns/lib/lang/ja_dns_soa.lng
@@ -41,4 +41,5 @@ $wb['dnssec_wanted_info'] = 'When disabling DNSSEC keys are not going to be dele
 $wb['error_not_allowed_server_id'] = 'The selected server is not allowed for this account.';
 $wb['soa_cannot_be_changed_txt'] = 'Die Zone (SOA) kann nicht verändert werden. Bitte kontaktieren Sie ihren Administrator, um die Zone zu ändern.';
 $wb['configuration_error_txt'] = 'CONFIGURATION ERROR';
+$wb['dnssec_algo_txt'] = 'DNSSEC Algorithm';
 ?>
diff --git a/interface/web/dns/lib/lang/nl_dns_soa.lng b/interface/web/dns/lib/lang/nl_dns_soa.lng
index 121339c00ca296b5b108516fb406c98edd4e7f4c..1f875df3c9007659806b6e48a22fb3f1497ba89e 100644
--- a/interface/web/dns/lib/lang/nl_dns_soa.lng
+++ b/interface/web/dns/lib/lang/nl_dns_soa.lng
@@ -41,4 +41,5 @@ $wb['dnssec_wanted_info'] = 'When disabling DNSSEC keys are not going to be dele
 $wb['error_not_allowed_server_id'] = 'The selected server is not allowed for this account.';
 $wb['soa_cannot_be_changed_txt'] = 'Die Zone (SOA) kann nicht verändert werden. Bitte kontaktieren Sie ihren Administrator, um die Zone zu ändern.';
 $wb['configuration_error_txt'] = 'CONFIGURATION ERROR';
+$wb['dnssec_algo_txt'] = 'DNSSEC Algorithm';
 ?>
diff --git a/interface/web/dns/lib/lang/pl_dns_soa.lng b/interface/web/dns/lib/lang/pl_dns_soa.lng
index 1724c4c141c77a15d08c93021ca7ee2d3f189fe0..7502a592372707764358fde63333b8ef0938ee9d 100644
--- a/interface/web/dns/lib/lang/pl_dns_soa.lng
+++ b/interface/web/dns/lib/lang/pl_dns_soa.lng
@@ -41,4 +41,5 @@ $wb['dnssec_wanted_info'] = 'When disabling DNSSEC keys are not going to be dele
 $wb['error_not_allowed_server_id'] = 'The selected server is not allowed for this account.';
 $wb['soa_cannot_be_changed_txt'] = 'Die Zone (SOA) kann nicht verändert werden. Bitte kontaktieren Sie ihren Administrator, um die Zone zu ändern.';
 $wb['configuration_error_txt'] = 'CONFIGURATION ERROR';
+$wb['dnssec_algo_txt'] = 'DNSSEC Algorithm';
 ?>
diff --git a/interface/web/dns/lib/lang/pt_dns_soa.lng b/interface/web/dns/lib/lang/pt_dns_soa.lng
index bdcc1660ff0e7f4b9a348ce678520aea214d8ed9..7b6ac864a163decd043ef4d35429c532a3df92ee 100644
--- a/interface/web/dns/lib/lang/pt_dns_soa.lng
+++ b/interface/web/dns/lib/lang/pt_dns_soa.lng
@@ -41,4 +41,5 @@ $wb['dnssec_wanted_info'] = 'When disabling DNSSEC keys are not going to be dele
 $wb['error_not_allowed_server_id'] = 'The selected server is not allowed for this account.';
 $wb['soa_cannot_be_changed_txt'] = 'Die Zone (SOA) kann nicht verändert werden. Bitte kontaktieren Sie ihren Administrator, um die Zone zu ändern.';
 $wb['configuration_error_txt'] = 'CONFIGURATION ERROR';
+$wb['dnssec_algo_txt'] = 'DNSSEC Algorithm';
 ?>
diff --git a/interface/web/dns/lib/lang/ro_dns_soa.lng b/interface/web/dns/lib/lang/ro_dns_soa.lng
index 40607318f713d7a08f4d87dd24425e1b0f60e44e..9ae957f2406129be0f0b27645946c2efe6ab713e 100644
--- a/interface/web/dns/lib/lang/ro_dns_soa.lng
+++ b/interface/web/dns/lib/lang/ro_dns_soa.lng
@@ -41,4 +41,5 @@ $wb['dnssec_wanted_info'] = 'When disabling DNSSEC keys are not going to be dele
 $wb['error_not_allowed_server_id'] = 'The selected server is not allowed for this account.';
 $wb['soa_cannot_be_changed_txt'] = 'Die Zone (SOA) kann nicht verändert werden. Bitte kontaktieren Sie ihren Administrator, um die Zone zu ändern.';
 $wb['configuration_error_txt'] = 'CONFIGURATION ERROR';
+$wb['dnssec_algo_txt'] = 'DNSSEC Algorithm';
 ?>
diff --git a/interface/web/dns/lib/lang/ru_dns_soa.lng b/interface/web/dns/lib/lang/ru_dns_soa.lng
index 7bd15cd63858f16b496326756fe8b652902e63b7..f6043010d4e021d4d677e6fca002456e924cb3f3 100644
--- a/interface/web/dns/lib/lang/ru_dns_soa.lng
+++ b/interface/web/dns/lib/lang/ru_dns_soa.lng
@@ -41,4 +41,5 @@ $wb['dnssec_wanted_info'] = 'При отключении DNSSEC ключи не
 $wb['error_not_allowed_server_id'] = 'Выбранный сервер не доступен для этой учетной записи.';
 $wb['soa_cannot_be_changed_txt'] = 'Зона (SOA) не может быть изменена. Пожалуйста, обратитесь к администратору, чтобы изменить зону.';
 $wb['configuration_error_txt'] = 'ОШИБКА КОНФИГУРАЦИИ';
+$wb['dnssec_algo_txt'] = 'DNSSEC Algorithm';
 ?>
diff --git a/interface/web/dns/lib/lang/se_dns_soa.lng b/interface/web/dns/lib/lang/se_dns_soa.lng
index cfeb2f9fde36215601657786424c558134aeb70b..8e380f85a3f79c217c0fc0fb59009e6e197bc64d 100644
--- a/interface/web/dns/lib/lang/se_dns_soa.lng
+++ b/interface/web/dns/lib/lang/se_dns_soa.lng
@@ -41,4 +41,5 @@ $wb['dnssec_wanted_info'] = 'When disabling DNSSEC keys are not going to be dele
 $wb['error_not_allowed_server_id'] = 'The selected server is not allowed for this account.';
 $wb['soa_cannot_be_changed_txt'] = 'Die Zone (SOA) kann nicht verändert werden. Bitte kontaktieren Sie ihren Administrator, um die Zone zu ändern.';
 $wb['configuration_error_txt'] = 'CONFIGURATION ERROR';
+$wb['dnssec_algo_txt'] = 'DNSSEC Algorithm';
 ?>
diff --git a/interface/web/dns/lib/lang/sk_dns_soa.lng b/interface/web/dns/lib/lang/sk_dns_soa.lng
index 79d49eee92d6136f143f0d8a477f66c2b5b3a663..c96399cc4ec4b433264bfa75e111d3b66334d467 100644
--- a/interface/web/dns/lib/lang/sk_dns_soa.lng
+++ b/interface/web/dns/lib/lang/sk_dns_soa.lng
@@ -41,4 +41,5 @@ $wb['dnssec_wanted_info'] = 'When disabling DNSSEC keys are not going to be dele
 $wb['error_not_allowed_server_id'] = 'The selected server is not allowed for this account.';
 $wb['soa_cannot_be_changed_txt'] = 'Die Zone (SOA) kann nicht verändert werden. Bitte kontaktieren Sie ihren Administrator, um die Zone zu ändern.';
 $wb['configuration_error_txt'] = 'CONFIGURATION ERROR';
+$wb['dnssec_algo_txt'] = 'DNSSEC Algorithm';
 ?>
diff --git a/interface/web/dns/lib/lang/tr_dns_soa.lng b/interface/web/dns/lib/lang/tr_dns_soa.lng
index fd39de04f5e9742c3717bb77a33e6d25908a1a16..e5d55678cbd42f76353d2923d1c5d252c9c6d81a 100644
--- a/interface/web/dns/lib/lang/tr_dns_soa.lng
+++ b/interface/web/dns/lib/lang/tr_dns_soa.lng
@@ -41,4 +41,5 @@ $wb['ttl_range_error'] = 'En düşük TTL süresi 60 saniyedir.';
 $wb['error_not_allowed_server_id'] = 'Seçilmiş sunucuda bu hesap kullanılamaz.';
 $wb['soa_cannot_be_changed_txt'] = 'Bölge (SOA) değiştirilemez. Lütfen bölgeyi değiştirmek için yöneticiniz ile görüşün.';
 $wb['configuration_error_txt'] = 'YAPILANDIRMA SORUNU';
+$wb['dnssec_algo_txt'] = 'DNSSEC Algorithm';
 ?>
diff --git a/interface/web/dns/templates/dns_soa_edit.htm b/interface/web/dns/templates/dns_soa_edit.htm index c34e8a341647dcb0972b7f784be7d3b26c8842a0..e16faac1aa5c4d9ea1641abb9f92ab70f631c5c4 100644 --- a/interface/web/dns/templates/dns_soa_edit.htm +++ b/interface/web/dns/templates/dns_soa_edit.htm @@ -136,6 +136,10 @@
{tmpl_var name='dnssec_wanted'}
({tmpl_var name='dnssec_wanted_info'})
+ +
+ +
{tmpl_var name='dnssec_algo'}
diff --git a/server/plugins-available/bind_plugin.inc.php b/server/plugins-available/bind_plugin.inc.php index d4b4a7c01c0516e582c1128c6180a6d3e6320aa1..e915f447ffa3755a90d819e61ef2a72555f47ad1 100644 --- a/server/plugins-available/bind_plugin.inc.php +++ b/server/plugins-available/bind_plugin.inc.php 
@@ -97,21 +97,31 @@ class bind_plugin { } //* Verify that we do not already have keys (overwriting-protection) - if (file_exists($dns_config['bind_zonefiles_dir'].'/dsset-'.$domain.'.')) { - return $this->soa_dnssec_update($data); - } else if ($data['new']['dnssec_initialized'] == 'Y') { //In case that we generated keys but the dsset-file was not generated - $keycount=0; - foreach (glob($dns_config['bind_zonefiles_dir'].'/K'.$domain.'*.key') as $keyfile) { - $keycount++; - } - if ($keycount > 0) { - $this->soa_dnssec_sign($data); - return true; + if($data['old']['dnssec_algo'] == $data['new']['dnssec_algo']) { + if (file_exists($dns_config['bind_zonefiles_dir'].'/dsset-'.$domain.'.')) { + return $this->soa_dnssec_update($data); + } else if ($data['new']['dnssec_initialized'] == 'Y') { //In case that we generated keys but the dsset-file was not generated + $keycount=0; + foreach (glob($dns_config['bind_zonefiles_dir'].'/K'.$domain.'*.key') as $keyfile) { + $keycount++; + } + if ($keycount > 0) { + $this->soa_dnssec_sign($data); + return true; + } } } - //Do some magic... 
- $app->system->exec_safe('cd ?; dnssec-keygen -a NSEC3RSASHA1 -b 2048 -n ZONE ?; dnssec-keygen -f KSK -a NSEC3RSASHA1 -b 4096 -n ZONE ?', $dns_config['bind_zonefiles_dir'], $domain, $domain); + // Get DNSSEC Algorithms + $dnssec_algo = explode(',',$data['new']['dnssec_algo']); + + //* Create the Zone Signing and Key Signing Keys + if(in_array('ECDSAP256SHA256',$dnssec_algo) && count(glob($dns_config['bind_zonefiles_dir'].'/K'.$domain.'.+013*.key')) == 0) { + $app->system->exec_safe('cd ?; dnssec-keygen -3 -a ECDSAP256SHA256 -n ZONE ?; dnssec-keygen -f KSK -3 -a ECDSAP256SHA256 -n ZONE ?', $dns_config['bind_zonefiles_dir'], $domain, $domain); + } + if(in_array('NSEC3RSASHA1',$dnssec_algo) && count(glob($dns_config['bind_zonefiles_dir'].'/K'.$domain.'.+007*.key')) == 0) { + $app->system->exec_safe('cd ?; dnssec-keygen -a NSEC3RSASHA1 -b 2048 -n ZONE ?; dnssec-keygen -f KSK -a NSEC3RSASHA1 -b 4096 -n ZONE ?', $dns_config['bind_zonefiles_dir'], $domain, $domain); + } $this->soa_dnssec_sign($data); //Now sign the zone for the first time $data['new']['dnssec_initialized']='Y'; 
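Review bot: When `$data['new']['dnssec_algo']` is empty or holds a name other than the two tested with `in_array()`, both keygen branches are skipped, yet the code still calls `soa_dnssec_sign($data)` and sets `dnssec_initialized` to 'Y', so the zone is marked as signed without any key having been generated. Filtering the list and bailing out early makes that state visible: `$dnssec_algo = array_intersect(explode(',',$data['new']['dnssec_algo']), array('ECDSAP256SHA256','NSEC3RSASHA1'));` then `if(empty($dnssec_algo)) { $app->log('DNSSEC: no supported algorithm selected for zone '.$domain, LOGLEVEL_WARN); return false; }`. The same empty value makes `$keycount_wanted` in the signing hunk below come out as 2, because `explode()` on an empty string returns one element. The callers visible in this diff ignore the return value, so `return false` is a guess at the method's convention; the method (presumably soa_dnssec_create) starts and ends outside the hunk.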
@@ -130,24 +140,53 @@ class bind_plugin { $domain = substr($data['new']['origin'], 0, strlen($data['new']['origin'])-1); if (!file_exists($dns_config['bind_zonefiles_dir'].'/'.$filespre.$domain)) return false; + //* Get DNSSEC Algorithms + $dnssec_algo = explode(',',$data['new']['dnssec_algo']); + + //* Get Zone file content $zonefile = file_get_contents($dns_config['bind_zonefiles_dir'].'/'.$filespre.$domain); $keycount=0; - foreach (glob($dns_config['bind_zonefiles_dir'].'/K'.$domain.'*.key') as $keyfile) { - $includeline = '$INCLUDE '.basename($keyfile); - if (!preg_match('@'.preg_quote($includeline).'@', $zonefile)) $zonefile .= "\n".$includeline."\n"; - $keycount++; + + //* Include ECDSAP256SHA256 keys in zone + if(in_array('ECDSAP256SHA256',$dnssec_algo)) { + foreach (glob($dns_config['bind_zonefiles_dir'].'/K'.$domain.'.+013*.key') as $keyfile) { + $includeline = '$INCLUDE '.basename($keyfile); + if (!preg_match('@'.preg_quote($includeline).'@', $zonefile)) $zonefile .= "\n".$includeline."\n"; + $keycount++; + } + } + + //* Include NSEC3RSASHA1 keys in zone + if(in_array('NSEC3RSASHA1',$dnssec_algo)) { + foreach (glob($dns_config['bind_zonefiles_dir'].'/K'.$domain.'.+007*.key') as $keyfile) { + $includeline = '$INCLUDE '.basename($keyfile); + if (!preg_match('@'.preg_quote($includeline).'@', $zonefile)) $zonefile .= "\n".$includeline."\n"; + $keycount++; + } } - if ($keycount != 2) $app->log('DNSSEC Warning: There are more or less than 2 keyfiles for zone '.$domain, LOGLEVEL_WARN); + + $keycount_wanted = count(explode(',',$data['new']['dnssec_algo']))*2; + + if ($keycount != $keycount_wanted) $app->log('DNSSEC Warning: There are more or less than 2 keyfiles for each algorithm for zone '.$domain.'. Found: '.$keycount. ' Expected: '.$keycount_wanted, LOGLEVEL_WARN); file_put_contents($dns_config['bind_zonefiles_dir'].'/'.$filespre.$domain, $zonefile); - //Sign the zone and set it valid for max. 16 days + //* Sign the zone and set it valid for max. 
16 days $app->system->exec_safe('cd ?; dnssec-signzone -A -e +1382400 -3 $(head -c 1000 /dev/random | sha1sum | cut -b 1-16) -N increment -o ? -t ?', $dns_config['bind_zonefiles_dir'], $domain, $filespre.$domain); - //Write Data back ino DB + //* Write Data back ino DB $dnssecdata = "DS-Records:\n".file_get_contents($dns_config['bind_zonefiles_dir'].'/dsset-'.$domain.'.'); $dnssecdata .= "\n------------------------------------\n\nDNSKEY-Records:\n"; - foreach (glob($dns_config['bind_zonefiles_dir'].'/K'.$domain.'*.key') as $keyfile) { - $dnssecdata .= file_get_contents($keyfile)."\n\n"; + + if(in_array('ECDSAP256SHA256',$dnssec_algo)) { + foreach (glob($dns_config['bind_zonefiles_dir'].'/K'.$domain.'.+013*.key') as $keyfile) { + $dnssecdata .= file_get_contents($keyfile)."\n\n"; + } + } + + if(in_array('NSEC3RSASHA1',$dnssec_algo)) { + foreach (glob($dns_config['bind_zonefiles_dir'].'/K'.$domain.'.+007*.key') as $keyfile) { + $dnssecdata .= file_get_contents($keyfile)."\n\n"; + } } if ($app->dbmaster !== $app->db) $app->dbmaster->query('UPDATE dns_soa SET dnssec_info=?, dnssec_initialized=\'Y\', dnssec_last_signed=? WHERE id=?', $dnssecdata, intval(time()), intval($data['new']['id'])); @@ -198,7 +237,10 @@ class bind_plugin { $domain = substr($data['new']['origin'], 0, strlen($data['new']['origin'])-1); - unlink($dns_config['bind_zonefiles_dir'].'/K'.$domain.'.+*'); + $key_files = glob($dns_config['bind_zonefiles_dir'].'/K'.$domain.'.+*'); + foreach($key_files as $file) { + unlink($file); + } unlink($dns_config['bind_zonefiles_dir'].'/'.$this->zone_file_prefix().$domain.'.signed'); unlink($dns_config['bind_zonefiles_dir'].'/dsset-'.$domain.'.'); 
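Review bot: Keys are now included per selected algorithm only, so an edit that swaps NSEC3RSASHA1 for ECDSAP256SHA256 in one step drops the old DNSKEYs from the zone at the next signing run while the DS record at the parent still refers to them; validating resolvers would treat the zone as bogus until the DS is replaced. The plugin cannot fix the parent side, but it can say so. I would add a comment above the two include blocks stating that both algorithms must stay selected until the new DS is published, and a warning when key files of a deselected algorithm are still present, e.g. `$app->log('DNSSEC: keys of a deselected algorithm still exist for zone '.$domain.', update the DS record at the parent', LOGLEVEL_WARN);`. Those leftover key files, private halves included, are also never removed by this path, which is worth a line in the same comment. The signing method (presumably soa_dnssec_sign) begins and ends outside the hunk.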
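Review bot: `glob()` returns false rather than an empty array on error, and the new `foreach($key_files as $file)` then emits a warning instead of being skipped; `$key_files = glob($dns_config['bind_zonefiles_dir'].'/K'.$domain.'.+*') ?: array();` avoids that. The pattern also matches the `.private` files, which is what a delete should do, and a short comment such as `// removes both .key and .private files of every algorithm` would keep a later edit from narrowing it to `*.key`. The enclosing method continues outside the hunk.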
@@ -308,12 +350,17 @@ class bind_plugin { if($data['old']['origin'] != $data['new']['origin']) { if (@$data['old']['dnssec_initialized'] == 'Y' && strlen(@$data['old']['origin']) > 3) $this->soa_dnssec_delete($data); //delete old keys if ($data['new']['dnssec_wanted'] == 'Y') $this->soa_dnssec_create($data); - } - else if ($data['new']['dnssec_wanted'] == 'Y' && $data['old']['dnssec_initialized'] == 'N') $this->soa_dnssec_create($data); - else if ($data['new']['dnssec_wanted'] == 'N' && $data['old']['dnssec_initialized'] == 'Y') { //delete old signed file if dnssec is no longer wanted + } elseif($data['old']['dnssec_algo'] != $data['new']['dnssec_algo']) { + $app->log("DNSSEC Algorithm has changed: ".$data['new']['dnssec_algo'], LOGLEVEL_DEBUG); + if ($data['new']['dnssec_wanted'] == 'Y') $this->soa_dnssec_create($data); + } elseif ($data['new']['dnssec_wanted'] == 'Y' && $data['old']['dnssec_initialized'] == 'N') { + $this->soa_dnssec_create($data); + } elseif ($data['new']['dnssec_wanted'] == 'N' && $data['old']['dnssec_initialized'] == 'Y') { //delete old signed file if dnssec is no longer wanted $filename = $dns_config['bind_zonefiles_dir'].'/' . $this->zone_file_prefix() . str_replace("/", "_", substr($data['old']['origin'], 0, -1)); if(is_file($filename.'.signed')) unlink($filename.'.signed'); - } else if ($data['new']['dnssec_wanted'] == 'Y') $this->soa_dnssec_update($data); + } elseif ($data['new']['dnssec_wanted'] == 'Y') { + $this->soa_dnssec_update($data); + } // END DNSSEC //* rebuild the named.conf file if the origin has changed or when the origin is inserted.
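Review bot: The new `elseif($data['old']['dnssec_algo'] != $data['new']['dnssec_algo'])` branch sits ahead of the `dnssec_wanted == 'N'` branch, so an edit that switches DNSSEC off and changes the algorithm in the same save only writes the debug log line and never reaches the `unlink($filename.'.signed')` cleanup. Folding the wanted check into the condition keeps the later branches reachable: `} elseif ($data['new']['dnssec_wanted'] == 'Y' && $data['old']['dnssec_algo'] != $data['new']['dnssec_algo']) {`. It is also worth confirming that `$data['old']['dnssec_algo']` is always set on this path, since the neighbouring lines guard other `old` keys with `@`. The enclosing method starts and ends outside the hunk.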