From 906eaa19b25f08df67f31aaf7045360bf578f5a3 Mon Sep 17 00:00:00 2001 From: Till Brehm Date: Tue, 4 Aug 2020 10:53:57 +0200 Subject: [PATCH 1/6] Implemented #4561: SHA256 (ECDSAP256SHA256) Algorithm for DNNSEC and Algorithm selector in DNS zone settings. --- .../sql/incremental/upd_dev_collection.sql | 4 ++++ install/sql/ispconfig3.sql | 3 ++- interface/web/dns/dns_wizard.php | 5 ++++- interface/web/dns/form/dns_soa.tform.php | 8 ++++++++ interface/web/dns/lib/lang/ar_dns_soa.lng | 1 + interface/web/dns/lib/lang/bg_dns_soa.lng | 1 + interface/web/dns/lib/lang/br_dns_soa.lng | 1 + interface/web/dns/lib/lang/ca_dns_soa.lng | 1 + interface/web/dns/lib/lang/cz_dns_soa.lng | 1 + interface/web/dns/lib/lang/de_dns_soa.lng | 1 + interface/web/dns/lib/lang/dk_dns_soa.lng | 1 + interface/web/dns/lib/lang/el_dns_soa.lng | 1 + interface/web/dns/lib/lang/en_dns_soa.lng | 1 + interface/web/dns/lib/lang/es_dns_soa.lng | 1 + interface/web/dns/lib/lang/fi_dns_soa.lng | 1 + interface/web/dns/lib/lang/fr_dns_soa.lng | 1 + interface/web/dns/lib/lang/hr_dns_soa.lng | 1 + interface/web/dns/lib/lang/hu_dns_soa.lng | 1 + interface/web/dns/lib/lang/id_dns_soa.lng | 1 + interface/web/dns/lib/lang/it_dns_soa.lng | 1 + interface/web/dns/lib/lang/ja_dns_soa.lng | 1 + interface/web/dns/lib/lang/nl_dns_soa.lng | 1 + interface/web/dns/lib/lang/pl_dns_soa.lng | 1 + interface/web/dns/lib/lang/pt_dns_soa.lng | 1 + interface/web/dns/lib/lang/ro_dns_soa.lng | 1 + interface/web/dns/lib/lang/ru_dns_soa.lng | 1 + interface/web/dns/lib/lang/se_dns_soa.lng | 1 + interface/web/dns/lib/lang/sk_dns_soa.lng | 1 + interface/web/dns/lib/lang/tr_dns_soa.lng | 1 + interface/web/dns/templates/dns_soa_edit.htm | 6 ++++++ server/plugins-available/bind_plugin.inc.php | 20 ++++++++++++------- 31 files changed, 62 insertions(+), 9 deletions(-) diff --git a/install/sql/incremental/upd_dev_collection.sql b/install/sql/incremental/upd_dev_collection.sql index 1deb605028..3f03599e95 100644 
--- a/install/sql/incremental/upd_dev_collection.sql +++ b/install/sql/incremental/upd_dev_collection.sql @@ -65,3 +65,7 @@ ALTER TABLE `client` CHANGE `id_rsa` `id_rsa` TEXT CHARACTER SET utf8 COLLATE ut ALTER TABLE `directive_snippets` ADD `update_sites` ENUM('y','n') NOT NULL DEFAULT 'n' ; +-- Add DNSSEC Algorithm setting +ALTER TABLE `dns_soa` ADD `dnssec_algo` ENUM('sha1','sha256') NULL DEFAULT NULL AFTER `dnssec_wanted`; +UPDATE `dns_soa` SET `dnssec_algo` = 'sha1' WHERE `dnssec_algo` IS NULL; +ALTER TABLE `dns_soa` CHANGE `dnssec_algo` `dnssec_algo` ENUM('sha1','sha256') CHARACTER SET utf8 COLLATE utf8_general_ci NOT NULL DEFAULT 'sha256'; diff --git a/install/sql/ispconfig3.sql b/install/sql/ispconfig3.sql index edd4dd5049..76e9f152bd 100644 --- a/install/sql/ispconfig3.sql +++ b/install/sql/ispconfig3.sql @@ -626,6 +626,7 @@ CREATE TABLE `dns_soa` ( `update_acl` varchar(255) default NULL, `dnssec_initialized` ENUM('Y','N') NOT NULL DEFAULT 'N', `dnssec_wanted` ENUM('Y','N') NOT NULL DEFAULT 'N', + `dnssec_algo` ENUM('sha1','sha256') NOT NULL DEFAULT 'sha256', `dnssec_last_signed` BIGINT NOT NULL DEFAULT '0', `dnssec_info` TEXT NULL, PRIMARY KEY (`id`), 
@@ -2501,7 +2502,7 @@ INSERT INTO `country` (`iso`, `name`, `printable_name`, `iso3`, `numcode`, `eu`) -- Dumping data for table `dns_template` -- -INSERT INTO `dns_template` (`template_id`, `sys_userid`, `sys_groupid`, `sys_perm_user`, `sys_perm_group`, `sys_perm_other`, `name`, `fields`, `template`, `visible`) VALUES (1, 1, 1, 'riud', 'riud', '', 'Default', 'DOMAIN,IP,NS1,NS2,EMAIL,DKIM,DNSSEC', '[ZONE]\norigin={DOMAIN}.\nns={NS1}.\nmbox={EMAIL}.\nrefresh=7200\nretry=540\nexpire=604800\nminimum=3600\nttl=3600\n\n[DNS_RECORDS]\nA|{DOMAIN}.|{IP}|0|3600\nA|www|{IP}|0|3600\nA|mail|{IP}|0|3600\nNS|{DOMAIN}.|{NS1}.|0|3600\nNS|{DOMAIN}.|{NS2}.|0|3600\nMX|{DOMAIN}.|mail.{DOMAIN}.|10|3600\nTXT|{DOMAIN}.|v=spf1 mx a ~all|0|3600', 'y'); +INSERT INTO `dns_template` (`template_id`, `sys_userid`, `sys_groupid`, `sys_perm_user`, `sys_perm_group`, `sys_perm_other`, `name`, `fields`, `template`, `visible`) VALUES (1, 1, 1, 'riud', 'riud', '', 'Default', 'DOMAIN,IP,NS1,NS2,EMAIL,DKIM,DNSSEC', '[ZONE]\norigin={DOMAIN}.\nns={NS1}.\nmbox={EMAIL}.\nrefresh=7200\nretry=540\nexpire=604800\nminimum=3600\nttl=3600\ndnssec_algo=sha256\n\n[DNS_RECORDS]\nA|{DOMAIN}.|{IP}|0|3600\nA|www|{IP}|0|3600\nA|mail|{IP}|0|3600\nNS|{DOMAIN}.|{NS1}.|0|3600\nNS|{DOMAIN}.|{NS2}.|0|3600\nMX|{DOMAIN}.|mail.{DOMAIN}.|10|3600\nTXT|{DOMAIN}.|v=spf1 mx a ~all|0|3600', 'y'); -- -------------------------------------------------------- diff --git a/interface/web/dns/dns_wizard.php b/interface/web/dns/dns_wizard.php index 91b2307dc5..121d3c81c3 100644 --- a/interface/web/dns/dns_wizard.php +++ b/interface/web/dns/dns_wizard.php @@ -339,6 +339,7 @@ if($_POST['create'] == 1) { $section = ''; $vars = array(); $vars['xfer']=''; + $vars['dnssec_algo']='sha256'; $dns_rr = array(); foreach($tpl_rows as $row) { $row = trim($row); 
@@ -398,6 +399,7 @@ if($_POST['create'] == 1) { $xfer = $vars['xfer']; $also_notify = $vars['also_notify']; $update_acl = $vars['update_acl']; + $dnssec_algo = $vars['dnssec_algo']; $serial = $app->validate_dns->increase_serial(0); $insert_data = array( @@ -420,7 +422,8 @@ if($_POST['create'] == 1) { "xfer" => $xfer, "also_notify" => $also_notify, "update_acl" => $update_acl, - "dnssec_wanted" => $enable_dnssec + "dnssec_wanted" => $enable_dnssec, + "dnssec_algo" => $dnssec_algo ); $dns_soa_id = $app->db->datalogInsert('dns_soa', $insert_data, 'id'); if($dns_soa_id > 0) $app->plugin->raiseEvent('dns:wizard:on_after_insert', $dns_soa_id); diff --git a/interface/web/dns/form/dns_soa.tform.php b/interface/web/dns/form/dns_soa.tform.php index cf0d143916..3d86e07f37 100644 --- a/interface/web/dns/form/dns_soa.tform.php +++ b/interface/web/dns/form/dns_soa.tform.php @@ -276,6 +276,14 @@ $form["tabs"]['dns_soa'] = array ( 'default' => 'Y', 'value' => array(0 => 'N', 1 => 'Y') ), + 'dnssec_algo' => array ( + 'datatype' => 'VARCHAR', + 'formtype' => 'SELECT', + 'default' => 'sha256', + 'value' => array('sha1' => 'SHA1','sha256' => 'SHA256'), + 'width' => '30', + 'maxlength' => '255' + ), 'dnssec_info' => array ( 'datatype' => 'TEXT', 'formtype' => 'TEXTAREA', diff --git a/interface/web/dns/lib/lang/ar_dns_soa.lng b/interface/web/dns/lib/lang/ar_dns_soa.lng index c9721cebc0..8c13c59e8e 100644 --- a/interface/web/dns/lib/lang/ar_dns_soa.lng +++ b/interface/web/dns/lib/lang/ar_dns_soa.lng @@ -41,4 +41,5 @@ $wb['dnssec_wanted_info'] = 'When disabling DNSSEC keys are not going to be dele $wb['error_not_allowed_server_id'] = 'The selected server is not allowed for this account.'; $wb['soa_cannot_be_changed_txt'] = 'Die Zone (SOA) kann nicht verändert werden. Bitte kontaktieren Sie ihren Administrator, um die Zone zu ändern.'; $wb['configuration_error_txt'] = 'CONFIGURATION ERROR'; +$wb['dnssec_algo_txt'] = 'DNSSEC Algorithm'; ?> 
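Review bot: `$dnssec_algo = $vars['dnssec_algo'];` copies whatever the DNS template's `dnssec_algo=` line says into the `dns_soa` insert without checking it against the two values the form accepts, so a typo or an unexpected value in a template reaches the database (and, depending on the SQL mode, may be stored in the ENUM as an empty string), after which the server plugin in this same patch treats anything that is not `sha256` as SHA-1. Normalise the value before the insert, e.g. `if(!in_array($vars['dnssec_algo'], array('sha1', 'sha256'), true)) $vars['dnssec_algo'] = 'sha256';` right after the template-parsing loop, or reject the template with an error. The `if($_POST['create'] == 1)` block this runs in starts and ends outside the hunk.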
diff --git a/interface/web/dns/lib/lang/bg_dns_soa.lng b/interface/web/dns/lib/lang/bg_dns_soa.lng index 151e3ead11..9e9e8bf3f5 100644 --- a/interface/web/dns/lib/lang/bg_dns_soa.lng +++ b/interface/web/dns/lib/lang/bg_dns_soa.lng @@ -41,4 +41,5 @@ $wb['dnssec_wanted_info'] = 'When disabling DNSSEC keys are not going to be dele $wb['error_not_allowed_server_id'] = 'The selected server is not allowed for this account.'; $wb['soa_cannot_be_changed_txt'] = 'Die Zone (SOA) kann nicht verändert werden. Bitte kontaktieren Sie ihren Administrator, um die Zone zu ändern.'; $wb['configuration_error_txt'] = 'CONFIGURATION ERROR'; +$wb['dnssec_algo_txt'] = 'DNSSEC Algorithm'; ?> diff --git a/interface/web/dns/lib/lang/br_dns_soa.lng b/interface/web/dns/lib/lang/br_dns_soa.lng index f5385c4706..f1cb453e99 100644 --- a/interface/web/dns/lib/lang/br_dns_soa.lng +++ b/interface/web/dns/lib/lang/br_dns_soa.lng @@ -41,4 +41,5 @@ $wb['ttl_range_error'] = 'Intervalo mínimo do TTL são 60 segundos.'; $wb['error_not_allowed_server_id'] = 'O servidor selecionado não é permitido para esta conta.'; $wb['soa_cannot_be_changed_txt'] = 'A zona (SOA) não pode ser alterada. Por favor, contate o administrador se deseja alterar esta zona.'; $wb['configuration_error_txt'] = 'ERRO DE CONFIGURAÇÃO'; +$wb['dnssec_algo_txt'] = 'DNSSEC Algorithm'; ?> diff --git a/interface/web/dns/lib/lang/ca_dns_soa.lng b/interface/web/dns/lib/lang/ca_dns_soa.lng index 0b6759f073..ee2fdb07b6 100644 --- a/interface/web/dns/lib/lang/ca_dns_soa.lng +++ b/interface/web/dns/lib/lang/ca_dns_soa.lng 
@@ -41,4 +41,5 @@ $wb['dnssec_wanted_info'] = 'When disabling DNSSEC keys are not going to be dele $wb['error_not_allowed_server_id'] = 'The selected server is not allowed for this account.'; $wb['soa_cannot_be_changed_txt'] = 'Die Zone (SOA) kann nicht verändert werden. Bitte kontaktieren Sie ihren Administrator, um die Zone zu ändern.'; $wb['configuration_error_txt'] = 'CONFIGURATION ERROR'; +$wb['dnssec_algo_txt'] = 'DNSSEC Algorithm'; ?> diff --git a/interface/web/dns/lib/lang/cz_dns_soa.lng b/interface/web/dns/lib/lang/cz_dns_soa.lng index cb35f0ef3b..ba6b2d4b52 100644 --- a/interface/web/dns/lib/lang/cz_dns_soa.lng +++ b/interface/web/dns/lib/lang/cz_dns_soa.lng @@ -41,4 +41,5 @@ $wb['dnssec_wanted_info'] = 'Když deaktivujete DNSSEC klíče nebudou odstraně $wb['error_not_allowed_server_id'] = 'Vybraný server není pro tento účet povolen.'; $wb['soa_cannot_be_changed_txt'] = 'Die Zone (SOA) kann nicht verändert werden. Bitte kontaktieren Sie ihren Administrator, um die Zone zu ändern.'; $wb['configuration_error_txt'] = 'CONFIGURATION ERROR'; +$wb['dnssec_algo_txt'] = 'DNSSEC Algorithm'; ?> diff --git a/interface/web/dns/lib/lang/de_dns_soa.lng b/interface/web/dns/lib/lang/de_dns_soa.lng index 76d139391d..14897b24e4 100644 --- a/interface/web/dns/lib/lang/de_dns_soa.lng +++ b/interface/web/dns/lib/lang/de_dns_soa.lng @@ -41,4 +41,5 @@ $wb['xfer_error_regex'] = 'Zonentransfer: Verwenden Sie eine oder mehrere durch $wb['soa_cannot_be_changed_txt'] = 'Die Zone (SOA) kann nicht verändert werden. Bitte kontaktieren Sie ihren Administrator, um die Zone zu ändern.'; $wb['error_not_allowed_server_id'] = 'The selected server is not allowed for this account.'; $wb['configuration_error_txt'] = 'CONFIGURATION ERROR'; +$wb['dnssec_algo_txt'] = 'DNSSEC Algorithmus'; ?> diff --git a/interface/web/dns/lib/lang/dk_dns_soa.lng b/interface/web/dns/lib/lang/dk_dns_soa.lng index 6a3d71d973..a4ff50f14f 100644 --- a/interface/web/dns/lib/lang/dk_dns_soa.lng 
+++ b/interface/web/dns/lib/lang/dk_dns_soa.lng @@ -41,4 +41,5 @@ $wb['dnssec_wanted_info'] = 'When disabling DNSSEC keys are not going to be dele $wb['error_not_allowed_server_id'] = 'The selected server is not allowed for this account.'; $wb['soa_cannot_be_changed_txt'] = 'The Zone (SOA) can not be changed. Please contact your administrator to change the zone.'; $wb['configuration_error_txt'] = 'CONFIGURATION ERROR'; +$wb['dnssec_algo_txt'] = 'DNSSEC Algorithm'; ?> diff --git a/interface/web/dns/lib/lang/el_dns_soa.lng b/interface/web/dns/lib/lang/el_dns_soa.lng index 4d8c876d28..aae62bef76 100644 --- a/interface/web/dns/lib/lang/el_dns_soa.lng +++ b/interface/web/dns/lib/lang/el_dns_soa.lng @@ -41,4 +41,5 @@ $wb['dnssec_wanted_info'] = 'When disabling DNSSEC keys are not going to be dele $wb['error_not_allowed_server_id'] = 'The selected server is not allowed for this account.'; $wb['soa_cannot_be_changed_txt'] = 'Die Zone (SOA) kann nicht verändert werden. Bitte kontaktieren Sie ihren Administrator, um die Zone zu ändern.'; $wb['configuration_error_txt'] = 'CONFIGURATION ERROR'; +$wb['dnssec_algo_txt'] = 'DNSSEC Algorithm'; ?> diff --git a/interface/web/dns/lib/lang/en_dns_soa.lng b/interface/web/dns/lib/lang/en_dns_soa.lng index 1729a4d0cb..7d130b34b0 100644 --- a/interface/web/dns/lib/lang/en_dns_soa.lng +++ b/interface/web/dns/lib/lang/en_dns_soa.lng @@ -41,4 +41,5 @@ $wb['ttl_range_error'] = 'Min. TTL time is 60 seconds.'; $wb['error_not_allowed_server_id'] = 'The selected server is not allowed for this account.'; $wb['soa_cannot_be_changed_txt'] = 'The Zone (SOA) can not be changed. Please contact your administrator to change the zone.'; $wb['configuration_error_txt'] = 'CONFIGURATION ERROR'; +$wb['dnssec_algo_txt'] = 'DNSSEC Algorithm'; ?> diff --git a/interface/web/dns/lib/lang/es_dns_soa.lng b/interface/web/dns/lib/lang/es_dns_soa.lng index 23f4cc5ffc..b1484e749a 100644 --- a/interface/web/dns/lib/lang/es_dns_soa.lng 
+++ b/interface/web/dns/lib/lang/es_dns_soa.lng @@ -41,4 +41,5 @@ $wb['update_acl_txt'] = 'Actualizar ACL'; $wb['xfer_error_regex'] = 'Notificar también a: Por favor, usa una dirección IP.'; $wb['xfer_txt'] = 'Permitir transferencia de zonas a
estas IP (lista separada por comas)'; $wb['configuration_error_txt'] = 'CONFIGURATION ERROR'; +$wb['dnssec_algo_txt'] = 'DNSSEC Algorithm'; ?> diff --git a/interface/web/dns/lib/lang/fi_dns_soa.lng b/interface/web/dns/lib/lang/fi_dns_soa.lng index 3e10625967..b34b2893fd 100644 --- a/interface/web/dns/lib/lang/fi_dns_soa.lng +++ b/interface/web/dns/lib/lang/fi_dns_soa.lng @@ -41,4 +41,5 @@ $wb['dnssec_wanted_info'] = 'When disabling DNSSEC keys are not going to be dele $wb['error_not_allowed_server_id'] = 'The selected server is not allowed for this account.'; $wb['soa_cannot_be_changed_txt'] = 'Die Zone (SOA) kann nicht verändert werden. Bitte kontaktieren Sie ihren Administrator, um die Zone zu ändern.'; $wb['configuration_error_txt'] = 'CONFIGURATION ERROR'; +$wb['dnssec_algo_txt'] = 'DNSSEC Algorithm'; ?> diff --git a/interface/web/dns/lib/lang/fr_dns_soa.lng b/interface/web/dns/lib/lang/fr_dns_soa.lng index da63faadbd..d2449c323e 100644 --- a/interface/web/dns/lib/lang/fr_dns_soa.lng +++ b/interface/web/dns/lib/lang/fr_dns_soa.lng @@ -41,4 +41,5 @@ $wb['dnssec_wanted_info'] = 'When disabling DNSSEC keys are not going to be dele $wb['error_not_allowed_server_id'] = 'The selected server is not allowed for this account.'; $wb['soa_cannot_be_changed_txt'] = 'Die Zone (SOA) kann nicht verändert werden. Bitte kontaktieren Sie ihren Administrator, um die Zone zu ändern.'; $wb['configuration_error_txt'] = 'CONFIGURATION ERROR'; +$wb['dnssec_algo_txt'] = 'DNSSEC Algorithm'; ?> diff --git a/interface/web/dns/lib/lang/hr_dns_soa.lng b/interface/web/dns/lib/lang/hr_dns_soa.lng index b4a9f2f9b0..d738ff1e18 100644 --- a/interface/web/dns/lib/lang/hr_dns_soa.lng +++ b/interface/web/dns/lib/lang/hr_dns_soa.lng 
@@ -41,4 +41,5 @@ $wb['dnssec_wanted_info'] = 'When disabling DNSSEC keys are not going to be dele $wb['error_not_allowed_server_id'] = 'The selected server is not allowed for this account.'; $wb['soa_cannot_be_changed_txt'] = 'Die Zone (SOA) kann nicht verändert werden. Bitte kontaktieren Sie ihren Administrator, um die Zone zu ändern.'; $wb['configuration_error_txt'] = 'CONFIGURATION ERROR'; +$wb['dnssec_algo_txt'] = 'DNSSEC Algorithm'; ?> diff --git a/interface/web/dns/lib/lang/hu_dns_soa.lng b/interface/web/dns/lib/lang/hu_dns_soa.lng index 4019614088..445de86d69 100644 --- a/interface/web/dns/lib/lang/hu_dns_soa.lng +++ b/interface/web/dns/lib/lang/hu_dns_soa.lng @@ -41,4 +41,5 @@ $wb['dnssec_wanted_info'] = 'When disabling DNSSEC keys are not going to be dele $wb['error_not_allowed_server_id'] = 'The selected server is not allowed for this account.'; $wb['soa_cannot_be_changed_txt'] = 'Die Zone (SOA) kann nicht verändert werden. Bitte kontaktieren Sie ihren Administrator, um die Zone zu ändern.'; $wb['configuration_error_txt'] = 'CONFIGURATION ERROR'; +$wb['dnssec_algo_txt'] = 'DNSSEC Algorithm'; ?> diff --git a/interface/web/dns/lib/lang/id_dns_soa.lng b/interface/web/dns/lib/lang/id_dns_soa.lng index c42890b71c..c9a43ad057 100644 --- a/interface/web/dns/lib/lang/id_dns_soa.lng +++ b/interface/web/dns/lib/lang/id_dns_soa.lng @@ -41,4 +41,5 @@ $wb['dnssec_wanted_info'] = 'When disabling DNSSEC keys are not going to be dele $wb['error_not_allowed_server_id'] = 'The selected server is not allowed for this account.'; $wb['soa_cannot_be_changed_txt'] = 'Die Zone (SOA) kann nicht verändert werden. Bitte kontaktieren Sie ihren Administrator, um die Zone zu ändern.'; $wb['configuration_error_txt'] = 'CONFIGURATION ERROR'; +$wb['dnssec_algo_txt'] = 'DNSSEC Algorithm'; ?> diff --git a/interface/web/dns/lib/lang/it_dns_soa.lng b/interface/web/dns/lib/lang/it_dns_soa.lng index 7ca3cb1cb1..714c6c7056 100644 --- a/interface/web/dns/lib/lang/it_dns_soa.lng 
+++ b/interface/web/dns/lib/lang/it_dns_soa.lng @@ -41,4 +41,5 @@ $wb['dnssec_wanted_info'] = 'When disabling DNSSEC keys are not going to be dele $wb['error_not_allowed_server_id'] = 'The selected server is not allowed for this account.'; $wb['soa_cannot_be_changed_txt'] = 'Die Zone (SOA) kann nicht verändert werden. Bitte kontaktieren Sie ihren Administrator, um die Zone zu ändern.'; $wb['configuration_error_txt'] = 'CONFIGURATION ERROR'; +$wb['dnssec_algo_txt'] = 'DNSSEC Algorithm'; ?> diff --git a/interface/web/dns/lib/lang/ja_dns_soa.lng b/interface/web/dns/lib/lang/ja_dns_soa.lng index 3964f3fcdb..7ab5799750 100644 --- a/interface/web/dns/lib/lang/ja_dns_soa.lng +++ b/interface/web/dns/lib/lang/ja_dns_soa.lng @@ -41,4 +41,5 @@ $wb['dnssec_wanted_info'] = 'When disabling DNSSEC keys are not going to be dele $wb['error_not_allowed_server_id'] = 'The selected server is not allowed for this account.'; $wb['soa_cannot_be_changed_txt'] = 'Die Zone (SOA) kann nicht verändert werden. Bitte kontaktieren Sie ihren Administrator, um die Zone zu ändern.'; $wb['configuration_error_txt'] = 'CONFIGURATION ERROR'; +$wb['dnssec_algo_txt'] = 'DNSSEC Algorithm'; ?> diff --git a/interface/web/dns/lib/lang/nl_dns_soa.lng b/interface/web/dns/lib/lang/nl_dns_soa.lng index 121339c00c..1f875df3c9 100644 --- a/interface/web/dns/lib/lang/nl_dns_soa.lng +++ b/interface/web/dns/lib/lang/nl_dns_soa.lng @@ -41,4 +41,5 @@ $wb['dnssec_wanted_info'] = 'When disabling DNSSEC keys are not going to be dele $wb['error_not_allowed_server_id'] = 'The selected server is not allowed for this account.'; $wb['soa_cannot_be_changed_txt'] = 'Die Zone (SOA) kann nicht verändert werden. Bitte kontaktieren Sie ihren Administrator, um die Zone zu ändern.'; $wb['configuration_error_txt'] = 'CONFIGURATION ERROR'; +$wb['dnssec_algo_txt'] = 'DNSSEC Algorithm'; ?> diff --git a/interface/web/dns/lib/lang/pl_dns_soa.lng b/interface/web/dns/lib/lang/pl_dns_soa.lng index 1724c4c141..7502a59237 100644 
--- a/interface/web/dns/lib/lang/pl_dns_soa.lng +++ b/interface/web/dns/lib/lang/pl_dns_soa.lng @@ -41,4 +41,5 @@ $wb['dnssec_wanted_info'] = 'When disabling DNSSEC keys are not going to be dele $wb['error_not_allowed_server_id'] = 'The selected server is not allowed for this account.'; $wb['soa_cannot_be_changed_txt'] = 'Die Zone (SOA) kann nicht verändert werden. Bitte kontaktieren Sie ihren Administrator, um die Zone zu ändern.'; $wb['configuration_error_txt'] = 'CONFIGURATION ERROR'; +$wb['dnssec_algo_txt'] = 'DNSSEC Algorithm'; ?> diff --git a/interface/web/dns/lib/lang/pt_dns_soa.lng b/interface/web/dns/lib/lang/pt_dns_soa.lng index bdcc1660ff..7b6ac864a1 100644 --- a/interface/web/dns/lib/lang/pt_dns_soa.lng +++ b/interface/web/dns/lib/lang/pt_dns_soa.lng @@ -41,4 +41,5 @@ $wb['dnssec_wanted_info'] = 'When disabling DNSSEC keys are not going to be dele $wb['error_not_allowed_server_id'] = 'The selected server is not allowed for this account.'; $wb['soa_cannot_be_changed_txt'] = 'Die Zone (SOA) kann nicht verändert werden. Bitte kontaktieren Sie ihren Administrator, um die Zone zu ändern.'; $wb['configuration_error_txt'] = 'CONFIGURATION ERROR'; +$wb['dnssec_algo_txt'] = 'DNSSEC Algorithm'; ?> diff --git a/interface/web/dns/lib/lang/ro_dns_soa.lng b/interface/web/dns/lib/lang/ro_dns_soa.lng index 40607318f7..9ae957f240 100644 --- a/interface/web/dns/lib/lang/ro_dns_soa.lng +++ b/interface/web/dns/lib/lang/ro_dns_soa.lng @@ -41,4 +41,5 @@ $wb['dnssec_wanted_info'] = 'When disabling DNSSEC keys are not going to be dele $wb['error_not_allowed_server_id'] = 'The selected server is not allowed for this account.'; $wb['soa_cannot_be_changed_txt'] = 'Die Zone (SOA) kann nicht verändert werden. Bitte kontaktieren Sie ihren Administrator, um die Zone zu ändern.'; $wb['configuration_error_txt'] = 'CONFIGURATION ERROR'; +$wb['dnssec_algo_txt'] = 'DNSSEC Algorithm'; ?> 
diff --git a/interface/web/dns/lib/lang/ru_dns_soa.lng b/interface/web/dns/lib/lang/ru_dns_soa.lng index 7bd15cd638..f6043010d4 100644 --- a/interface/web/dns/lib/lang/ru_dns_soa.lng +++ b/interface/web/dns/lib/lang/ru_dns_soa.lng @@ -41,4 +41,5 @@ $wb['dnssec_wanted_info'] = 'При отключении DNSSEC ключи не $wb['error_not_allowed_server_id'] = 'Выбранный сервер не доступен для этой учетной записи.'; $wb['soa_cannot_be_changed_txt'] = 'Зона (SOA) не может быть изменена. Пожалуйста, обратитесь к администратору, чтобы изменить зону.'; $wb['configuration_error_txt'] = 'ОШИБКА КОНФИГУРАЦИИ'; +$wb['dnssec_algo_txt'] = 'DNSSEC Algorithm'; ?> diff --git a/interface/web/dns/lib/lang/se_dns_soa.lng b/interface/web/dns/lib/lang/se_dns_soa.lng index cfeb2f9fde..8e380f85a3 100644 --- a/interface/web/dns/lib/lang/se_dns_soa.lng +++ b/interface/web/dns/lib/lang/se_dns_soa.lng @@ -41,4 +41,5 @@ $wb['dnssec_wanted_info'] = 'When disabling DNSSEC keys are not going to be dele $wb['error_not_allowed_server_id'] = 'The selected server is not allowed for this account.'; $wb['soa_cannot_be_changed_txt'] = 'Die Zone (SOA) kann nicht verändert werden. Bitte kontaktieren Sie ihren Administrator, um die Zone zu ändern.'; $wb['configuration_error_txt'] = 'CONFIGURATION ERROR'; +$wb['dnssec_algo_txt'] = 'DNSSEC Algorithm'; ?> diff --git a/interface/web/dns/lib/lang/sk_dns_soa.lng b/interface/web/dns/lib/lang/sk_dns_soa.lng index 79d49eee92..c96399cc4e 100644 --- a/interface/web/dns/lib/lang/sk_dns_soa.lng +++ b/interface/web/dns/lib/lang/sk_dns_soa.lng @@ -41,4 +41,5 @@ $wb['dnssec_wanted_info'] = 'When disabling DNSSEC keys are not going to be dele $wb['error_not_allowed_server_id'] = 'The selected server is not allowed for this account.'; $wb['soa_cannot_be_changed_txt'] = 'Die Zone (SOA) kann nicht verändert werden. Bitte kontaktieren Sie ihren Administrator, um die Zone zu ändern.'; $wb['configuration_error_txt'] = 'CONFIGURATION ERROR'; +$wb['dnssec_algo_txt'] = 'DNSSEC Algorithm'; ?> 
diff --git a/interface/web/dns/lib/lang/tr_dns_soa.lng b/interface/web/dns/lib/lang/tr_dns_soa.lng index fd39de04f5..e5d55678cb 100644 --- a/interface/web/dns/lib/lang/tr_dns_soa.lng +++ b/interface/web/dns/lib/lang/tr_dns_soa.lng @@ -41,4 +41,5 @@ $wb['ttl_range_error'] = 'En düşük TTL süresi 60 saniyedir.'; $wb['error_not_allowed_server_id'] = 'Seçilmiş sunucuda bu hesap kullanılamaz.'; $wb['soa_cannot_be_changed_txt'] = 'Bölge (SOA) değiştirilemez. Lütfen bölgeyi değiştirmek için yöneticiniz ile görüşün.'; $wb['configuration_error_txt'] = 'YAPILANDIRMA SORUNU'; +$wb['dnssec_algo_txt'] = 'DNSSEC Algorithm'; ?> diff --git a/interface/web/dns/templates/dns_soa_edit.htm b/interface/web/dns/templates/dns_soa_edit.htm index c34e8a3416..a29d6d3cea 100644 --- a/interface/web/dns/templates/dns_soa_edit.htm +++ b/interface/web/dns/templates/dns_soa_edit.htm @@ -136,6 +136,12 @@
{tmpl_var name='dnssec_wanted'}
({tmpl_var name='dnssec_wanted_info'})
+ +
+ +
diff --git a/server/plugins-available/bind_plugin.inc.php b/server/plugins-available/bind_plugin.inc.php index d4b4a7c01c..20eeb28ad7 100644 --- a/server/plugins-available/bind_plugin.inc.php +++ b/server/plugins-available/bind_plugin.inc.php @@ -111,7 +111,11 @@ class bind_plugin { } //Do some magic... - $app->system->exec_safe('cd ?; dnssec-keygen -a NSEC3RSASHA1 -b 2048 -n ZONE ?; dnssec-keygen -f KSK -a NSEC3RSASHA1 -b 4096 -n ZONE ?', $dns_config['bind_zonefiles_dir'], $domain, $domain); + if($data['new']['dnssec_algo'] == 'sha256') { + $app->system->exec_safe('cd ?; dnssec-keygen -3 -a ECDSAP256SHA256 -n ZONE ?; dnssec-keygen -f KSK -3 -a ECDSAP256SHA256 -n ZONE ?', $dns_config['bind_zonefiles_dir'], $domain, $domain); + } else { + $app->system->exec_safe('cd ?; dnssec-keygen -a NSEC3RSASHA1 -b 2048 -n ZONE ?; dnssec-keygen -f KSK -a NSEC3RSASHA1 -b 4096 -n ZONE ?', $dns_config['bind_zonefiles_dir'], $domain, $domain); + } $this->soa_dnssec_sign($data); //Now sign the zone for the first time $data['new']['dnssec_initialized']='Y'; 
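Review bot: The `else` branch makes NSEC3RSASHA1 the fallback for every `dnssec_algo` value other than `sha256`, including an empty or unexpected one, so a zone whose algorithm field was never set or was stored mangled silently gets SHA-1 keys instead of failing loudly; the `soa_dnssec_sign()` call and the `dnssec_initialized='Y'` update on the following context lines then mark it as signed. Make the legacy choice explicit and refuse anything else, as sketched below, so that no key generation means no signing. NSEC3RSASHA1 (algorithm 7) is SHA-1 based and not recommended for new signatures, so a short deprecation comment on that branch would help operators as well. The enclosing method (presumably `soa_dnssec_create()`, which the second hunk calls) starts before the hunk.
```php
// … unchanged: code before the key generation …
if($data['new']['dnssec_algo'] == 'sha256') {
    $app->system->exec_safe('cd ?; dnssec-keygen -3 -a ECDSAP256SHA256 -n ZONE ?; dnssec-keygen -f KSK -3 -a ECDSAP256SHA256 -n ZONE ?', $dns_config['bind_zonefiles_dir'], $domain, $domain);
} elseif($data['new']['dnssec_algo'] == 'sha1') {
    // Legacy: NSEC3RSASHA1 (algorithm 7) is SHA-1 based; keep it only for zones that already use it.
    $app->system->exec_safe('cd ?; dnssec-keygen -a NSEC3RSASHA1 -b 2048 -n ZONE ?; dnssec-keygen -f KSK -a NSEC3RSASHA1 -b 4096 -n ZONE ?', $dns_config['bind_zonefiles_dir'], $domain, $domain);
} else {
    // Never fall back to a weaker algorithm silently: leave the zone unsigned and report it.
    $app->log('DNSSEC: unknown algorithm "'.$data['new']['dnssec_algo'].'" for zone '.$domain.', no keys generated', LOGLEVEL_WARN);
    return;
}
// … unchanged: soa_dnssec_sign() and the dnssec_initialized='Y' update …
```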
@@ -305,15 +309,17 @@ class bind_plugin { } //* DNSSEC-Implementation - if($data['old']['origin'] != $data['new']['origin']) { + if($data['old']['origin'] != $data['new']['origin'] || $data['old']['dnssec_algo'] != $data['new']['dnssec_algo']) { if (@$data['old']['dnssec_initialized'] == 'Y' && strlen(@$data['old']['origin']) > 3) $this->soa_dnssec_delete($data); //delete old keys - if ($data['new']['dnssec_wanted'] == 'Y') $this->soa_dnssec_create($data); - } - else if ($data['new']['dnssec_wanted'] == 'Y' && $data['old']['dnssec_initialized'] == 'N') $this->soa_dnssec_create($data); - else if ($data['new']['dnssec_wanted'] == 'N' && $data['old']['dnssec_initialized'] == 'Y') { //delete old signed file if dnssec is no longer wanted + if ($data['new']['dnssec_wanted'] == 'Y') $this->soa_dnssec_create($data); + } elseif ($data['new']['dnssec_wanted'] == 'Y' && $data['old']['dnssec_initialized'] == 'N') { + $this->soa_dnssec_create($data); + } elseif ($data['new']['dnssec_wanted'] == 'N' && $data['old']['dnssec_initialized'] == 'Y') { //delete old signed file if dnssec is no longer wanted $filename = $dns_config['bind_zonefiles_dir'].'/' . $this->zone_file_prefix() . str_replace("/", "_", substr($data['old']['origin'], 0, -1)); if(is_file($filename.'.signed')) unlink($filename.'.signed'); - } else if ($data['new']['dnssec_wanted'] == 'Y') $this->soa_dnssec_update($data); + } elseif ($data['new']['dnssec_wanted'] == 'Y') { + $this->soa_dnssec_update($data); + } // END DNSSEC //* rebuild the named.conf file if the origin has changed or when the origin is inserted. -- GitLab From 6863f325eaf2ee7c0a9e184ef3809d4a9e472630 Mon Sep 17 00:00:00 2001 
From: Till Brehm Date: Mon, 10 Aug 2020 18:00:39 +0200 Subject: [PATCH 2/6] Reimplemented DNSSEC signing. --- .../sql/incremental/upd_dev_collection.sql | 6 +++--- install/sql/ispconfig3.sql | 2 +- interface/web/dns/dns_soa_edit.php | 2 ++ interface/web/dns/dns_wizard.php | 2 +- interface/web/dns/form/dns_soa.tform.php | 7 ++++--- server/plugins-available/bind_plugin.inc.php | 19 ++++++++++++++----- 6 files changed, 25 insertions(+), 13 deletions(-) diff --git a/install/sql/incremental/upd_dev_collection.sql b/install/sql/incremental/upd_dev_collection.sql index 3f03599e95..d42874095b 100644 --- a/install/sql/incremental/upd_dev_collection.sql +++ b/install/sql/incremental/upd_dev_collection.sql @@ -66,6 +66,6 @@ ALTER TABLE `client` CHANGE `id_rsa` `id_rsa` TEXT CHARACTER SET utf8 COLLATE ut ALTER TABLE `directive_snippets` ADD `update_sites` ENUM('y','n') NOT NULL DEFAULT 'n' ; -- Add DNSSEC Algorithm setting -ALTER TABLE `dns_soa` ADD `dnssec_algo` ENUM('sha1','sha256') NULL DEFAULT NULL AFTER `dnssec_wanted`; -UPDATE `dns_soa` SET `dnssec_algo` = 'sha1' WHERE `dnssec_algo` IS NULL; -ALTER TABLE `dns_soa` CHANGE `dnssec_algo` `dnssec_algo` ENUM('sha1','sha256') CHARACTER SET utf8 COLLATE utf8_general_ci NOT NULL DEFAULT 'sha256'; +ALTER TABLE `dns_soa` ADD `dnssec_algo` SET('NSEC3RSASHA1','ECDSAP256SHA256') NULL DEFAULT NULL AFTER `dnssec_wanted`; +UPDATE `dns_soa` SET `dnssec_algo` = 'NSEC3RSASHA1' WHERE `dnssec_algo` IS NULL; +ALTER TABLE `dns_soa` CHANGE `dnssec_algo` `dnssec_algo` SET('NSEC3RSASHA1','ECDSAP256SHA256') CHARACTER SET utf8 COLLATE utf8_general_ci NOT NULL DEFAULT 'ECDSAP256SHA256'; diff --git a/install/sql/ispconfig3.sql b/install/sql/ispconfig3.sql index 76e9f152bd..aac7f1b784 100644 --- a/install/sql/ispconfig3.sql +++ b/install/sql/ispconfig3.sql 
@@ -626,7 +626,7 @@ CREATE TABLE `dns_soa` ( `update_acl` varchar(255) default NULL, `dnssec_initialized` ENUM('Y','N') NOT NULL DEFAULT 'N', `dnssec_wanted` ENUM('Y','N') NOT NULL DEFAULT 'N', - `dnssec_algo` ENUM('sha1','sha256') NOT NULL DEFAULT 'sha256', + `dnssec_algo` SET('NSEC3RSASHA1','ECDSAP256SHA256') NOT NULL DEFAULT 'ECDSAP256SHA256', `dnssec_last_signed` BIGINT NOT NULL DEFAULT '0', `dnssec_info` TEXT NULL, PRIMARY KEY (`id`), diff --git a/interface/web/dns/dns_soa_edit.php b/interface/web/dns/dns_soa_edit.php index ec5ba67c79..f5e716ca5d 100644 --- a/interface/web/dns/dns_soa_edit.php +++ b/interface/web/dns/dns_soa_edit.php @@ -296,6 +296,8 @@ function onSubmit() { $this->dataRecord["xfer"] = preg_replace('/\s+/', '', $this->dataRecord["xfer"]); $this->dataRecord["also_notify"] = preg_replace('/\s+/', '', $this->dataRecord["also_notify"]); + + if(isset($this->dataRecord['dnssec_wanted']) && $this->dataRecord['dnssec_wanted'] == 'Y' && $this->dataRecord['dnssec_algo'] == '') $this->dataRecord['dnssec_algo'] = 'ECDSAP256SHA256'; //* Check if a secondary zone with the same name already exists $tmp = $app->db->queryOneRecord("SELECT count(id) as number FROM dns_slave WHERE origin = ? AND server_id = ?", $this->dataRecord["origin"], $this->dataRecord["server_id"]); diff --git a/interface/web/dns/dns_wizard.php b/interface/web/dns/dns_wizard.php index 121d3c81c3..b2320dc6bf 100644 --- a/interface/web/dns/dns_wizard.php +++ b/interface/web/dns/dns_wizard.php @@ -339,7 +339,7 @@ if($_POST['create'] == 1) { $section = ''; $vars = array(); $vars['xfer']=''; - $vars['dnssec_algo']='sha256'; + $vars['dnssec_algo']='ECDSAP256SHA256'; $dns_rr = array(); foreach($tpl_rows as $row) { $row = trim($row); diff --git a/interface/web/dns/form/dns_soa.tform.php b/interface/web/dns/form/dns_soa.tform.php index 3d86e07f37..81389c4553 100644 --- a/interface/web/dns/form/dns_soa.tform.php +++ b/interface/web/dns/form/dns_soa.tform.php 
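Review bot: `$this->dataRecord['dnssec_algo'] == ''` in the added line of `dns_soa_edit.php` reads the key unconditionally, yet a CHECKBOXARRAY with nothing ticked submits no `dnssec_algo` field at all, so the very case the line is meant to cover can raise an undefined-index notice before the default is applied (unless the form layer pre-populates `dataRecord`, which is not visible here). Test for absence as well: `if(isset($this->dataRecord['dnssec_wanted']) && $this->dataRecord['dnssec_wanted'] == 'Y' && empty($this->dataRecord['dnssec_algo'])) $this->dataRecord['dnssec_algo'] = 'ECDSAP256SHA256';`. Silently substituting an algorithm also changes what the user asked for; reporting it as a form validation error would be the more transparent choice. `onSubmit()` continues outside the hunk.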
@@ -278,9 +278,10 @@ $form["tabs"]['dns_soa'] = array ( ), 'dnssec_algo' => array ( 'datatype' => 'VARCHAR', - 'formtype' => 'SELECT', - 'default' => 'sha256', - 'value' => array('sha1' => 'SHA1','sha256' => 'SHA256'), + 'formtype' => 'CHECKBOXARRAY', + 'separator' => ',', + 'default' => 'ECDSAP256SHA256', + 'value' => array('NSEC3RSASHA1' => '7 (NSEC3RSASHA1)','ECDSAP256SHA256' => '13 (ECDSAP256SHA256)'), 'width' => '30', 'maxlength' => '255' ), diff --git a/server/plugins-available/bind_plugin.inc.php b/server/plugins-available/bind_plugin.inc.php index 20eeb28ad7..a0668e4f1c 100644 --- a/server/plugins-available/bind_plugin.inc.php +++ b/server/plugins-available/bind_plugin.inc.php @@ -110,10 +110,14 @@ class bind_plugin { } } + // Get DNSSEC Algorithms + $dnssec_algo = explode(',',$data['new']['dnssec_algo']); + //Do some magic... - if($data['new']['dnssec_algo'] == 'sha256') { + if(in_array('ECDSAP256SHA256',$dnssec_algo)) { $app->system->exec_safe('cd ?; dnssec-keygen -3 -a ECDSAP256SHA256 -n ZONE ?; dnssec-keygen -f KSK -3 -a ECDSAP256SHA256 -n ZONE ?', $dns_config['bind_zonefiles_dir'], $domain, $domain); - } else { + } + if(in_array('NSEC3RSASHA1',$dnssec_algo)) { $app->system->exec_safe('cd ?; dnssec-keygen -a NSEC3RSASHA1 -b 2048 -n ZONE ?; dnssec-keygen -f KSK -a NSEC3RSASHA1 -b 4096 -n ZONE ?', $dns_config['bind_zonefiles_dir'], $domain, $domain); } 
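Review bot: The CHECKBOXARRAY presents `7 (NSEC3RSASHA1)` as an equal choice next to `13 (ECDSAP256SHA256)` with no hint that algorithm 7 is SHA-1 based and not recommended for new signatures, so clients creating fresh zones can still select it. Mark it as legacy in the option label, e.g. `'NSEC3RSASHA1' => '7 (NSEC3RSASHA1, legacy SHA-1)'`, or limit it to zones that already use it. The field also accepts both boxes unticked while `dnssec_wanted` is Y; the `dns_soa_edit.php` change in this patch covers that with a silent default rather than a validation error.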
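Review bot: After `explode(',', $data['new']['dnssec_algo'])`, a value that contains neither known name (an empty string, or parts with stray whitespace, since nothing trims them) matches neither `in_array()` call, no keys are generated, and control falls through to the signing step after the hunk — in the first patch of this series that step is followed by `$data['new']['dnssec_initialized']='Y'`, so the zone would be flagged as signed without any keys. Trim and validate the list and stop when nothing valid is left: `$dnssec_algo = array_intersect(array_map('trim', explode(',', $data['new']['dnssec_algo'])), array('NSEC3RSASHA1', 'ECDSAP256SHA256'));` followed by `if(empty($dnssec_algo)) { $app->log('DNSSEC: no valid algorithm selected for zone '.$domain.', no keys generated', LOGLEVEL_WARN); return; }`. Pass `true` as the third argument of both `in_array()` calls while here. The enclosing method starts before the hunk.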
@@ -141,7 +145,10 @@ class bind_plugin { if (!preg_match('@'.preg_quote($includeline).'@', $zonefile)) $zonefile .= "\n".$includeline."\n"; $keycount++; } - if ($keycount != 2) $app->log('DNSSEC Warning: There are more or less than 2 keyfiles for zone '.$domain, LOGLEVEL_WARN); + + $keycount_wanted = count(explode(',',$data['new']['dnssec_algo']))*2; + + if ($keycount != $keycount_wanted) $app->log('DNSSEC Warning: There are more or less than 2 keyfiles for each algorithm for zone '.$domain, LOGLEVEL_WARN); file_put_contents($dns_config['bind_zonefiles_dir'].'/'.$filespre.$domain, $zonefile); //Sign the zone and set it valid for max. 16 days @@ -309,9 +316,11 @@ class bind_plugin { } //* DNSSEC-Implementation - if($data['old']['origin'] != $data['new']['origin'] || $data['old']['dnssec_algo'] != $data['new']['dnssec_algo']) { + if($data['old']['origin'] != $data['new']['origin']) { if (@$data['old']['dnssec_initialized'] == 'Y' && strlen(@$data['old']['origin']) > 3) $this->soa_dnssec_delete($data); //delete old keys - if ($data['new']['dnssec_wanted'] == 'Y') $this->soa_dnssec_create($data); + if ($data['new']['dnssec_wanted'] == 'Y') $this->soa_dnssec_create($data); + } elseif($data['old']['dnssec_algo'] != $data['new']['dnssec_algo']) { + if ($data['new']['dnssec_wanted'] == 'Y') $this->soa_dnssec_create($data); } elseif ($data['new']['dnssec_wanted'] == 'Y' && $data['old']['dnssec_initialized'] == 'N') { $this->soa_dnssec_create($data); } elseif ($data['new']['dnssec_wanted'] == 'N' && $data['old']['dnssec_initialized'] == 'Y') { //delete old signed file if dnssec is no longer wanted -- GitLab From ecaea32c4a548446ad4420354383777add56bec7 Mon Sep 17 00:00:00 2001 From: Till Brehm Date: Mon, 10 Aug 2020 18:03:03 +0200 Subject: [PATCH 3/6] Set ECDSAP256SHA256 algorithm in default DNSSEC template --- install/sql/ispconfig3.sql | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
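Review bot: The new `elseif ($data['old']['dnssec_algo'] != $data['new']['dnssec_algo'])` branch in `@@ -309,9 +316,11 @@` only calls soa_dnssec_create(); the key files of an algorithm that was deselected are never removed, because soa_dnssec_delete() runs only on the origin-change path above it, and no hunk on this page deletes keys per algorithm. In this commit's state soa_dnssec_sign() still includes every `K<domain>*.key`, so the old algorithm's keys keep being published, and after patch 5 they merely stay on disk. The branch is where the policy lives, so it should carry a comment making the operational constraint explicit, e.g. `// Algorithm change: missing keys are generated, old-algorithm keys stay on disk; the DS at the parent must be updated before an algorithm is dropped, or the zone fails validation`. The enclosing method starts and ends outside the hunk.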
diff --git a/install/sql/ispconfig3.sql b/install/sql/ispconfig3.sql index aac7f1b784..0d76fb8c08 100644 --- a/install/sql/ispconfig3.sql +++ b/install/sql/ispconfig3.sql @@ -2502,7 +2502,7 @@ INSERT INTO `country` (`iso`, `name`, `printable_name`, `iso3`, `numcode`, `eu`) -- Dumping data for table `dns_template` -- -INSERT INTO `dns_template` (`template_id`, `sys_userid`, `sys_groupid`, `sys_perm_user`, `sys_perm_group`, `sys_perm_other`, `name`, `fields`, `template`, `visible`) VALUES (1, 1, 1, 'riud', 'riud', '', 'Default', 'DOMAIN,IP,NS1,NS2,EMAIL,DKIM,DNSSEC', '[ZONE]\norigin={DOMAIN}.\nns={NS1}.\nmbox={EMAIL}.\nrefresh=7200\nretry=540\nexpire=604800\nminimum=3600\nttl=3600\ndnssec_algo=sha256\n\n[DNS_RECORDS]\nA|{DOMAIN}.|{IP}|0|3600\nA|www|{IP}|0|3600\nA|mail|{IP}|0|3600\nNS|{DOMAIN}.|{NS1}.|0|3600\nNS|{DOMAIN}.|{NS2}.|0|3600\nMX|{DOMAIN}.|mail.{DOMAIN}.|10|3600\nTXT|{DOMAIN}.|v=spf1 mx a ~all|0|3600', 'y'); +INSERT INTO `dns_template` (`template_id`, `sys_userid`, `sys_groupid`, `sys_perm_user`, `sys_perm_group`, `sys_perm_other`, `name`, `fields`, `template`, `visible`) VALUES (1, 1, 1, 'riud', 'riud', '', 'Default', 'DOMAIN,IP,NS1,NS2,EMAIL,DKIM,DNSSEC', '[ZONE]\norigin={DOMAIN}.\nns={NS1}.\nmbox={EMAIL}.\nrefresh=7200\nretry=540\nexpire=604800\nminimum=3600\nttl=3600\ndnssec_algo=ECDSAP256SHA256\n\n[DNS_RECORDS]\nA|{DOMAIN}.|{IP}|0|3600\nA|www|{IP}|0|3600\nA|mail|{IP}|0|3600\nNS|{DOMAIN}.|{NS1}.|0|3600\nNS|{DOMAIN}.|{NS2}.|0|3600\nMX|{DOMAIN}.|mail.{DOMAIN}.|10|3600\nTXT|{DOMAIN}.|v=spf1 mx a ~all|0|3600', 'y'); -- -------------------------------------------------------- -- GitLab From 68faf135d8d256eb2ab74ddfcbc34695fc37542f Mon Sep 17 00:00:00 2001 From: Till Brehm Date: Tue, 11 Aug 2020 11:24:20 +0200 Subject: [PATCH 4/6] Change enabled DNSSEC zones to old algorithm only. --- install/sql/incremental/upd_dev_collection.sql | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) 
diff --git a/install/sql/incremental/upd_dev_collection.sql b/install/sql/incremental/upd_dev_collection.sql index d42874095b..b7db2767ed 100644 --- a/install/sql/incremental/upd_dev_collection.sql +++ b/install/sql/incremental/upd_dev_collection.sql @@ -67,5 +67,6 @@ ALTER TABLE `directive_snippets` ADD `update_sites` ENUM('y','n') NOT NULL DEFAU -- Add DNSSEC Algorithm setting ALTER TABLE `dns_soa` ADD `dnssec_algo` SET('NSEC3RSASHA1','ECDSAP256SHA256') NULL DEFAULT NULL AFTER `dnssec_wanted`; -UPDATE `dns_soa` SET `dnssec_algo` = 'NSEC3RSASHA1' WHERE `dnssec_algo` IS NULL; +UPDATE `dns_soa` SET `dnssec_algo` = 'NSEC3RSASHA1' WHERE `dnssec_algo` IS NULL AND dnssec_initialized = 'Y'; +UPDATE `dns_soa` SET `dnssec_algo` = 'ECDSAP256SHA256' WHERE `dnssec_algo` IS NULL AND dnssec_initialized = 'N'; ALTER TABLE `dns_soa` CHANGE `dnssec_algo` `dnssec_algo` SET('NSEC3RSASHA1','ECDSAP256SHA256') CHARACTER SET utf8 COLLATE utf8_general_ci NOT NULL DEFAULT 'ECDSAP256SHA256'; -- GitLab From acafd80f736441b15b709e1366404d90afafceca Mon Sep 17 00:00:00 2001 From: Till Brehm Date: Tue, 11 Aug 2020 17:59:48 +0200 Subject: [PATCH 5/6] Various fixes and improvements in multi algo DNSSEC implementation. --- interface/web/dns/templates/dns_soa_edit.htm | 4 +- server/plugins-available/bind_plugin.inc.php | 65 +++++++++++++------- 2 files changed, 45 insertions(+), 24 deletions(-) diff --git a/interface/web/dns/templates/dns_soa_edit.htm b/interface/web/dns/templates/dns_soa_edit.htm index a29d6d3cea..e16faac1aa 100644 --- a/interface/web/dns/templates/dns_soa_edit.htm +++ b/interface/web/dns/templates/dns_soa_edit.htm @@ -139,9 +139,7 @@
-
+
{tmpl_var name='dnssec_algo'}
diff --git a/server/plugins-available/bind_plugin.inc.php b/server/plugins-available/bind_plugin.inc.php index a0668e4f1c..6b30d6b4f3 100644 --- a/server/plugins-available/bind_plugin.inc.php +++ b/server/plugins-available/bind_plugin.inc.php 
@@ -97,27 +97,29 @@ class bind_plugin { } //* Verify that we do not already have keys (overwriting-protection) - if (file_exists($dns_config['bind_zonefiles_dir'].'/dsset-'.$domain.'.')) { - return $this->soa_dnssec_update($data); - } else if ($data['new']['dnssec_initialized'] == 'Y') { //In case that we generated keys but the dsset-file was not generated - $keycount=0; - foreach (glob($dns_config['bind_zonefiles_dir'].'/K'.$domain.'*.key') as $keyfile) { - $keycount++; - } - if ($keycount > 0) { - $this->soa_dnssec_sign($data); - return true; + if($data['old']['dnssec_algo'] == $data['new']['dnssec_algo']) { + if (file_exists($dns_config['bind_zonefiles_dir'].'/dsset-'.$domain.'.')) { + return $this->soa_dnssec_update($data); + } else if ($data['new']['dnssec_initialized'] == 'Y') { //In case that we generated keys but the dsset-file was not generated + $keycount=0; + foreach (glob($dns_config['bind_zonefiles_dir'].'/K'.$domain.'*.key') as $keyfile) { + $keycount++; + } + if ($keycount > 0) { + $this->soa_dnssec_sign($data); + return true; + } } } // Get DNSSEC Algorithms $dnssec_algo = explode(',',$data['new']['dnssec_algo']); - //Do some magic... - if(in_array('ECDSAP256SHA256',$dnssec_algo)) { + //* Create the Zone Signing and Key Signing Keys + if(in_array('ECDSAP256SHA256',$dnssec_algo) && count(glob($dns_config['bind_zonefiles_dir'].'/K'.$domain.'.+013*.key')) == 0) { $app->system->exec_safe('cd ?; dnssec-keygen -3 -a ECDSAP256SHA256 -n ZONE ?; dnssec-keygen -f KSK -3 -a ECDSAP256SHA256 -n ZONE ?', $dns_config['bind_zonefiles_dir'], $domain, $domain); } - if(in_array('NSEC3RSASHA1',$dnssec_algo)) { + if(in_array('NSEC3RSASHA1',$dnssec_algo) && count(glob($dns_config['bind_zonefiles_dir'].'/K'.$domain.'.+007*.key')) == 0) { $app->system->exec_safe('cd ?; dnssec-keygen -a NSEC3RSASHA1 -b 2048 -n ZONE ?; dnssec-keygen -f KSK -a NSEC3RSASHA1 -b 4096 -n ZONE ?', $dns_config['bind_zonefiles_dir'], $domain, $domain); } 
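Review bot: The new guards `count(glob($dns_config['bind_zonefiles_dir'].'/K'.$domain.'.+013*.key')) == 0` and the `.+007` twin pass glob()'s result straight to count(); glob() returns false on error (and on some platforms for no match), which count() rejects with a TypeError on PHP 8 and, before that, warns and yields 1 so no keys would be generated — both should read `count(glob(...) ?: [])`, and the glob() iterated in `@@ -209,7 +228,10 @@` of this commit needs the same `?: []`. The algorithm numbers 013 and 007 are repeated here, in `@@ -138,23 +140,40 @@` and in patch 6, with no tie to the `7 (NSEC3RSASHA1)`/`13 (ECDSAP256SHA256)` labels in the form definition; one map such as `private static $dnssec_key_algos = array('ECDSAP256SHA256' => '013', 'NSEC3RSASHA1' => '007');` would let every site loop over it. The outer `if ($data['old']['dnssec_algo'] == $data['new']['dnssec_algo'])` reads `$data['old']` without the `@` the neighbouring code applies to old-record fields, so an insert event with an empty `$data['old']` would presumably emit a notice — worth confirming how the caller populates it. soa_dnssec_create() starts outside the hunk.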
@@ -138,23 +140,40 @@ class bind_plugin { $domain = substr($data['new']['origin'], 0, strlen($data['new']['origin'])-1); if (!file_exists($dns_config['bind_zonefiles_dir'].'/'.$filespre.$domain)) return false; + //* Get DNSSEC Algorithms + $dnssec_algo = explode(',',$data['new']['dnssec_algo']); + + //* Get Zone file content $zonefile = file_get_contents($dns_config['bind_zonefiles_dir'].'/'.$filespre.$domain); $keycount=0; - foreach (glob($dns_config['bind_zonefiles_dir'].'/K'.$domain.'*.key') as $keyfile) { - $includeline = '$INCLUDE '.basename($keyfile); - if (!preg_match('@'.preg_quote($includeline).'@', $zonefile)) $zonefile .= "\n".$includeline."\n"; - $keycount++; + + //* Include ECDSAP256SHA256 keys in zone + if(in_array('ECDSAP256SHA256',$dnssec_algo)) { + foreach (glob($dns_config['bind_zonefiles_dir'].'/K'.$domain.'.+013*.key') as $keyfile) { + $includeline = '$INCLUDE '.basename($keyfile); + if (!preg_match('@'.preg_quote($includeline).'@', $zonefile)) $zonefile .= "\n".$includeline."\n"; + $keycount++; + } + } + + //* Include NSEC3RSASHA1 keys in zone + if(in_array('NSEC3RSASHA1',$dnssec_algo)) { + foreach (glob($dns_config['bind_zonefiles_dir'].'/K'.$domain.'.+007*.key') as $keyfile) { + $includeline = '$INCLUDE '.basename($keyfile); + if (!preg_match('@'.preg_quote($includeline).'@', $zonefile)) $zonefile .= "\n".$includeline."\n"; + $keycount++; + } } $keycount_wanted = count(explode(',',$data['new']['dnssec_algo']))*2; - if ($keycount != $keycount_wanted) $app->log('DNSSEC Warning: There are more or less than 2 keyfiles for each algorithm for zone '.$domain, LOGLEVEL_WARN); + if ($keycount != $keycount_wanted) $app->log('DNSSEC Warning: There are more or less than 2 keyfiles for each algorithm for zone '.$domain.'. Found: '.$keycount. ' Expected: '.$keycount_wanted, LOGLEVEL_WARN); file_put_contents($dns_config['bind_zonefiles_dir'].'/'.$filespre.$domain, $zonefile); - //Sign the zone and set it valid for max. 
16 days + //* Sign the zone and set it valid for max. 16 days $app->system->exec_safe('cd ?; dnssec-signzone -A -e +1382400 -3 $(head -c 1000 /dev/random | sha1sum | cut -b 1-16) -N increment -o ? -t ?', $dns_config['bind_zonefiles_dir'], $domain, $filespre.$domain); - //Write Data back ino DB + //* Write Data back ino DB $dnssecdata = "DS-Records:\n".file_get_contents($dns_config['bind_zonefiles_dir'].'/dsset-'.$domain.'.'); $dnssecdata .= "\n------------------------------------\n\nDNSKEY-Records:\n"; foreach (glob($dns_config['bind_zonefiles_dir'].'/K'.$domain.'*.key') as $keyfile) { @@ -209,7 +228,10 @@ class bind_plugin { $domain = substr($data['new']['origin'], 0, strlen($data['new']['origin'])-1); - unlink($dns_config['bind_zonefiles_dir'].'/K'.$domain.'.+*'); + $key_files = glob($dns_config['bind_zonefiles_dir'].'/K'.$domain.'.+*'); + foreach($key_files as $file) { + unlink($file); + } unlink($dns_config['bind_zonefiles_dir'].'/'.$this->zone_file_prefix().$domain.'.signed'); unlink($dns_config['bind_zonefiles_dir'].'/dsset-'.$domain.'.'); @@ -320,6 +342,7 @@ class bind_plugin { if (@$data['old']['dnssec_initialized'] == 'Y' && strlen(@$data['old']['origin']) > 3) $this->soa_dnssec_delete($data); //delete old keys if ($data['new']['dnssec_wanted'] == 'Y') $this->soa_dnssec_create($data); } elseif($data['old']['dnssec_algo'] != $data['new']['dnssec_algo']) { + $app->log("DNSSEC Algorithm has changed: ".$data['new']['dnssec_algo'], LOGLEVEL_DEBUG); if ($data['new']['dnssec_wanted'] == 'Y') $this->soa_dnssec_create($data); } elseif ($data['new']['dnssec_wanted'] == 'Y' && $data['old']['dnssec_initialized'] == 'N') { $this->soa_dnssec_create($data); -- GitLab From c0fb9a4bdde8961cbd32f04daa7b4e1ea8ab0032 Mon Sep 17 00:00:00 2001 
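Review bot: In `@@ -138,23 +140,40 @@` (which begins on the previous line), `$keycount_wanted` is still computed from `count(explode(',', $data['new']['dnssec_algo']))*2` although the hunk introduces `$dnssec_algo` for exactly that value, and neither form discounts an empty or unrecognised entry, so `$keycount` and `$keycount_wanted` can disagree for a reason other than missing key files; `count($dnssec_algo)*2` keeps one source of truth. When they disagree the code logs, then still writes the zone file and runs dnssec-signzone with whatever keys it found, so a signed zone with an incomplete key set is produced; `return false;` after the warning, matching the early return at the top of the function, would surface the problem instead. The two `$INCLUDE` loops differ only in the `.+013`/`.+007` pattern and are duplicated again in patch 6's `@@ -176,8 +176,17 @@`; a single loop over an algorithm-to-number map would remove the copies. soa_dnssec_sign() starts and ends outside the hunk.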
From: Till Brehm Date: Thu, 13 Aug 2020 17:56:12 +0200 Subject: [PATCH 6/6] Load only key files of active DNSSEC algorithms into the database. --- server/plugins-available/bind_plugin.inc.php | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/server/plugins-available/bind_plugin.inc.php b/server/plugins-available/bind_plugin.inc.php index 6b30d6b4f3..e915f447ff 100644 --- a/server/plugins-available/bind_plugin.inc.php +++ b/server/plugins-available/bind_plugin.inc.php @@ -176,8 +176,17 @@ class bind_plugin { //* Write Data back ino DB $dnssecdata = "DS-Records:\n".file_get_contents($dns_config['bind_zonefiles_dir'].'/dsset-'.$domain.'.'); $dnssecdata .= "\n------------------------------------\n\nDNSKEY-Records:\n"; - foreach (glob($dns_config['bind_zonefiles_dir'].'/K'.$domain.'*.key') as $keyfile) { - $dnssecdata .= file_get_contents($keyfile)."\n\n"; + + if(in_array('ECDSAP256SHA256',$dnssec_algo)) { + foreach (glob($dns_config['bind_zonefiles_dir'].'/K'.$domain.'.+013*.key') as $keyfile) { + $dnssecdata .= file_get_contents($keyfile)."\n\n"; + } + } + + if(in_array('NSEC3RSASHA1',$dnssec_algo)) { + foreach (glob($dns_config['bind_zonefiles_dir'].'/K'.$domain.'.+007*.key') as $keyfile) { + $dnssecdata .= file_get_contents($keyfile)."\n\n"; + } } if ($app->dbmaster !== $app->db) $app->dbmaster->query('UPDATE dns_soa SET dnssec_info=?, dnssec_initialized=\'Y\', dnssec_last_signed=? WHERE id=?', $dnssecdata, intval(time()), intval($data['new']['id'])); -- GitLab