diff --git a/TODO.txt b/TODO.txt index 382f8afa7a0eab987c634c372dbb2fc7051f025b..4d6881789aa3a5cd7e77c79cfb550c7773a093f6 100644 --- a/TODO.txt +++ b/TODO.txt @@ -13,6 +13,9 @@ Installer -------------------------------------- - Add a function to let a server join a existing installation. +- Add Package haveged to requirements (at least if entropy is low) as it raises available entropy significantly which is very needed for DNSSEC Key-generation + If it is not installed and entropy is low generating dnssec-keys lasts minutes (and would time out the server thus is not done) and new signing keys are not generated. + If there are no keys the zones can not be signed and will only be availableas a unsigned copy. Uninstaller -------------------------------------- @@ -26,6 +29,13 @@ Server Mail module -------------------------------------- +- Show mail statistics in the interface. The mail statistics are stored + in the database table mail_traffic and are collected by the file + server/cron_daily.php +-- For Courier this works but not Dovecot. Maybe the intention needs + reviewed as some clients think this should be the number of emails + and not the size of the emails. (I agree that size is important) + lathama Administration module -------------------------------------- @@ -80,6 +90,7 @@ Remoting framework Interface -------------------------------------- - Enhance the paging in lists (e.g. like this: [1 2 3 4 ... 10]) +- DNS: Add Checkbox to switch dnssec_wanted between Y and N to templates and/or wizard. I recommend doing it in the wizard though. General tasks -------------------------------------- diff --git a/install/lib/installer_base.lib.php b/install/lib/installer_base.lib.php index 69d5ccfd9a28da56b5a4cd4a0c46c992a22e93cb..d3b3364d5a6c8da61d879fbca5819c08254f7707 100644 --- a/install/lib/installer_base.lib.php +++ b/install/lib/installer_base.lib.php @@ -1469,6 +1469,27 @@ class installer_base { } + + //** writes bind configuration files + public function process_bind_file($configfile, $target='/', $absolute=false) { + global $conf; + + if ($absolute) $full_file_name = $target.$configfile; + else $full_file_name = $conf['ispconfig_install_dir'].$target.$configfile; + + //* Backup exiting file + if(is_file($full_file_name)) { + copy($full_file_name, $config_dir.$configfile.'~'); + } + $content = rfsel($conf['ispconfig_install_dir'].'/server/conf-custom/install/'.$configfile.'.master', 'tpl/'.$configfile.'.master'); + $content = str_replace('{mysql_server_ispconfig_user}', $conf['mysql']['ispconfig_user'], $content); + $content = str_replace('{mysql_server_ispconfig_password}', $conf['mysql']['ispconfig_password'], $content); + $content = str_replace('{mysql_server_ispconfig_database}', $conf['mysql']['database'], $content); + $content = str_replace('{mysql_server_ip}', $conf['mysql']['ip'], $content); + $content = str_replace('{ispconfig_install_dir}', $conf['ispconfig_install_dir'], $content); + $content = str_replace('{dnssec_conffile}', $conf['ispconfig_install_dir'].'/server/scripts/dnssec-config.sh', $content); + wf($full_file_name, $content); + } public function configure_bind() { global $conf; @@ -1487,7 +1508,9 @@ class installer_base { chown($content, $conf['bind']['bind_user']); chgrp($content, $conf['bind']['bind_group']); chmod($content, 02770); - + + //* Install scripts for dnssec implementation + $this->process_bind_file('named.conf.options', '/etc/bind/', true); //TODO replace hardcoded path } diff --git a/install/sql/incremental/upd_dev_collection.sql b/install/sql/incremental/upd_dev_collection.sql index 624d748a52bb52d9869cdb369985ef98647067b7..32e85bd876c1178da79b5e3ee7c8a7109dc330db 100644 --- a/install/sql/incremental/upd_dev_collection.sql +++ b/install/sql/incremental/upd_dev_collection.sql @@ -203,3 +203,13 @@ CREATE TABLE `ftp_traffic` ( ALTER TABLE `mail_forwarding` ADD COLUMN `allow_send_as` ENUM('n','y') NOT NULL DEFAULT 'n' AFTER `active`; UPDATE `mail_forwarding` SET `allow_send_as` = 'y' WHERE `type` = 'alias'; + +--- DNSSEC-Implementation by dark alex +--- TODO: Review and resolve conflicts if more has been done in that column +ALTER TABLE `dns_rr` CHANGE COLUMN `type` `type` ENUM('A','AAAA','ALIAS','CNAME','DS','HINFO','LOC','MX','NAPTR','NS','PTR','RP','SRV','TXT','TLSA','DNSKEY') NULL DEFAULT NULL AFTER `name`; + +ALTER TABLE `dns_soa` + ADD COLUMN `dnssec_initialized` ENUM('Y','N') NOT NULL DEFAULT 'N', + ADD COLUMN `dnssec_wanted` ENUM('Y','N') NOT NULL DEFAULT 'N', + ADD COLUMN `dnssec_last_signed` BIGINT NOT NULL DEFAULT '0', + ADD COLUMN `dnssec_info` TEXT NULL; \ No newline at end of file diff --git a/install/sql/ispconfig3.sql b/install/sql/ispconfig3.sql index f77bbf456d4ea2a740f18bbc3e30655890853bfb..fedb106bd3172fd68082c1e13223a5dad63fc816 100644 --- a/install/sql/ispconfig3.sql +++ b/install/sql/ispconfig3.sql @@ -478,7 +478,7 @@ CREATE TABLE `dns_rr` ( `server_id` int(11) NOT NULL default '1', `zone` int(11) unsigned NOT NULL DEFAULT '0', `name` varchar(255) NOT NULL DEFAULT '', - `type` enum('A','AAAA','ALIAS','CNAME','HINFO','MX','NAPTR','NS','PTR','RP','SRV','TXT') default NULL, + `type` enum('A','AAAA','ALIAS','CNAME','DS','HINFO','LOC','MX','NAPTR','NS','PTR','RP','SRV','TXT','TLSA','DNSKEY') default NULL, `data` TEXT NOT NULL DEFAULT '', `aux` int(11) unsigned NOT NULL default '0', `ttl` int(11) unsigned NOT NULL default '3600', @@ -539,6 +539,10 @@ CREATE TABLE `dns_soa` ( `xfer` varchar(255) NOT NULL DEFAULT '', `also_notify` varchar(255) default NULL, `update_acl` varchar(255) default NULL, + `dnssec_initialized` ENUM('Y','N') NOT NULL DEFAULT 'N', + `dnssec_wanted` ENUM('Y','N') NOT NULL DEFAULT 'N', + `dnssec_last_signed` BIGINT NOT NULL DEFAULT '0', + `dnssec_info` TEXT NULL, PRIMARY KEY (`id`), UNIQUE KEY `origin` (`origin`), KEY `active` (`active`) diff --git a/install/tpl/named.conf.options.master b/install/tpl/named.conf.options.master new file mode 100644 index 0000000000000000000000000000000000000000..f13976ffd6db31f72447c1d0d57be7d2935a556d --- /dev/null +++ b/install/tpl/named.conf.options.master @@ -0,0 +1,28 @@ +options { + directory "/var/cache/bind"; + + // If there is a firewall between you and nameservers you want + // to talk to, you may need to fix the firewall to allow multiple + // ports to talk. See http://www.kb.cert.org/vuls/id/800113 + + // If your ISP provided one or more IP addresses for stable + // nameservers, you probably want to use them as forwarders. + // Uncomment the following block, and insert the addresses replacing + // the all-0's placeholder. + + // forwarders { + // 0.0.0.0; + // }; + + //======================================================================== + // If BIND logs error messages about the root key being expired, + // you will need to update your keys. See https://www.isc.org/bind-keys + //======================================================================== + dnssec-enable yes; + dnssec-validation yes; + dnssec-lookaside auto; + + auth-nxdomain no; # conform to RFC1035 + listen-on-v6 { any; }; +}; + diff --git a/interface/lib/classes/tform_base.inc.php b/interface/lib/classes/tform_base.inc.php index 4405de4c53365854cc8ec9c8c324d02fadf7d7cc..bc995c17b2873c2fba7b055cbf1c6fad914cfab4 100644 --- a/interface/lib/classes/tform_base.inc.php +++ b/interface/lib/classes/tform_base.inc.php @@ -974,21 +974,16 @@ class tform_base { } } case 'ISEMAIL': - if($validator['allowempty'] != 'y') $validator['allowempty'] = 'n'; - if($validator['allowempty'] == 'y' && $field_value == '') { - //* Do nothing - } else { - if(function_exists('filter_var')) { - if(filter_var($field_value, FILTER_VALIDATE_EMAIL) === false) { - $errmsg = $validator['errmsg']; - if(isset($this->wordbook[$errmsg])) { - $this->errorMessage .= $this->wordbook[$errmsg]."
\r\n"; - } else { - $this->errorMessage .= $errmsg."
\r\n"; - } + if(function_exists('filter_var')) { + if(filter_var($field_value, FILTER_VALIDATE_EMAIL) === false) { + $errmsg = $validator['errmsg']; + if(isset($this->wordbook[$errmsg])) { + $this->errorMessage .= $this->wordbook[$errmsg]."
\r\n"; + } else { + $this->errorMessage .= $errmsg."
\r\n"; } - } else $this->errorMessage .= "function filter_var missing
\r\n"; - } + } + } else $this->errorMessage .= "function filter_var missing
\r\n"; break; case 'ISINT': if(function_exists('filter_var') && $field_value < 2147483647) { diff --git a/interface/web/client/form/client.tform.php b/interface/web/client/form/client.tform.php index 4415768d62d6b9043391265b9e984f4b0b8d44c2..8de41055392a576a3ff6b88778d4ca04e7196f40 100644 --- a/interface/web/client/form/client.tform.php +++ b/interface/web/client/form/client.tform.php @@ -501,7 +501,7 @@ $form["tabs"]['address'] = array ( 'type' => 'TOLOWER') ), 'validators' => array ( - 0 => array ( 'type' => 'ISEMAIL', 'allowempty' => 'y', 'errmsg'=> 'email_error_isemail'), + 0 => array ( 'type' => 'ISEMAIL', 'errmsg'=> 'email_error_isemail'), ), 'default' => '', 'value' => '', diff --git a/interface/web/client/form/reseller.tform.php b/interface/web/client/form/reseller.tform.php index 8f4e5baf6dab40b82d785e0c7fd5024e437b8f36..9bc416fd6247d8dfc2d49fd879b5c3e6bf307b58 100644 --- a/interface/web/client/form/reseller.tform.php +++ b/interface/web/client/form/reseller.tform.php @@ -499,7 +499,7 @@ $form["tabs"]['address'] = array ( 'type' => 'TOLOWER') ), 'validators' => array ( - 0 => array ( 'type' => 'ISEMAIL', 'allowempty' => 'y', 'errmsg'=> 'paypal_email_error_isemail'), + 0 => array ( 'type' => 'ISEMAIL', 'errmsg'=> 'paypal_email_error_isemail'), ), 'default' => '', 'value' => '', diff --git a/interface/web/dns/dns_ds_edit.php b/interface/web/dns/dns_ds_edit.php new file mode 100644 index 0000000000000000000000000000000000000000..9785916c5d448e25f5d2c5423672e9f80a0104f7 --- /dev/null +++ b/interface/web/dns/dns_ds_edit.php @@ -0,0 +1,53 @@ +onLoad(); + +?> diff --git a/interface/web/dns/dns_loc_edit.php b/interface/web/dns/dns_loc_edit.php new file mode 100644 index 0000000000000000000000000000000000000000..6c13ab9f90f9fe4a0b3d70e20e40716bf8cfe296 --- /dev/null +++ b/interface/web/dns/dns_loc_edit.php @@ -0,0 +1,53 @@ +onLoad(); + +?> diff --git a/interface/web/dns/dns_tlsa_edit.php b/interface/web/dns/dns_tlsa_edit.php new file mode 100644 index 0000000000000000000000000000000000000000..224475fd5c79e87f5bfd94e6df195690b41b1332 --- /dev/null +++ b/interface/web/dns/dns_tlsa_edit.php @@ -0,0 +1,161 @@ +auth->check_module_permissions('dns'); + +// Loading classes +$app->uses('tpl,tform,tform_actions,validate_dns'); +$app->load('tform_actions'); + +class page_action extends tform_actions { + + function onShowNew() { + global $app, $conf; + + // we will check only users, not admins + if($_SESSION["s"]["user"]["typ"] == 'user') { + + // Get the limits of the client + $client_group_id = intval($_SESSION["s"]["user"]["default_group"]); + $client = $app->db->queryOneRecord("SELECT limit_dns_record FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id"); + + // Check if the user may add another mailbox. + if($client["limit_dns_record"] >= 0) { + $tmp = $app->db->queryOneRecord("SELECT count(id) as number FROM dns_rr WHERE sys_groupid = $client_group_id"); + if($tmp["number"] >= $client["limit_dns_record"]) { + $app->error($app->tform->wordbook["limit_dns_record_txt"]); + } + } + } + + parent::onShowNew(); + } + + function onSubmit() { + global $app, $conf; + + // Get the parent soa record of the domain + $soa = $app->db->queryOneRecord("SELECT * FROM dns_soa WHERE id = '".$app->functions->intval($_POST["zone"])."' AND ".$app->tform->getAuthSQL('r')); + + // Check if Domain belongs to user + if($soa["id"] != $_POST["zone"]) $app->tform->errorMessage .= $app->tform->wordbook["no_zone_perm"]; + + // Check the client limits, if user is not the admin + if($_SESSION["s"]["user"]["typ"] != 'admin') { // if user is not admin + // Get the limits of the client + $client_group_id = intval($_SESSION["s"]["user"]["default_group"]); + $client = $app->db->queryOneRecord("SELECT limit_dns_record FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys_group.groupid = $client_group_id"); + + // Check if the user may add another mailbox. + if($this->id == 0 && $client["limit_dns_record"] >= 0) { + $tmp = $app->db->queryOneRecord("SELECT count(id) as number FROM dns_rr WHERE sys_groupid = $client_group_id"); + if($tmp["number"] >= $client["limit_dns_record"]) { + $app->error($app->tform->wordbook["limit_dns_record_txt"]); + } + } + } // end if user is not admin + + + // Set the server ID of the rr record to the same server ID as the parent record. + $this->dataRecord["server_id"] = $soa["server_id"]; + + // Update the serial number and timestamp of the RR record + $soa = $app->db->queryOneRecord("SELECT serial FROM dns_rr WHERE id = ".$this->id); + $this->dataRecord["serial"] = $app->validate_dns->increase_serial($soa["serial"]); + $this->dataRecord["stamp"] = date('Y-m-d H:i:s'); + + parent::onSubmit(); + } + + function onInsert() { + global $app, $conf; + + // Check if record is existing already + $duplicate_tlsa = $app->db->queryOneRecord("SELECT * FROM dns_rr WHERE zone = ".$app->functions->intval($this->dataRecord["zone"])." AND name = '".$app->db->quote($this->dataRecord["name"])."' AND type = '".$app->db->quote($this->dataRecord["type"])."' AND data = '".$app->db->quote($this->dataRecord["data"])."' AND ".$app->tform->getAuthSQL('r')); + + if(is_array($duplicate_tlsa) && !empty($duplicate_tlsa)) $app->error($app->tform->wordbook["duplicate_tlsa_record_txt"]); + + parent::onInsert(); + } + + function onUpdate() { + global $app, $conf; + + // Check if record is existing already + $duplicate_tlsa = $app->db->queryOneRecord("SELECT * FROM dns_rr WHERE zone = ".$app->functions->intval($this->dataRecord["zone"])." AND name = '".$app->db->quote($this->dataRecord["name"])."' AND type = '".$app->db->quote($this->dataRecord["type"])."' AND data = '".$app->db->quote($this->dataRecord["data"])."' AND id != ".$app->functions->intval($this->dataRecord["id"])." AND ".$app->tform->getAuthSQL('r')); + + if(is_array($duplicate_tlsa) && !empty($duplicate_tlsa)) $app->error($app->tform->wordbook["duplicate_tlsa_record_txt"]); + + parent::onUpdate(); + } + + function onAfterInsert() { + global $app, $conf; + + //* Set the sys_groupid of the rr record to be the same then the sys_groupid of the soa record + $soa = $app->db->queryOneRecord("SELECT sys_groupid,serial FROM dns_soa WHERE id = '".$app->functions->intval($this->dataRecord["zone"])."' AND ".$app->tform->getAuthSQL('r')); + $app->db->datalogUpdate('dns_rr', "sys_groupid = ".$soa['sys_groupid'], 'id', $this->id); + + //* Update the serial number of the SOA record + $soa_id = $app->functions->intval($_POST["zone"]); + $serial = $app->validate_dns->increase_serial($soa["serial"]); + $app->db->datalogUpdate('dns_soa', "serial = $serial", 'id', $soa_id); + } + + function onAfterUpdate() { + global $app, $conf; + + //* Update the serial number of the SOA record + $soa = $app->db->queryOneRecord("SELECT serial FROM dns_soa WHERE id = '".$app->functions->intval($this->dataRecord["zone"])."' AND ".$app->tform->getAuthSQL('r')); + $soa_id = $app->functions->intval($_POST["zone"]); + $serial = $app->validate_dns->increase_serial($soa["serial"]); + $app->db->datalogUpdate('dns_soa', "serial = $serial", 'id', $soa_id); + } + +} + +$page = new page_action; +$page->onLoad(); + +?> diff --git a/interface/web/dns/form/dns_ds.tform.php b/interface/web/dns/form/dns_ds.tform.php new file mode 100644 index 0000000000000000000000000000000000000000..fe8528f9c8951ff33ee0560f95b562941bcad8c3 --- /dev/null +++ b/interface/web/dns/form/dns_ds.tform.php @@ -0,0 +1,166 @@ + 0 id must match with id of current user +$form["auth_preset"]["groupid"] = 0; // 0 = default groupid of the user, > 0 id must match with groupid of current user +$form["auth_preset"]["perm_user"] = 'riud'; //r = read, i = insert, u = update, d = delete +$form["auth_preset"]["perm_group"] = 'riud'; //r = read, i = insert, u = update, d = delete +$form["auth_preset"]["perm_other"] = ''; //r = read, i = insert, u = update, d = delete + +$form["tabs"]['dns'] = array ( + 'title' => "DNS DS", + 'width' => 100, + 'template' => "templates/dns_ds_edit.htm", + 'fields' => array ( + //################################# + // Begin Datatable fields + //################################# + 'server_id' => array ( + 'datatype' => 'INTEGER', + 'formtype' => 'SELECT', + 'default' => '', + 'value' => '', + 'width' => '30', + 'maxlength' => '255' + ), + 'zone' => array ( + 'datatype' => 'INTEGER', + 'formtype' => 'TEXT', + 'default' => @$app->functions->intval($_REQUEST["zone"]), + 'value' => '', + 'width' => '30', + 'maxlength' => '255' + ), + 'name' => array ( + 'datatype' => 'VARCHAR', + 'formtype' => 'TEXT', + 'filters' => array( 0 => array( 'event' => 'SAVE', + 'type' => 'IDNTOASCII'), + 1 => array( 'event' => 'SHOW', + 'type' => 'IDNTOUTF8'), + 2 => array( 'event' => 'SAVE', + 'type' => 'TOLOWER') + ), + 'validators' => array ( 0 => array ( 'type' => 'REGEX', + 'regex' => '/^[a-zA-Z0-9\.\-\_]{0,255}$/', + 'errmsg'=> 'name_error_regex'), + ), + 'default' => '', + 'value' => '', + 'width' => '30', + 'maxlength' => '255' + ), + 'type' => array ( + 'datatype' => 'VARCHAR', + 'formtype' => 'TEXT', + 'default' => 'DS', + 'value' => '', + 'width' => '5', + 'maxlength' => '5' + ), + 'data' => array ( //TODO Regex validation does not take place obviously - why ever... + 'datatype' => 'VARCHAR', + 'formtype' => 'TEXT', + 'validators' => array ( + 0 => array ( + 'type' => 'REGEX', + 'regex' => "/^\d{1,5}\s\d{1,2}\s\d{1,2}\s.+$/", + 'errmsg'=> 'invalid_type_ds' + ) + ), + 'default' => '', + 'value' => '', + 'width' => '30', + 'maxlength' => '255' + ), + 'ttl' => array ( + 'datatype' => 'INTEGER', + 'formtype' => 'TEXT', + 'validators' => array ( 0 => array ( 'type' => 'RANGE', + 'range' => '60:', + 'errmsg'=> 'ttl_range_error'), + ), + 'default' => '3600', + 'value' => '', + 'width' => '10', + 'maxlength' => '10' + ), + 'active' => array ( + 'datatype' => 'VARCHAR', + 'formtype' => 'CHECKBOX', + 'default' => 'Y', + 'value' => array(0 => 'N', 1 => 'Y') + ), + 'stamp' => array ( + 'datatype' => 'VARCHAR', + 'formtype' => 'TEXT', + 'default' => '', + 'value' => '', + 'width' => '30', + 'maxlength' => '255' + ), + 'serial' => array ( + 'datatype' => 'INTEGER', + 'formtype' => 'TEXT', + 'default' => '', + 'value' => '', + 'width' => '10', + 'maxlength' => '10' + ), + //################################# + // ENDE Datatable fields + //################################# + ) +); + +if($_SESSION["s"]["user"]["typ"] == 'admin') { + unset($form["tabs"]['dns']['fields']['data']['validators']); + $form["tabs"]['dns']['fields']['data']['validators'][0]['type'] = 'NOTEMPTY'; + $form["tabs"]['dns']['fields']['data']['validators'][0]['errmsg'] = 'data_error_empty'; + $form["tabs"]['dns']['fields']['data']['maxlength'] = 512; +} +?> diff --git a/interface/web/dns/form/dns_loc.tform.php b/interface/web/dns/form/dns_loc.tform.php new file mode 100644 index 0000000000000000000000000000000000000000..5749a866b23510f7e210336bcb60c59fe2ed241d --- /dev/null +++ b/interface/web/dns/form/dns_loc.tform.php @@ -0,0 +1,171 @@ + 0 id must match with id of current user +$form["auth_preset"]["groupid"] = 0; // 0 = default groupid of the user, > 0 id must match with groupid of current user +$form["auth_preset"]["perm_user"] = 'riud'; //r = read, i = insert, u = update, d = delete +$form["auth_preset"]["perm_group"] = 'riud'; //r = read, i = insert, u = update, d = delete +$form["auth_preset"]["perm_other"] = ''; //r = read, i = insert, u = update, d = delete + +$form["tabs"]['dns'] = array ( + 'title' => "DNS LOC", + 'width' => 100, + 'template' => "templates/dns_loc_edit.htm", + 'fields' => array ( + //################################# + // Begin Datatable fields + //################################# + 'server_id' => array ( + 'datatype' => 'INTEGER', + 'formtype' => 'SELECT', + 'default' => '', + 'value' => '', + 'width' => '30', + 'maxlength' => '255' + ), + 'zone' => array ( + 'datatype' => 'INTEGER', + 'formtype' => 'TEXT', + 'default' => @$app->functions->intval($_REQUEST["zone"]), + 'value' => '', + 'width' => '30', + 'maxlength' => '255' + ), + 'name' => array ( + 'datatype' => 'VARCHAR', + 'formtype' => 'TEXT', + 'filters' => array( 0 => array( 'event' => 'SAVE', + 'type' => 'IDNTOASCII'), + 1 => array( 'event' => 'SHOW', + 'type' => 'IDNTOUTF8'), + 2 => array( 'event' => 'SAVE', + 'type' => 'TOLOWER') + ), + 'validators' => array ( 0 => array ( 'type' => 'REGEX', + 'regex' => '/^[a-zA-Z0-9\.\-\_]{0,255}$/', + 'errmsg'=> 'name_error_regex'), + ), + 'default' => '', + 'value' => '', + 'width' => '30', + 'maxlength' => '255' + ), + 'type' => array ( + 'datatype' => 'VARCHAR', + 'formtype' => 'TEXT', + 'default' => 'LOC', + 'value' => '', + 'width' => '5', + 'maxlength' => '5' + ), + 'data' => array ( + 'datatype' => 'VARCHAR', + 'formtype' => 'TEXT', + 'validators' => array ( + 0 => array ( + 'type' => 'NOTEMPTY', + 'errmsg'=> 'data_error_empty' + ), + //TODO Regex check... I guess I had an error in this regex as I'm not used to RegEx. Further the check did never actually take place... + // 1 => array ( + // 'type' => 'REGEX', + // 'regex' => "/^(\d+\s)(\d+\s)?(\d+\s)?[NS]{1}\s(\d\s)(\d+\s)?(\d+\s)?[EW]{1}(\s\d+m?)(\s\d+m?)?(\s\d+m?)?(\s\d+m?)?$/s", + // 'errmsg'=> 'invalid_type_dkim' + // ), + ), + 'default' => '', + 'value' => '', + 'width' => '30', + 'maxlength' => '255' + ), + 'ttl' => array ( + 'datatype' => 'INTEGER', + 'formtype' => 'TEXT', + 'validators' => array ( 0 => array ( 'type' => 'RANGE', + 'range' => '60:', + 'errmsg'=> 'ttl_range_error'), + ), + 'default' => '3600', + 'value' => '', + 'width' => '10', + 'maxlength' => '10' + ), + 'active' => array ( + 'datatype' => 'VARCHAR', + 'formtype' => 'CHECKBOX', + 'default' => 'Y', + 'value' => array(0 => 'N', 1 => 'Y') + ), + 'stamp' => array ( + 'datatype' => 'VARCHAR', + 'formtype' => 'TEXT', + 'default' => '', + 'value' => '', + 'width' => '30', + 'maxlength' => '255' + ), + 'serial' => array ( + 'datatype' => 'INTEGER', + 'formtype' => 'TEXT', + 'default' => '', + 'value' => '', + 'width' => '10', + 'maxlength' => '10' + ), + //################################# + // ENDE Datatable fields + //################################# + ) +); + +if($_SESSION["s"]["user"]["typ"] == 'admin') { + unset($form["tabs"]['dns']['fields']['data']['validators']); + $form["tabs"]['dns']['fields']['data']['validators'][0]['type'] = 'NOTEMPTY'; + $form["tabs"]['dns']['fields']['data']['validators'][0]['errmsg'] = 'data_error_empty'; + $form["tabs"]['dns']['fields']['data']['maxlength'] = 512; +} +?> diff --git a/interface/web/dns/form/dns_soa.tform.php b/interface/web/dns/form/dns_soa.tform.php index 02afa86c53d28af488c8c49bcc8e8a7fbbd67ccd..05e915740c9dd69467680148c307109ccaad5c08 100644 --- a/interface/web/dns/form/dns_soa.tform.php +++ b/interface/web/dns/form/dns_soa.tform.php @@ -264,6 +264,20 @@ $form["tabs"]['dns_soa'] = array ( 'default' => 'Y', 'value' => array(0 => 'N', 1 => 'Y') ), + 'dnssec_wanted' => array ( + 'datatype' => 'VARCHAR', + 'formtype' => 'CHECKBOX', + 'default' => 'Y', + 'value' => array(0 => 'N', 1 => 'Y') + ), + 'dnssec_info' => array ( + 'datatype' => 'TEXT', + 'formtype' => 'TEXTAREA', + 'default' => '', + 'value' => '', + 'width' => '30', + 'maxlength' => '10000' + ), //################################# // ENDE Datatable fields //################################# diff --git a/interface/web/dns/form/dns_tlsa.tform.php b/interface/web/dns/form/dns_tlsa.tform.php new file mode 100644 index 0000000000000000000000000000000000000000..ef6f2a05b16a4028d2334ecd08a380a92778d45a --- /dev/null +++ b/interface/web/dns/form/dns_tlsa.tform.php @@ -0,0 +1,158 @@ + 0 id must match with id of current user +$form["auth_preset"]["groupid"] = 0; // 0 = default groupid of the user, > 0 id must match with groupid of current user +$form["auth_preset"]["perm_user"] = 'riud'; //r = read, i = insert, u = update, d = delete +$form["auth_preset"]["perm_group"] = 'riud'; //r = read, i = insert, u = update, d = delete +$form["auth_preset"]["perm_other"] = ''; //r = read, i = insert, u = update, d = delete + +$form["tabs"]['dns'] = array ( + 'title' => "DNS tlsa", + 'width' => 100, + 'template' => "templates/dns_tlsa_edit.htm", + 'fields' => array ( + //################################# + // Begin Datatable fields + //################################# + 'server_id' => array ( + 'datatype' => 'INTEGER', + 'formtype' => 'SELECT', + 'default' => '', + 'value' => '', + 'width' => '30', + 'maxlength' => '255' + ), + 'zone' => array ( + 'datatype' => 'INTEGER', + 'formtype' => 'TEXT', + 'default' => @$app->functions->intval($_REQUEST["zone"]), + 'value' => '', + 'width' => '30', + 'maxlength' => '255' + ), + 'name' => array ( + 'datatype' => 'VARCHAR', + 'formtype' => 'TEXT', + 'filters' => array( 0 => array( 'event' => 'SAVE', + 'type' => 'TOLOWER') + ), + 'validators' => array ( 0 => array ( 'type' => 'REGEX', + 'regex' => '/^\_\d{1,5}\.\_(tcp|udp)\.[a-zA-Z0-9\.\-]{1,255}$/', + 'errmsg'=> 'name_error_regex') + ), + 'default' => '', + 'value' => '', + 'width' => '30', + 'maxlength' => '255' + ), + 'type' => array ( + 'datatype' => 'VARCHAR', + 'formtype' => 'TEXT', + 'default' => 'TLSA', + 'value' => '', + 'width' => '5', + 'maxlength' => '5' + ), + 'data' => array ( + 'datatype' => 'TEXT', + 'formtype' => 'TEXT', + 'validators' => array ( 0 => array ( 'type' => 'NOTEMPTY', + 'errmsg'=> 'data_error_empty'), + 1 => array ( 'type' => 'REGEX', + 'regex' => '/^\d \d \d [a-zA-Z0-9]*$/', + 'errmsg'=> 'data_error_regex') + ), + 'default' => '', + 'value' => '', + 'width' => '30', + 'maxlength' => '255' + ), + 'ttl' => array ( + 'datatype' => 'INTEGER', + 'formtype' => 'TEXT', + 'validators' => array ( 0 => array ( 'type' => 'RANGE', + 'range' => '60:', + 'errmsg'=> 'ttl_range_error'), + ), + 'default' => '7200', + 'value' => '', + 'width' => '10', + 'maxlength' => '10' + ), + 'active' => array ( + 'datatype' => 'VARCHAR', + 'formtype' => 'CHECKBOX', + 'default' => 'Y', + 'value' => array(0 => 'N', 1 => 'Y') + ), + 'stamp' => array ( + 'datatype' => 'VARCHAR', + 'formtype' => 'TEXT', + 'default' => '', + 'value' => '', + 'width' => '30', + 'maxlength' => '255' + ), + 'serial' => array ( + 'datatype' => 'INTEGER', + 'formtype' => 'TEXT', + 'default' => '', + 'value' => '', + 'width' => '10', + 'maxlength' => '10' + ), + //################################# + // ENDE Datatable fields + //################################# + ) +); + + + +?> diff --git a/interface/web/dns/lib/lang/de_dns_ds.lng b/interface/web/dns/lib/lang/de_dns_ds.lng new file mode 100644 index 0000000000000000000000000000000000000000..565844cf56ac9c859f043688f4aae3fe64590576 --- /dev/null +++ b/interface/web/dns/lib/lang/de_dns_ds.lng @@ -0,0 +1,17 @@ + diff --git a/interface/web/dns/lib/lang/de_dns_loc.lng b/interface/web/dns/lib/lang/de_dns_loc.lng new file mode 100644 index 0000000000000000000000000000000000000000..eb2f83263af2bb4ad4f0d25d4b21ad86fffeaf75 --- /dev/null +++ b/interface/web/dns/lib/lang/de_dns_loc.lng @@ -0,0 +1,16 @@ + diff --git a/interface/web/dns/lib/lang/de_dns_soa.lng b/interface/web/dns/lib/lang/de_dns_soa.lng index efd6e905515e3b6a16d081e54af5e2397d14c43c..6c475ed072cbc3d30af4acc6514d4f63084c227d 100644 --- a/interface/web/dns/lib/lang/de_dns_soa.lng +++ b/interface/web/dns/lib/lang/de_dns_soa.lng @@ -11,6 +11,9 @@ $wb['minimum_txt'] = 'Minimum'; $wb['ttl_txt'] = 'TTL'; $wb['xfer_txt'] = 'Zonentransfer zu diesen IP Adressen erlauben (mit Komma getrennte Liste)'; $wb['active_txt'] = 'Aktiv'; +$wb['dnssec_info_txt'] = 'DNSSEC DS-Daten für Registry'; +$wb['dnssec_wanted_txt'] = 'Zone signieren (DNSSEC)'; +$wb['dnssec_wanted_info'] = 'Wenn DNSSEC bereits aktiviert war und ein Key erstellt wurde, wird dieser durch deaktivieren nicht gelöscht. Die Zone wird dann jedoch nicht länger signiert ausgeliefert.'; $wb['limit_dns_zone_txt'] = 'Die maximale Anzahl an DNS Einträgen für Ihr Konto wurde erreicht.'; $wb['client_txt'] = 'Kunde'; $wb['no_zone_perm'] = 'Sie haben nicht die Berechtigung, einen Eintrag zu dieser DNS Zone hinzuzufügen.'; diff --git a/interface/web/dns/lib/lang/de_dns_spf.lng b/interface/web/dns/lib/lang/de_dns_spf.lng index dc2ca3496acd21a0409d4a4338349b2f6b0e1334..e75cd7aaaf5b4ac5647c02b0688166fa625d390d 100644 --- a/interface/web/dns/lib/lang/de_dns_spf.lng +++ b/interface/web/dns/lib/lang/de_dns_spf.lng @@ -1,3 +1,5 @@ + + + diff --git a/interface/web/dns/lib/lang/de_dns_tlsa.lng b/interface/web/dns/lib/lang/de_dns_tlsa.lng new file mode 100644 index 0000000000000000000000000000000000000000..ba5e4dca3faa47c8cb99571725907f28bc709a87 --- /dev/null +++ b/interface/web/dns/lib/lang/de_dns_tlsa.lng @@ -0,0 +1,16 @@ + diff --git a/interface/web/dns/lib/lang/en_dns_ds.lng b/interface/web/dns/lib/lang/en_dns_ds.lng new file mode 100644 index 0000000000000000000000000000000000000000..3f9b447811389dc80a42c129cd5a7bc5792ee75b --- /dev/null +++ b/interface/web/dns/lib/lang/en_dns_ds.lng @@ -0,0 +1,18 @@ + diff --git a/interface/web/dns/lib/lang/en_dns_loc.lng b/interface/web/dns/lib/lang/en_dns_loc.lng new file mode 100644 index 0000000000000000000000000000000000000000..a2e3322bb6d175e6bb32a2cd91fdc7325fcd706a --- /dev/null +++ b/interface/web/dns/lib/lang/en_dns_loc.lng @@ -0,0 +1,16 @@ + diff --git a/interface/web/dns/lib/lang/en_dns_soa.lng b/interface/web/dns/lib/lang/en_dns_soa.lng index 433530c02daf50067a71f9302145303c2f936de5..9018a6f38f75fca1f37a77c1d2a26f9ca58d2e71 100644 --- a/interface/web/dns/lib/lang/en_dns_soa.lng +++ b/interface/web/dns/lib/lang/en_dns_soa.lng @@ -11,6 +11,9 @@ $wb["minimum_txt"] = 'Minimum'; $wb["ttl_txt"] = 'TTL'; $wb["xfer_txt"] = 'Allow zone transfers to
these IPs (comma separated list)'; $wb["active_txt"] = 'Active'; +$wb['dnssec_info_txt'] = 'DNSSEC DS-Data for registry'; +$wb['dnssec_wanted_txt'] = 'Sign zone (DNSSEC)'; +$wb['dnssec_wanted_info'] = 'When disabling DNSSEC keys are not going to be deleted if DNSSEC was enabled before and keys already have been generated but the zone will no longer be delievered in signed format afterwards.'; $wb["limit_dns_zone_txt"] = 'The max. number of DNS zones for your account is reached.'; $wb["client_txt"] = 'Client'; $wb["no_zone_perm"] = 'You do not have the permission to add a record to this DNS zone.'; diff --git a/interface/web/dns/lib/lang/en_dns_spf.lng b/interface/web/dns/lib/lang/en_dns_spf.lng index 8a1a611c215e175ac1c981c15083e6f29cb2bc39..7ac24dd227b26b9a34faa0b6877a8a7c5a53b99a 100644 --- a/interface/web/dns/lib/lang/en_dns_spf.lng +++ b/interface/web/dns/lib/lang/en_dns_spf.lng @@ -1,3 +1,5 @@ + + + diff --git a/interface/web/dns/lib/lang/en_dns_tlsa.lng b/interface/web/dns/lib/lang/en_dns_tlsa.lng new file mode 100644 index 0000000000000000000000000000000000000000..dcfb3bfa333d0c65f05f397e7ce4549e6753019b --- /dev/null +++ b/interface/web/dns/lib/lang/en_dns_tlsa.lng @@ -0,0 +1,16 @@ + \ No newline at end of file diff --git a/interface/web/dns/lib/remote.conf.php b/interface/web/dns/lib/remote.conf.php index dcabf948575e69ebd707b0f1fd489ce0e6738e0f..0ca556926bf29d8f6aaadbdebb8cb7ad324be371 100644 --- a/interface/web/dns/lib/remote.conf.php +++ b/interface/web/dns/lib/remote.conf.php @@ -5,8 +5,11 @@ $function_list['dns_a_get,dns_a_add,dns_a_update,dns_a_delete'] = 'DNS a functio $function_list['dns_aaaa_get,dns_aaaa_add,dns_aaaa_update,dns_aaaa_delete'] = 'DNS aaaa functions'; $function_list['dns_alias_get,dns_alias_add,dns_alias_update,dns_alias_delete'] = 'DNS alias functions'; $function_list['dns_cname_get,dns_cname_add,dns_cname_update,dns_cname_delete'] = 'DNS cname functions'; +$function_list['dns_ds_get,dns_ds_add,dns_ds_update,dns_ds_delete'] = 'DNS ds functions'; $function_list['dns_hinfo_get,dns_hinfo_add,dns_hinfo_update,dns_hinfo_delete'] = 'DNS hinfo functions'; +$function_list['dns_loc_get,dns_loc_add,dns_loc_update,dns_loc_delete'] = 'DNS loc functions'; $function_list['dns_mx_get,dns_mx_add,dns_mx_update,dns_mx_delete'] = 'DNS mx functions'; +$function_list['dns_tlsa_get,dns_tlsa_add,dns_tlsa_update,dns_tlsa_delete'] = 'DNS tlsa functions'; $function_list['dns_ns_get,dns_ns_add,dns_ns_update,dns_ns_delete'] = 'DNS ns functions'; $function_list['dns_ptr_get,dns_ptr_add,dns_ptr_update,dns_ptr_delete'] = 'DNS ptr functions'; $function_list['dns_rp_get,dns_rp_add,dns_rp_update,dns_rp_delete'] = 'DNS rp functions'; diff --git a/interface/web/dns/list/dns_a.list.php b/interface/web/dns/list/dns_a.list.php index bf5bf1d52dbd2400614b7a33c2ed12ce9a40f153..b65fdf677cc5b4559fa0b063ef5874ef7c1b8946 100644 --- a/interface/web/dns/list/dns_a.list.php +++ b/interface/web/dns/list/dns_a.list.php @@ -132,7 +132,7 @@ $liste["item"][] = array( 'field' => "type", 'prefix' => "", 'suffix' => "", 'width' => "", - 'value' => array('A'=>'A', 'AAAA' => 'AAAA', 'ALIAS'=>'ALIAS', 'CNAME'=>'CNAME', 'HINFO'=>'HINFO', 'MX'=>'MX', 'NS'=>'NS', 'PTR'=>'PTR', 'RP'=>'RP', 'SPF'=>'SPF', 'SRV'=>'SRV', 'TXT'=>'TXT')); + 'value' => array('A'=>'A', 'AAAA' => 'AAAA', 'ALIAS'=>'ALIAS', 'CNAME'=>'CNAME', 'DS'=>'DS', 'HINFO'=>'HINFO', 'LOC'=>'LOC', 'MX'=>'MX', 'NS'=>'NS', 'PTR'=>'PTR', 'RP'=>'RP', 'SRV'=>'SRV', 'TLSA'=>'TLSA', 'TXT'=>'TXT')); ?> diff --git a/interface/web/dns/templates/dns_a_list.htm b/interface/web/dns/templates/dns_a_list.htm index 790fbdcb39d06d29be75da3bc849daf9d3093428..1f9d1251523566ee11c5729efc477aa96bfcfad3 100644 --- a/interface/web/dns/templates/dns_a_list.htm +++ b/interface/web/dns/templates/dns_a_list.htm @@ -22,14 +22,17 @@ + + + diff --git a/interface/web/dns/templates/dns_ds_edit.htm b/interface/web/dns/templates/dns_ds_edit.htm new file mode 100644 index 0000000000000000000000000000000000000000..56113f0ec0e95df7075d815bfc96a3c63c6c60fc --- /dev/null +++ b/interface/web/dns/templates/dns_ds_edit.htm @@ -0,0 +1,32 @@ +
+

+
+

+ + + +
+ +
+
+ +
+
+ +
+
+ +
+ {tmpl_var name='active'} +
+
+ + + + + + +
+ + +
\ No newline at end of file diff --git a/interface/web/dns/templates/dns_loc_edit.htm b/interface/web/dns/templates/dns_loc_edit.htm new file mode 100644 index 0000000000000000000000000000000000000000..12cfb6357fd42285214e4423c5e9196b6c5dc7df --- /dev/null +++ b/interface/web/dns/templates/dns_loc_edit.htm @@ -0,0 +1,32 @@ +
+

+
+

+ + + +
+ +
+
+ +
+
+ +
+
+ +
+ {tmpl_var name='active'} +
+
+ + + + + + +
+ + +
\ No newline at end of file diff --git a/interface/web/dns/templates/dns_soa_edit.htm b/interface/web/dns/templates/dns_soa_edit.htm index 33d429884605be7b702b38d7aed0ccddcaf21afa..be2e7fa831367c4e0eb9abadceb5eb3c0bde479c 100644 --- a/interface/web/dns/templates/dns_soa_edit.htm +++ b/interface/web/dns/templates/dns_soa_edit.htm @@ -125,6 +125,16 @@ +
+ +
+ {tmpl_var name='dnssec_wanted'}
({tmpl_var name='dnssec_wanted_info'}) +
+
+
+ +
+
diff --git a/interface/web/dns/templates/dns_tlsa_edit.htm b/interface/web/dns/templates/dns_tlsa_edit.htm new file mode 100644 index 0000000000000000000000000000000000000000..c2cde8be6197c060588bf337749b315e6ed151c9 --- /dev/null +++ b/interface/web/dns/templates/dns_tlsa_edit.htm @@ -0,0 +1,32 @@ +
+

+
+

+ + + +
+ +
+
+ +
+
+ +
+
+ +
+ {tmpl_var name='active'} +
+
+ + + + + + +
+ + +
\ No newline at end of file diff --git a/server/conf/bind_pri.domain.master b/server/conf/bind_pri.domain.master index 279fbac3517bb75753c560f7c7de30fc35b73f59..ed395064af5490be0a11aafeac61a67a9ef99d2e 100644 --- a/server/conf/bind_pri.domain.master +++ b/server/conf/bind_pri.domain.master @@ -23,9 +23,15 @@ $TTL {tmpl_var name='ttl'} {tmpl_var name='name'} {tmpl_var name='ttl'} CNAME {tmpl_var name='data'} + +{tmpl_var name='name'} {tmpl_var name='ttl'} DS {tmpl_var name='data'} + {tmpl_var name='name'} {tmpl_var name='ttl'} HINFO {tmpl_var name='data'} + +{tmpl_var name='name'} {tmpl_var name='ttl'} LOC {tmpl_var name='data'} + {tmpl_var name='name'} {tmpl_var name='ttl'} MX {tmpl_var name='aux'} {tmpl_var name='data'} @@ -41,6 +47,9 @@ $TTL {tmpl_var name='ttl'} {tmpl_var name='name'} {tmpl_var name='ttl'} SRV {tmpl_var name='aux'} {tmpl_var name='data'} + +{tmpl_var name='name'} {tmpl_var name='ttl'} TLSA {tmpl_var name='data'} + {tmpl_var name='name'} {tmpl_var name='ttl'} TXT "{tmpl_var name='data'}" diff --git a/server/lib/classes/cron.d/550-bind_dnssec.inc.php b/server/lib/classes/cron.d/550-bind_dnssec.inc.php new file mode 100644 index 0000000000000000000000000000000000000000..a8c643fb65a0d860fe32aea4f9251e94a438de8b --- /dev/null +++ b/server/lib/classes/cron.d/550-bind_dnssec.inc.php @@ -0,0 +1,89 @@ +uses("getconf,tpl"); + + //* load the server configuration options + $dns_config = $app->getconf->get_server_config($conf["server_id"], 'dns'); + + //TODO : change this when distribution information has been integrated into server record + $filespre = (file_exists('/etc/gentoo-release')) ? 'pri/' : 'pri.'; + + $soas = $app->db->queryAllRecords('SELECT * FROM dns_soa WHERE dnssec_wanted=\'Y\' AND dnssec_initialized=\'Y\' AND dnssec_last_signed < '.(time()-(3600*24*5)+900)); //Resign zones every 5 days (expiry is 16 days so we have enough safety, 15 minutes tolerance) + + foreach ($soas as $data) { + $domain = substr($data['origin'], 0, strlen($data['origin'])-1); + if (!file_exists($dns_config['bind_zonefiles_dir'].'/'.$filespre.$domain)) return false; + + $app->log('DNSSEC Auto-Resign: Resigning zone '.$domain, LOGLEVEL_INFO); + + $zonefile = file_get_contents($dns_config['bind_zonefiles_dir'].'/'.$filespre.$domain); + $keycount=0; + foreach (glob($dns_config['bind_zonefiles_dir'].'/K'.$domain.'*.key') as $keyfile) { + $includeline = '$INCLUDE '.basename($keyfile); + if (!preg_match('@'.preg_quote($includeline).'@', $zonefile)) $zonefile .= "\n".$includeline."\n"; + $keycount++; + } + if ($keycount != 2) $app->log('DNSSEC Warning: There are more or less than 2 keyfiles for zone '.$domain, LOGLEVEL_WARN); + file_put_contents($dns_config['bind_zonefiles_dir'].'/'.$filespre.$domain, $zonefile); + + //Sign the zone and set it valid for max. 16 days + exec('cd '.escapeshellcmd($dns_config['bind_zonefiles_dir']).';'. + '/usr/sbin/dnssec-signzone -A -e +1382400 -3 $(head -c 1000 /dev/random | sha1sum | cut -b 1-16) -N increment -o '.escapeshellcmd($domain).' -t '.$filespre.escapeshellcmd($domain)); + + //Write Data back into DB + $dnssecdata = "DS-Records:\n".file_get_contents($dns_config['bind_zonefiles_dir'].'/dsset-'.$domain.'.'); + $dnssecdata .= "\n------------------------------------\n\nDNSKEY-Records:\n"; + foreach (glob($dns_config['bind_zonefiles_dir'].'/K'.$domain.'*.key') as $keyfile) { + $dnssecdata .= file_get_contents($keyfile)."\n\n"; + } + + $app->db->query('UPDATE dns_soa SET dnssec_info=\''.$dnssecdata.'\', dnssec_initialized=\'Y\', dnssec_last_signed=\''.time().'\' WHERE id='.$data['id']); + $data = next($soas); + } + + parent::onRunJob(); + } + +} + +?> diff --git a/server/plugins-available/bind_plugin.inc.php b/server/plugins-available/bind_plugin.inc.php index c538cb9570ce2d07ca395a3d808626ed56a129aa..cede1cb82c2395c1cc077ab19c571ca80bcdcbc6 100644 --- a/server/plugins-available/bind_plugin.inc.php +++ b/server/plugins-available/bind_plugin.inc.php @@ -76,6 +76,144 @@ class bind_plugin { } + //* This creates DNSSEC-Keys and calls soa_dnssec_update. + function soa_dnssec_create(&$data) { + global $app, $conf; + + //* Load libraries + $app->uses("getconf,tpl"); + + //* load the server configuration options + $dns_config = $app->getconf->get_server_config($conf["server_id"], 'dns'); + + //TODO : change this when distribution information has been integrated into server record + $filespre = (file_exists('/etc/gentoo-release')) ? 'pri/' : 'pri.'; + + $domain = substr($data['new']['origin'], 0, strlen($data['new']['origin'])-1); + if (!file_exists($dns_config['bind_zonefiles_dir'].'/'.$filespre.$domain)) return false; + + //* Check Entropy + if (file_get_contents('/proc/sys/kernel/random/entropy_avail') < 400) { + $app->log('DNSSEC ERROR: We are low on entropy. Not generating new Keys for '.$domain.'. Please consider installing package haveged.', LOGLEVEL_WARN); + return false; + } + + //* Verify that we do not already have keys (overwriting-protection) + if (file_exists($dns_config['bind_zonefiles_dir'].'/dsset-'.$domain.'.')) { + return $this->soa_dnssec_update($data); + } else if ($data['new']['dnssec_initialized'] == 'Y') { //In case that we generated keys but the dsset-file was not generated + $keycount=0; + foreach (glob($dns_config['bind_zonefiles_dir'].'/K'.$domain.'*.key') as $keyfile) { + $keycount++; + } + if ($keycount > 0) { + $this->soa_dnssec_sign($data); + return true; + } + } + + //Do some magic... + exec('cd '.escapeshellcmd($dns_config['bind_zonefiles_dir']).';'. + 'dnssec-keygen -a NSEC3RSASHA1 -b 2048 -n ZONE '.escapeshellcmd($domain).';'. + 'dnssec-keygen -f KSK -a NSEC3RSASHA1 -b 4096 -n ZONE '.escapeshellcmd($domain)); + + $this->soa_dnssec_sign($data); //Now sign the zone for the first time + $data['new']['dnssec_initialized']='Y'; + } + + function soa_dnssec_sign(&$data) { + global $app, $conf; + + //* Load libraries + $app->uses("getconf,tpl"); + + //* load the server configuration options + $dns_config = $app->getconf->get_server_config($conf["server_id"], 'dns'); + + //TODO : change this when distribution information has been integrated into server record + $filespre = (file_exists('/etc/gentoo-release')) ? 'pri/' : 'pri.'; + + $domain = substr($data['new']['origin'], 0, strlen($data['new']['origin'])-1); + if (!file_exists($dns_config['bind_zonefiles_dir'].'/'.$filespre.$domain)) return false; + + $zonefile = file_get_contents($dns_config['bind_zonefiles_dir'].'/'.$filespre.$domain); + $keycount=0; + foreach (glob($dns_config['bind_zonefiles_dir'].'/K'.$domain.'*.key') as $keyfile) { + $includeline = '$INCLUDE '.basename($keyfile); + if (!preg_match('@'.preg_quote($includeline).'@', $zonefile)) $zonefile .= "\n".$includeline."\n"; + $keycount++; + } + if ($keycount != 2) $app->log('DNSSEC Warning: There are more or less than 2 keyfiles for zone '.$domain, LOGLEVEL_WARN); + file_put_contents($dns_config['bind_zonefiles_dir'].'/'.$filespre.$domain, $zonefile); + + //Sign the zone and set it valid for max. 16 days + exec('cd '.escapeshellcmd($dns_config['bind_zonefiles_dir']).';'. + 'dnssec-signzone -A -e +1382400 -3 $(head -c 1000 /dev/random | sha1sum | cut -b 1-16) -N increment -o '.escapeshellcmd($domain).' -t '.$filespre.escapeshellcmd($domain)); + + //Write Data back ino DB + $dnssecdata = "DS-Records:\n".file_get_contents($dns_config['bind_zonefiles_dir'].'/dsset-'.$domain.'.'); + $dnssecdata .= "\n------------------------------------\n\nDNSKEY-Records:\n"; + foreach (glob($dns_config['bind_zonefiles_dir'].'/K'.$domain.'*.key') as $keyfile) { + $dnssecdata .= file_get_contents($keyfile)."\n\n"; + } + + $app->db->query('UPDATE dns_soa SET dnssec_info=\''.$dnssecdata.'\', dnssec_initialized=\'Y\', dnssec_last_signed=\''.time().'\' WHERE id='.$data['new']['id']); + } + + function soa_dnssec_update(&$data, $new=false) { + global $app, $conf; + + //* Load libraries + $app->uses("getconf,tpl"); + + //* load the server configuration options + $dns_config = $app->getconf->get_server_config($conf["server_id"], 'dns'); + + //TODO : change this when distribution information has been integrated into server record + $filespre = (file_exists('/etc/gentoo-release')) ? 'pri/' : 'pri.'; + + $domain = substr($data['new']['origin'], 0, strlen($data['new']['origin'])-1); + if (!file_exists($dns_config['bind_zonefiles_dir'].'/'.$filespre.$domain)) return false; + + //* Check for available entropy + if (file_get_contents('/proc/sys/kernel/random/entropy_avail') < 200) { + $app->log('DNSSEC ERROR: We are low on entropy. This could cause server script to fail. Please consider installing package haveged.', LOGLEVEL_ERR); + return false; + } + + if (!$new && !file_exists($dns_config['bind_zonefiles_dir'].'/dsset-'.$domain.'.')) $this->soa_dnssec_create($data); + + $dbdata = $app->db->queryOneRecord('SELECT id,serial FROM dns_soa WHERE id='.$data['new']['id']); + exec('cd '.escapeshellcmd($dns_config['bind_zonefiles_dir']).';'. + 'named-checkzone '.escapeshellcmd($domain).' '.escapeshellcmd($dns_config['bind_zonefiles_dir']).'/'.$filespre.escapeshellcmd($domain).' | egrep -ho \'[0-9]{10}\'', $serial, $retState); + if ($retState != 0) { + $app->log('DNSSEC Error: Error in Zonefile for '.$domain, LOGLEVEL_ERR); + return false; + } + + $this->soa_dnssec_sign($data); + } + + function soa_dnssec_delete(&$data) { + global $app, $conf; + + //* Load libraries + $app->uses("getconf,tpl"); + + //* load the server configuration options + $dns_config = $app->getconf->get_server_config($conf["server_id"], 'dns'); + + //TODO : change this when distribution information has been integrated into server record + $filespre = (file_exists('/etc/gentoo-release')) ? 'pri/' : 'pri.'; + + $domain = substr($data['new']['origin'], 0, strlen($data['new']['origin'])-1); + + unlink($dns_config['bind_zonefiles_dir'].'/K'.$domain.'.+*'); + unlink($dns_config['bind_zonefiles_dir'].'/'.$filespre.$domain.'.signed'); + unlink($dns_config['bind_zonefiles_dir'].'/dsset-'.$domain.'.'); + + $app->db->query('UPDATE dns_soa SET dnssec_info=\'\', dnssec_initialized=\'N\' WHERE id='.$data['new']['id']); + } function soa_insert($event_name, $data) { global $app, $conf; @@ -145,7 +283,25 @@ class bind_plugin { unset($records_out); unset($zone); } - + + //* DNSSEC-Implementation + if($data['old']['origin'] != $data['new']['origin']) { + if (@$data['old']['dnssec_initialized'] == 'Y' && strlen(@$data['old']['origin']) > 3) $this->soa_dnssec_delete($data); //delete old keys + if ($data['new']['dnssec_wanted'] == 'Y') $this->soa_dnssec_create($data); + } + else if ($data['new']['dnssec_wanted'] == 'Y' && $data['old']['dnssec_initialized'] == 'N') $this->soa_dnssec_create($data); + else if ($data['new']['dnssec_wanted'] == 'N' && $data['old']['dnssec_initialized'] == 'Y') { //delete old signed file if dnssec is no longer wanted + //TODO : change this when distribution information has been integrated into server record + if (file_exists('/etc/gentoo-release')) { + $filename = $dns_config['bind_zonefiles_dir'].'/pri/'.str_replace("/", "_", substr($data['old']['origin'], 0, -1)); + } + else { + $filename = $dns_config['bind_zonefiles_dir'].'/pri.'.str_replace("/", "_", substr($data['old']['origin'], 0, -1)); + } + if(is_file($filename.'.signed')) unlink($filename.'.signed'); + } else if ($data['new']['dnssec_wanted'] == 'Y') $this->soa_dnssec_update($data); + // END DNSSEC + //* rebuild the named.conf file if the origin has changed or when the origin is inserted. //if($this->action == 'insert' || $data['old']['origin'] != $data['new']['origin']) { $this->write_named_conf($data, $dns_config); @@ -163,8 +319,9 @@ class bind_plugin { if(is_file($filename)) unlink($filename); if(is_file($filename.'.err')) unlink($filename.'.err'); - } - + if(is_file($filename.'.signed')) unlink($filename.'.signed'); + } + //* Restart bind nameserver if update_acl is not empty, otherwise reload it if($data['new']['update_acl'] != '') { $app->services->restartServiceDelayed('bind', 'restart'); @@ -197,6 +354,9 @@ class bind_plugin { if(is_file($zone_file_name.'.err')) unlink($zone_file_name.'.err'); $app->log("Deleting BIND domain file: ".$zone_file_name, LOGLEVEL_DEBUG); + //* DNSSEC-Implementation + if ($data['old']['dnssec_initialized'] == 'Y') exec('/usr/local/ispconfig/server/scripts/dnssec-delete.sh '.$data['old']['origin']); //delete keys + //* Reload bind nameserver $app->services->restartServiceDelayed('bind', 'reload'); @@ -323,7 +483,7 @@ class bind_plugin { global $app, $conf; //* Only write the master file for the current server - $tmps = $app->db->queryAllRecords("SELECT origin, xfer, also_notify, update_acl FROM dns_soa WHERE active = 'Y' AND server_id=?", $conf["server_id"]); + $tmps = $app->db->queryAllRecords("SELECT origin, xfer, also_notify, update_acl, dnssec_wanted FROM dns_soa WHERE active = 'Y' AND server_id=?", $conf["server_id"]); $zones = array(); //* Check if the current zone that triggered this function has at least one NS record @@ -341,8 +501,8 @@ class bind_plugin { //* Loop trough zones foreach($tmps as $tmp) { - $zone_file = $pri_zonefiles_path.str_replace("/", "_", substr($tmp['origin'], 0, -1)); + if ($tmp['dnssec_wanted'] == 'Y') $zone_file .= '.signed'; //.signed is for DNSSEC-Implementation $options = ''; if(trim($tmp['xfer']) != '') { diff --git a/server/plugins-available/mongo_clientdb_plugin.inc.php b/server/plugins-available/mongo_clientdb_plugin.inc.php index 62585838747b9a6e25c6ffc3004b235e5ae285b6..b4d274cba5ceed8868ea606374702667059224e1 100644 --- a/server/plugins-available/mongo_clientdb_plugin.inc.php +++ b/server/plugins-available/mongo_clientdb_plugin.inc.php @@ -52,14 +52,11 @@ class mongo_clientdb_plugin { function onInstall() { global $conf; - /*if($conf['services']['db'] == true && class_exists('MongoClient')) { + if($conf['services']['db'] == true && class_exists('MongoClient')) { return true; } else { return false; - }*/ - - // Disable mongodb plugin in ISPConfig 3.1 - return false; + } }