From ad1eea8a1a1cc14c3cbd210228e162dc55b58f10 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?A=2E=20T=C3=A4ffner?= Date: Thu, 7 Apr 2016 10:14:47 +0200 Subject: [PATCH 1/2] Fixed cron to update serial and not sign directly. This now issues a job for the cron server which will then generate the zone and sign it. cleaner solution AND fixes a possible replication (zone-transfer) issue. --- .../classes/cron.d/550-bind_dnssec.inc.php | 53 +++++++++---------- 1 file changed, 26 insertions(+), 27 deletions(-) diff --git a/server/lib/classes/cron.d/550-bind_dnssec.inc.php b/server/lib/classes/cron.d/550-bind_dnssec.inc.php index 2d238c7f4c..99360e06ac 100644 --- a/server/lib/classes/cron.d/550-bind_dnssec.inc.php +++ b/server/lib/classes/cron.d/550-bind_dnssec.inc.php @@ -34,7 +34,29 @@ DNSSEC-Implementation by Alexander T class cronjob_bind_dnssec extends cronjob { // job schedule - protected $_schedule = '30 3 * * *'; //daily at 3:30 a.m. + //protected $_schedule = '30 3 * * *'; //daily at 3:30 a.m. + protected $_schedule = '* * * * *'; //temp 4 test + + private function increase_serial($serial){ + global $app, $conf; + + // increase serial + $serial_date = $app->functions->intval(substr($serial, 0, 8)); + $count = $app->functions->intval(substr($serial, 8, 2)); + $current_date = date("Ymd"); + if($serial_date >= $current_date){ + $count += 1; + if ($count > 99) { + $serial_date += 1; + $count = 0; + } + $count = str_pad($count, 2, "0", STR_PAD_LEFT); + $new_serial = $serial_date.$count; + } else { + $new_serial = $current_date.'01'; + } + return $new_serial; + } public function onRunJob() { global $app, $conf; @@ -54,31 +76,8 @@ class cronjob_bind_dnssec extends cronjob { $domain = substr($data['origin'], 0, strlen($data['origin'])-1); if (!file_exists($dns_config['bind_zonefiles_dir'].'/'.$filespre.$domain)) return false; - $app->log('DNSSEC Auto-Resign: Resigning zone '.$domain, LOGLEVEL_INFO); - - $zonefile = file_get_contents($dns_config['bind_zonefiles_dir'].'/'.$filespre.$domain); - $keycount=0; - foreach (glob($dns_config['bind_zonefiles_dir'].'/K'.$domain.'*.key') as $keyfile) { - $includeline = '$INCLUDE '.basename($keyfile); - if (!preg_match('@'.preg_quote($includeline).'@', $zonefile)) $zonefile .= "\n".$includeline."\n"; - $keycount++; - } - if ($keycount != 2) $app->log('DNSSEC Warning: There are more or less than 2 keyfiles for zone '.$domain, LOGLEVEL_WARN); - file_put_contents($dns_config['bind_zonefiles_dir'].'/'.$filespre.$domain, $zonefile); - - //Sign the zone and set it valid for max. 16 days - exec('cd '.escapeshellcmd($dns_config['bind_zonefiles_dir']).';'. - '/usr/sbin/dnssec-signzone -A -e +1382400 -3 $(head -c 1000 /dev/random | sha1sum | cut -b 1-16) -N increment -o '.escapeshellcmd($domain).' -t '.$filespre.escapeshellcmd($domain)); - - //Write Data back into DB - $dnssecdata = "DS-Records:\n".file_get_contents($dns_config['bind_zonefiles_dir'].'/dsset-'.$domain.'.'); - $dnssecdata .= "\n------------------------------------\n\nDNSKEY-Records:\n"; - foreach (glob($dns_config['bind_zonefiles_dir'].'/K'.$domain.'*.key') as $keyfile) { - $dnssecdata .= file_get_contents($keyfile)."\n\n"; - } - - $app->db->query('UPDATE dns_soa SET dnssec_info=\''.$dnssecdata.'\', dnssec_initialized=\'Y\', dnssec_last_signed=\''.time().'\' WHERE id='.$data['id']); - $data = next($soas); + $app->log('DNSSEC Auto-Resign: Touching zone '.$domain, LOGLEVEL_INFO); + $app->db->datalogUpdate('dns_soa', array("serial" => $this->increase_serial($data['serial'])), 'id', $data['id']); } parent::onRunJob(); @@ -86,4 +85,4 @@ class cronjob_bind_dnssec extends cronjob { } -?> +?> \ No newline at end of file -- GitLab From 7f0edcf2a684e6f00fef64ebe35f59647c9e1d7c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?A=2E=20T=C3=A4ffner?= Date: Thu, 7 Apr 2016 10:16:13 +0200 Subject: [PATCH 2/2] reverted testing cron schedule --- server/lib/classes/cron.d/550-bind_dnssec.inc.php | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/server/lib/classes/cron.d/550-bind_dnssec.inc.php b/server/lib/classes/cron.d/550-bind_dnssec.inc.php index 99360e06ac..eb145fca34 100644 --- a/server/lib/classes/cron.d/550-bind_dnssec.inc.php +++ b/server/lib/classes/cron.d/550-bind_dnssec.inc.php @@ -34,8 +34,7 @@ DNSSEC-Implementation by Alexander T class cronjob_bind_dnssec extends cronjob { // job schedule - //protected $_schedule = '30 3 * * *'; //daily at 3:30 a.m. - protected $_schedule = '* * * * *'; //temp 4 test + protected $_schedule = '30 3 * * *'; //daily at 3:30 a.m. private function increase_serial($serial){ global $app, $conf; -- GitLab