DNSSEC-Switch: Implementation finished, tested

And found a small bug (privkeys were not deleted on zone deletion) which is now fixed Testing successful. Doing last test then if everything goes well this will be the new merge request

DNSSEC-Switch: Implementation finished, tested
606a2d96 · A. Täffner · ab1bb38b · 606a2d96 · 606a2d96 · 606a2d96
Commit 606a2d96 authored 9 years ago by A. Täffner
--- a/install/tpl/dnssec-delete.sh.master
+++ b/install/tpl/dnssec-delete.sh.master
@@ -17,6 +17,7 @@ if [ "$mysqlcheck" = 0 ];then
 fi

 rm $bindpath/K$pardomain.+*.key
+rm $bindpath/K$pardomain.+*.private
 rm "$bindpath/$filespre$pardomain.signed"
 rm "$bindpath/dsset-$pardomain."


--- a/install/tpl/dnssec-update.sh.master
+++ b/install/tpl/dnssec-update.sh.master
 #!/bin/bash
 source {dnssec_conffile}
 pardomain="${1::-1}"
+cd $bindpath

 if [ ! -d $backuppath ]; then mkdir -p $backuppath; fi
 #connect to database for testing
 mysqlcheck=`mysql -u $dbuser --password=$dbpass -h $dbhost -Bse "use $dbase; show tables;" | wc -c`
 if [ "$mysqlcheck" = 0 ];then
 echo "$0 could not connect to database"
- cd $curdir
+ cd $curpath
 exit 0
 fi

@@ -33,8 +34,8 @@ mysqlcheck=`mysql -u $dbuser --password=$dbpass -h $dbhost -Bse "use $dbase; sel
      fi

    /usr/sbin/dnssec-signzone -A -3 $(head -c 1000 /dev/random | sha1sum | cut -b 1-16) -N increment -o $domain -t $filespre$domain
-    mysql -u $dbuser --password=$dbpass -h $dbhost -Bse "use $dbase; update dns_soa set serial='$fserial' where origin='$domain.'; update dns_rr set serial='$fserial' WHERE zone=$zoneid"
+    mysql -u $dbuser --password=$dbpass -h $dbhost -Bse "use $dbase; update dns_soa set serial='$fserial', dnssec_info='`cat /tmp/.dnssec-$domain`' where origin='$domain.'; update dns_rr set serial='$fserial' WHERE zone=$zoneid"

 echo "DNSSEC for $pardomain has been configured"
-cd $curdir
+cd $curpath
 exit 0
--- a/interface/web/dns/lib/lang/de_dns_soa.lng
+++ b/interface/web/dns/lib/lang/de_dns_soa.lng
@@ -13,6 +13,7 @@ $wb['xfer_txt'] = 'Zonentransfer zu diesen IP Adressen erlauben (mit Komma getre
 $wb['active_txt'] = 'Aktiv';
 $wb['dnssec_info_txt'] = 'DNSSEC DS-Daten für Registry';
 $wb['dnssec_wanted_txt'] = 'Zone signieren (DNSSEC)';
+$wb['dnssec_wanted_info'] = 'Wenn DNSSEC bereits aktiviert war und ein Key erstellt wurde, wird dieser durch deaktivieren nicht gelöscht. Die Zone wird dann jedoch nicht länger signiert ausgeliefert.';
 $wb['limit_dns_zone_txt'] = 'Die maximale Anzahl an DNS Einträgen für Ihr Konto wurde erreicht.';
 $wb['client_txt'] = 'Kunde';
 $wb['no_zone_perm'] = 'Sie haben nicht die Berechtigung, einen Eintrag zu dieser DNS Zone hinzuzufügen.';

--- a/interface/web/dns/lib/lang/en_dns_soa.lng
+++ b/interface/web/dns/lib/lang/en_dns_soa.lng
@@ -13,6 +13,7 @@ $wb["xfer_txt"] = 'Allow zone transfers to <br />these IPs (comma separated list
 $wb["active_txt"] = 'Active';
 $wb['dnssec_info_txt'] = 'DNSSEC DS-Data for registry';
 $wb['dnssec_wanted_txt'] = 'Sign zone (DNSSEC)';
+$wb['dnssec_wanted_info'] = 'When disabling DNSSEC keys are not going to be deleted if DNSSEC was enabled before and keys already have been generated but the zone will no longer be delievered in signed format afterwards.';
 $wb["limit_dns_zone_txt"] = 'The max. number of DNS zones for your account is reached.';
 $wb["client_txt"] = 'Client';
 $wb["no_zone_perm"] = 'You do not have the permission to add a record to this DNS zone.';

--- a/interface/web/dns/templates/dns_soa_edit.htm
+++ b/interface/web/dns/templates/dns_soa_edit.htm
@@ -128,12 +128,12 @@
 		    <div class="form-group">
                <label class="col-sm-3 control-label">{tmpl_var name='dnssec_wanted_txt'}</label>
                <div class="col-sm-9">
-                    {tmpl_var name='dnssec_wanted'}
-                </div>
+                    {tmpl_var name='dnssec_wanted'}<br /><small>({tmpl_var name='dnssec_wanted_info'})</small>
+                </div> 
            </div>
            <div class="form-group">
                <label for="update_acl" class="col-sm-3 control-label">{tmpl_var name='dnssec_info_txt'}</label>
-                <div class="col-sm-9"><textarea readonly="true" rows="5" class="form-control">{tmpl_var name='dnssec_info'}</textarea></div>
+                <div class="col-sm-9"><textarea readonly="true" rows="5" id="dnssec_info" name="dnssec_info" class="form-control">{tmpl_var name='dnssec_info'}</textarea></div>
 			</div>
            
        <input type="hidden" name="id" value="{tmpl_var name='id'}">

--- a/server/plugins-available/bind_plugin.inc.php
+++ b/server/plugins-available/bind_plugin.inc.php
@@ -151,9 +151,8 @@ class bind_plugin {
 			if (@$data['old']['dnssec_initialized'] == 'Y' && strlen(@$data['old']['origin']) > 3) exec('/usr/local/ispconfig/server/scripts/dnssec-delete.sh '.escapeshellcmd($data['old']['origin'])); //delete old keys
 			if ($data['new']['dnssec_wanted'] == 'Y') exec('/usr/local/ispconfig/server/scripts/dnssec-create.sh '.escapeshellcmd($data['new']['origin'])); //Create new keys for new origin
 		}
-		if ($data['new']['dnssec_wanted'] == 'Y' AND $data['new']['dnssec_initialized'] == 'N') if ($data['new']['dnssec_wanted'] == 'Y') exec('/usr/local/ispconfig/server/scripts/dnssec-create.sh '.escapeshellcmd($data['new']['origin'])); //Create new keys for new origin
-		else if ($data['old']['dnssec_wanted'] == 'Y') exec('/usr/local/ispconfig/server/scripts/dnssec-update.sh '.escapeshellcmd($data['new']['origin']));
-		if($data['old']['dnssec_initialized'] == 'Y' && $data['new']['dnssec_wanted'] == 'N') {	//delete old signed file if dnssec is no longer wanted
+		else if ($data['new']['dnssec_wanted'] == 'Y' && $data['old']['dnssec_initialized'] == 'N') exec('/usr/local/ispconfig/server/scripts/dnssec-create.sh '.escapeshellcmd($data['new']['origin'])); //Create new keys for new origin
+		else if ($data['new']['dnssec_wanted'] == 'N' && $data['old']['dnssec_initialized'] == 'Y') {	//delete old signed file if dnssec is no longer wanted
 			//TODO : change this when distribution information has been integrated into server record
 			if (file_exists('/etc/gentoo-release')) {
 				$filename = $dns_config['bind_zonefiles_dir'].'/pri/'.str_replace("/", "_", substr($data['old']['origin'], 0, -1));
@@ -162,7 +161,7 @@ class bind_plugin {
 				$filename = $dns_config['bind_zonefiles_dir'].'/pri.'.str_replace("/", "_", substr($data['old']['origin'], 0, -1));
 			}
 			if(is_file($filename.'.signed')) unlink($filename.'.signed');
- 		}
+ 		} else if ($data['new']['dnssec_wanted'] == 'Y') exec('/usr/local/ispconfig/server/scripts/dnssec-update.sh '.escapeshellcmd($data['new']['origin']));
 		// END DNSSEC
 		
 		//* rebuild the named.conf file if the origin has changed or when the origin is inserted.
@@ -346,7 +345,7 @@ class bind_plugin {
 		global $app, $conf;

 		//* Only write the master file for the current server
-		$tmps = $app->db->queryAllRecords("SELECT origin, xfer, also_notify, update_acl, dnssec_initialized FROM dns_soa WHERE active = 'Y' AND server_id=?", $conf["server_id"]);
+		$tmps = $app->db->queryAllRecords("SELECT origin, xfer, also_notify, update_acl, dnssec_wanted FROM dns_soa WHERE active = 'Y' AND server_id=?", $conf["server_id"]);
 		$zones = array();

 		//* Check if the current zone that triggered this function has at least one NS record
@@ -364,9 +363,8 @@ class bind_plugin {

 		//* Loop trough zones
 		foreach($tmps as $tmp) {
-
 			$zone_file = $pri_zonefiles_path.str_replace("/", "_", substr($tmp['origin'], 0, -1));
-			if ($tmp['dnssec_initialized'] == 'Y') $zone_file .= '.signed' //.signed is for DNSSEC-Implementation
+			if ($tmp['dnssec_wanted'] == 'Y') $zone_file .= '.signed'; //.signed is for DNSSEC-Implementation

 			$options = '';
 			if(trim($tmp['xfer']) != '') {