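#!/bin/bash
# dnssec-create.sh.master — DNSSEC bootstrap for one BIND zone.
#
# Generates a ZSK and a KSK with dnssec-keygen, appends $INCLUDE lines for the
# public keys to the zone file, signs the zone with dnssec-signzone (NSEC3) and
# stores the resulting DS and DNSKEY records in dns_soa.dnssec_info.
#
# Usage:  dnssec-create.sh <domain.tld.>
#         A trailing dot (the origin as stored in dns_soa) is stripped.
#
# Expected from the sourced config: dbuser, dbpass, dbhost, dbase, bindpath,
# filespre (zone file name prefix, used relative to bindpath) and curpath
# (directory to return to at the end — not set in this script, TODO confirm the
# config provides it). Optional overrides, whose defaults equal the previously
# hard-coded values: dnssec_min_entropy, dnssec_key_algorithm,
# dnssec_zsk_bits, dnssec_ksk_bits.
#
# Exit status: 0 on success or when there is nothing to do (zone already
# initialized / keys already present); 1 for usage or environment errors;
# 20 too little entropy; 21 dnssec-keygen failed; 22 dnssec-signzone failed;
# 23 the final database update failed.
#
# {dnssec_conffile} is presumably substituted when this .master template is
# installed — confirm with the deployment tooling.
source {dnssec_conffile}

#######################################
# Print the usage line.
#######################################
usage() {
  echo "usage: dnssec-create.sh <domain.tld>"
}

#######################################
# Escape a value for use inside a single-quoted MySQL string literal.
# Single quotes are doubled (valid in every sql_mode) and backslashes doubled
# (needed unless NO_BACKSLASH_ESCAPES is set).
# Arguments: $1 - raw value
# Outputs:   escaped value on stdout
#######################################
sql_escape() {
  local v=$1
  v=${v//\\/\\\\}
  v=${v//\'/\'\'}
  printf '%s' "$v"
}

#######################################
# Quote a value for a MySQL option file (double quotes; \ and " escaped).
# Arguments: $1 - raw value
# Outputs:   quoted value on stdout
#######################################
opt_quote() {
  local v=$1
  v=${v//\\/\\\\}
  v=${v//\"/\\\"}
  printf '"%s"' "$v"
}

#######################################
# Run one SQL statement against $dbase.
# Credentials come from $mysql_defaults (a 0600 mktemp file) instead of
# --password=... so the password is not exposed in `ps` output.
# Arguments: $1 - SQL text
# Outputs:   result rows, tab separated, no header
# Returns:   exit status of mysql
#######################################
run_sql() {
  mysql --defaults-extra-file="$mysql_defaults" -Bse "$1" "$dbase"
}

#######################################
# Record a failure for $domain in dns_soa (dnssec_initialized='N').
# Arguments: $1 - reason shown in dnssec_info
#######################################
record_failure() {
  run_sql "UPDATE dns_soa SET dnssec_info='$(sql_escape "$1")', dnssec_initialized='N' WHERE origin='$(sql_escape "$domain.")'"
}

if [[ $# -lt 1 || -z $1 ]]; then
  usage
  exit 1
fi

# Strip the trailing dot of the origin ("example.com." -> "example.com").
# The previous ${1::-1} chopped the last character unconditionally, which
# mangled names passed without the dot.
domain=${1%.}

# Allow-list the name before it reaches file paths, command lines and SQL:
# letters, digits, '_', '-' and '.', not starting with '-' or '.'. This rules
# out path traversal via $filespre$domain, option injection into
# dnssec-keygen/-signzone and quote characters in the SQL below.
if [[ -z $domain || ! $domain =~ ^[A-Za-z0-9_][A-Za-z0-9._-]*$ ]]; then
  echo "$0: invalid domain name '$1'"
  usage
  exit 1
fi

mysql_defaults=$(mktemp) || { echo "$0: cannot create temporary file"; exit 1; }
trap 'rm -f -- "$mysql_defaults"' EXIT
printf '[client]\nuser=%s\npassword=%s\nhost=%s\n' \
  "$(opt_quote "$dbuser")" "$(opt_quote "$dbpass")" "$(opt_quote "$dbhost")" \
  > "$mysql_defaults"

# Connectivity check, as before: no output from "show tables" means no connection
# (or an empty database).
if [[ -z "$(run_sql 'show tables;')" ]]; then
  echo "$0 could not connect to database"
  exit 1
fi

# Change directory before anything touches the zone file: $filespre is used
# relative to $bindpath and the low-entropy branch below copies the zone file
# (previously that copy ran in the caller's working directory).
cd "$bindpath" || { echo "$0: cannot cd to $bindpath"; exit 1; }
zonefile="$filespre$domain"
dsset="dsset-$domain."
esc_origin=$(sql_escape "$domain.")

# Nothing-to-do checks come first so a no-op run can never overwrite the
# dnssec_info of an already initialized zone with an error.
if [[ -n "$(run_sql "select origin from dns_soa where dnssec_initialized='Y' and origin='$esc_origin';")" ]]; then
  echo "DNSSEC: $domain seems to be initialized. If that is wrong correct dnssec_initialized in dns_soa table"
  exit 0
fi
if [[ ! -f $zonefile ]]; then
  echo "$domain zone file ($zonefile) does not exist"
  exit 1
fi
if [[ -f $dsset ]]; then
  echo "dnssec keys for $domain already exists!"
  exit 0
fi

# Key generation and the salt read from /dev/random need kernel entropy; below
# the threshold the zone is left unsigned (plain copy as .signed) and the
# failure is recorded for the customer.
# NOTE(review): kernels >= 5.18 report entropy_avail as at most 256, so the
# default threshold of 400 would always trip there — set dnssec_min_entropy
# for such hosts (confirm on the target kernel).
min_entropy=${dnssec_min_entropy:-400}
entropy=$(cat /proc/sys/kernel/random/entropy_avail 2>/dev/null)
if [[ -n $entropy ]] && (( entropy < min_entropy )); then
  echo "ERROR: DNSSEC is not working as available entropy is below $min_entropy. Please consider installing package haveged. Skipping generation of keys as well as signing..."
  cp -- "$zonefile" "$zonefile.signed"
  record_failure "Error during generation of keys. Please contact our support. Reason: Too less entropy available."
  exit 20
fi

# NSEC3RSASHA1 (algorithm 7) is kept as the default for compatibility; RFC 8624
# lists it as NOT RECOMMENDED for signing and some BIND builds refuse SHA-1.
# Prefer ECDSAP256SHA256 for new deployments (then set the *_bits overrides to
# whatever the local dnssec-keygen accepts for that algorithm).
key_alg=${dnssec_key_algorithm:-NSEC3RSASHA1}
zsk_bits=${dnssec_zsk_bits:-2048}
ksk_bits=${dnssec_ksk_bits:-4096}

echo "Creating keys for $domain"
if ! dnssec-keygen -a "$key_alg" -b "$zsk_bits" -n ZONE "$domain" \
  || ! dnssec-keygen -f KSK -a "$key_alg" -b "$ksk_bits" -n ZONE "$domain"; then
  # Leftover K<domain>.+*.key/.private from a partial run may need manual cleanup.
  echo "ERROR: dnssec-keygen failed for $domain"
  record_failure "Error during generation of keys. Please contact our support."
  exit 21
fi

# Only this zone's keys: "K<domain>.+<alg>+<tag>.key". The old glob
# K$domain*.key could also match keys of zones whose name extends this one.
shopt -s nullglob
keyfiles=("K$domain".+*.key)
shopt -u nullglob
if (( ${#keyfiles[@]} == 0 )); then
  echo "ERROR: no key files found for $domain"
  record_failure "Error during generation of keys. Please contact our support."
  exit 21
fi
for key in "${keyfiles[@]}"; do
  echo "\$INCLUDE $bindpath/$key" >> "$zonefile"
done

# Random NSEC3 salt. -A sets NSEC3 opt-out (unsigned delegations are not
# covered by the chain) — kept as before, TODO confirm that is intended.
salt=$(head -c 1000 /dev/random | sha1sum | cut -b 1-16)
if [[ -z $salt ]] || ! dnssec-signzone -A -3 "$salt" -N INCREMENT -o "$domain" -t "$zonefile"; then
  echo "ERROR: dnssec-signzone failed for $domain"
  record_failure "Error during signing of zone. Please contact our support."
  exit 22
fi

# Summary stored in dnssec_info. dsset-<domain>. holds one line per DS record
# ("<origin> IN DS <tag> <alg> <dtype> <digest>"); dnssec-signzone prints
# SHA-256 digests as two whitespace-separated halves, hence $dig1$dig2.
# Built in memory — the previous predictable /tmp/.dnssec-<domain> file is gone.
report=$(
  n=0
  while read -r _ _ _ tag alg dtype dig1 dig2 || [[ -n $tag ]]; do
    [[ -n $tag ]] || continue
    n=$((n + 1))
    printf 'DS Record %d:\nKey Tag/ID: %s\nAlgorithm: %s\nDigest/HASH Type: %s\nDigest/HASH: %s\n\n' \
      "$n" "$tag" "$alg" "$dtype" "$dig1$dig2"
  done < "$dsset"
  printf 'In DS-Record format:\n'
  cat -- "$dsset"
  printf '\nDNSKEY-Records:\n'
  cat -- "${keyfiles[@]}"
)

if ! run_sql "UPDATE dns_soa SET dnssec_info='$(sql_escape "$report")', dnssec_initialized='Y' WHERE origin='$esc_origin'"; then
  echo "ERROR: could not store DNSSEC records for $domain in the database"
  exit 23
fi

# Return to the caller's directory as before; with curpath unset or empty this
# is a bare `cd` (HOME), matching the previous unquoted expansion.
if [[ -n $curpath ]]; then
  cd "$curpath"
else
  cd
fi
exit 0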