Commit 1a2f6006 authored by A. Täffner

final commit? Will test now a last time and if everything works as expected this will be my merge request
parent eaafeeb3
......@@ -13,11 +13,9 @@ Installer
--------------------------------------
- Add a function to let a server join a existing installation.
- Change named.options.conf and add follwoing lines into options-brackets for DNSSEC-Implementation:
dnssec-enable yes;
dnssec-validation yes;
dnssec-lookaside auto;
- Add Package haveged to requirements as it raises available entropy by more than 1500 which is very needed for DNSSEC Key-generation
- Add Package haveged to requirements (at least if entropy is low) as it raises available entropy significantly which is very needed for DNSSEC Key-generation
If it is not installed and entropy is low generating dnssec-keys lasts minutes (and would time out the server thus is not done) and new signing keys are not generated.
If there are no keys the zones can not be signed and will only be availableas a unsigned copy.
Uninstaller
--------------------------------------
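Review bot: the replaced requirements line still leaves "entropy is low" undefined, while the script in this same commit refuses to generate keys whenever /proc/sys/kernel/random/entropy_avail is below 400; stating that threshold here would let an admin check it before installing haveged. The file name in the instructions also no longer matches the installer: the README tells the user to edit `named.options.conf` by hand, but installer_base now installs a file called `named.conf.options`, so either fix the name or note that the installer ships the file and the manual edit is only needed on existing installations. Typos: "follwoing" should read "following", and "availableas a unsigned copy" should read "available as an unsigned copy".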
......
......@@ -1517,7 +1517,7 @@ class installer_base {
$this->process_bind_file('dnssec-autopickup.sh', '/server/scripts/');
$this->process_bind_file('dnssec-autocreate.sh', '/server/scripts/');
$this->process_bind_file('dnssec-config.sh', '/server/scripts/');
$this->process_bind_file('named.conf.options', $conf['bind']['bind_zonefiles_dir']);
}
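Review bot: the new `process_bind_file('named.conf.options', $conf['bind']['bind_zonefiles_dir']);` line places the options file in the zone-files directory rather than in BIND's configuration directory where named.conf includes it; unless named.conf on the target is also changed to include the file from there, the three dnssec-* options are never loaded. The shipped template is also a complete options block (directory, listen-on-v6, auth-nxdomain), so wherever it lands it replaces any forwarders, listen-on or allow-query settings the admin already has; appending only the dnssec lines to the existing options file, or merging into it, would be the safer change.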
......
......@@ -7,9 +7,18 @@ if [ "$mysqlcheck" = 0 ];then
echo "$0 could not connect to database"
exit 0
fi
if [ `cat /proc/sys/kernel/random/entropy_avail` -lt 400 ] ; then
echo "ERROR: DNSSEC is not working as available entropy is below 400. Please consider installing package haveged. Skipping generation of keys as well as signing..."
cp $filespre$domain $filespre$domain.signed
mysql -u $dbuser --password=$dbpass -h $dbhost -Bse "use $dbase; UPDATE dns_soa SET dnssec_info='Error during generation of keys. Please contact our support. Reason: Too less entropy available.', dnssec_initialized='N' WHERE origin='$domain.'"
exit 20
fi
mysqlcheck=`mysql -u $dbuser --password=$dbpass -h $dbhost -Bse "use $dbase; select * from dns_soa where dnssec_initialized='Y' and origin='$domain.';" | wc -c`
if [ "$mysqlcheck" -gt 1 ];then
echo "$domain seems to be initialized. If that is wrong correct dnssec_initialized in dns_soa table"
echo "DNSSEC: $domain seems to be initialized. If that is wrong correct dnssec_initialized in dns_soa table"
exit 0
fi
cd $bindpath
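Review bot: the UPDATE added in the entropy branch passes the database password on the mysql command line (`--password=$dbpass`) and interpolates `$domain` unquoted into the SQL string; the password is then visible to every local user in the process list, and a domain value containing a quote breaks the statement. Supplying the credentials through `--defaults-extra-file` and quoting the variables (`"$filespre$domain"`, `"$domain"`) would cover both. The fallback `cp $filespre$domain $filespre$domain.signed` serves the unsigned zone under the signed file name; if a DS record for this zone is already published at the parent, resolvers will treat the zone as bogus rather than merely unsigned, so the error path should say so in dnssec_info. Minor: "Too less entropy available" should read "Too little entropy available", and the database-connection failure just above still exits 0 while the entropy failure exits 20, so a caller cannot tell that error from success.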
......
options {
directory "/var/cache/bind";
// If there is a firewall between you and nameservers you want
// to talk to, you may need to fix the firewall to allow multiple
// ports to talk. See http://www.kb.cert.org/vuls/id/800113
// If your ISP provided one or more IP addresses for stable
// nameservers, you probably want to use them as forwarders.
// Uncomment the following block, and insert the addresses replacing
// the all-0's placeholder.
// forwarders {
// 0.0.0.0;
// };
//========================================================================
// If BIND logs error messages about the root key being expired,
// you will need to update your keys. See https://www.isc.org/bind-keys
//========================================================================
dnssec-enable yes;
dnssec-validation yes;
dnssec-lookaside auto;
auth-nxdomain no; # conform to RFC1035
listen-on-v6 { any; };
};
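Review bot: `dnssec-lookaside auto;` turns on DLV lookaside validation, which depends on ISC's DLV registry (dlv.isc.org); ISC has retired that registry, so the line adds a dependency on a service that no longer answers and should be dropped. `dnssec-validation yes;` (as opposed to `auto`) requires trust anchors to be configured explicitly via trusted-keys or managed-keys, whereas `auto` uses BIND's built-in root trust anchor; on Debian, whose default options file uses `auto`, this template silently changes that behaviour, so `dnssec-validation auto;` is the safer value unless the installer also provisions the anchor. The template also hardcodes Debian-style defaults (`directory "/var/cache/bind";`, `listen-on-v6 { any; };`) that will be wrong on distributions with a different BIND layout; either derive them from the existing file or document the assumption.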