final commit? Will test now a last time and if everything works as expected this will be my merge request

Author: A. Täffner

TODO.txt

@@ -13,11 +13,9 @@ Installer
 --------------------------------------
 
 - Add a function to let a server join a existing installation.
-- Change named.options.conf and add follwoing lines into options-brackets for DNSSEC-Implementation:
-		dnssec-enable yes;
-		dnssec-validation yes;
-		dnssec-lookaside auto;
-- Add Package haveged to requirements as it raises available entropy by more than 1500 which is very needed for DNSSEC Key-generation
+- Add Package haveged to requirements (at least if entropy is low) as it raises available entropy significantly which is very needed for DNSSEC Key-generation
+	If it is not installed and entropy is low generating dnssec-keys lasts minutes (and would time out the server thus is not done) and new signing keys are not generated.
+	If there are no keys the zones can not be signed and will only be availableas a unsigned copy.
 
 Uninstaller
 --------------------------------------

install/lib/installer_base.lib.php

@@ -1517,7 +1517,7 @@ public function configure_bind() {
 		$this->process_bind_file('dnssec-autopickup.sh', '/server/scripts/');
 		$this->process_bind_file('dnssec-autocreate.sh', '/server/scripts/');
 		$this->process_bind_file('dnssec-config.sh', '/server/scripts/');
-
+		$this->process_bind_file('named.conf.options', $conf['bind']['bind_zonefiles_dir']);
 	}
 
 

install/tpl/dnssec-create.sh.master

@@ -7,9 +7,18 @@ if [ "$mysqlcheck" = 0 ];then
  echo "$0 could not connect to database"
  exit 0
 fi
+
+if [ `cat /proc/sys/kernel/random/entropy_avail` -lt 400 ] ; then
+	echo "ERROR: DNSSEC is not working as available entropy is below 400. Please consider installing package haveged. Skipping generation of keys as well as signing..."
+	cp $filespre$domain $filespre$domain.signed
+	mysql -u $dbuser --password=$dbpass -h $dbhost -Bse "use $dbase; UPDATE dns_soa SET dnssec_info='Error during generation of keys. Please contact our support. Reason: Too less entropy available.', dnssec_initialized='N' WHERE origin='$domain.'"
+	exit 20
+fi
+
 mysqlcheck=`mysql -u $dbuser --password=$dbpass -h $dbhost -Bse "use $dbase; select * from dns_soa where dnssec_initialized='Y' and origin='$domain.';" | wc -c`
 if [ "$mysqlcheck" -gt 1 ];then
- echo "$domain seems to be initialized. If that is wrong correct dnssec_initialized in dns_soa table"
+ echo "DNSSEC: $domain seems to be initialized. If that is wrong correct dnssec_initialized in dns_soa table"
+ exit 0
 fi
 cd $bindpath
 

install/tpl/named.conf.options.master

@@ -0,0 +1,28 @@
+options {
+	directory "/var/cache/bind";
+
+	// If there is a firewall between you and nameservers you want
+	// to talk to, you may need to fix the firewall to allow multiple
+	// ports to talk.  See http://www.kb.cert.org/vuls/id/800113
+
+	// If your ISP provided one or more IP addresses for stable 
+	// nameservers, you probably want to use them as forwarders.  
+	// Uncomment the following block, and insert the addresses replacing 
+	// the all-0's placeholder.
+
+	// forwarders {
+	// 	0.0.0.0;
+	// };
+
+	//========================================================================
+	// If BIND logs error messages about the root key being expired,
+	// you will need to update your keys.  See https://www.isc.org/bind-keys
+	//========================================================================
+	dnssec-enable yes;
+	dnssec-validation yes;
+	dnssec-lookaside auto;
+
+	auth-nxdomain no;    # conform to RFC1035
+	listen-on-v6 { any; };
+};
+