
Commit 26a202f

author
Till Brehm
committed
Merge branch '5485-dns-transfer' into 'stable-3.1'
Make allow-transfer globally configurable (#5485) Closes #5485 See merge request ispconfig/ispconfig3!1114
2 parents bddc0e9 + e439437 commit 26a202f

2 files changed

+40
-41
lines changed


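--- a/install/tpl/named.conf.options.master
+++ b/install/tpl/named.conf.options.master
@@ -5,9 +5,9 @@ options {
 // to talk to, you may need to fix the firewall to allow multiple
 // ports to talk. See http://www.kb.cert.org/vuls/id/800113
 
-// If your ISP provided one or more IP addresses for stable
-// nameservers, you probably want to use them as forwarders.
-// Uncomment the following block, and insert the addresses replacing
+// If your ISP provided one or more IP addresses for stable
+// nameservers, you probably want to use them as forwarders.
+// Uncomment the following block, and insert the addresses replacing
 // the all-0's placeholder.
 
 // forwarders {
@@ -21,8 +21,9 @@ options {
 dnssec-enable yes;
 dnssec-validation yes;
 dnssec-lookaside auto;
+
+allow-transfer {none;};
 
 auth-nxdomain no; # conform to RFC1035
 listen-on-v6 { any; };
 };
-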
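Review bot: The new global `allow-transfer {none;};` at line 25 only protects zones once this template has actually been rendered into the running named.conf.options, yet the companion hunk in server/plugins-available/bind_plugin.inc.php (write_named_conf, old lines 535-536) drops the per-zone `allow-transfer {none;};` fallback unconditionally. On an installation whose named.conf.options predates this template, a zone with an empty xfer list then carries no allow-transfer statement at all, and BIND's historical default for allow-transfer, which permits transfers from any host, applies, so the change can widen exposure instead of narrowing it unless the installer/updater is known to regenerate this file. I would keep the per-zone fallback until that is confirmed, and in any case make the dependency explicit in the template with a comment above the new line: `// Deny zone transfers by default; a zone in named.conf.local that sets an xfer list overrides this per zone.` The rewrite of the forwarders comment at lines 8-10 appears to be whitespace only and could be kept out of a functional change.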

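--- a/server/plugins-available/bind_plugin.inc.php
+++ b/server/plugins-available/bind_plugin.inc.php
@@ -85,17 +85,17 @@ function soa_dnssec_create(&$data) {
 
 //* load the server configuration options
 $dns_config = $app->getconf->get_server_config($conf["server_id"], 'dns');
-
+
 $domain = substr($data['new']['origin'], 0, strlen($data['new']['origin'])-1);
 if (!file_exists($dns_config['bind_zonefiles_dir'].'/'.$this->zone_file_prefix().$domain)) return false;
-
+
 //* Check Entropy
 if (file_get_contents('/proc/sys/kernel/random/entropy_avail') < 400) {
 $app->log('DNSSEC ERROR: We are low on entropy. Not generating new Keys for '.$domain.'. Please consider installing package haveged.', LOGLEVEL_WARN);
 echo "DNSSEC ERROR: We are low on entropy. Not generating new Keys for $domain. Please consider installing package haveged.\n";
 return false;
 }
-
+
 //* Verify that we do not already have keys (overwriting-protection)
 if($data['old']['dnssec_algo'] == $data['new']['dnssec_algo']) {
 if (file_exists($dns_config['bind_zonefiles_dir'].'/dsset-'.$domain.'.')) {
@@ -111,10 +111,10 @@ function soa_dnssec_create(&$data) {
 }
 }
 }
-
+
 // Get DNSSEC Algorithms
 $dnssec_algo = explode(',',$data['new']['dnssec_algo']);
-
+
 //* Create the Zone Signing and Key Signing Keys
 if(in_array('ECDSAP256SHA256',$dnssec_algo) && count(glob($dns_config['bind_zonefiles_dir'].'/K'.$domain.'.+013*.key')) == 0) {
 $app->system->exec_safe('cd ?; dnssec-keygen -3 -a ECDSAP256SHA256 -n ZONE ?; dnssec-keygen -f KSK -3 -a ECDSAP256SHA256 -n ZONE ?', $dns_config['bind_zonefiles_dir'], $domain, $domain);
@@ -126,27 +126,27 @@ function soa_dnssec_create(&$data) {
 $this->soa_dnssec_sign($data); //Now sign the zone for the first time
 $data['new']['dnssec_initialized']='Y';
 }
-
+
 function soa_dnssec_sign(&$data) {
 global $app, $conf;
-
+
 //* Load libraries
 $app->uses("getconf,tpl");
 
 //* load the server configuration options
 $dns_config = $app->getconf->get_server_config($conf["server_id"], 'dns');
-
+
 $filespre = $this->zone_file_prefix();
 $domain = substr($data['new']['origin'], 0, strlen($data['new']['origin'])-1);
 if (!file_exists($dns_config['bind_zonefiles_dir'].'/'.$filespre.$domain)) return false;
-
+
 //* Get DNSSEC Algorithms
 $dnssec_algo = explode(',',$data['new']['dnssec_algo']);
-
+
 //* Get Zone file content
 $zonefile = file_get_contents($dns_config['bind_zonefiles_dir'].'/'.$filespre.$domain);
 $keycount=0;
-
+
 //* Include ECDSAP256SHA256 keys in zone
 if(in_array('ECDSAP256SHA256',$dnssec_algo)) {
 foreach (glob($dns_config['bind_zonefiles_dir'].'/K'.$domain.'.+013*.key') as $keyfile) {
@@ -155,7 +155,7 @@ function soa_dnssec_sign(&$data) {
 $keycount++;
 }
 }
-
+
 //* Include NSEC3RSASHA1 keys in zone
 if(in_array('NSEC3RSASHA1',$dnssec_algo)) {
 foreach (glob($dns_config['bind_zonefiles_dir'].'/K'.$domain.'.+007*.key') as $keyfile) {
@@ -164,35 +164,35 @@ function soa_dnssec_sign(&$data) {
 $keycount++;
 }
 }
-
+
 $keycount_wanted = count(explode(',',$data['new']['dnssec_algo']))*2;
-
+
 if ($keycount != $keycount_wanted) $app->log('DNSSEC Warning: There are more or less than 2 keyfiles for each algorithm for zone '.$domain.'. Found: '.$keycount. ' Expected: '.$keycount_wanted, LOGLEVEL_WARN);
 file_put_contents($dns_config['bind_zonefiles_dir'].'/'.$filespre.$domain, $zonefile);
-
+
 //* Sign the zone and set it valid for max. 16 days
 $app->system->exec_safe('cd ?; dnssec-signzone -A -e +1382400 -3 $(head -c 1000 /dev/random | sha1sum | cut -b 1-16) -N increment -o ? -t ?', $dns_config['bind_zonefiles_dir'], $domain, $filespre.$domain);
-
+
 //* Write Data back ino DB
 $dnssecdata = "DS-Records:\n".file_get_contents($dns_config['bind_zonefiles_dir'].'/dsset-'.$domain.'.');
 $dnssecdata .= "\n------------------------------------\n\nDNSKEY-Records:\n";
-
+
 if(in_array('ECDSAP256SHA256',$dnssec_algo)) {
 foreach (glob($dns_config['bind_zonefiles_dir'].'/K'.$domain.'.+013*.key') as $keyfile) {
 $dnssecdata .= file_get_contents($keyfile)."\n\n";
 }
 }
-
+
 if(in_array('NSEC3RSASHA1',$dnssec_algo)) {
 foreach (glob($dns_config['bind_zonefiles_dir'].'/K'.$domain.'.+007*.key') as $keyfile) {
 $dnssecdata .= file_get_contents($keyfile)."\n\n";
 }
 }
-
+
 if ($app->dbmaster !== $app->db) $app->dbmaster->query('UPDATE dns_soa SET dnssec_info=?, dnssec_initialized=\'Y\', dnssec_last_signed=? WHERE id=?', $dnssecdata, intval(time()), intval($data['new']['id']));
 $app->db->query('UPDATE dns_soa SET dnssec_info=?, dnssec_initialized=\'Y\', dnssec_last_signed=? WHERE id=?', $dnssecdata, intval(time()), intval($data['new']['id']));
 }
-
+
 function soa_dnssec_update(&$data, $new=false) {
 global $app, $conf;
 
@@ -201,31 +201,31 @@ function soa_dnssec_update(&$data, $new=false) {
 
 //* load the server configuration options
 $dns_config = $app->getconf->get_server_config($conf["server_id"], 'dns');
-
+
 $filespre = $this->zone_file_prefix();
 $domain = substr($data['new']['origin'], 0, strlen($data['new']['origin'])-1);
 if (!file_exists($dns_config['bind_zonefiles_dir'].'/'.$filespre.$domain)) return false;
-
+
 //* Check for available entropy
 if (file_get_contents('/proc/sys/kernel/random/entropy_avail') < 200) {
 $app->log('DNSSEC ERROR: We are low on entropy. This could cause server script to fail. Please consider installing package haveged.', LOGLEVEL_ERR);
 echo "DNSSEC ERROR: We are low on entropy. This could cause server script to fail. Please consider installing package haveged.\n";
 return false;
 }
-
+
 if (!$new && !file_exists($dns_config['bind_zonefiles_dir'].'/dsset-'.$domain.'.')) $this->soa_dnssec_create($data);
-
+
 $dbdata = $app->db->queryOneRecord('SELECT id,serial FROM dns_soa WHERE id=?', intval($data['new']['id']));
 $app->system->exec_safe('cd ?; named-checkzone ? ? | egrep -ho \'[0-9]{10}\'', $dns_config['bind_zonefiles_dir'], $domain, $dns_config['bind_zonefiles_dir'].'/'.$filespre.$domain);
 $retState = $app->system->last_exec_retcode();
 if ($retState != 0) {
 $app->log('DNSSEC Error: Error in Zonefile for '.$domain, LOGLEVEL_ERR);
 return false;
 }
-
+
 $this->soa_dnssec_sign($data);
 }
-
+
 function soa_dnssec_delete(&$data) {
 global $app, $conf;
 
@@ -234,16 +234,16 @@ function soa_dnssec_delete(&$data) {
 
 //* load the server configuration options
 $dns_config = $app->getconf->get_server_config($conf["server_id"], 'dns');
-
+
 $domain = substr($data['new']['origin'], 0, strlen($data['new']['origin'])-1);
-
+
 $key_files = glob($dns_config['bind_zonefiles_dir'].'/K'.$domain.'.+*');
 foreach($key_files as $file) {
 unlink($file);
 }
 unlink($dns_config['bind_zonefiles_dir'].'/'.$this->zone_file_prefix().$domain.'.signed');
 unlink($dns_config['bind_zonefiles_dir'].'/dsset-'.$domain.'.');
-
+
 if ($app->dbmaster !== $app->db) $app->dbmaster->query('UPDATE dns_soa SET dnssec_info=\'\', dnssec_initialized=\'N\' WHERE id=?', intval($data['new']['id']));
 $app->db->query('UPDATE dns_soa SET dnssec_info=\'\', dnssec_initialized=\'N\' WHERE id=?', intval($data['new']['id']));
 }
@@ -345,9 +345,9 @@ function soa_update($event_name, $data) {
 unset($records_out);
 unset($zone);
 }
-
+
 //* DNSSEC-Implementation
-if($data['old']['origin'] != $data['new']['origin']) {
+if($data['old']['origin'] != $data['new']['origin']) {
 if (@$data['old']['dnssec_initialized'] == 'Y' && strlen(@$data['old']['origin']) > 3) $this->soa_dnssec_delete($data); //delete old keys
 if ($data['new']['dnssec_wanted'] == 'Y') $this->soa_dnssec_create($data);
 } elseif($data['old']['dnssec_algo'] != $data['new']['dnssec_algo']) {
@@ -362,7 +362,7 @@ function soa_update($event_name, $data) {
 $this->soa_dnssec_update($data);
 }
 // END DNSSEC
-
+
 //* rebuild the named.conf file if the origin has changed or when the origin is inserted.
 //if($this->action == 'insert' || $data['old']['origin'] != $data['new']['origin']) {
 $this->write_named_conf($data, $dns_config);
@@ -376,7 +376,7 @@ function soa_update($event_name, $data) {
 if(is_file($filename.'.err')) unlink($filename.'.err');
 if(is_file($filename.'.signed')) unlink($filename.'.signed');
 }
-
+
 //* Restart bind nameserver if update_acl is not empty, otherwise reload it
 if($data['new']['update_acl'] != '') {
 $app->services->restartServiceDelayed('bind', 'restart');
@@ -407,7 +407,7 @@ function soa_delete($event_name, $data) {
 //delete keys
 $app->system->exec_safe('/usr/local/ispconfig/server/scripts/dnssec-delete.sh ?', $data['old']['origin']);
 }
-
+
 //* Reload bind nameserver
 $app->services->restartServiceDelayed('bind', 'reload');
 
@@ -532,8 +532,6 @@ function write_named_conf($data, $dns_config) {
 $options = '';
 if(trim($tmp['xfer']) != '') {
 $options .= " allow-transfer {".str_replace(',', ';', $tmp['xfer']).";};\n";
-} else {
-$options .= " allow-transfer {none;};\n";
 }
 if(trim($tmp['also_notify']) != '') $options .= ' also-notify {'.str_replace(',', ';', $tmp['also_notify']).";};\n";
 if(trim($tmp['update_acl']) != '') $options .= " allow-update {".str_replace(',', ';', $tmp['update_acl']).";};\n";
@@ -557,7 +555,7 @@ function write_named_conf($data, $dns_config) {
 foreach($tmps_sec as $tmp) {
 
 // When you have more than one master, the serial number is used to determine which Master has the most current version of the zone by the
-// slaves. The slaves actually ask for the SOA record from each Master when refreshing.
+// slaves. The slaves actually ask for the SOA record from each Master when refreshing.
 $options = " masters {".str_replace(',', ';', $tmp['ns']).";};\n";
 if(trim($tmp['xfer']) != '') {
 $options .= " allow-transfer {".str_replace(',', ';', $tmp['xfer']).";};\n";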
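Review bot: With the else branch removed, the remaining `if(trim($tmp['xfer']) != '') { ... }` at new lines 533-535 of the -532 hunk is a three-line block guarding one statement, while the also-notify and allow-update emitters directly below use the one-line form; collapsing it to `if(trim($tmp['xfer']) != '') $options .= " allow-transfer {".str_replace(',', ';', $tmp['xfer']).";};\n";` keeps the three option emitters consistent. Why no per-zone default is emitted any more is not visible from the code, so a why-comment on the line before the guard would help the next reader, e.g. `// No per-zone default here: the global allow-transfer in named.conf.options applies unless an xfer list is set for the zone.` The same reading applies to the secondary-zone guard that starts at new line 560 of the last hunk and continues past it. The earlier hunks in this file (lines 85 through 413) look like trailing-whitespace changes only, and keeping them out of a functional change would make the diff easier to audit. write_named_conf starts before the -532 hunk and continues past the last hunk.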
