DNSSEC-Switch: Implementation finished, tested

And found a small bug (privkeys were not deleted on zone deletion) which is now fixed
Testing successful. Doing last test then if everything goes well this will be the new merge request

Author: A. Täffner

install/tpl/dnssec-delete.sh.master

@@ -17,6 +17,7 @@ if [ "$mysqlcheck" = 0 ];then
 fi
 
 rm $bindpath/K$pardomain.+*.key
+rm $bindpath/K$pardomain.+*.private
 rm "$bindpath/$filespre$pardomain.signed"
 rm "$bindpath/dsset-$pardomain."
 

install/tpl/dnssec-update.sh.master

@@ -1,13 +1,14 @@
 #!/bin/bash
 source {dnssec_conffile}
 pardomain="${1::-1}"
+cd $bindpath
 
 if [ ! -d $backuppath ]; then mkdir -p $backuppath; fi
 #connect to database for testing
 mysqlcheck=`mysql -u $dbuser --password=$dbpass -h $dbhost -Bse "use $dbase; show tables;" | wc -c`
 if [ "$mysqlcheck" = 0 ];then
  echo "$0 could not connect to database"
- cd $curdir
+ cd $curpath
  exit 0
 fi
 
@@ -33,8 +34,8 @@ mysqlcheck=`mysql -u $dbuser --password=$dbpass -h $dbhost -Bse "use $dbase; sel
       fi
 
     /usr/sbin/dnssec-signzone -A -3 $(head -c 1000 /dev/random | sha1sum | cut -b 1-16) -N increment -o $domain -t $filespre$domain
-    mysql -u $dbuser --password=$dbpass -h $dbhost -Bse "use $dbase; update dns_soa set serial='$fserial' where origin='$domain.'; update dns_rr set serial='$fserial' WHERE zone=$zoneid"
+    mysql -u $dbuser --password=$dbpass -h $dbhost -Bse "use $dbase; update dns_soa set serial='$fserial', dnssec_info='`cat /tmp/.dnssec-$domain`' where origin='$domain.'; update dns_rr set serial='$fserial' WHERE zone=$zoneid"
 
 echo "DNSSEC for $pardomain has been configured"
-cd $curdir
+cd $curpath
 exit 0

interface/web/dns/lib/lang/de_dns_soa.lng

@@ -13,6 +13,7 @@ $wb['xfer_txt'] = 'Zonentransfer zu diesen IP Adressen erlauben (mit Komma getre
 $wb['active_txt'] = 'Aktiv';
 $wb['dnssec_info_txt'] = 'DNSSEC DS-Daten für Registry';
 $wb['dnssec_wanted_txt'] = 'Zone signieren (DNSSEC)';
+$wb['dnssec_wanted_info'] = 'Wenn DNSSEC bereits aktiviert war und ein Key erstellt wurde, wird dieser durch deaktivieren nicht gelöscht. Die Zone wird dann jedoch nicht länger signiert ausgeliefert.';
 $wb['limit_dns_zone_txt'] = 'Die maximale Anzahl an DNS Einträgen für Ihr Konto wurde erreicht.';
 $wb['client_txt'] = 'Kunde';
 $wb['no_zone_perm'] = 'Sie haben nicht die Berechtigung, einen Eintrag zu dieser DNS Zone hinzuzufügen.';

interface/web/dns/lib/lang/en_dns_soa.lng

@@ -13,6 +13,7 @@ $wb["xfer_txt"] = 'Allow zone transfers to <br />these IPs (comma separated list
 $wb["active_txt"] = 'Active';
 $wb['dnssec_info_txt'] = 'DNSSEC DS-Data for registry';
 $wb['dnssec_wanted_txt'] = 'Sign zone (DNSSEC)';
+$wb['dnssec_wanted_info'] = 'When disabling DNSSEC keys are not going to be deleted if DNSSEC was enabled before and keys already have been generated but the zone will no longer be delievered in signed format afterwards.';
 $wb["limit_dns_zone_txt"] = 'The max. number of DNS zones for your account is reached.';
 $wb["client_txt"] = 'Client';
 $wb["no_zone_perm"] = 'You do not have the permission to add a record to this DNS zone.';

interface/web/dns/templates/dns_soa_edit.htm

@@ -128,12 +128,12 @@ <h1><tmpl_var name="list_head_txt"></h1>
 		    <div class="form-group">
                 <label class="col-sm-3 control-label">{tmpl_var name='dnssec_wanted_txt'}</label>
                 <div class="col-sm-9">
-                    {tmpl_var name='dnssec_wanted'}
-                </div>
+                    {tmpl_var name='dnssec_wanted'}<br /><small>({tmpl_var name='dnssec_wanted_info'})</small>
+                </div> 
             </div>
             <div class="form-group">
                 <label for="update_acl" class="col-sm-3 control-label">{tmpl_var name='dnssec_info_txt'}</label>
-                <div class="col-sm-9"><textarea readonly="true" rows="5" class="form-control">{tmpl_var name='dnssec_info'}</textarea></div>
+                <div class="col-sm-9"><textarea readonly="true" rows="5" id="dnssec_info" name="dnssec_info" class="form-control">{tmpl_var name='dnssec_info'}</textarea></div>
 			</div>
 
         <input type="hidden" name="id" value="{tmpl_var name='id'}">

server/plugins-available/bind_plugin.inc.php

@@ -151,9 +151,8 @@ function soa_update($event_name, $data) {
 			if (@$data['old']['dnssec_initialized'] == 'Y' && strlen(@$data['old']['origin']) > 3) exec('/usr/local/ispconfig/server/scripts/dnssec-delete.sh '.escapeshellcmd($data['old']['origin'])); //delete old keys
 			if ($data['new']['dnssec_wanted'] == 'Y') exec('/usr/local/ispconfig/server/scripts/dnssec-create.sh '.escapeshellcmd($data['new']['origin'])); //Create new keys for new origin
 		}
-		if ($data['new']['dnssec_wanted'] == 'Y' AND $data['new']['dnssec_initialized'] == 'N') if ($data['new']['dnssec_wanted'] == 'Y') exec('/usr/local/ispconfig/server/scripts/dnssec-create.sh '.escapeshellcmd($data['new']['origin'])); //Create new keys for new origin
-		else if ($data['old']['dnssec_wanted'] == 'Y') exec('/usr/local/ispconfig/server/scripts/dnssec-update.sh '.escapeshellcmd($data['new']['origin']));
-		if($data['old']['dnssec_initialized'] == 'Y' && $data['new']['dnssec_wanted'] == 'N') {	//delete old signed file if dnssec is no longer wanted
+		else if ($data['new']['dnssec_wanted'] == 'Y' && $data['old']['dnssec_initialized'] == 'N') exec('/usr/local/ispconfig/server/scripts/dnssec-create.sh '.escapeshellcmd($data['new']['origin'])); //Create new keys for new origin
+		else if ($data['new']['dnssec_wanted'] == 'N' && $data['old']['dnssec_initialized'] == 'Y') {	//delete old signed file if dnssec is no longer wanted
 			//TODO : change this when distribution information has been integrated into server record
 			if (file_exists('/etc/gentoo-release')) {
 				$filename = $dns_config['bind_zonefiles_dir'].'/pri/'.str_replace("/", "_", substr($data['old']['origin'], 0, -1));
@@ -162,7 +161,7 @@ function soa_update($event_name, $data) {
 				$filename = $dns_config['bind_zonefiles_dir'].'/pri.'.str_replace("/", "_", substr($data['old']['origin'], 0, -1));
 			}
 			if(is_file($filename.'.signed')) unlink($filename.'.signed');
- 		}
+ 		} else if ($data['new']['dnssec_wanted'] == 'Y') exec('/usr/local/ispconfig/server/scripts/dnssec-update.sh '.escapeshellcmd($data['new']['origin']));
 		// END DNSSEC
 
 		//* rebuild the named.conf file if the origin has changed or when the origin is inserted.
@@ -346,7 +345,7 @@ function write_named_conf($data, $dns_config) {
 		global $app, $conf;
 
 		//* Only write the master file for the current server
-		$tmps = $app->db->queryAllRecords("SELECT origin, xfer, also_notify, update_acl, dnssec_initialized FROM dns_soa WHERE active = 'Y' AND server_id=?", $conf["server_id"]);
+		$tmps = $app->db->queryAllRecords("SELECT origin, xfer, also_notify, update_acl, dnssec_wanted FROM dns_soa WHERE active = 'Y' AND server_id=?", $conf["server_id"]);
 		$zones = array();
 
 		//* Check if the current zone that triggered this function has at least one NS record
@@ -364,9 +363,8 @@ function write_named_conf($data, $dns_config) {
 
 		//* Loop trough zones
 		foreach($tmps as $tmp) {
-
 			$zone_file = $pri_zonefiles_path.str_replace("/", "_", substr($tmp['origin'], 0, -1));
-			if ($tmp['dnssec_initialized'] == 'Y') $zone_file .= '.signed' //.signed is for DNSSEC-Implementation
+			if ($tmp['dnssec_wanted'] == 'Y') $zone_file .= '.signed'; //.signed is for DNSSEC-Implementation
 
 			$options = '';
 			if(trim($tmp['xfer']) != '') {