Reimplemented DNSSEC signing.

Till Brehm · Till Brehm · commit 6863f325eaf2 · 2020-08-10T18:00:39.000+02:00
diff --git a/install/sql/incremental/upd_dev_collection.sql b/install/sql/incremental/upd_dev_collection.sql
@@ -66,6 +66,6 @@ ALTER TABLE `client` CHANGE `id_rsa` `id_rsa` TEXT CHARACTER SET utf8 COLLATE ut
 ALTER TABLE `directive_snippets` ADD `update_sites` ENUM('y','n') NOT NULL DEFAULT 'n' ;
 
 -- Add DNSSEC Algorithm setting
-ALTER TABLE `dns_soa` ADD `dnssec_algo` ENUM('sha1','sha256') NULL DEFAULT NULL AFTER `dnssec_wanted`;
-UPDATE `dns_soa` SET `dnssec_algo` = 'sha1' WHERE `dnssec_algo` IS NULL;
-ALTER TABLE `dns_soa` CHANGE `dnssec_algo` `dnssec_algo` ENUM('sha1','sha256') CHARACTER SET utf8 COLLATE utf8_general_ci NOT NULL DEFAULT 'sha256';
+ALTER TABLE `dns_soa` ADD `dnssec_algo` SET('NSEC3RSASHA1','ECDSAP256SHA256') NULL DEFAULT NULL AFTER `dnssec_wanted`;
+UPDATE `dns_soa` SET `dnssec_algo` = 'NSEC3RSASHA1' WHERE `dnssec_algo` IS NULL;
+ALTER TABLE `dns_soa` CHANGE `dnssec_algo` `dnssec_algo` SET('NSEC3RSASHA1','ECDSAP256SHA256') CHARACTER SET utf8 COLLATE utf8_general_ci NOT NULL DEFAULT 'ECDSAP256SHA256';
diff --git a/install/sql/ispconfig3.sql b/install/sql/ispconfig3.sql
@@ -626,7 +626,7 @@ CREATE TABLE `dns_soa` (
   `update_acl` varchar(255) default NULL,
   `dnssec_initialized` ENUM('Y','N') NOT NULL DEFAULT 'N',
   `dnssec_wanted` ENUM('Y','N') NOT NULL DEFAULT 'N',
-  `dnssec_algo` ENUM('sha1','sha256') NOT NULL DEFAULT 'sha256',
+  `dnssec_algo` SET('NSEC3RSASHA1','ECDSAP256SHA256') NOT NULL DEFAULT 'ECDSAP256SHA256',
   `dnssec_last_signed` BIGINT NOT NULL DEFAULT '0',
   `dnssec_info` TEXT NULL,
   PRIMARY KEY  (`id`),
diff --git a/interface/web/dns/dns_soa_edit.php b/interface/web/dns/dns_soa_edit.php
@@ -296,6 +296,8 @@ function onSubmit() {
 
 		$this->dataRecord["xfer"] = preg_replace('/\s+/', '', $this->dataRecord["xfer"]);
 		$this->dataRecord["also_notify"] = preg_replace('/\s+/', '', $this->dataRecord["also_notify"]);
+		
+		if(isset($this->dataRecord['dnssec_wanted']) && $this->dataRecord['dnssec_wanted'] == 'Y' && $this->dataRecord['dnssec_algo'] == '') $this->dataRecord['dnssec_algo'] = 'ECDSAP256SHA256';
 
 		//* Check if a secondary zone with the same name already exists
 		$tmp = $app->db->queryOneRecord("SELECT count(id) as number FROM dns_slave WHERE origin = ? AND server_id = ?", $this->dataRecord["origin"], $this->dataRecord["server_id"]);
diff --git a/interface/web/dns/dns_wizard.php b/interface/web/dns/dns_wizard.php
@@ -339,7 +339,7 @@
 	$section = '';
 	$vars = array();
 	$vars['xfer']='';
-	$vars['dnssec_algo']='sha256';
+	$vars['dnssec_algo']='ECDSAP256SHA256';
 	$dns_rr = array();
 	foreach($tpl_rows as $row) {
 		$row = trim($row);
diff --git a/interface/web/dns/form/dns_soa.tform.php b/interface/web/dns/form/dns_soa.tform.php
@@ -278,9 +278,10 @@
 		),
 		'dnssec_algo' => array (
 			'datatype' => 'VARCHAR',
-			'formtype' => 'SELECT',
-			'default' => 'sha256',
-			'value'  => array('sha1' => 'SHA1','sha256' => 'SHA256'),
+			'formtype' => 'CHECKBOXARRAY',
+			'separator' => ',',
+			'default' => 'ECDSAP256SHA256',
+			'value'  => array('NSEC3RSASHA1' => '7 (NSEC3RSASHA1)','ECDSAP256SHA256' => '13 (ECDSAP256SHA256)'),
 			'width'  => '30',
 			'maxlength' => '255'
 		),
diff --git a/server/plugins-available/bind_plugin.inc.php b/server/plugins-available/bind_plugin.inc.php
@@ -110,10 +110,14 @@ function soa_dnssec_create(&$data) {
 			}
 		}
 		
+		// Get DNSSEC Algorithms
+		$dnssec_algo = explode(',',$data['new']['dnssec_algo']);
+		
 		//Do some magic...
-		if($data['new']['dnssec_algo'] == 'sha256') {
+		if(in_array('ECDSAP256SHA256',$dnssec_algo)) {
 			$app->system->exec_safe('cd ?; dnssec-keygen -3 -a ECDSAP256SHA256 -n ZONE ?; dnssec-keygen -f KSK -3 -a ECDSAP256SHA256 -n ZONE ?', $dns_config['bind_zonefiles_dir'], $domain, $domain);
-		} else {
+		}
+		if(in_array('NSEC3RSASHA1',$dnssec_algo)) {
 			$app->system->exec_safe('cd ?; dnssec-keygen -a NSEC3RSASHA1 -b 2048 -n ZONE ?; dnssec-keygen -f KSK -a NSEC3RSASHA1 -b 4096 -n ZONE ?', $dns_config['bind_zonefiles_dir'], $domain, $domain);
 		}
 
@@ -141,7 +145,10 @@ function soa_dnssec_sign(&$data) {
 			if (!preg_match('@'.preg_quote($includeline).'@', $zonefile)) $zonefile .= "\n".$includeline."\n";
 			$keycount++;
 		}
-		if ($keycount != 2) $app->log('DNSSEC Warning: There are more or less than 2 keyfiles for zone '.$domain, LOGLEVEL_WARN);
+		
+		$keycount_wanted = count(explode(',',$data['new']['dnssec_algo']))*2;
+		
+		if ($keycount != $keycount_wanted) $app->log('DNSSEC Warning: There are more or less than 2 keyfiles for each algorithm for zone '.$domain, LOGLEVEL_WARN);
 		file_put_contents($dns_config['bind_zonefiles_dir'].'/'.$filespre.$domain, $zonefile);
 		
 		//Sign the zone and set it valid for max. 16 days
@@ -309,9 +316,11 @@ function soa_update($event_name, $data) {
 		}
 		
 		//* DNSSEC-Implementation
-		if($data['old']['origin'] != $data['new']['origin'] || $data['old']['dnssec_algo'] != $data['new']['dnssec_algo']) {			
+		if($data['old']['origin'] != $data['new']['origin']) {			
 			if (@$data['old']['dnssec_initialized'] == 'Y' && strlen(@$data['old']['origin']) > 3) $this->soa_dnssec_delete($data); //delete old keys
-			if ($data['new']['dnssec_wanted'] == 'Y') $this->soa_dnssec_create($data);	
+			if ($data['new']['dnssec_wanted'] == 'Y') $this->soa_dnssec_create($data);
+		} elseif($data['old']['dnssec_algo'] != $data['new']['dnssec_algo']) {
+			if ($data['new']['dnssec_wanted'] == 'Y') $this->soa_dnssec_create($data);
 		} elseif ($data['new']['dnssec_wanted'] == 'Y' && $data['old']['dnssec_initialized'] == 'N') {
 			$this->soa_dnssec_create($data);
 		} elseif ($data['new']['dnssec_wanted'] == 'N' && $data['old']['dnssec_initialized'] == 'Y') {	//delete old signed file if dnssec is no longer wanted
