
Commit cb009ea

author
A. Täffner
committed
first test (proof of concept)
Signing is not working, I need an energy drink to proceed...
1 parent b8611ce commit cb009ea

1 file changed

+20
-13
lines changed


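--- a/server/plugins-available/bind_plugin.inc.php
+++ b/server/plugins-available/bind_plugin.inc.php
@@ -86,8 +86,11 @@ function soa_dnssec_create($data) {
 //* load the server configuration options
 $dns_config = $app->getconf->get_server_config($conf["server_id"], 'dns');
 
+//TODO : change this when distribution information has been integrated into server record
+$filespre = (file_exists('/etc/gentoo-release')) ? 'pri/' : 'pri.';
+
 $domain = substr($data['new']['origin'], 0, strlen($data['new']['origin'])-1);
-if (!file_exists($dns_config['bind_zonefiles_dir'].'/'.$domain)) return false;
+if (!file_exists($dns_config['bind_zonefiles_dir'].'/'.$filespre.$domain)) return false;
 
 //* Check Entropy
 if (file_get_contents('/proc/sys/kernel/random/entropy_avail') < 400) {
@@ -115,38 +118,41 @@ function soa_dnssec_create($data) {
 $dnssecdata .= file_get_contents($keyfile)."\n\n";
 }
 
-$app->db->query('UPDATE dns_soa SET dnssec_info=\''.$dnssecdata.'\' WHERE id='.$data['new']['id']);
+$app->db->query('UPDATE dns_soa SET dnssec_info=\''.$dnssecdata.'\', dnssec_initialized=\'Y\' WHERE id='.$data['new']['id']);
 }
 
 function soa_dnssec_update($data, $new=false) {
 global $app, $conf;
 
 //* Load libraries
 $app->uses("getconf,tpl");
-
-$domain = substr($data['new']['origin'], 0, strlen($data['new']['origin'])-1);
-if (!file_exists($dns_config['bind_zonefiles_dir'].'/'.$domain)) return false;
 
 //* load the server configuration options
 $dns_config = $app->getconf->get_server_config($conf["server_id"], 'dns');
 
-//* Check Entropy
+//TODO : change this when distribution information has been integrated into server record
+$filespre = (file_exists('/etc/gentoo-release')) ? 'pri/' : 'pri.';
+
+$domain = substr($data['new']['origin'], 0, strlen($data['new']['origin'])-1);
+if (!file_exists($dns_config['bind_zonefiles_dir'].'/'.$filespre.$domain)) return false;
+
+//* Check for available entropy
 if (file_get_contents('/proc/sys/kernel/random/entropy_avail') < 200) {
 $app->log('DNSSEC ERROR: We are low on entropy. This could cause server script to fail. Please consider installing package haveged.', LOGLEVEL_ERR);
 return false;
 }
 
 if (!$new && !file_exists($dns_config['bind_zonefiles_dir'].'/dsset-'.$domain.'.')) return $this->soa_dnssec_create($data);
 
-//TODO : change this when distribution information has been integrated into server record
-$filespre = (file_exists('/etc/gentoo-release')) ? 'pri/' : 'pri.';
-
 $dbdata = $app->db->queryOneRecord('SELECT id,serial FROM dns_soa WHERE id='.$data['new']['id']);
-$newserial = exec('cd '.escapeshellcmd($dns_config['bind_zonefiles_dir']).';'.
-'/usr/sbin/named-checkzone '.escapeshellcmd($domain).' '.escapeshellcmd($dns_config['bind_zonefiles_dir']).'/'.$filespre.escapeshellcmd($domain).' | egrep -ho \'[0-9]{10}\'');
+exec('cd '.escapeshellcmd($dns_config['bind_zonefiles_dir']).';'.
+'/usr/sbin/named-checkzone '.escapeshellcmd($domain).' '.escapeshellcmd($dns_config['bind_zonefiles_dir']).'/'.$filespre.escapeshellcmd($domain).' | egrep -ho \'[0-9]{10}\'', $serial, $retState);
+if ($retState != 0) {
+$app->log('DNSSEC Error: Error in Zonefile for '.$domain, LOGLEVEL_ERR);
+return false;
+}
 
 opendir($dns_config['bind_zonefiles_dir']);
-$includeline=array();
 $zonefile = file_get_contents(escapeshellcmd($dns_config['bind_zonefiles_dir']).'/'.$filespre.escapeshellcmd($domain));
 $keycount=0;
 foreach (glob('K'.$domain.'*.key') as $keyfile) {
@@ -157,8 +163,9 @@ function soa_dnssec_update($data, $new=false) {
 if ($keycount > 2) $app->log('DNSSEC Warning: There are more than 2 keyfiles for zone '.$domain, LOGLEVEL_WARN);
 file_put_contents($dns_config['bind_zonefiles_dir'].'/'.$filespre.$domain, $zonefile);
 
+//Sign the zone and set it valid for max. 16 days
 exec('cd '.escapeshellcmd($dns_config['bind_zonefiles_dir']).';'.
-'/usr/sbin/dnssec-signzone -A -3 $(head -c 1000 /dev/random | sha1sum | cut -b 1-16) -N increment -o '.escapeshellcmd($domain).' -t '.$filespre.escapeshellcmd($domain));
+'/usr/sbin/dnssec-signzone -A -e +1382400 -3 $(head -c 1000 /dev/random | sha1sum | cut -b 1-16) -N increment -o '.escapeshellcmd($domain).' -t '.$filespre.escapeshellcmd($domain));
 }
 
 function soa_insert($event_name, $data) {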
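Review bot: The `if ($retState != 0)` check added after the `named-checkzone` call reads the exit status of the trailing `egrep`, not of `named-checkzone`, because a `;`-joined shell pipeline reports only the last command's status; a broken zone file is therefore reported only when its error output happens to contain no 10-digit number, and conversely a valid zone whose serial is not 10 digits now aborts the update. Run the checker by itself, test its status, and extract the serial from the captured output in PHP; note also that `$serial` now holds exec()'s output array where the old `$newserial` held a string, so any later use of it (outside this hunk) needs checking. While rewriting the call, prefer `escapeshellarg()` over `escapeshellcmd()` for `$domain` and the zone directory, since `escapeshellcmd()` leaves spaces and a leading `-` intact and those can turn into extra arguments to the command. The `UPDATE dns_soa ... dnssec_initialized='Y'` line still splices `$dnssecdata` and `$data['new']['id']` into the SQL string unescaped; pass them through whatever quoting helper `$app->db` provides, or a prepared statement. The body of `soa_dnssec_update` continues beyond the end of this hunk.
```php
exec('cd '.escapeshellarg($dns_config['bind_zonefiles_dir']).' && '.
    '/usr/sbin/named-checkzone '.escapeshellarg($domain).' '.escapeshellarg($dns_config['bind_zonefiles_dir'].'/'.$filespre.$domain),
    $checkOutput, $retState);
if ($retState != 0) {
    $app->log('DNSSEC Error: Error in Zonefile for '.$domain, LOGLEVEL_ERR);
    return false;
}
// Same 10-digit match the old egrep performed, now on named-checkzone's own output
$serial = preg_match('/[0-9]{10}/', implode("\n", $checkOutput), $m) ? $m[0] : '';
// … unchanged: key-file include handling and dnssec-signzone call …
```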
