Add support for DNSSEC (hestiacp#2938)

* Solve issues with DNSKEY in v-add-dns-record


Bug in v-add-dns-record


Fix


A new NS DNSKEY Mix up


Don't add " 


Fix error 


Fix few typos

* Add support for DS record

* Apply changes to user account

Bind need write access to the folder where .db file is stored

* Add support for DS  type and allow . in common name

* Add support for DNSSEC

* Remove hardcoded domain

* Fix permission issues

* Make sure DS record is last and fix small issues

* Add option to enable existing DNS domain and clean up everything

* Get public key

Need to improved to support json

* Don't add DS records

* Rebuild on changes

* Update rebuild.sh

* Add rebuild.sh

* Remove non needed lines

* Fix error

* Add support for zonetransfer but Hestia create the slave record

* Fix error

* Fix error

* Add new options to v-insert-dns-domain

* Solve issue with remote creation

* Update error

* Adjust spacing

* Remove double space

* Add inline signing

* Update some other scripts that might use v-insert-domain

* Check if DNS-CLUSTER is set to yes and not if exists

* Fix issues with IDN domains

* Fix error

* Execute pipe before continue

* Fix issue in sync-dns-cluster breaking everything

* DNS_CLUSTER_SYSTEM caused issues with DNS_CLUSTER

* Fixed an issue with rebuild and key is 4 digits long instead of 5

* Update v-list-dns-domain to include DNSSEC

* Add more information

* Add UI interface

* Fix bug in v-delete-dns-domain

When deleting DNS domain it doesn't delete the keys

* Backup DNSSEC keys

* Fix restore

* Include DS record also

* Update from element

* Add missing  <div class="form-check">

Co-authored-by: Raphael <rs@scit.ch>

Author: jaapmarcus

bin/v-add-dns-domain

@@ -27,6 +27,7 @@ ns6=$9
 ns7=${10}
 ns8=${11}
 restart=${12}
+dnssec=${13}
 
 # Includes
 # shellcheck source=/etc/hestiacp/hestia.conf
@@ -35,6 +36,8 @@ source /etc/hestiacp/hestia.conf
 source $HESTIA/func/main.sh
 # shellcheck source=/usr/local/hestia/func/domain.sh
 source $HESTIA/func/domain.sh
+# shellcheck source=/usr/local/hestia/func/rebuild.sh
+source $HESTIA/func/rebuild.sh
 # load config file
 source_conf "$HESTIA/conf/hestia.conf"
 
@@ -70,6 +73,10 @@ if [ -n "$restart" ]; then
     is_format_valid 'restart'
 fi
 
+if [ -n "$dnssec" ]; then
+    is_boolean_format_valid "$dnssec" 'dnssec'
+fi
+
 is_package_full 'DNS_DOMAINS'
 template=$(get_user_value '$DNS_TEMPLATE')
 is_dns_template_valid "$template"
@@ -152,6 +159,9 @@ fi
 if [ -z "$ns8" ]; then
     template_data=$(echo "$template_data" |grep -v %ns8%)
 fi
+if [ -z "$dnssec" ]; then
+    dnssec="no"
+fi
 
 # Generating timestamp
 time_n_date=$(date +'%T %F')
@@ -180,36 +190,15 @@ records="$(wc -l $USER_DATA/dns/$domain.conf |cut -f 1 -d ' ')"
 # Adding dns.conf record
 dns_rec="DOMAIN='$domain' IP='$ip' TPL='$template' TTL='$ttl' EXP='$exp'"
 dns_rec="$dns_rec SOA='$soa' SERIAL='$serial' SRC='' RECORDS='$records'"
-dns_rec="$dns_rec SUSPENDED='no' TIME='$time' DATE='$date'"
+dns_rec="$dns_rec DNSSEC='$dnssec' KEY='' SLAVE='no' MASTER='' SUSPENDED='no' TIME='$time' DATE='$date'"
 
 echo "$dns_rec" >> $USER_DATA/dns.conf
 chmod 660 $USER_DATA/dns.conf
 
-# Creating system configs
-if [[ "$DNS_SYSTEM" =~ named|bind ]]; then
-    if [ -e '/etc/named.conf' ]; then
-        dns_conf='/etc/named.conf'
-        dns_group='named'
-    else
-        dns_conf='/etc/bind/named.conf'
-        dns_group='bind'
-    fi
-
-    # Adding zone in named.conf
-    named="zone \"$domain_idn\" {type master; file"
-    named="$named \"$HOMEDIR/$user/conf/dns/$domain.db\";};"
-    echo "$named" >> $dns_conf
-
-    # Updating domain dns zone
-    update_domain_zone
-
-    # Changing permissions
-    chmod 640 $HOMEDIR/$user/conf/dns/$domain.db
-    chown root:$dns_group $HOMEDIR/$user/conf/dns/$domain.db
-fi
+rebuild_dns_domain_conf
 
 # Updating dns-cluster queue
-if [ -n "$DNS_CLUSTER" ]; then
+if [ "$DNS_CLUSTER"  = "yes" ]; then
     cmd="$BIN/v-add-remote-dns-domain $user $domain yes"
     echo "$cmd" >> $HESTIA/data/queue/dns-cluster.pipe
 fi

bin/v-add-dns-record

@@ -38,6 +38,8 @@ source /etc/hestiacp/hestia.conf
 source $HESTIA/func/main.sh
 # shellcheck source=/usr/local/hestia/func/domain.sh
 source $HESTIA/func/domain.sh
+# shellcheck source=/usr/local/hestia/func/rebuild.sh
+source $HESTIA/func/rebuild.sh
 # load config file
 source_conf "$HESTIA/conf/hestia.conf"
 
@@ -47,29 +49,32 @@ if [ "$rtype" != 'MX' ] && [ "$rtype" != 'SRV' ]; then
 fi
 
 # Add trailing dot at the end of NS/CNAME/MX/PTR/SRV record
-if [[ $rtype =~ NS|CNAME|MX|PTR|SRV ]]; then
+if [[ $rtype =~ ^NS|CNAME|MX|PTR|SRV ]]; then
     trailing_dot=$(echo $dvalue | grep "\.$")
     if [ -z "$trailing_dot" ]; then
         dvalue="$dvalue."
     fi
 fi
 
-if [[ $rtype =~ NS|CNAME|MX|PTR|SRV ]]; then
+if [[ $rtype =~ ^NS|CNAME|MX|PTR|SRV ]]; then
     dvalue=$(idn2 --quiet  "$dvalue" )
     record=$(idn2 --quiet  "$record" )
 fi
 
 # Cleanup quotes on dvalue
 # - [CAA] records will be left unchanged
-# - [SRV] will be  stripped of double quotes even when  containg spaces
+# - [SRV] will be  stripped of double quotes even when  containing spaces
+# - [DNSKEY] will be  stripped of double quotes even when  containing spaces
 # - Rest of record types will be striped of quotes and the final string
-#   will be enclosed in double quotes if  containg spaces or semicolons 
+#   will be enclosed in double quotes if containing spaces or semicolons 
 
 if [ "$rtype" != "CAA" ]; then
     dvalue=${dvalue//\"/}
-
-    if [ "$rtype" != 'SRV' ] && [[ "$dvalue" =~ [\;[:space:]] ]]; then
-        dvalue='"'"$dvalue"'"'
+    # Add support for DS key
+    if [ "$rtype" != "DNSKEY" ] && [ "$rtype" != "DS" ] ; then 
+        if [ "$rtype" != 'SRV' ] && [[ "$dvalue" =~ [\;[:space:]] ]]; then
+            dvalue='"'"$dvalue"'"'
+        fi
     fi
 fi
 
@@ -129,12 +134,12 @@ sort_dns_records
 
 # Updating zone
 if [[ "$DNS_SYSTEM" =~ named|bind ]]; then
-    update_domain_serial
-    update_domain_zone
+    # Do full rebuild due DNS SEC
+    rebuild_dns_domain_conf
 fi
 
 # Updating dns-cluster queue
-if [ -n "$DNS_CLUSTER" ]; then
+if [ "$DNS_CLUSTER"  = "yes" ]; then
     # Check for first sync
     dlock=$(grep "domain $user $domain" $HESTIA/data/queue/dns-cluster.pipe)
     if [ -z "$dlock" ]; then

bin/v-add-remote-dns-domain

@@ -69,22 +69,37 @@ for cluster in $(grep "SUSPENDED='no'" $HESTIA/conf/dns-cluster.conf); do
     # Parsing domain parameters
     parse_object_kv_list "$str"
 
-    # Syncing domain data
-    cluster_cmd v-insert-dns-domain $DNS_USER "$str" $HOSTNAME $flush 'no'
-    check_result $? "$HOST connection failed" "$E_CONNECT"
-
-    # Syncing domain records
-    tmp_file="/tmp/vst-sync.$DOMAIN"
-    cluster_file $USER_DATA/dns/$DOMAIN.conf $tmp_file
-    check_result $? "$HOST connection failed" "$E_CONNECT"
-
-    # Inserting synced records
-    cluster_cmd v-insert-dns-records $DNS_USER $DOMAIN $tmp_file 'no'
-    check_result $? "$HOST connection failed" "$E_CONNECT"
-
-    # Rebuilding dns zone
-    cluster_cmd v-rebuild-dns-domain $DNS_USER $domain 'yes' 'no'
-    check_result $? "$HOST connection failed" "$E_CONNECT"
+    if [ "$DNS_CLUSTER_SYSTEM" = "zone" ]; then
+        str=$(echo "$str" | sed "s/SLAVE='no'/SLAVE='yes'/g");
+        ip=$($BIN/v-list-sys-ips plain | cut -f1);
+        str=$(echo "$str" | sed "s/MASTER='*'/MASTER='$ip'/g");
+            
+        # Syncing domain data
+        cluster_cmd v-insert-dns-domain $DNS_USER "$str" $HOSTNAME $flush 'no'
+        check_result $? "$HOST connection failed" "$E_CONNECT"
+        
+        cluster_cmd v-rebuild-dns-domain $DNS_USER $domain 'yes' 'no'
+        check_result $? "$HOST connection failed" "$E_CONNECT"
+        
+        rndc notify $domain  > /dev/null 2>&1
+    else
+        # Syncing domain data
+        cluster_cmd v-insert-dns-domain $DNS_USER "$str" $HOSTNAME $flush 'no'
+        check_result $? "$HOST connection failed" "$E_CONNECT"
+    
+        # Syncing domain records
+        tmp_file="/tmp/vst-sync.$DOMAIN"
+        cluster_file $USER_DATA/dns/$DOMAIN.conf $tmp_file
+        check_result $? "$HOST connection failed" "$E_CONNECT"
+    
+        # Inserting synced records
+        cluster_cmd v-insert-dns-records $DNS_USER $DOMAIN $tmp_file 'no'
+        check_result $? "$HOST connection failed" "$E_CONNECT"
+    
+        # Rebuilding dns zone
+        cluster_cmd v-rebuild-dns-domain $DNS_USER $domain 'yes' 'no'
+        check_result $? "$HOST connection failed" "$E_CONNECT"
+    fi
 done
 
 #----------------------------------------------------------#

bin/v-add-remote-dns-host

@@ -92,7 +92,7 @@ echo "$str" >> $HESTIA/conf/dns-cluster.conf
 chmod 660 $HESTIA/conf/dns-cluster.conf
 
 # Enabling DNS_CLUSTER
-if [ -z "$(grep DNS_CLUSTER $HESTIA/conf/hestia.conf)" ]; then
+if [ -z "$(grep DNS_CLUSTER= $HESTIA/conf/hestia.conf)" ]; then
     sed -i "s/^STATS_/DNS_CLUSTER='yes'\nSTATS_/g" $HESTIA/conf/hestia.conf
 else
     sed -i "s/DNS_CLUSTER=.*/DNS_CLUSTER='yes'/g" $HESTIA/conf/hestia.conf

bin/v-add-remote-dns-record

@@ -63,9 +63,13 @@ for cluster in $(grep "SUSPENDED='no'" $HESTIA/conf/dns-cluster.conf); do
 
     # Parsing remote host parameters
     parse_object_kv_list "$cluster"
-
+    
     # Syncing serial
     str=$(grep "DOMAIN='$domain'" $USER_DATA/dns.conf)
+    # Parsing domain parameters
+    parse_object_kv_list "$str"
+    
+    if [ "$DNS_CLUSTER_SYSTEM" != "zone" ]; then
     cluster_cmd v-insert-dns-domain $DNS_USER "$str" $HOSTNAME 'domain' 'no'
     check_result $? "$HOST connection failed (soa sync)" "$E_CONNECT"
 
@@ -77,9 +81,12 @@ for cluster in $(grep "SUSPENDED='no'" $HESTIA/conf/dns-cluster.conf); do
     # Rebuilding dns zone
     cluster_cmd v-rebuild-dns-domain $DNS_USER $domain 'yes' 'no'
     check_result $? "$HOST connection failed (rebuild)" "$E_CONNECT"
-
+    fi
 done
 
+if [ "$DNS_CLUSTER_SYSTEM" != "zone" ]; then
+    rndc notify $domain  > /dev/null 2>&1
+fi
 #----------------------------------------------------------#
 #                       Hestia                             #
 #----------------------------------------------------------#

bin/v-add-user

@@ -117,8 +117,14 @@ if [ -n "$MAIL_SYSTEM" ]; then
 fi
 
 if [ -n "$DNS_SYSTEM" ]; then
+    if [ "$DNS_SYSTEM" = 'named' ]; then
+        dns_group='named'
+    else
+        dns_group='bind'
+    fi
     mkdir $HOMEDIR/$user/conf/dns
-    chmod 751 $HOMEDIR/$user/conf/dns
+    chmod 771 $HOMEDIR/$user/conf/dns
+    chown root:$dns_group $HOMEDIR/$user/conf/dns
 fi 
 
 # Create default writeable folders

bin/v-backup-user

@@ -419,6 +419,7 @@ if [ -n "$DNS_SYSTEM" ] && [ "$DNS" != '*' ]; then
 
         # Building directory tree
         mkdir -p $tmpdir/dns/$domain/conf
+        mkdir -p $tmpdir/dns/$domain/conf/keys
         mkdir -p $tmpdir/dns/$domain/hestia
 
         # Backup dns.conf
@@ -431,6 +432,12 @@ if [ -n "$DNS_SYSTEM" ] && [ "$DNS" != '*' ]; then
         if [ "$DNS_SYSTEM" != 'remote' ]; then
             cp $HOMEDIR/$user/conf/dns/$domain.db conf/$domain.db
         fi
+        # Backup DNSSEC public and private key if enabled
+        dnssec=$(grep "DOMAIN='$domain'" $USER_DATA/dns.conf |grep "DNSSEC='yes'")
+        if [ -n "$dnssec" ]; then
+            format_domain_idn
+            cp $USER_DATA/keys/K$domain_idn*.* $tmpdir/dns/$domain/conf/keys
+        fi
     done
 
     # Print total

bin/v-change-dns-domain-dnssec

@@ -0,0 +1,93 @@
+#!/bin/bash
+# info: change dns domain dnssec status
+# options: USER DOMAIN STATUS
+#
+# example: v-change-dns-domain-status admin domain.pp.ua yes
+
+#----------------------------------------------------------#
+#                Variables & Functions                     #
+#----------------------------------------------------------#
+
+# Argument definition
+user=$1
+domain=$2
+domain_idn=$2
+status=$3
+
+# Includes
+# shellcheck source=/etc/hestiacp/hestia.conf
+source /etc/hestiacp/hestia.conf
+# shellcheck source=/usr/local/hestia/func/main.sh
+source $HESTIA/func/main.sh
+# shellcheck source=/usr/local/hestia/func/rebuild.sh
+source $HESTIA/func/rebuild.sh
+# shellcheck source=/usr/local/hestia/func/domain.sh
+source $HESTIA/func/domain.sh
+# load config file
+source_conf "$HESTIA/conf/hestia.conf"
+
+# Additional argument formatting
+format_domain
+format_domain_idn
+
+#----------------------------------------------------------#
+#                    Verifications                         #
+#----------------------------------------------------------#
+
+check_args '3' "$#" 'USER DOMAIN STATUS'
+is_format_valid 'user' 'domain' ''
+is_system_enabled "$DNS_SYSTEM" 'DNS_SYSTEM'
+is_object_valid 'user' 'USER' "$user"
+is_object_unsuspended 'user' 'USER' "$user"
+is_object_valid 'dns' 'DOMAIN' "$domain"
+is_object_unsuspended 'dns' 'DOMAIN' "$domain"
+
+if [ -n "$status" ]; then
+    is_boolean_format_valid "$status" 'status'
+fi
+
+# Perform verification if read-only mode is enabled
+check_hestia_demo_mode
+
+#----------------------------------------------------------#
+#                       Action                             #
+#----------------------------------------------------------#
+
+if [ -f "$HESTIA/data/queue/dns-cluster.pipe" ]; then 
+    bash $HESTIA/data/queue/dns-cluster.pipe
+fi
+
+# Changing exp
+update_object_value 'dns' 'DOMAIN' "$domain" '$DNSSEC' "$status"
+
+# Rebuild DNS config
+
+rebuild_dns_domain_conf
+
+if [ $status = "no" ]; then
+    update_object_value 'dns' 'DOMAIN' "$domain" '$KEY' ""
+    # Delete existing keys
+    rm -fr  $HOMEDIR/$user/conf/dns/$domain.db.*
+    rm -fr /var/cache/bind/K$domain_idn.*
+    rm -fr $USER_DATA/keys/K$domain_idn.*
+fi
+
+# Updating dns-cluster queue
+if [ "$DNS_CLUSTER"  = "yes" ]; then
+    # Check for first sync
+    dlock=$(grep "domain $user $domain" $HESTIA/data/queue/dns-cluster.pipe)
+    if [ -z "$dlock" ]; then
+        cmd="$BIN/v-add-remote-dns-domain $user $domain yes"
+        echo "$cmd" >> $HESTIA/data/queue/dns-cluster.pipe
+    fi
+fi
+
+#----------------------------------------------------------#
+#                       Hestia                             #
+#----------------------------------------------------------#
+
+# Logging
+$BIN/v-log-action "$user" "Info" "DNS" "Updated DNS SOA expiration date (Domain: $domain, Value: $exp)."
+log_event "$OK" "$ARGUMENTS"
+
+exit

bin/v-change-dns-domain-exp

@@ -53,7 +53,7 @@ check_hestia_demo_mode
 update_object_value 'dns' 'DOMAIN' "$domain" '$EXP' "$exp"
 
 # Updating dns-cluster queue
-if [ -n "$DNS_CLUSTER" ]; then
+if [ "$DNS_CLUSTER"  = "yes" ]; then
     # Check for first sync
     dlock=$(grep "domain $user $domain" $HESTIA/data/queue/dns-cluster.pipe)
     if [ -z "$dlock" ]; then

bin/v-change-dns-domain-ip

@@ -24,6 +24,8 @@ source /etc/hestiacp/hestia.conf
 source $HESTIA/func/main.sh
 # shellcheck source=/usr/local/hestia/func/domain.sh
 source $HESTIA/func/domain.sh
+# shellcheck source=/usr/local/hestia/func/rebuild.sh
+source $HESTIA/func/rebuild.sh
 # load config file
 source_conf "$HESTIA/conf/hestia.conf"
 
@@ -63,12 +65,11 @@ sed -i "s/$old/$ip/g" $USER_DATA/dns/$domain.conf
 
 # Updating zone
 if [[ "$DNS_SYSTEM" =~ named|bind ]]; then
-    update_domain_serial
-    update_domain_zone
+    rebuild_dns_domain_conf
 fi
 
 # Updating dns-cluster queue
-if [ -n "$DNS_CLUSTER" ]; then
+if [ "$DNS_CLUSTER"  = "yes" ]; then
     # Check for first sync
     dlock=$(grep "domain $user $domain" $HESTIA/data/queue/dns-cluster.pipe)
     if [ -z "$dlock" ]; then