

Sign DNS zone files with DNSSec

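#!/bin/bash
# bash script to sign zone files with dnssec for bind
# needs zonesigner command (for debian given in dnssec-tools package)
#
# (the original listing had its quotes and double dashes replaced by
# typographic characters; they are restored to plain ASCII here)

# set to 1 once at least one zone has been re-signed; triggers the
# bind9 restart and the slave reload at the end of the script
NEED_RESTART=0
# defines the path to the dnssec key directory
# change to fit your environment
readonly KEY_DIR='/var/bind9/chroot/var/cache/bind/keys'

#######################################
# Reloads every zone in ZONE on every slave via "rndc reload ZONE" over ssh.
# Globals:   ZONE (read) - space separated list of zone names
# Arguments: none
# Outputs:   rndc's reply per zone and slave on stdout, with the zone and
#            host name spliced in after the leading word "zone"
# Returns:   status of the last ssh pipeline
#######################################
reloadSlaves() {
  local host zone line
  # loop over slaves hostnames
  # change to fit your environment
  for host in slave1 slave2 slav3 slav4 ; do
    # loop over the choosen zones on hostname
    # ZONE is deliberately unquoted: it is a space separated list
    for zone in $ZONE ; do
      # connect to slave via ssh and perform rndc reload ZONE
      # NOTE(review): this logs in as root on every slave; a dedicated
      # account whose authorized_keys entry is restricted to a forced
      # "rndc reload" command would give the same result with far less
      # privilege, and BatchMode=yes would make an unattended run fail
      # fast instead of hanging on a password prompt.
      # The zone and host name are added to the reply with a parameter
      # expansion instead of sed, so neither can be mistaken for sed syntax.
      ssh "root@$host" "rndc reload $zone" \
        | while IFS= read -r line || [ -n "$line" ]; do
            printf '%s\n' "${line/#zone/zone $zone on $host}"
          done
    done
  done
}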
 
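# get args from command line and set variables for the script

#######################################
# Prints the usage line and exits.
# Arguments: none
# Outputs:   usage on stdout
# Returns:   never returns; exits 0 (the author's choice for help output)
#######################################
usage() {
  echo "Usage $0 -z|--zone ZONENAME -a|--all -n|--new -s|--serial SERIAL"
  exit 0
}

#######################################
# Parses the command line and fills the script's globals.
# Globals:   ZONE (written) - space separated list of zones to sign,
#                             accumulated over repeated -z options
#            DAT  (written) - serial to write into the zone files, or empty
# Arguments: the script's command line ("$@")
# Outputs:   usage (then exit 0) for an unknown option or a missing value
#######################################
parse_args() {
  while (( $# )); do
    case "$1" in
      '-z' | '--zone')
        # a value must follow: an empty name would pass the "no zone given"
        # check further down as a single blank
        [ -n "${2-}" ] || usage
        ZONE="$ZONE $2"
        shift 2
        ;;
      '-a' | '--all')
        # change to fit your environment
        ZONE="zone1.tld zone2.tld zone3.tld zone4.tld"
        shift
        ;;
      '-n' | '--new')
        # date based serial in the YYYYMMDD00 form
        DAT="$(date +'%Y%m%d')00"
        shift
        ;;
      '-s' | '--serial')
        [ -n "${2-}" ] || usage
        DAT="$2"
        shift 2
        ;;
      *)
        usage
        ;;
    esac
  done
}
parse_args "$@"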
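# no zone given
# exit with help display: the script re-runs itself with -h, which lands
# in the usage branch of the option parser
if [ -z "$ZONE" ]; then
  "$0" -h
  exit 0
fi

# no serial specified for zone or parameter -n for new serial not set
if [ -z "$DAT" ]; then
  echo 'either specify a serial or use -n|--new to generate a new one. See help' >&2
  "$0" -h
  exit 0
fi

# cwd to key directory
# exit with error if cwd not successfull
if ! cd "$KEY_DIR" >/dev/null 2>&1; then
  echo "Could not change to dir $KEY_DIR" >&2
  exit 1
fi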
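# the serial is spliced into a sed replacement below; accept only the
# 10 digit form the zone files use, so that a '/', '&' or '\' in a
# user supplied -s value cannot corrupt the zone file
if [ -n "$DAT" ] && ! [[ "$DAT" =~ ^[0-9]{10}$ ]]; then
  echo "serial must be exactly 10 digits: $DAT" >&2
  exit 1
fi

FAILED=0
# ZONE is deliberately unquoted: it is a space separated list
for i in $ZONE ; do
  # the zone name becomes part of a file path; reject anything that is
  # not a plain name so it cannot point outside ../master
  if ! [[ "$i" =~ ^[A-Za-z0-9._-]+$ ]]; then
    echo "skipping invalid zone name: $i" >&2
    FAILED=1
    continue
  fi
  # expects zone files in ../master
  # in the form zone.ZONE_NAME.zone
  # change path and form to fit your environment
  zonefile="../master/zone.${i}.zone"

  # serial given or new serial specified
  # change the serial number in zone's conf file
  # (GNU sed: \s, \t and -i without a suffix)
  if [ -n "$DAT" ]; then
    sed -i "s/\s*[0-9]\{10\}\s*;\s*serial/\t\t\t\t$DAT ; serial/" -- "$zonefile"
  fi

  # only a successfully signed zone warrants a restart; a failure is
  # reported and reflected in the exit status instead of being ignored
  if zonesigner -zone "$i" "$zonefile"; then
    NEED_RESTART=1
  else
    echo "zonesigner failed for $i" >&2
    FAILED=1
  fi
done

# restart the master and reload the slaves when something was re-signed
# (a full restart is what the author used; rndc reload on the master would
# pick up the new files without dropping the cache)
if [ "${NEED_RESTART:-0}" -eq 1 ]; then
  /etc/init.d/bind9 restart && reloadSlaves
fi
exit "$FAILED"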