
Sign DNS zone files with DNSSEC

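#!/bin/bash
# bash script to sign zone files with dnssec for bind
# needs zonesigner command (for debian given in dnssec-tools package)
#
# Usage: $0 -z|--zone ZONENAME [-z ...] | -a|--all   -n|--new | -s|--serial SERIAL
#   -z, --zone    zone to sign (may be repeated)
#   -a, --all     sign every zone listed in ALL_ZONES
#   -n, --new     write a date-based serial (YYYYMMDD00) into the zone file
#   -s, --serial  write the given 10-digit serial into the zone file
#
# Expects unsigned zone files in ../master relative to KEY_DIR, named
# zone.ZONE_NAME.zone, each containing a 10-digit serial on a line of the
# form "<serial> ; serial" (that is what the sed below rewrites).
# After signing, bind9 is restarted and every slave is told to reload.
set -euo pipefail

# path to the dnssec key directory (zonesigner is run from here)
# change to fit your environment
readonly KEY_DIR='/var/bind9/chroot/var/cache/bind/keys'
# zones signed by -a|--all, and the slaves reloaded after signing
# change to fit your environment
readonly ALL_ZONES='zone1.tld zone2.tld zone3.tld zone4.tld'
readonly SLAVES=(slave1 slave2 slav3 slav4)

NEED_RESTART=0
ZONE=''   # space-separated list of zone names to sign
DAT=''    # serial to write into each zone file (mandatory)

# print a message to stderr and exit with status 1
die() { printf '%s\n' "$*" >&2; exit 1; }

# print the usage line to stderr (exit status is chosen by the caller)
usage() {
  printf 'Usage %s -z|--zone ZONENAME -a|--all -n|--new -s|--serial SERIAL\n' "$0" >&2
}

#######################################
# Reloads every zone in ZONE on every host in SLAVES via
# "rndc reload ZONE" over ssh. A host that fails is reported and
# skipped so the remaining slaves are still reloaded.
# Globals:   ZONE (read), SLAVES (read)
# Outputs:   rndc output on stdout, with zone name and host added
#            after the leading word "zone"
# Returns:   0 if every reload succeeded, 1 otherwise
#######################################
reloadSlaves() {
  local host zone rc=0
  for host in "${SLAVES[@]}"; do
    # shellcheck disable=SC2086 — ZONE is a deliberately space-separated list
    for zone in $ZONE; do
      # the zone name is validated at option parsing time because it is
      # interpolated into a command that the remote shell runs as root.
      # NOTE: logging in as root; an unprivileged account whose ssh key is
      # restricted to the rndc command would limit what this key can do.
      if ! ssh "root@$host" "rndc reload $zone" \
        | sed "s/^\(zone\)\(.*\)$/\1 $zone on $host\2/"; then
        printf 'reload of %s on %s failed\n' "$zone" "$host" >&2
        rc=1
      fi
    done
  done
  return "$rc"
}

# get args from command line and set variables for the script
while (( $# )); do
  case "$1" in
    -z | --zone)
      [[ $# -ge 2 ]] || die "option $1 requires a zone name"
      # the name ends up in a file path and in a remote root shell command,
      # so only hostname characters are accepted
      [[ "$2" =~ ^[A-Za-z0-9][A-Za-z0-9.-]*$ ]] || die "invalid zone name: $2"
      ZONE="$ZONE $2"
      shift 2
      ;;
    -a | --all)
      ZONE="$ALL_ZONES"
      shift
      ;;
    -n | --new)
      # date-based serial. This does not look at the serial already in the
      # zone file: a second run on the same day writes the same value, and
      # slaves will not transfer a zone whose serial did not increase.
      DAT="$(date +'%Y%m%d')00"
      shift
      ;;
    -s | --serial)
      [[ $# -ge 2 ]] || die "option $1 requires a serial"
      # the sed below only matches 10-digit serials, so anything else
      # written now would not be found on the next run
      [[ "$2" =~ ^[0-9]{10}$ ]] || die "serial must be exactly 10 digits: $2"
      DAT="$2"
      shift 2
      ;;
    -h | --help)
      usage
      exit 0
      ;;
    *)
      usage
      exit 2
      ;;
  esac
done

# no zone given: show help and exit non-zero so callers notice
if [[ -z "$ZONE" ]]; then
  usage
  exit 2
fi

# no serial specified and -n for a new serial not set
if [[ -z "$DAT" ]]; then
  printf 'either specify a serial or use -n|--new to generate a new one. See help\n' >&2
  usage
  exit 2
fi

# cwd to key directory; zonesigner and the ../master paths are relative to it
cd "$KEY_DIR" >/dev/null 2>&1 || die "Could not change to dir $KEY_DIR"

# shellcheck disable=SC2086 — ZONE is a deliberately space-separated list
for zone in $ZONE; do
  zone_file="../master/zone.${zone}.zone"
  [[ -f "$zone_file" ]] || die "zone file not found: $zone_file"
  # write the serial into the zone file (GNU sed: \s, \t and -i)
  sed -i "s/\s*[0-9]\{10\}\s*;\s*serial/\t\t\t\t$DAT ; serial/" "$zone_file"
  # sed -i is silent when nothing matched; a zone signed with a stale serial
  # would never be picked up by the slaves, so verify the rewrite happened
  grep -q -- "$DAT ; serial" "$zone_file" \
    || die "serial not updated in $zone_file (no '<serial> ; serial' line?)"
  # abort before anything is restarted when signing fails, so the running
  # server keeps serving the previously signed data
  zonesigner -zone "$zone" "$zone_file" || die "zonesigner failed for $zone"
  NEED_RESTART=1
done

# restart the master and, only if that worked, reload the slaves
if (( NEED_RESTART )); then
  /etc/init.d/bind9 restart
  reloadSlaves
fi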