Sign DNS zone files with DNSSEC

#!/bin/bash
 
# Bash script to sign BIND zone files with DNSSEC.
# Requires the zonesigner command (on Debian: package dnssec-tools).
 
# Becomes 1 once at least one zone has been signed; bind is only
# restarted (and the slaves reloaded) when that happened.
NEED_RESTART=0
# Directory holding the DNSSEC keys; the script changes into it before
# signing. Adjust to the local setup.
KEY_DIR="/var/bind9/chroot/var/cache/bind/keys"
 
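#######################################
# Reloads the selected zones on every slave server.
# Runs "rndc reload ZONE" on each slave over ssh and prefixes the
# "zone ..." lines of rndc's answer with the zone and host it refers
# to, so the answers of several slaves can be told apart.
# Globals:
#   ZONE   (read) space separated list of zone names
#   SLAVES (read, optional) space separated list of slave hostnames;
#          defaults to the hard coded list below
# Outputs: rndc's answer per zone and slave on stdout, errors on stderr
# Returns: 0 if every reload succeeded, 1 if a zone name was rejected
#          or at least one ssh/rndc call failed
#######################################
reloadSlaves() {
  local -a slaves
  local host zone line rc=0
  # zone names end up in a remote shell command line: only plain
  # host-name characters are passed on, everything else is skipped
  local zone_re='^[A-Za-z0-9][A-Za-z0-9._-]*$'
  # the slave list can be overridden from the environment without
  # editing the script
  read -r -a slaves <<< "${SLAVES:-slave1 slave2 slav3 slav4}"
  for host in "${slaves[@]}"; do
    # ZONE is intentionally unquoted: it is a space separated list
    for zone in $ZONE; do
      if ! [[ "$zone" =~ $zone_re ]]; then
        printf 'invalid zone name, not reloaded: %s\n' "$zone" >&2
        rc=1
        continue
      fi
      # rndc's output is rewritten in bash instead of building a sed
      # expression from $zone/$host, which broke on '/' or '&' in a name
      ssh "root@$host" "rndc reload $zone" |
        while IFS= read -r line || [[ -n "$line" ]]; do
          if [[ "$line" == zone* ]]; then
            printf '%s\n' "zone $zone on $host${line#zone}"
          else
            printf '%s\n' "$line"
          fi
        done
      # PIPESTATUS[0] is the exit status of ssh, i.e. of the remote rndc
      if [[ "${PIPESTATUS[0]}" -ne 0 ]]; then
        printf 'rndc reload %s on %s failed\n' "$zone" "$host" >&2
        rc=1
      fi
    done
  done
  return "$rc"
}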
 
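# ---------------------------------------------------------------------------
# Command line handling
# ---------------------------------------------------------------------------
# Zone names are used to build file paths and a remote rndc command, so only
# plain host-name characters are accepted (no '/', whitespace or shell
# metacharacters); a leading dash is rejected so a name cannot be read as an
# option by sed or zonesigner.
ZONE_RE='^[A-Za-z0-9][A-Za-z0-9._-]*$'
# The zone files carry a 10 digit serial (see the sed expression below); a
# serial given with -s must have the same shape, otherwise it would not be
# found again on the next run, and '/' or '&' would corrupt the replacement.
SERIAL_RE='^[0-9]{10}$'
# Start from empty values so zones/serials cannot leak in from the
# environment; both are only ever set from the command line.
ZONE=''
DAT=''
# set to 1 when a zone could not be processed; becomes the exit status
FAILED=0

# prints the usage line (to stdout for -h, redirect to stderr on errors)
usage() {
  printf 'Usage %s -z|--zone ZONENAME -a|--all -n|--new -s|--serial SERIAL -h|--help\n' "$0"
}

while (( $# )); do
  case "$1" in
    -z|--zone)
      # the option needs a value; "-z" as last argument used to shift past $#
      if (( $# < 2 )); then
        printf 'option %s requires a zone name\n' "$1" >&2
        usage >&2
        exit 2
      fi
      # ZONE stays a space separated string: reloadSlaves iterates over it
      ZONE="$ZONE $2"
      shift 2
      ;;
    -a|--all)
      ZONE="zone1.tld zone2.tld zone3.tld zone4.tld"
      shift
      ;;
    -n|--new)
      # YYYYMMDD00: first serial of the day, leaves room for 99 more edits
      DAT="$(date +'%Y%m%d')00"
      shift
      ;;
    -s|--serial)
      if (( $# < 2 )); then
        printf 'option %s requires a serial\n' "$1" >&2
        usage >&2
        exit 2
      fi
      if ! [[ "$2" =~ $SERIAL_RE ]]; then
        printf 'serial must be exactly 10 digits, got: %s\n' "$2" >&2
        exit 2
      fi
      DAT="$2"
      shift 2
      ;;
    -h|--help)
      usage
      exit 0
      ;;
    *)
      printf 'unknown argument: %s\n' "$1" >&2
      usage >&2
      exit 2
      ;;
  esac
done

# no zone given: usage error
if [[ -z "$ZONE" ]]; then
  usage >&2
  exit 2
fi
# no serial given and -n not set: usage error
if [[ -z "$DAT" ]]; then
  printf '%s\n' 'either specify a serial or use -n|--new to generate a new one. See help' >&2
  usage >&2
  exit 2
fi

# ---------------------------------------------------------------------------
# Signing
# ---------------------------------------------------------------------------
# zonesigner is run from the key directory so it finds the keys
if ! cd "$KEY_DIR" >/dev/null 2>&1; then
  printf 'Could not change to dir %s\n' "$KEY_DIR" >&2
  exit 1
fi

for i in $ZONE; do
  if ! [[ "$i" =~ $ZONE_RE ]]; then
    printf 'invalid zone name, skipped: %s\n' "$i" >&2
    FAILED=1
    continue
  fi
  # zone files are expected in ../master as zone.ZONE_NAME.zone;
  # change path and form to fit your environment
  zonefile="../master/zone.${i}.zone"
  if [[ ! -f "$zonefile" ]]; then
    printf 'zone file not found, skipped: %s\n' "$zonefile" >&2
    FAILED=1
    continue
  fi
  # replace the SOA serial (a 10 digit number in front of "; serial")
  # with the new one; DAT has been validated to be 10 digits above
  if ! sed -i "s/\s*[0-9]\{10\}\s*;\s*serial/\t\t\t\t$DAT ; serial/" "$zonefile"; then
    printf 'could not update the serial in %s\n' "$zonefile" >&2
    FAILED=1
    continue
  fi
  # the sed above silently does nothing when the file has no matching
  # serial line; point that out instead of signing a stale serial unnoticed
  if ! grep -q -- "$DAT ; serial" "$zonefile"; then
    printf 'warning: no "; serial" line updated in %s\n' "$zonefile" >&2
  fi
  # only a successfully signed zone justifies a restart
  if zonesigner -zone "$i" "$zonefile"; then
    NEED_RESTART=1
  else
    printf 'zonesigner failed for zone %s\n' "$i" >&2
    FAILED=1
  fi
done

if (( NEED_RESTART )); then
  if /etc/init.d/bind9 restart; then
    reloadSlaves || FAILED=1
  else
    printf 'bind9 restart failed\n' >&2
    FAILED=1
  fi
fi
exit "$FAILED"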
