tuend/DirectAdmin-1.62.4
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
3c7e9f311663a519d349af86efd1b7c55af78846
DirectAdmin-1.62.4/directadmin-1.62.4/scripts/dnssec.sh
tuend-work 0b28a76e20 ud
2025-11-12 23:24:15 +07:00

364 lines
7.6 KiB
Bash
Raw Blame History

#!/bin/sh
#This is not finished.
#Do not use
OS=`uname`
DA=/usr/local/directadmin/directadmin
if [ ! -s ${DA} ]; then
echo "Cannot find DirectAdmin binary:";
echo " ${DA}";
exit 1;
fi
DA_CONF=/usr/local/directadmin/conf/directadmin.conf
if [ ! -s ${DA_CONF} ]; then
echo "Cannot find DirectAdmin Config File:";
echo " ${DA_CONF}";
exit 2;
fi
TASK_Q=`${DA} c | grep ^taskqueuecb= | cut -d= -f2`
if [ "${TASK_Q}" = "" ]; then
echo "Cannot task.queue.cb from:";
echo "${DA} c | grep ^taskqueuecb=";
exit 3;
fi
DATASKQ="/usr/local/directadmin/dataskq --custombuild"
BIND_PATH=/etc
NAMED_BIN=/usr/sbin/named
DNSSEC_KEYGEN=/usr/sbin/dnssec-keygen
DNSSEC_SIGNZONE=/usr/sbin/dnssec-signzone
DNSSEC_RANDOMDEV='-r /dev/urandom'
if [ "${OS}" = "FreeBSD" ]; then
BIND_PATH=/etc/namedb
NAMED_BIN=/usr/local/sbin/named
DNSSEC_KEYGEN=/usr/local/sbin/dnssec-keygen
DNSSEC_SIGNZONE=/usr/local/sbin/dnssec-signzone
DNSSEC_RANDOMDEV=
elif [ -e /etc/debian_version ]; then
BIND_PATH=/etc/bind
fi
NAMED_PATH=`${DA} c | grep ^nameddir= | cut -d= -f2 2>/dev/null`
if [ "${NAMED_PATH}" = "" ]; then
echo "Cannot find nameddir from:";
echo "${DA} c | grep ^nameddir=";
exit 3;
fi
DNSSEC_KEYS_PATH=${NAMED_PATH}
NAMED_CONF=${BIND_PATH}/named.conf
NAMED_CONF=`${DA} c | grep namedconfig= | cut -d= -f2`
if [ -e /etc/debian_version ] && [ -e /etc/bind/named.conf.options ]; then
NAMED_CONF=/etc/bind/named.conf.options
fi
if [ ! -s ${NAMED_BIN} ]; then
echo "Cannot find ${NAMED_BIN}";
exit 4;
fi
NAMED_VER=`${NAMED_BIN} -v | cut -d\ -f2 | cut -d- -f1 | cut -d. -f1,2`
BIND_KEYS_FILE=${BIND_PATH}/named.iscdlv.key
if [ ! -x ${DNSSEC_KEYGEN} ]; then
echo "Cannot find ${DNSSEC_KEYGEN}. Please install dnssec tools";
exit 12;
fi
ENC_TYPE=RSASHA1
if [ `$DNSSEC_KEYGEN -h 2>&1 | grep -c RSASHA256` -gt 0 ]; then
ENC_TYPE=RSASHA256
fi
if [ ! -s ${DNSSEC_SIGNZONE} ]; then
echo "Cannot find ${DNSSEC_SIGNZONE}. Please install dnssec tools";
exit 13;
fi
HAS_SOA_FORMAT=0
SF=`${DNSSEC_SIGNZONE} -h 2>&1 | grep -c '\-N format:'`
if [ "${SF}" -gt 0 ]; then
HAS_SOA_FORMAT=1
fi
SATZ=skip-add-to-zone
show_help()
{
echo "Usage:";
echo " $0 install";
echo " $0 keygen <domain>"; # [${SATZ}]";
echo " $0 sign <domain>";
echo "";
echo "The ${SATZ} option will create the keys, but will not trigger the dataskq to add the keys to the zone.";
echo "";
exit 1;
}
if [ $# = 0 ]; then
show_help;
fi
##################################################################################################################################################
#
# Installer code
#
ensure_bind_key()
{
#http://ftp.isc.org/isc/bind9/keys/9.7/bind.keys.v9_7
#http://ftp.isc.org/isc/bind9/keys/9.6/bind.keys.v9_6
#http://ftp.isc.org/isc/bind9/keys/9.8/bind.keys.v9_8
SERVER=http://ftp.isc.org/isc/bind9/keys
BIND_KEYS_PATH=9.7/bind.keys.v9_7
case "${NAMED_VER}" in
9.2|9.3|9.4|9.5|9.6) BIND_KEYS_PATH=9.6/bind.keys.v9_6
;;
9.7) BIND_KEYS_PATH=9.7/bind.keys.v9_7
;;
9.8|9.9) BIND_KEYS_PATH=9.8/bind.keys.v9_8
esac
BIND_KEYS_URL=${SERVER}/${BIND_KEYS_PATH}
DL=0
if [ ! -s ${BIND_KEYS_FILE} ]; then
DL=1
elif [ "`grep -c trusted-keys ${BIND_KEYS_FILE}`" -eq 0 ] && [ "`grep -c managed-keys ${BIND_KEYS_FILE}`" -eq 0 ]; then
DL=1
fi
if [ "${DL}" -eq 1 ]; then
wget -O ${BIND_KEYS_FILE} ${BIND_KEYS_URL}
fi
}
ensure_named_conf()
{
if [ ! -s "${NAMED_CONF}" ] || [ "${NAMED_CONF}" = "" ]; then
echo "Cannot find ${NAMED_CONF}";
exit 1;
fi
ADD_TO_NC=""
if [ "`grep -c 'dnssec-enable yes' ${NAMED_CONF}`" -eq 0 ]; then
ADD_TO_NC="${ADD_TO_NC} dnssec-enable yes;
"
fi
if [ "`grep -c 'dnssec-validation auto' ${NAMED_CONF}`" -eq 1 ]; then
perl -pi -e 's/dnssec-validation auto/dnssec-validation yes/' ${NAMED_CONF}
fi
if [ "`grep -c 'dnssec-validation yes' ${NAMED_CONF}`" -eq 0 ]; then
ADD_TO_NC="${ADD_TO_NC} dnssec-validation yes;
"
fi
if [ "`grep -c 'dnssec-lookaside auto' ${NAMED_CONF}`" -eq 0 ]; then
ADD_TO_NC="${ADD_TO_NC} dnssec-lookaside auto;
"
fi
if [ "`grep -c ${BIND_KEYS_FILE} ${NAMED_CONF}`" -eq 0 ]; then
ADD_TO_NC="${ADD_TO_NC} bindkeys-file \"${BIND_KEYS_FILE}\";
"
fi
if [ "${ADD_TO_NC}" = "" ]; then
return;
fi
echo "Please add the following to the 'options { .... }' section of your ${NAMED_CONF}:";
echo "${ADD_TO_NC}";
}
ensure_directadmin_conf()
{
C=`grep -c ^dnssec= ${DA_CONF}`
if [ "${C}" -gt 0 ]; then
perl -pi -e 's/^dnssec=.*/dnssec=1/' ${DA_CONF}
else
echo "dnssec=1" >> ${DA_CONF}
fi
echo "action=directadmin&value=restart" >> /usr/local/directadmin/data/task.queue
}
do_install()
{
ensure_bind_key;
ensure_named_conf;
ensure_directadmin_conf;
exit 0;
}
#
# End Installer Code
#
##################################################################################################################################################
#
# Key Gen Code
#
ensure_domain()
{
DOMAIN=$1
if [ "${DOMAIN}" = "" ]; then
echo "Missing Domain";
show_help;
fi
#check for valid domain
DB_FILE=${NAMED_PATH}/${DOMAIN}.db
if [ ! -s "${DB_FILE}" ]; then
echo "Cannot find valid zone at ${DB_FILE}";
exit 10;
fi
}
ensure_keys_path()
{
if [ ! -d ${DNSSEC_KEYS_PATH} ]; then
mkdir ${DNSSEC_KEYS_PATH};
fi
if [ ! -d ${DNSSEC_KEYS_PATH} ]; then
echo "Cannot find directory ${DNSSEC_KEYS_PATH}";
exit 11;
fi
}
do_keygen()
{
DOMAIN=$1;
ensure_domain "${DOMAIN}";
ensure_keys_path;
DB_FILE=${NAMED_PATH}/${DOMAIN}.db
echo "Starting keygen process for $DOMAIN";
cd ${DNSSEC_KEYS_PATH};
#ZSK
KEY_STR=`${DNSSEC_KEYGEN} ${DNSSEC_RANDOMDEV} -a $ENC_TYPE -b 1024 -n ZONE ${DOMAIN}`
K=${KEY_STR}.key
P=${KEY_STR}.private
if [ ! -s $K ] || [ ! -s $P ]; then
echo "Cannot find ${DNSSEC_KEYS_PATH}/${K} or ${DNSSEC_KEYS_PATH}/${P}";
exit 14;
fi
mv -f $K ${DOMAIN}.zsk.key
mv -f $P ${DOMAIN}.zsk.private
#KSK
KEY_STR=`${DNSSEC_KEYGEN} ${DNSSEC_RANDOMDEV} -a $ENC_TYPE -b 2048 -n ZONE -f KSK ${DOMAIN}`
RET=$?
K=${KEY_STR}.key
P=${KEY_STR}.private
if [ ! -s $K ] || [ ! -s $P ]; then
echo "Cannot find ${DNSSEC_KEYS_PATH}/${K} or ${DNSSEC_KEYS_PATH}/${P}";
exit 15;
fi
mv -f $K ${DOMAIN}.ksk.key
mv -f $P ${DOMAIN}.ksk.private
echo "${DOMAIN} now has keys.";
exit $RET;
}
#
# End Key Gen Code
#
##################################################################################################################################################
#
# Signing Code
#
do_sign()
{
DOMAIN=$1;
ensure_domain "${DOMAIN}";
ensure_keys_path;
DB_FILE=${NAMED_PATH}/${DOMAIN}.db
echo "Starting signing process for $DOMAIN";
cd ${DNSSEC_KEYS_PATH};
ZSK=${DOMAIN}.zsk.key
KSK=${DOMAIN}.ksk.key
if [ ! -s ${ZSK} ] || [ ! -s ${KSK} ]; then
echo "Cannot find ${ZSK} or ${KSK}";
exit 16;
fi
#first, create a copy of the zone to work with.
T=${DB_FILE}.dnssec_temp
cat ${DB_FILE} > ${T}
#add the key includes
echo "\$include ${DNSSEC_KEYS_PATH}/${DOMAIN}.zsk.key;" >> ${T};
echo "\$include ${DNSSEC_KEYS_PATH}/${DOMAIN}.ksk.key;" >> ${T};
N_INC="-N INCREMENT"
if [ "${HAS_SOA_FORMAT}" -eq 0 ]; then
N_INC=""
fi
${DNSSEC_SIGNZONE} -l dlv.isc.org ${DNSSEC_RANDOMDEV} -e +3024000 ${N_INC} -o ${DOMAIN} -k ${KSK} ${T} ${ZSK}
RET=$?
rm -f ${T}
if [ -s ${T}.signed ]; then
mv -f ${T}.signed ${DB_FILE}.signed
else
if [ "$RET" -eq 0 ]; then
echo "cannot find ${T}.signed to rename to ${DB_FILE}.signed";
fi
fi
exit $RET;
}
#
# End Signing Code
#
##################################################################################################################################################
case "$1" in
install) do_install;
;;
keygen) do_keygen "$2" "$3";
;;
sign) do_sign "$2";
;;
*) show_help;
;;
esac
exit 1;
Reference in New Issue View Git Blame Copy Permalink