@BoresXP
Created Sep 7, 2018
Script to generate keys and sign zone for DNSSEC.
#!/bin/bash
if [ $# -eq 0 ]; then
    echo "Script that generates keys for domain."
fi
if [ $# -lt 1 -o $# -gt 2 ]; then
    echo "Illegal number of arguments!"
    echo "Usage:"
    echo "  $0 <domain> [mode]"
    echo "Where:"
    echo "  domain - domain name."
    echo "  mode   - 0 = resign zone (default), 1 = generate keys and sign zone, 2 = generate ZSK and sign zone."
    exit 1
fi
confirm() {
    # Call with a prompt string or use the default.
    read -r -p "${1:-Are you sure? [y/N]} " response
    if [[ "$response" =~ ^([yY][eE][sS]|[yY])+$ ]]; then
        true
    else
        false
    fi
}
MODE=$2
[ -z "$MODE" ] && MODE=0
REMODE="^[012]$"
if [[ ! "$MODE" =~ $REMODE ]]; then
    echo "Invalid mode!"
    exit 1
fi
# Key files are named K<zone>.+<algorithm>+<keytag>.key; 007 is RSASHA1-NSEC3-SHA1 (ALGO below).
KEYS=$(find . -name "K$1.+007+*.key" | sed "s/.*\(K.\+\)\.key/\1/")
if [ "$MODE" -ne 1 -a -z "$KEYS" ]; then
    confirm "No keys found. Create new? [y/N]" && MODE=1
fi
# Signing algorithm. Use 6 or 7 here because we call signzone with the -n (NSEC3) option.
ALGO="RSASHA1-NSEC3-SHA1"
# Random source. Change to /dev/urandom to speed up the process.
RNDEV="/dev/random"
if [ "$MODE" -eq 1 -o "$MODE" -eq 2 ]; then
    echo "Generating ZSK"
    /usr/bin/ldns-keygen -a $ALGO -b 1024 -r $RNDEV "$1"
fi
if [ "$MODE" -eq 1 ]; then
    echo "Generating KSK"
    /usr/bin/ldns-keygen -a $ALGO -k -b 2048 -r $RNDEV "$1"
fi
KEYS=$(find . -name "K$1.+007+*.key" | sed "s/.*\(K.\+\)\.key/\1/")
echo "Generating salt"
SALT=$(head -c 447 $RNDEV | shasum | cut -b 1-16)
echo "Signing zone '$1'"
echo "Keys found: $KEYS"
# Change path to ldns-signzone wrapper. $KEYS is left unquoted on purpose so that each key name is a separate argument.
/root/ldns-signzone.sh -e 20181231 -n -s $SALT -p $1 $KEYS

BoresXP commented Sep 7, 2018

Typical usage:

  1. Create a zone file. The best idea is to name the file after the zone - myzone.com.
  2. Run the script:
    sign.sh myzone.com
  3. It will generate keys (because they are missing) and sign the zone. You will get a new zone file - myzone.com.signed.
  4. Use the new file in NSD or your DNS server.

If you want to change a zone:

  1. Make the changes in the original file (myzone.com). Don't forget to change the serial.
  2. Run the script again:
    sign.sh myzone.com
  3. It will re-sign the zone (with the existing keys; the script will search for them) and update myzone.com.signed.
  4. Reload the zone in NSD or the DNS server of your choice.

If you need to recreate the ZSK:
Run the script with mode = 2:
sign.sh myzone.com 2

IMPORTANT NOTE:
Change the path to the ldns-signzone wrapper (that supports include) at the bottom of the file.
https://gist.github.com/BoresXP/4d1c2310aa22aa352e58f8c9cfb5f14b

You need to have the ldnsutils package installed on your system.
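The script above finds its keys only by the filename pattern K<zone>.+007+*.key, so it cannot tell a KSK from a ZSK and silently ignores keys of any other algorithm. The following is an added example (not part of the gist) that reads the DNSKEY record inside each .key file, classifies it by its flags field, and recomputes the RFC 4034 key tag so the expected filename can be checked before re-signing or rotating the ZSK; the two key files and their base64 key material are constructed placeholders, not real RSA keys.

```python
import base64
import re

# Constructed sample .key files in the one-DNSKEY-per-file format ldns-keygen writes.
# "AQAB" decodes to the bytes 01 00 01 and stands in for real public key material.
SAMPLE_KEY_FILES = {
    "zsk.key": "myzone.com.\t3600\tIN\tDNSKEY\t256 3 7 AQAB",
    "ksk.key": "myzone.com.\t3600\tIN\tDNSKEY\t257 3 7 AQAB",
}

DNSKEY_RE = re.compile(
    r"^(?P<owner>\S+)\s+(?:\d+\s+)?(?:IN\s+)?DNSKEY\s+"
    r"(?P<flags>\d+)\s+(?P<proto>\d+)\s+(?P<alg>\d+)\s+(?P<key>[A-Za-z0-9+/=\s]+)$"
)


def key_tag(flags, proto, alg, pubkey):
    """Key tag per RFC 4034 Appendix B, computed over the DNSKEY RDATA."""
    if alg == 1:
        raise ValueError("algorithm 1 (RSAMD5) uses a different key tag rule")
    rdata = flags.to_bytes(2, "big") + bytes([proto, alg]) + pubkey
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8   # odd bytes low, even bytes high
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def describe_key(text):
    """Parse one DNSKEY RR; return (role, algorithm, key tag, expected file stem)."""
    m = DNSKEY_RE.match(text.strip())
    if not m:
        raise ValueError("not a DNSKEY record")
    flags, proto, alg = (int(m.group(g)) for g in ("flags", "proto", "alg"))
    pubkey = base64.b64decode("".join(m.group("key").split()))
    role = {256: "ZSK", 257: "KSK"}.get(flags, "unknown")   # bit 7 = zone key, bit 15 = SEP
    tag = key_tag(flags, proto, alg, pubkey)
    # ldns-keygen names files K<owner>+<alg, 3 digits>+<tag, 5 digits>.key / .private
    stem = "K%s+%03d+%05d" % (m.group("owner"), alg, tag)
    return role, alg, tag, stem


def inventory(files):
    """Map each file name to what its DNSKEY actually is, whatever the algorithm."""
    return {name: describe_key(text) for name, text in files.items()}


if __name__ == "__main__":
    for name, (role, alg, tag, stem) in inventory(SAMPLE_KEY_FILES).items():
        print(f"{name}: {role} alg={alg} tag={tag} -> {stem}.key")
```

A key whose computed stem does not match its file name, or a set with no KSK, is worth noticing before the signed zone is reloaded.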


BoresXP commented Sep 7, 2018

Zone file signing script for DNSSEC.

Usage example:

  1. Create a zone file. It is best to name it after the zone - myzone.ru.
  2. Run the script:
    sign.sh myzone.ru
  3. The script will create the keys and the signed zone file - myzone.ru.signed.
  4. Use the latter file in the DNS server.

When making changes to the zone file:

  1. Make the changes in the primary file. Don't forget to change the zone serial.
  2. Run the script again:
    sign.sh myzone.ru
  3. It will re-sign the zone (with the existing keys it created earlier) and update the .signed file.
  4. Reload the zone in the DNS server.

If you need to renew the ZSK:
Run the script with mode = 2:
sign.sh myzone.com 2

IMPORTANT NOTE:
Don't forget to change the path to the ldns-signzone wrapper (which supports include):
https://gist.github.com/BoresXP/4d1c2310aa22aa352e58f8c9cfb5f14b

You also need the ldnsutils package installed.
