@lampeh
Created January 29, 2017 02:48
#!/bin/bash
## Generate a new DNSSEC zone-signing key (ZSK) for BIND with pre-publication
## rollover timing metadata, intended to be run from a periodic cron job.
## Usage: $0 <zone> [algorithm] [bits]
export LC_TIME=C
#set -x
keydir=/var/cache/bind/keys
zone="$1"
keytype="$2"
bits="$3"
keyttl="230042" ## DNSKEY RRset TTL in seconds (-L)
## see RFC 7583 - https://tools.ietf.org/html/rfc7583#section-3.2.1
Lzsk="4 months" ## cronjob interval (each run pre-publishes the successor key)
Dprp="1 day +7 days" ## soa refresh + soa expire
Ipub="$Dprp +3 days" ## Dprp + key ttl
#Ipub="$Ipub +$Lzsk" ## use as standby key for one interval
#Iret="10 days +$Dprp +3 days" ## sig (val-min) + Dprp + max ttl
Iret="21 days" ## max sig lifetime
## All times are UTC; GNU date is required for the relative "-d" arithmetic.
now="$(date -u -d "+2 days 00:00:00")" ## buffer for script runtime, dst offset and loadkeys interval
Tpub="$(date -u -d "$now" "+%Y%m%d%H%M%S")" ## -P: key appears in the zone
Tact="$(date -u -d "$now +$Ipub" "+%Y%m%d%H%M%S")" ## -A: key starts signing
Tret="$(date -u -d "$now +$Ipub +$Lzsk" "+%Y%m%d%H%M%S")" ## -I: key stops signing
Trem="$(date -u -d "$now +$Ipub +$Lzsk +$Iret" "+%Y%m%d%H%M%S")" ## -D: key removed from the zone
[ -z "$zone" ] && { echo "$0: no zone name given" >&2; exit 1; }
[ -z "$keytype" ] && keytype=RSASHA256
[ -z "$bits" ] && bits=$((1537 + ($RANDOM % 512))) ## random RSA size between 1537 and 2048 bits
newkeyname="$(dnssec-keygen \
-a "$keytype" \
-b "$bits" \
-K "$keydir" \
-L "$keyttl" \
-P "$Tpub" -A "$Tact" -I "$Tret" -D "$Trem" \
"$zone")"
[ -z "$newkeyname" ] && { echo "dnssec-keygen for $zone failed!" >&2; exit 1; }
#echo "New key: $newkeyname"
newkeyname="$keydir/$newkeyname"
## The private key must not be world-readable; BIND's group needs read access to sign with it.
chmod 640 "${newkeyname}.key" "${newkeyname}.private"
chown root:bind "${newkeyname}.key" "${newkeyname}.private"
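The script's four `date` expressions encode a pre-publication ZSK rollover (RFC 7583, section 3.2.1): publish, activate one Ipub later, retire one cron interval after that, delete one Iret after retirement. The following is an added example, not part of the gist, that recomputes that timeline in Python and checks the invariants the interval choices are supposed to satisfy: Ipub must cover propagation delay plus the DNSKEY TTL, Iret must cover the longest RRSIG lifetime, and the successor key (generated one cron interval later with the same Ipub) must be active no later than this key's retirement. The interval values mirror the gist; the fixed start date, the `days()` helper and the 120-day stand-in for GNU date's "4 months" are constructed here.

```python
# Added example (not part of the gist): recompute and sanity-check the ZSK
# timeline the script passes to dnssec-keygen against the RFC 7583 section
# 3.2.1 pre-publication constraints. Interval values mirror the gist; the
# start date and the 120-day stand-in for "4 months" are constructed.
from datetime import datetime, timedelta, timezone


def days(n):
    """Shorthand for a whole-day timedelta (helper introduced for this example)."""
    return timedelta(days=n)


# Intervals from the gist, expressed as timedeltas instead of GNU date phrases
KEY_TTL = timedelta(seconds=230042)  # -L, DNSKEY TTL (about 2.66 days)
DPRP = days(1) + days(7)             # SOA refresh + SOA expire
IPUB = DPRP + days(3)                # Dprp + key TTL (3 days covers the 230042 s TTL)
LZSK = days(120)                     # cron interval; "4 months" approximated (constructed)
IRET = days(21)                      # maximum RRSIG lifetime

# Constructed start: the gist's creation date plus the script's 2-day buffer
EXAMPLE_START = datetime(2017, 1, 31, tzinfo=timezone.utc)


def zsk_timeline(now, ipub=IPUB, lzsk=LZSK, iret=IRET):
    """Return the dnssec-keygen timing values for one ZSK.

    Keys: "P" publish, "A" activate, "I" inactive (retire), "D" delete,
    derived exactly as the script does: each is the previous time plus one interval.
    """
    tpub = now
    tact = tpub + ipub
    tret = tact + lzsk
    trem = tret + iret
    return {"P": tpub, "A": tact, "I": tret, "D": trem}


def bind_time(dt):
    """Format a datetime the way dnssec-keygen expects (YYYYMMDDHHMMSS, UTC)."""
    return dt.astimezone(timezone.utc).strftime("%Y%m%d%H%M%S")


def check_timeline(tl, dprp=DPRP, key_ttl=KEY_TTL, max_sig_lifetime=IRET,
                   lzsk=LZSK, ipub=IPUB):
    """Return a list of RFC 7583 constraint violations (empty list means OK)."""
    problems = []
    # Ipub >= Dprp + TTLkey: every validator must be able to fetch the new
    # DNSKEY before any RRSIG made with it can show up in its cache.
    if tl["A"] - tl["P"] < dprp + key_ttl:
        problems.append("Ipub shorter than Dprp + key TTL: "
                        "new key may sign before validators have cached it")
    # Iret must cover the longest-lived signature made by the retiring key,
    # otherwise cached RRSIGs could outlive the DNSKEY that validates them.
    if tl["D"] - tl["I"] < max_sig_lifetime:
        problems.append("Iret shorter than maximum signature lifetime: "
                        "cached RRSIGs could become bogus after deletion")
    # The successor is generated one cron interval later with the same Ipub,
    # so it activates exactly when this key retires; a later cron run than
    # the Lzsk the timeline assumed leaves an interval with no active ZSK.
    successor_active = tl["P"] + lzsk + ipub
    if successor_active > tl["I"]:
        problems.append("successor key would activate after this key retires: "
                        "unsigned gap between rollovers")
    return problems


if __name__ == "__main__":
    tl = zsk_timeline(EXAMPLE_START)
    for flag, when in tl.items():
        print(f"-{flag} {bind_time(when)}")
    print("violations:", check_timeline(tl) or "none")
```

Run stand-alone it prints the four `-P/-A/-I/-D` values for the constructed start date and reports no violations for the gist's intervals. Passing a shorter `ipub` (under Dprp plus the key TTL) or a larger `lzsk` to `check_timeline` (modelling a cron job that runs less often than the timeline assumes) produces the corresponding violation, which is the quickest way to see what each interval in the script is protecting against.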