Last active
May 30, 2017 12:51
-
-
Save mat813/5952962 to your computer and use it in GitHub Desktop.
OpenDNSSEC to RIPE
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env ruby | |
| # frozen_string_literal: true | |
| # ods-ksmutil key export --keystate ready -t KSK --all | ruby ripe.rb ready | |
| # ods-ksmutil key export --keystate retire -t KSK --all | ruby ripe.rb retire | |
| require 'pp' | |
| require 'rubygems' | |
| require 'dnsruby' | |
| require 'net/smtp' | |
| PASSWD = 'XXXX' | |
| FROM = 'noc@toi' | |
| QUOI = ARGV[0] | |
| def debug(*rest) | |
| puts(*rest) if STDOUT.tty? | |
| end | |
| if QUOI.nil? || !%w[ready retire].include?(QUOI) | |
| puts 'usage : ripe.rb [ready|retire]' | |
| exit 1 | |
| end | |
| module Dnsruby | |
| class RR | |
| # tripoter | |
| class DS | |
| # Tripoter le rdata_to_string pour avoir ce dont on a besoin. | |
| def rdata_to_string | |
| return '' if @key_tag.nil? | |
| "#{@key_tag.to_i} #{@algorithm.code} #{@digest_type.code} #{@digest.upcase}" | |
| end | |
| end | |
| end | |
| end | |
| thingstodo = [] | |
| domain_found = false | |
| while (line = STDIN.gets) | |
| next unless line =~ /^[a-z0-9]/ | |
| new_key = Dnsruby::RR::DNSKEY.new_from_string(line) | |
| domain = new_key.name.to_s | |
| debug "Domaine #{domain}" | |
| if domain =~ /\.(ip6|in-addr)\.arpa$/ | |
| whois = `/usr/local/bin/whois3 -Br #{domain}`.split(/\n/).reject { |l| l =~ /^%/ || l == '' }.map { |l| l.split(/:\s*/) } | |
| # Le domaine est bien ce qu'on a demande et qu'on est mntner dessus. | |
| if whois.any? { |k, v| k == 'domain' && v == domain } && whois.any? { |k, v| k == 'mnt-by' && v == 'ABSO-DNS-MNT' } | |
| domain_found = true | |
| debug "clef consideree #{new_key.rdata}" | |
| changed = false | |
| case QUOI | |
| when 'ready' | |
| new_ds = [1, 2, 4].map { |v| Dnsruby::RR::DS.from_key(new_key, v) } | |
| new_ds.each do |ds| | |
| if whois.any? { |k, v| k == 'ds-rdata' && ds == Dnsruby::RR::DS.new_from_string("#{domain}. IN DS #{v}") } | |
| debug "DS #{ds.digest_type} deja la" | |
| else | |
| idx = whois.index { |k, _v| k == 'ds-rdata' || k == 'notify' } | |
| puts "DS ajoute #{ds.digest_type}" | |
| whois[idx..idx] = [['ds-rdata', ds.rdata_to_string], whois[idx]] | |
| changed = true | |
| end | |
| end | |
| when 'retire' | |
| if whois.any? { |k, v| k == 'ds-rdata' && v =~ /^#{new_key.key_tag}\b/ } | |
| whois.reject! { |k, v| k == 'ds-rdata' && v =~ /^#{new_key.key_tag}\b/ } | |
| puts "Clef supprime #{new_key.key_tag}" | |
| changed = true | |
| else | |
| debug "Clef #{new_key.key_tag} absent" | |
| end | |
| end | |
| if changed | |
| whois << ['password', PASSWD] | |
| thingstodo << "% #{domain}" | |
| thingstodo << '' | |
| thingstodo += whois.map { |k, v| k + ':' + ' ' * (15 - k.size) + v } | |
| thingstodo << '' | |
| else | |
| debug 'rien a changer' | |
| end | |
| else | |
| debug 'Domaine pas a nous' | |
| end | |
| else | |
| debug 'Domaine pas bon format' | |
| end | |
| end | |
| unless thingstodo.empty? | |
| message = <<~eot | |
| From: #{FROM} | |
| To: auto-dbm@ripe.net | |
| Cc: #{FROM} | |
| Subject: DIFF | |
| eot | |
| message << thingstodo.join("\n") | |
| Net::SMTP.start('localhost') do |smtp| | |
| smtp.send_message message, FROM, ['auto-dbm@ripe.net', FROM] | |
| end | |
| end | |
| exit domain_found ? 0 : 1 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment