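#!/bin/sh
# Register one or more unsigned zone files with OpenDNSSEC and seed their
# signed counterparts.
#
# Usage: $0 [-p policy] some/file [some/file...]
#   -p policy   OpenDNSSEC KASP policy the zone is attached to (default: "default")
#
# Run from the zone directory (the one holding the Makefile).  For every file:
#   1. copy it to <file>.signed so the Makefile's `find *.signed` discovers the
#      zone from now on;
#   2. have make build the compiled copy under ${UNSIGNED} (the Makefile's
#      named-compilezone rule);
#   3. add the zone to OpenDNSSEC with the signer output pointing at the .signed
#      file.
# Afterwards keys are generated for the policy and the `unsigned` make target
# refreshes every compiled copy.
#
# NOTE(review): the zone name handed to ods-ksmutil is the file's basename,
# without the `_` -> `/` translation the Makefile applies elsewhere; for a file
# whose name contains `_` that may not be the real zone name - confirm.
set -e

usage() {
	printf '%s [-p policy] some/file [some/file...]\n' "$0" >&2
	exit 1
}

policy=default
while getopts "p:" _opt; do
	case "$_opt" in
		p) policy="$OPTARG" ;;
		*) usage ;;   # getopts has already printed its diagnostic
	esac
done
shift $((OPTIND - 1))
[ $# -gt 0 ] || usage

# Directory OpenDNSSEC reads unsigned zones from, trailing slash included
# (UNSIGNED in the Makefile); the make target is the plain concatenation.
unsigned=$(make -V UNSIGNED)

for i in "$@"
do
	if [ ! -f "$i" ]
	then
		printf '%s: %s is not a regular file\n' "$0" "$i" >&2
		exit 1
	fi
	zone=$(basename -- "$i")
	cp -f -- "$i" "$i.signed"
	make "$unsigned$zone"
	ods-ksmutil zone add --zone "$zone" --policy "$policy" --output "/etc/namedb/$i.signed"
done
ods-ksmutil key generate --policy "$policy" --interval PT0H -A
make unsigned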
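#!/bin/sh
# Nagios-style check of RRSIG validity windows over the signed zones.
#
# Usage: check-expire                 check the local *.signed files
#        check-expire axfr [server]   check a subset of zones as served by
#                                     `server` (default 127.0.0.1), via AXFR
#
# The records are fed to check-expire.awk, which prints one status line and
# exits with the Nagios code (0 OK / 1 WARNING / 2 CRITICAL).  awk is the last
# stage of the pipeline, so its status is this script's status.
cd /etc/namedb/ || exit 3   # 3 = UNKNOWN: the zone directory is unreachable

server=${2:-127.0.0.1}
(
	if [ "$1" = "axfr" ]
	then
		# Zone names are the signed file basenames without suffix, as the
		# Makefile sees them.  random(6) reorders/subsets the list so each run
		# does not hit the same zones in the same order; how the `10` is
		# interpreted depends on the installed random(6) - see its manual.
		# Word splitting of the substitution is intended here.
		# shellcheck disable=SC2046
		for zone in $(/usr/bin/make -VSIGNED:R:T | random -w 10)
		do
			dig +noall +answer axfr "@$server" "$zone"
		done
	else
		# Local check: concatenate every signed zone file.  An empty list is
		# not passed to cat, which would otherwise block reading stdin.
		files=$(/usr/bin/make -VSIGNED)
		# shellcheck disable=SC2086
		[ -n "$files" ] && cat -- $files
	fi
) | /usr/bin/awk -f check-expire.awk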
#!/usr/bin/awk
BEGIN {
	# Nagios plugin exit codes.
	STATE_OK=0
	STATE_WARNING=1
	STATE_CRITICAL=2
	# Thresholds.  The base window is the Makefile's EXPIRY variable (the
	# comment next to it explains the margin: SOA refresh minus the resign
	# interval, minus a little).  The figures once noted here - refresh 3
	# days, resign 12 hours, 2d10h - predate that variable and are stale;
	# the Makefile is authoritative.
	"/usr/bin/make -C /etc/namedb -VEXPIRY" | getline expiry
	# WARNING once an RRSIG expires within EXPIRY minus one hour, CRITICAL
	# within EXPIRY minus one day.  Every stamp is UTC YYYYMMDDHHMMSS, the
	# same format as the RRSIG fields, so they compare as plain numbers.
	"/usr/local/bin/gdate -u -d '" expiry " - 1 hour' +'%Y%m%d%H%M%S'" | getline date_warn
	"/usr/local/bin/gdate -u -d '" expiry " - 1 day' +'%Y%m%d%H%M%S'" | getline date_crit
	# `now` is backdated five minutes so a signer clock slightly ahead of
	# ours is not reported as an inception in the future.
	"/usr/local/bin/gdate -u -d '5 minutes ago' +'%Y%m%d%H%M%S'" | getline now
	# Expiry tracking: soonest expiry among records already inside the
	# warning window, how many such records, soonest expiry overall (OK line).
	expir = 0
	expir_count = 0
	expir_ok = 0
	# Inception tracking: furthest future inception, how many, latest overall.
	incep = 0
	incep_count = 0
	incep_ok = 0
	# Total RRSIG records seen.
	sig_count = 0
	# crit becomes 1 once a record crosses the critical threshold;
	# zones counts SOA records (one per zone in the input).
	crit = 0
	zones = 0
}
# Each zone starts with its SOA: remember the owner name for error messages
# (the RRSIG rule reads `zone`) and count the zone.
$4 == "SOA" {
	zone = $1
	zones++
}
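# One RRSIG per line, in dig/zone-file field order:
#   $1 owner, $4 "RRSIG", $9 signature expiration, $10 signature inception
# (both UTC YYYYMMDDHHMMSS).  `zone` is set by the SOA rule; now, date_warn
# and date_crit come from BEGIN.
$4 == "RRSIG" {
	sig_count++
	# Soonest expiry and latest inception over all records, for the OK line.
	if ($9 < expir_ok || expir_ok == 0) {
		expir_ok = $9
		expir_enr = $1
	}
	if ($10 > incep_ok) {
		incep_ok = $10
		incep_enr = $1
	}
	# Inception still in the future, beyond the grace built into `now`:
	# the signer's clock or configuration is badly off.  Keep the record
	# with the furthest inception for the message; the time reported is
	# the inception itself ($10), not the expiration.
	if ($10 > now) {
		if ($10 > incep) {
			error = "zone " zone " has record " $1 " with inception in the future at " $10
			incep = $10
		}
		incep_count++
	}
	# Expiring inside the warning window, unless an inception error has
	# already been recorded (that message takes precedence).  Keep the
	# soonest-expiring record; escalate once one crosses the critical line.
	if ($9 < date_warn && incep_count == 0) {
		if ($9 < expir || expir == 0) {
			error = "zone " zone " has record " $1 " expiring at " $9 ", less than " expiry
			expir = $9
			if ($9 < date_crit) {
				crit = 1
			}
		}
		expir_count++
	}
}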
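# Format a number of seconds as e.g. "1d02h03m04s".  Leading zero units are
# dropped down to the minutes, seconds are always printed:
#   0 -> "00s", 61 -> "01m01s", 3661 -> "01h01m01s", 90061 -> "1d01h01m01s".
# `ret` and `go` are extra parameters so they are local to the function
# (awk's only way to declare locals) rather than silently global.
# Callers pass a non-negative difference; negative values are not handled.
function datetostr(diff,    ret, go) {
	ret = ""
	go = 0
	if (int(diff/86400) > 0) {
		go = 1
		ret = sprintf("%dd", int(diff/86400))
	}
	if (go == 1 || int(diff%86400/3600) > 0) {
		go = 1
		ret = sprintf("%s%02dh", ret, int(diff%86400/3600))
	}
	if (go == 1 || int(diff%3600/60) > 0) {
		ret = sprintf("%s%02dm", ret, int(diff%3600/60))
	}
	ret = sprintf("%s%02ds", ret, int(diff%60))
	return ret
}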
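# Convert a UTC YYYYMMDDHHMMSS stamp (the RRSIG field format) to a Unix
# timestamp with gdate.  `cmd` and `ts` are locals (extra parameters); the
# pipe is closed so repeated calls never reuse a stale stream.
function stamp2ts(stamp,    cmd, ts) {
	cmd = "/usr/local/bin/gdate -u -d '" substr(stamp, 1, 4) "-" substr(stamp, 5, 2) "-" substr(stamp, 7, 2) " " substr(stamp, 9, 2) ":" substr(stamp, 11, 2) ":" substr(stamp, 13, 2) "' +%s"
	cmd | getline ts
	close(cmd)
	return ts
}
# Print the one-line Nagios status and exit with the matching code.
END {
	"/usr/local/bin/gdate -u +%s" | getline now_ts
	# No RRSIG at all means nothing was verified (empty zone list, failed
	# AXFR, unsigned zone...).  Say so and exit 3 (Nagios UNKNOWN) instead
	# of the misleading "0 signatures are OK".
	if (sig_count == 0) {
		print "no RRSIG records found in " zones " zones; nothing checked"
		exit 3
	}
	if (expir_count == 0 && incep_count == 0) {
		expir_ts = stamp2ts(expir_ok)
		incep_ts = stamp2ts(incep_ok)
		print sig_count " signatures are OK in " zones " zones (first expiry : "expir_enr" at "expir_ok" in "datetostr(expir_ts - now_ts)") (last inception : "incep_enr" at "incep_ok", "datetostr(now_ts - incep_ts)" ago)"
		exit STATE_OK
	}
	# Inception errors take precedence (the RRSIG rule stops recording
	# expiries once one is seen); `error` describes the worst record.
	if (incep_count > 0) {
		incep_ts = stamp2ts(incep)
		# A future inception lies ahead of now_ts; because `now` carries a
		# five-minute grace it can also be slightly behind, hence both forms.
		if (incep_ts >= now_ts) {
			print error ", in " datetostr(incep_ts - now_ts)
		} else {
			print error ", " datetostr(now_ts - incep_ts) " ago"
		}
		if (incep_count > 1) {
			print " (" (incep_count-1) " other)"
		}
	} else {
		expir_ts = stamp2ts(expir)
		print error ", in " datetostr(expir_ts - now_ts)
		if (expir_count > 1) {
			print " (" (expir_count-1) " other)"
		}
	}
	if (crit == 0) {
		exit STATE_WARNING
	} else {
		exit STATE_CRITICAL
	}
}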
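#!/bin/sh
# Check that every authoritative name server of a zone serves the same SOA
# serial and, when a zone file is given, that it carries that same serial.
#
# Usage: check-soa.sh zone [zonefile]
# Exits 0 when all serials agree, 1 otherwise (including: no server answered,
# missing zone argument, zone file without an SOA).  Silent on purpose; the
# Makefile's check-serial targets print the details on failure.
set -e

# True when stdin holds exactly one whitespace-separated word.  A numeric
# test is used on purpose: matching the count with `grep -q 1` would also
# accept 10, 21, ...
one_word() {
	[ "$(wc -w)" -eq 1 ]
}

if [ $# -lt 1 ]
then
	printf 'Usage: %s zone [zonefile]\n' "$0" >&2
	exit 1
fi

# `dig +nssearch` prints one "SOA mname rname serial ..." line per name server
# that answered; keep the distinct serials.
nssearch=$(dig +nssearch "$1" | awk '$1 == "SOA" {print $4}' | sort -u)

# Nobody answered, or the servers disagree among themselves.
if [ -z "$nssearch" ] || ! printf '%s\n' "$nssearch" | one_word
then
	exit 1
fi

if [ -n "$2" ]
then
	# Serial from the local file: field 7 of its SOA line
	# ("name ttl IN SOA mname rname serial ...").  Assumes the SOA is on one
	# line, as the generated files are written - TODO confirm for hand-edited files.
	file=$(awk '$4 == "SOA" {print $7}' "$2")
	# No SOA in the file is a failure, not a match.
	[ -n "$file" ] || exit 1
	# The file's serial must be the one the servers agree on.
	if ! { printf '%s\n' "$nssearch"; printf '%s\n' "$file"; } | sort -u | one_word
	then
		exit 1
	fi
fi
exit 0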
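#!/bin/sh
# Remove one or more zones from this server: the database row, the zone files,
# our DNSSEC keys at the registrars, and finally the OpenDNSSEC zone itself.
#
# Usage: rmzone zone [zone...]
# Run from the zone directory (the one holding the Makefile).  Each argument
# is the zone as it appears in the file name (so `_` where the Makefile uses
# it in place of `/`).
#
# Steps run in order and the script stops at the first hard failure (set -e),
# so a bad database login cannot be followed by deleting files and keys.
set -e

# Zone/file names are restricted to a safe character set before being spliced
# into SQL and handed to the tools below.
valid_zone() {
	case $1 in
		"" | *[!A-Za-z0-9._/-]*) return 1 ;;
		*) return 0 ;;
	esac
}

for d in "$@"
do
	if ! valid_zone "$d"
	then
		printf '%s: refusing to delete zone with unexpected characters: %s\n' "$0" "$d" >&2
		exit 1
	fi

	# 1. Drop the zone from the SQL database.  The `dns` user's password is
	# read from the invoking user's ~/.my.cnf, group [client_dns]
	# (--defaults-group-suffix), so it is neither stored in this file nor
	# shown to everyone on the host through ps(1).
	# NOTE(review): `like` is kept from the original; `_` is a single-character
	# wildcard there, which may be what lets a file name with `_` match a
	# stored name with `/` - confirm before switching to `=`.
	printf "delete from domains where domain like '%s';\n" "$d" |
		mysql --defaults-group-suffix=_dns -u dns -h localhost dns

	# 2. Remove the signed file, and the unsigned one if it is only a symlink.
	zone=$(make "-VSIGNED:R:M*/$d")
	if [ -n "$zone" ]
	then
		rm -v -- "$zone.signed"
		[ -L "$zone" ] && rm -v -- "$zone"
	fi

	# 3. The zone may live on at other name servers: retire our KSKs at every
	# registrar while OpenDNSSEC can still export them.  A subshell keeps the
	# cd local and a failed cd cannot make the scripts run from the wrong
	# directory; the temp file is removed on every exit path.  Each registrar
	# script is best effort (a zone is registered at only one of them).
	(
		cd /root/dnssec || exit 1
		file=$(mktemp)
		trap 'rm -f "$file"' EXIT
		ods-ksmutil key export -t KSK -z "$d" > "$file"
		for script in afnic.rb gandi.rb smallregistry.rb ripe.rb
		do
			ruby "$script" "retire" < "$file" ||
				printf '%s: %s retire failed for %s (continuing)\n' "$0" "$script" "$d" >&2
		done
	)

	# 4. Finally forget the zone in OpenDNSSEC.
	ods-ksmutil zone delete -z "$d"
done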
# $Abso: Makefile,v 55f370ca4feb 2013/08/27 12:21:04 hg $
# Default target: commit the working copy, refresh the compiled unsigned
# zones, then sign.
all: commit unsigned sign
# Every signed zone file below this directory, sorted (BSD find -s).  All the
# other lists are derived from it with make modifiers: :T basename, :R strip
# suffix, :S/_/\// turn `_` into `/` (presumably for zone names that contain
# a slash, such as RFC 2317 classless reverse zones - confirm).
SIGNED!= find -s * -name '*.signed'
sign: ${SIGNED}
# Commit message, overridable: make COMMIT="..." commit
COMMIT?=Update
# Where OpenDNSSEC reads unsigned zones from.  The trailing slash matters:
# target names are built by plain concatenation with the file basename.
UNSIGNED=/usr/local/var/opendnssec/unsigned/
unsigned: ${SIGNED:T:R:S/^/${UNSIGNED}/}
signed2: ${SIGNED:R:S/$/.signed2/}
check: ${SIGNED:R:S/$/.check/}
check-soa: check-serial
# Per-zone rules.  `i` is a zone file path without the .signed suffix
# (e.g. dir/example.net); ${i:T} is its basename and ${i:T:S/_/\//} the zone
# name handed to the tools.  `$>` is BSD make's list of all sources; a `-@`
# recipe prefix ignores the command's failure and does not echo it.
.for i in ${SIGNED:R}
clean::
	-@rm -f $i.unsigned $i.signed2
# Canonical copy of the source with relative owner names (for inspection).
$i.unsigned: $i
	/usr/local/sbin/named-compilezone -o $@ -s relative ${i:T:S/_/\//} $>
# Compiled copy OpenDNSSEC signs from, rebuilt whenever the source changes.
${UNSIGNED}${i:T}: $i
	/usr/local/sbin/named-compilezone -o $@ ${i:T:S/_/\//} $>
# Ask the signer for a fresh .signed once the unsigned copy is newer.
$i.signed: ${UNSIGNED}${i:T}
	/usr/local/sbin/ods-signer sign ${i:T:S/_/\//}
# Relative-name rendering of the signed zone.
$i.signed2: $i.signed
	/usr/local/sbin/named-compilezone -o $@ -s relative ${i:T:S/_/\//} $>
# Syntax check of the source and of the signed file.
# NOTE(review): here the zone name is ${i:T} (untranslated) and the path is
# ${i:S/_/\//} (translated), the opposite of the compilezone rules above; for
# a file whose name contains `_` this looks swapped - confirm.
$i.check::
	-@/usr/local/sbin/named-checkzone ${i:T} ${i:S/_/\//}
	-@/usr/local/sbin/named-checkzone ${i:T} ${i:S/_/\//}.signed
# Serial consistency: all public name servers must agree with our signed
# file; on mismatch print the zone, its SOA and what the servers answer.
check-serial: check-serial-${i:T}
check-serial-${i:T}::
	-@(./check-soa.sh ${i:T:S/_/\//} ${i}.signed || (echo $i; grep "IN SOA" ${i}.signed; dig +nssearch ${i:T:S/_/\//}))
# Same, and additionally send a NOTIFY so lagging secondaries re-fetch.
check-serial-notify: check-serial-notify-${i:T}
check-serial-notify-${i:T}::
	-@(./check-soa.sh ${i:T:S/_/\//} ${i}.signed || (echo $i; grep "IN SOA" ${i}.signed; dig +nssearch ${i:T:S/_/\//}; /usr/local/sbin/rndc notify ${i:T:S/_/\//}))
notify:: notify-${i:T}
notify-${i:T}::
	@/usr/local/sbin/rndc notify ${i:T:S/_/\//}
# DNSSEC validation of the signed file with validns: locally ...
valid-all: valid-${i:T}
valid: valid-${i:T}
valid-${i:T}::
	-@/usr/local/bin/validns -p all -z ${i:T} ${i}.signed
# ... re-signing on the spot when it fails ...
valid-resign: valid-resign-${i:T}
valid-resign-${i:T}::
	-@/usr/local/bin/validns -p all -z ${i:T} ${i}.signed || /usr/local/sbin/ods-signer sign ${i:T:S/_/\//}
# ... and as actually served by each public name server, fetched via AXFR.
.for n in 1 2 3 4
valid-all: valid-ns${n}-${i:T}
valid-ns${n}: valid-ns${n}-${i:T}
valid-ns${n}-${i:T}::
	-@/usr/local/bin/dig +noall +answer axfr @ns$n.absolight.net ${i:T} | /usr/local/bin/validns -p all -z ${i:T} -
.endfor
# When the servers disagree with our file, re-sign with a forced serial of
# YYYYMMDD followed by two digits of hour*4+minute/15 (see `resign` below).
regen-serial: regen-serial-${i:T}
regen-serial-${i:T}::
	@(./check-soa.sh ${i:T:S/_/\//} ${i}.signed || \
	( echo $i; \
	ods-signer sign ${i:T:S/_/\//} --serial `date +%Y%m%d``date +'%H*4+%M/15'|bc -q|xargs printf %02d`; \
	) \
	)
.endfor
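# Re-sign every zone, spreading the work evenly over the policy's resign
# interval, and force a serial of YYYYMMDD followed by two digits of
# hour*4+minutes/15, so the serial grows every 15 minutes instead of once an
# hour.  The interval is read from the OpenDNSSEC KASP database; the
# `opendnssec` DB user's password is taken from ~/.my.cnf, group
# [client_opendnssec] (--defaults-group-suffix), rather than being written
# here and passed on the command line where ps(1) and this file expose it.
# The shell variable is passed to awk with -v instead of being spliced into
# the program text.
# NOTE(review): parameter_id 1 of policy_id 1 is presumably the default
# policy's resign interval in seconds - confirm against the KASP schema.
resign::
	@export LANG=C; \
	zones="${SIGNED:T:R}"; \
	count=`echo $$zones | wc -w`; \
	time=`mysql --defaults-group-suffix=_opendnssec -u opendnssec opendnssec -e "select value from parameters_policies where parameter_id = 1 and policy_id = 1;"|tail -1`; \
	[ -n "$$time" ] || { echo "resign: cannot read the resign interval from the KASP database" >&2; exit 1; }; \
	sleep=`echo $$count | awk -v t="$$time" '{print int(10*t/$$1)/10}'`; \
	c=0; \
	for i in $$(echo $$zones | /usr/bin/random -w); \
	do \
	c=$$((c+1)); \
	printf "%5i / %5i = %s\\n" $$c $$count "$$i"; \
	/usr/local/sbin/ods-signer sign $$i --serial `date +%Y%m%d``date +'%H*4+%M/15'|bc -q|xargs printf %02d`; \
	sleep $$sleep; \
	done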
# Record the zone directory in its Mercurial repository (-A adds and removes
# files to match the working copy).  Failure is ignored (`-`) so an unchanged
# tree does not break `all`.  ${COMMIT} is expanded by make into the shell
# command line, so a message containing `"` would break quoting.
commit::
	-@/usr/bin/env HGUSER=namedb@ns1.absolight.net /usr/local/bin/hg commit -A -m "${COMMIT}"
# Alarm window for check-expire.awk, as a gdate -d relative expression.
# SOA refresh = 4 days, resign = 24 hours -> 2 days 12 hours: a small margin
# to absorb signer lag during a large resign run, but not so much that a real
# failure goes unnoticed.  The awk subtracts one hour for WARNING and one day
# for CRITICAL.
EXPIRY?=2 days 12 hours
# check-expire: the local signed files, then a random subset of zones as
# served by each public name server (AXFR mode of the check-expire script).
check-expire: check-expire-local
check-expire-local::
	-@./check-expire
.for i in 1 2 3 4
check-expire: check-expire-axfr-${i}
check-expire-axfr-${i}::
	-@./check-expire axfr ns${i}.absolight.net
.endfor