@suominen
Created April 25, 2023 20:31
Fix large TTLs in signed zones (BIND)
#!/bin/sh
#
# Fix signed zones with excessively high TTLs
#
# 20230425 Kimmo Suominen
#
# Abort on the first failing command or unset variable: this script
# renames zone files, so never carry on from a half-done state.
set -eu
# Only /bin and /usr/bin are searched for named-checkzone,
# dnssec-signzone and the text utilities used below.
export PATH=/bin:/usr/bin
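#######################################
# Map a zone file base name to the origin of the zone it holds.
# Arguments:
#   $1 - base name of the zone file (".signed" already stripped)
#        a.b.c.rev          -> c.b.a.in-addr.arpa
#        2001.db8.1234.rev  -> 4.3.2.1.8.b.d.0.1.0.0.2.ip6.arpa
#        anything else      -> returned unchanged (forward zone)
# Outputs:
#   the origin on stdout, newline terminated
#######################################
get_zone()
{
  case "${1}" in
  2[0-9a-f][0-9a-f][0-9a-f].*.rev)
    # First label is four hex digits starting with 2 (2000::/3),
    # so this is an IPv6 prefix.
    printf '%s.ip6.arpa\n' "$(rev_ipv6 "${1}")"
    ;;
  *.rev)
    printf '%s.in-addr.arpa\n' "$(rev_ipv4 "${1}")"
    ;;
  *)
    # printf rather than echo: sh's echo may interpret backslashes
    # or a leading "-" found in the name.
    printf '%s\n' "${1}"
    ;;
  esac
}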
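#######################################
# Reverse an IPv4 prefix given as a zone file name.
# Arguments:
#   $1 - dotted octets followed by one more label, e.g. 192.168.1.rev;
#        the final label is discarded
# Outputs:
#   the octets in reverse order, e.g. 1.168.192, newline terminated,
#   without the in-addr.arpa suffix
#######################################
rev_ipv4()
{
  local rest octet reversed
  # Drop the trailing label (".rev") and keep the octets.  Done with
  # parameter expansion instead of tr|tac|sed|paste: no forks and no
  # dependency on GNU tac in a #!/bin/sh script.
  rest=${1%.*}
  reversed=
  while [ -n "${rest}" ]
  do
    case "${rest}" in
    *.*) octet=${rest%%.*}; rest=${rest#*.} ;;
    *) octet=${rest}; rest= ;;
    esac
    # Prepend, so the first octet read ends up last.
    reversed="${octet}${reversed:+.${reversed}}"
  done
  printf '%s\n' "${reversed}"
}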
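#######################################
# Reverse an IPv6 prefix given as a zone file name into nibble form.
# Arguments:
#   $1 - dotted hex groups with a trailing ".rev", e.g. 2001.db8.1234.rev
#        (groups need not be zero padded)
# Outputs:
#   the nibbles in reverse order, dot separated, newline terminated,
#   e.g. 4.3.2.1.8.b.d.0.1.0.0.2, without the ip6.arpa suffix;
#   empty input yields an empty line
#######################################
rev_ipv6()
{
  local rest group nibbles reversed
  rest=${1%.rev}
  nibbles=
  # Expand every group to four hex digits and concatenate them.
  # Pure parameter expansion: no pipeline subshell, no util-linux rev.
  while [ -n "${rest}" ]
  do
    case "${rest}" in
    *.*) group=${rest%%.*}; rest=${rest#*.} ;;
    *) group=${rest}; rest= ;;
    esac
    nibbles="${nibbles}$(printf '%04x' "0x${group}")"
  done
  # Emit the nibbles last-to-first with a dot after each, then drop
  # the trailing dot.
  reversed=
  while [ -n "${nibbles}" ]
  do
    reversed="${reversed}${nibbles#"${nibbles%?}"}."
    nibbles=${nibbles%?}
  done
  printf '%s\n' "${reversed%.}"
}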
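# Zone files live here; the signing keys are expected in ../keys, so
# the script needs read access to the private keys.  A failing cd
# aborts the script (set -e).
cd /var/cache/bind/pri
for file in *.signed
do
  # sh leaves the literal pattern in ${file} when nothing matches.
  [ -e "${file}" ] || continue
  # NOTE: a leftover ${file}.signed from an interrupted run would also
  # match this glob, with a bogus origin; remove such files by hand.
  base="${file%.signed}"
  zone="$(get_zone "${base}")"
  # Dry-run aid: list the file/origin mapping without touching anything.
  # printf '%35s %-35s\n' "${file}" "${zone}"
  # continue
  # -l 86400 makes named-checkzone reject the zone when any record
  # carries a TTL above 86400; -j also reads the journal if one exists.
  if named-checkzone -l 86400 -f raw -j "${zone}" "${file}"
  then
    continue
  fi
  # Re-sign with the TTL capped at 86400 (-M) and the serial bumped
  # (-N increment).  dnssec-signzone writes ${file}.signed; swap it in
  # and keep the previous copy as ${file}.OLD.  A failed mv aborts the
  # script (set -e) so the directory is never left without the file.
  if dnssec-signzone \
    -K ../keys \
    -M 86400 \
    -N increment \
    -I raw \
    -O raw \
    -o "${zone}" \
    "${file}"
  then
    mv "${file}" "${file}.OLD"
    mv "${file}.signed" "${file}"
  else
    # Do not abort on a signing failure, other zones may still be
    # fixable, but say so on stderr instead of moving on silently.
    printf 'warning: re-signing %s (%s) failed, file left unchanged\n' \
      "${file}" "${zone}" >&2
  fi
done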