bind-configs/bin/binder

96 lines
4.5 KiB
Plaintext
Raw Normal View History

#!/bin/sh
# shellcheck shell=sh # Written to comply with POSIX IEEE Std 1003.1-2017
# NOTE(Krey): Define die()
command -v die 1>/dev/null || die() { ${PRINTF:-printf} "${DIE_FORMAT_STRING:-"%s\\n"}" "$2"; ${EXIT:-exit} "$1";}
# NOTE(Krey): Functions are a rewrite of https://git.dotya.ml/RXT0112/Exheredrey/src/branch/master/packages/net-dns/bind/bind.exher#L247 designed for Mokleus GNU/Linux
###! Binder function that signs the zonefiles for provided domain assuming FSH3_0 standard followed
###! SYNOPSIS: binder_signzone [DOMAIN(dotya.ml)]
###! Copyright: Created by Jacob Hrbek identified using a GPG key assigned to the electronic mail <kreyren@rixotstudio.cz> based on the keyserver <https://keys.openpgp.org> as GPLv3 license <https://www.gnu.org/licenses/gpl-3.0.en.html> in 30/10/2020-EU
binder_signzone() {
# Define input
domainInput="$1" # Expects domains alike 'dotya.ml'
for domain in $domainInput; do
# NOTE(Krey): Make sure that all zonefiles are valid
for zonefile in /etc/bind/zonefiles/"${domain##*.}"/"${domain%%.*}"/*.zonefile; do
${NAMED_CHECKZONE:-named-checkzone} domain "$zonefile" || die 1 "Check for zonefile '$zonefile' of domain '$domain' failed"
# NOTE(Krey): Sign the zone
${DNSSEC_SIGNZONE:-dnssec-signzone} \
-g \
-K "/var/cache/named/bind/keys/${domain##*.}/${domain%%.*}" \
-T 300 \
-n "$(nproc 2>/dev/null || printf 1)" \
"/etc/bind/zonefiles/${domain##*.}/${domain%%.*}/$zonefile" || {
case "$LANG" in
# NOTE-TRANSLATE(Krey): Translated via youtube(https://www.youtube.com/watch?v=ZIdrH9p8wek), might need spellcheck
sk-*) die 1 "ČOBOLO! AHO! AHO!" ;;
en-*|*) die 1 "Signing zone dotya.ml failed"
esac
}
done
done
}
###! Generate the rndc.conf and secret.rndc-key
###! Copyright: Created by Jacob Hrbek identified using a GPG key assigned to the electronic mail <kreyren@rixotstudio.cz> based on the keyserver <https://keys.openpgp.org> as GPLv3 license <https://www.gnu.org/licenses/gpl-3.0.en.html> in 30/10/2020-EU
binder_generate_rndc_key() {
# NOTE(Krey): rndc.key is harder to manage for public review
[ ! -f /etc/bind/rndc.key ] || ${MV:mv} /etc/bind/rndc.key /etc/bind/rndc.key.bk
# Generate the rndc.conf
[ -s /etc/bind/rndc.conf ] || { ${RNDC_CONFGEN:-rndc-confgen} \
-A hmac-sha512 \
-b 512 \
-u bind \
-p 953 \
> /etc/bind/rndc.conf ;} || {
case "$LANG" in
en-*|*) die 1 "Command '${RNDC_CONFGEN:-rndc-confgen}' was unable to generate the '/etc/bind/rndc.conf' file"
esac
}
[ -s "/etc/bind/secret.rndc-key" ] || {
{ ${GREP:-grep} "^#" "/etc/bind/rndc.conf" | ${GREP:-grep} "^# key" -A 3 | ${SED:-sed} "s/# //" > "/etc/bind/secret.rndc-key"
} || die 1 "Unable to generate 'secret.rndc-key'" ;}
# FIXME-QA(Krey): Sanitize
# SECURITY(Krey): Set the apropriate perms on secret.rndc-key
${CHMOD:-chmod} 0640 "/etc/bind/secret.rndc-key" || die 1 "Unable to set the expected permission on file '/etc/bind/secret.rndc-key'"
# FIXME-QA(Krey): Sanitize
# SECURITY(Krey): Set the apropriate perms on secret.rndc-key
${CHOWN:-chown} bind:bind "/etc/bind/secret.rndc-key" || die 1 "Unable to set the expected ownership on file '/etc/bind/secret.rndc-key'"
# SECURITY(Krey): By default rndc.conf has CONFIDENTIAL INFORMATIONS, this will strip them
${GREP:-grep} "^# " "/etc/bind/rndc.conf" >/dev/null || { { ${PRINTF:-printf} 'g/# .*/d\nw\nq\n' | ${ED:-ed} -s "/etc/bind/rndc.conf" ;} || die 28 "SECURITY WARNING UNABLE TO REMOVE CONFIDENTIAL INFORMATIONS FROM FILE '/etc/bind/rndc.conf'" ;}
}
###! Function used to generate the KSK and ZSK
###! SYNOPSIS: binder_generate_keys [DOMAIN(dotya.ml)]
###! Copyright: Created by Jacob Hrbek identified using a GPG key assigned to the electronic mail <kreyren@rixotstudio.cz> based on the keyserver <https://keys.openpgp.org> as GPLv3 license <https://www.gnu.org/licenses/gpl-3.0.en.html> in 30/10/2020-EU
binder_generate_keys() {
# Define input
domainInput="$1" # Expects domains alike 'dotya.ml'
for domain in $domainInput; do
# FIXME-QA(Krey): Sanitize
# Generate Key-Signing Key (KSK)
${DNSSEC_KEYGEN:-dnssec-keygen} \
-a "ECDSAP384SHA384" \
-f KSK \
-c IN \
-L 300 \
-K "/var/cache/named/bind/keys/${domain##*.}/${domain%%.*}" "$domain" || die 1 "Unable to generate Key-Signing Key (KSK) for domain '$domain'"
# Generate Zone-Signing Key (ZSK)
${DNSSEC_KEYGEN:-dnssec-keygen} \
-a ECDSAP384SHA384\
-n ZONE \
-c IN \
-L 300 \
-K "/var/cache/named/bind/keys/${domain##*.}/${domain%%.*}" "$domain" || die 1 "Unable to generate Zone-Signing Key (ZSK) for domain '$domain'"
done
}