#!/bin/sh
# shellcheck shell=sh # Written to comply with POSIX IEEE Std 1003.1-2017
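# NOTE(Krey): Define die()
# Usage: die EXIT_CODE MESSAGE
# Prints MESSAGE on stderr using DIE_FORMAT_STRING (default '%s\n') as the printf format
# and exits the shell with EXIT_CODE. Only defined when no die() is already available
# (e.g. one provided by a sourcing script), so the sourcing script's version wins.
# Diagnostics go to stderr so they never land in a file or $(...) that captures stdout.
# NOTE: DIE_FORMAT_STRING is used as the printf *format*, so it must come from trusted
# configuration only, never from user-supplied input.
command -v die 1>/dev/null || die() { ${PRINTF:-printf} "${DIE_FORMAT_STRING:-"%s\\n"}" "$2" >&2; ${EXIT:-exit} "$1";}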
# NOTE(Krey): Functions are a rewrite of https://git.dotya.ml/RXT0112/Exheredrey/src/branch/master/packages/net-dns/bind/bind.exher#L247 designed for Mokleus GNU/Linux
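###! Binder function that signs the zonefiles for the provided domain, assuming the FSH3_0 standard is followed
###! SYNOPSIS: binder_signzone [DOMAIN(dotya.ml)]
###! Environment:
###!   BIND_ZONEDIR (default /etc/bind/zonefiles)       - root of the per-domain zonefile tree
###!   BIND_KEYDIR  (default /var/cache/named/bind/keys) - root of the per-domain key tree
###!   NAMED_CHECKZONE, DNSSEC_SIGNZONE                  - override the binaries used
###! Layout: <root>/<TLD>/<first label>/, e.g. dotya.ml -> <root>/ml/dotya/
###!   (middle labels of deeper names such as a.b.tld are dropped by this mapping)
###! Exits via die() on the first zonefile that fails validation or signing
###! Copyright: Created by Jacob Hrbek identified using a GPG key assigned to the electronic mail <kreyren@rixotstudio.cz> based on the keyserver <https://keys.openpgp.org> as GPLv3 license <https://www.gnu.org/licenses/gpl-3.0.en.html> in 30/10/2020-EU
binder_signzone() {
	# Define input
	domainInput="$1" # Expects domains alike 'dotya.ml'; several may be separated by whitespace

	zoneRoot="${BIND_ZONEDIR:-/etc/bind/zonefiles}"
	keyRoot="${BIND_KEYDIR:-/var/cache/named/bind/keys}"

	# NOTE: word-splitting of $domainInput is intentional so that 'a.tld b.tld' signs both
	for domain in $domainInput; do
		zoneDir="$zoneRoot/${domain##*.}/${domain%%.*}"
		keyDir="$keyRoot/${domain##*.}/${domain%%.*}"

		for zonefile in "$zoneDir"/*.zonefile; do
			# An unmatched glob leaves the literal pattern behind in POSIX sh; report that
			# clearly instead of handing '*.zonefile' to named-checkzone
			[ -e "$zonefile" ] || die 1 "No '*.zonefile' found in '$zoneDir' for domain '$domain'"

			# NOTE(Krey): Make sure that all zonefiles are valid
			# The zone origin is the domain itself (the earlier literal word 'domain' was a bug)
			${NAMED_CHECKZONE:-named-checkzone} "$domain" "$zonefile" || die 1 "Check for zonefile '$zonefile' of domain '$domain' failed"

			# NOTE(Krey): Sign the zone
			# -o: without an explicit origin dnssec-signzone derives it from the file name
			#     ('<something>.zonefile'), which is never the zone name
			# $zonefile already is the full path produced by the glob above, so it must not
			# be prefixed with the directory a second time
			${DNSSEC_SIGNZONE:-dnssec-signzone} \
				-g \
				-K "$keyDir" \
				-T 300 \
				-n "$(nproc 2>/dev/null || printf 1)" \
				-o "$domain" \
				"$zonefile" || {
				# LANG is of the form 'sk_SK.UTF-8' (underscore), so match both separators
				case "$LANG" in
					# NOTE-TRANSLATE(Krey): Translated via youtube(https://www.youtube.com/watch?v=ZIdrH9p8wek), might need spellcheck
					sk_*|sk-*) die 1 "ČOBOLO! AHO! AHO!" ;;
					en-*|*) die 1 "Signing zone '$domain' (zonefile '$zonefile') failed"
				esac
			}
		done
	done
}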
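###! Generate the rndc.conf and secret.rndc-key
###! SYNOPSIS: binder_generate_rndc_key
###! Environment:
###!   BIND_CONFDIR (default /etc/bind)                         - directory holding rndc.conf / secret.rndc-key
###!   RNDC_CONFGEN, GREP, SED, CHMOD, CHOWN, ED, MV, PRINTF    - override the binaries used
###! An existing non-empty rndc.conf / secret.rndc-key is kept as is; only missing files are generated
###! Copyright: Created by Jacob Hrbek identified using a GPG key assigned to the electronic mail <kreyren@rixotstudio.cz> based on the keyserver <https://keys.openpgp.org> as GPLv3 license <https://www.gnu.org/licenses/gpl-3.0.en.html> in 30/10/2020-EU
binder_generate_rndc_key() {
	confDir="${BIND_CONFDIR:-/etc/bind}"
	rndcConf="$confDir/rndc.conf"
	rndcSecret="$confDir/secret.rndc-key"

	# NOTE(Krey): rndc.key is harder to manage for public review
	# NOTE: '${MV:mv}' in the previous version was a typo for '${MV:-mv}' and expanded to nothing
	# The backup still holds the old secret on disk; remove it once the new key is confirmed working
	[ ! -f "$confDir/rndc.key" ] || ${MV:-mv} "$confDir/rndc.key" "$confDir/rndc.key.bk" || die 1 "Unable to move '$confDir/rndc.key' to '$confDir/rndc.key.bk'"

	# Generate the rndc.conf, skipped when a non-empty one already exists
	# SECURITY: the generated file carries the live HMAC secret, so it is created under
	# umask 077 (mode 0600, owned by the caller) instead of the caller's umask; loosen it
	# deliberately if a non-root operator must run rndc. A failed run may leave an empty
	# file behind, which the '-s' test treats as missing on the next run.
	[ -s "$rndcConf" ] || ( umask 077 && ${RNDC_CONFGEN:-rndc-confgen} \
		-A hmac-sha512 \
		-b 512 \
		-u bind \
		-p 953 \
		> "$rndcConf" ) || die 1 "Command '${RNDC_CONFGEN:-rndc-confgen}' was unable to generate the '$rndcConf' file"

	# Extract the commented-out 'key' block that rndc-confgen appends for use in named.conf
	# (the '# key' line and the three lines after it), stripping the '# ' prefix.
	# The block is captured first so that an empty result is detected: in a plain pipeline
	# only sed's exit status would be visible and a missing key block would go unnoticed.
	[ -s "$rndcSecret" ] || {
		keyBlock="$(${GREP:-grep} "^#" "$rndcConf" | ${GREP:-grep} -A 3 "^# key")"
		[ -n "$keyBlock" ] || die 1 "Unable to generate 'secret.rndc-key': no commented key block found in '$rndcConf'"
		# SECURITY: create the file under umask 077 so the secret is never world readable,
		# not even in the window before the chmod below
		( umask 077 && ${PRINTF:-printf} '%s\n' "$keyBlock" | ${SED:-sed} "s/^# //" > "$rndcSecret" ) || die 1 "Unable to generate 'secret.rndc-key'"
	}

	# FIXME-QA(Krey): Sanitize
	# SECURITY(Krey): Set the apropriate perms on secret.rndc-key
	${CHMOD:-chmod} 0640 "$rndcSecret" || die 1 "Unable to set the expected permission on file '$rndcSecret'"

	# SECURITY(Krey): Hand the secret to the bind user/group; together with 0640 only they can read it
	${CHOWN:-chown} bind:bind "$rndcSecret" || die 1 "Unable to set the expected ownership on file '$rndcSecret'"

	# SECURITY(Krey): By default rndc.conf has CONFIDENTIAL INFORMATIONS, this will strip them
	# The previous condition was inverted (the comments were only stripped when none were present);
	# strip whenever a '# ' line exists. The pattern is anchored like the grep so that only
	# comment lines are deleted, never a configuration line that happens to contain '# '.
	# NOTE: the uncommented 'key' block with the same secret stays in rndc.conf because rndc
	# needs it, so the file's permissions matter as much as those of secret.rndc-key.
	if ${GREP:-grep} -q "^# " "$rndcConf"; then
		{ ${PRINTF:-printf} 'g/^# .*/d\nw\nq\n' | ${ED:-ed} -s "$rndcConf" ;} || die 28 "SECURITY WARNING UNABLE TO REMOVE CONFIDENTIAL INFORMATIONS FROM FILE '$rndcConf'"
	fi
}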
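###! Function used to generate the KSK and ZSK
###! SYNOPSIS: binder_generate_keys [DOMAIN(dotya.ml)]
###! Environment:
###!   BIND_KEYDIR (default /var/cache/named/bind/keys) - root of the per-domain key tree
###!   DNSSEC_KEYGEN                                     - override the binary used
###! Keys are written to <BIND_KEYDIR>/<TLD>/<first label>/ (e.g. dotya.ml -> .../ml/dotya/);
###! that directory must already exist, this function does not create it
###! Exits via die() on the first key that cannot be generated
###! Copyright: Created by Jacob Hrbek identified using a GPG key assigned to the electronic mail <kreyren@rixotstudio.cz> based on the keyserver <https://keys.openpgp.org> as GPLv3 license <https://www.gnu.org/licenses/gpl-3.0.en.html> in 30/10/2020-EU
binder_generate_keys() {
	# Define input
	domainInput="$1" # Expects domains alike 'dotya.ml'; several may be separated by whitespace

	keyRoot="${BIND_KEYDIR:-/var/cache/named/bind/keys}"

	# NOTE: word-splitting of $domainInput is intentional so that 'a.tld b.tld' gets keys for both
	for domain in $domainInput; do
		keyDir="$keyRoot/${domain##*.}/${domain%%.*}"

		# FIXME-QA(Krey): Sanitize
		# Generate Key-Signing Key (KSK)
		# -n ZONE is dnssec-keygen's default; spelled out so both calls read the same
		${DNSSEC_KEYGEN:-dnssec-keygen} \
			-a ECDSAP384SHA384 \
			-f KSK \
			-n ZONE \
			-c IN \
			-L 300 \
			-K "$keyDir" "$domain" || die 1 "Unable to generate Key-Signing Key (KSK) for domain '$domain'"

		# Generate Zone-Signing Key (ZSK)
		# NOTE: keep a space before every continuation backslash; 'ECDSAP384SHA384\' directly
		# followed by an unindented line glues the next option onto the algorithm name
		${DNSSEC_KEYGEN:-dnssec-keygen} \
			-a ECDSAP384SHA384 \
			-n ZONE \
			-c IN \
			-L 300 \
			-K "$keyDir" "$domain" || die 1 "Unable to generate Zone-Signing Key (ZSK) for domain '$domain'"
	done
}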