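#!/bin/sh
# shellcheck shell=sh
# Written to comply with POSIX IEEE Std 1003.1-2017
#
# NOTE(Krey): Functions are a rewrite of https://git.dotya.ml/RXT0112/Exheredrey/src/branch/master/packages/net-dns/bind/bind.exher#L247 designed for Mokleus GNU/Linux
#
# Every external tool is invoked through an overridable variable (${TOOL:-tool})
# so that callers and tests can substitute wrappers.  POSIX sh has no 'local',
# so the working variables below are deliberately global.

# NOTE(Krey): Define die() unless the environment already provides one.
# die EXIT_CODE MESSAGE — print MESSAGE (via DIE_FORMAT_STRING, default '%s\n')
# on stderr and exit with EXIT_CODE.  Diagnostics go to stderr so they never
# pollute captured or redirected stdout.
command -v die 1>/dev/null || die() {
  ${PRINTF:-printf} "${DIE_FORMAT_STRING:-%s\\n}" "$2" >&2
  ${EXIT:-exit} "$1"
}

###! Validate a domain before it is turned into filesystem paths
###! SYNOPSIS: binder_check_domain DOMAIN
###! The on-disk layout used by the functions below is <base>/<TLD>/<name>/,
###! derived as ${domain##*.} (TLD) and ${domain%%.*} (first label).  Only a
###! two-label name such as 'dotya.ml' maps onto that layout, so anything else
###! (more labels, empty labels, a leading '-', characters outside
###! [A-Za-z0-9.-] such as '/' or whitespace) is rejected here rather than being
###! silently mapped to the wrong directory or used for path traversal through $1.
###! Dies with exit code 2 on an invalid domain; returns 0 otherwise.
binder_check_domain() {
  case "$1" in
    "") die 2 "Domain must not be empty, expected a name alike 'dotya.ml'" ;;
    *[!A-Za-z0-9.-]*) die 2 "Domain '$1' contains characters outside [A-Za-z0-9.-]" ;;
    -*) die 2 "Domain '$1' must not start with '-'" ;;
    .*|*.|*..*) die 2 "Domain '$1' contains an empty label" ;;
    *.*.*) die 2 "Domain '$1' has more than two labels, which the <tld>/<name> directory layout cannot represent" ;;
    *.*) : ;;
    *) die 2 "Domain '$1' is not a two-label name alike 'dotya.ml'" ;;
  esac
}

###! Binder function that signs the zonefiles for provided domain assuming FSH3_0 standard followed
###! SYNOPSIS: binder_signzone [DOMAIN(dotya.ml)]
###! Copyright: Created by Jacob Hrbek identified using a GPG key assigned to the electronic mail based on the keyserver as GPLv3 license in 30/10/2020-EU
###! Arguments: $1 — whitespace-separated list of two-label domains
###! Reads:     /etc/bind/zonefiles/<tld>/<name>/*.zonefile
###!            /var/cache/named/bind/keys/<tld>/<name>/ (keys from binder_generate_keys)
###! Dies on empty input, on an invalid domain, when no zonefile exists, and on the
###! first zonefile that fails named-checkzone or dnssec-signzone.
binder_signzone() {
  # Define input
  domainInput="$1" # Expects domains alike 'dotya.ml'
  [ -n "$domainInput" ] || die 2 "binder_signzone: expected at least one domain alike 'dotya.ml'"

  # Intentional word-splitting: $1 may carry several domains
  for domain in $domainInput; do
    binder_check_domain "$domain"
    zonedir="/etc/bind/zonefiles/${domain##*.}/${domain%%.*}"
    keydir="/var/cache/named/bind/keys/${domain##*.}/${domain%%.*}"

    # NOTE(Krey): Make sure that all zonefiles are valid
    for zonefile in "$zonedir"/*.zonefile; do
      # An unmatched glob leaves the literal pattern behind; never try to sign that
      [ -f "$zonefile" ] || die 1 "No '*.zonefile' found in '$zonedir' for domain '$domain'"

      # The zone origin is the domain itself (the previous code passed the literal word 'domain')
      ${NAMED_CHECKZONE:-named-checkzone} "$domain" "$zonefile" \
        || die 1 "Check for zonefile '$zonefile' of domain '$domain' failed"

      # NOTE(Krey): Sign the zone
      # $zonefile already carries the full path from the glob above, so it is not
      # prefixed with $zonedir again.  '-o' pins the origin; without it
      # dnssec-signzone derives the origin from the file name ('<x>.zonefile').
      ${DNSSEC_SIGNZONE:-dnssec-signzone} \
        -g \
        -o "$domain" \
        -K "$keydir" \
        -T 300 \
        -n "$(nproc 2>/dev/null || printf 1)" \
        "$zonefile" \
        || die 1 "Signing zone '$domain' from zonefile '$zonefile' failed"
    done
  done
}

###! Generate the rndc.conf and secret.rndc-key
###! Copyright: Created by Jacob Hrbek identified using a GPG key assigned to the electronic mail based on the keyserver as GPLv3 license in 30/10/2020-EU
###! Writes: /etc/bind/rndc.conf       (rndc client config; its 'key' stanza holds the HMAC secret)
###!         /etc/bind/secret.rndc-key (the 'key' stanza alone, for inclusion in named.conf)
###!         /etc/bind/rndc.key.bk     (a pre-existing rndc.key moved out of the way)
###! Both generated files are written under umask 077 and then set to 0640 bind:bind,
###! and the commented named.conf snippet (which repeats the secret) is stripped
###! from rndc.conf.  Existing non-empty files are kept, so the function is re-runnable.
binder_generate_rndc_key() {
  rndcConf="/etc/bind/rndc.conf"
  rndcKeyFile="/etc/bind/secret.rndc-key"

  # NOTE(Krey): rndc.key is harder to manage for public review
  # SECURITY(Krey): the backup still holds a valid secret — mv keeps its mode,
  # but remove it once the new key is deployed.  (${MV:mv} was a typo for ${MV:-mv}.)
  [ ! -f /etc/bind/rndc.key ] || ${MV:-mv} /etc/bind/rndc.key /etc/bind/rndc.key.bk \
    || die 1 "Unable to move '/etc/bind/rndc.key' to '/etc/bind/rndc.key.bk'"

  # Generate the rndc.conf.  The subshell umask means the secret is never on disk
  # world-readable, not even between creation and the chmod below; a failed run
  # leaves no partial file behind.
  [ -s "$rndcConf" ] || (
    umask 077
    ${RNDC_CONFGEN:-rndc-confgen} \
      -A hmac-sha512 \
      -b 512 \
      -u bind \
      -p 953 \
      > "$rndcConf"
  ) || {
    ${RM:-rm} -f "$rndcConf"
    die 1 "Command '${RNDC_CONFGEN:-rndc-confgen}' was unable to generate the '$rndcConf' file"
  }

  # rndc-confgen appends the named.conf snippet as '# ' comments; lift the 'key'
  # stanza out of it, from '# key' up to and including '# };'.  awk replaces the
  # previous 'grep -A 3', which is a GNU extension rather than POSIX.
  [ -s "$rndcKeyFile" ] || (
    umask 077
    ${AWK:-awk} '
      /^# key /      { inKey = 1 }
      inKey          { sub(/^# /, ""); print }
      inKey && /^};/ { exit }
    ' "$rndcConf" > "$rndcKeyFile"
  ) || die 1 "Unable to generate '$rndcKeyFile'"
  # awk exits 0 even when no stanza matched, so check the result explicitly
  [ -s "$rndcKeyFile" ] || die 1 "No '# key' stanza found in '$rndcConf', unable to generate '$rndcKeyFile'"

  # SECURITY(Krey): Set the appropriate perms and ownership on both files — the
  # uncommented 'key' stanza in rndc.conf carries the same secret as secret.rndc-key
  for secretFile in "$rndcKeyFile" "$rndcConf"; do
    ${CHMOD:-chmod} 0640 "$secretFile" \
      || die 1 "Unable to set the expected permission on file '$secretFile'"
    ${CHOWN:-chown} bind:bind "$secretFile" \
      || die 1 "Unable to set the expected ownership on file '$secretFile'"
  done

  # SECURITY(Krey): By default rndc.conf has CONFIDENTIAL INFORMATIONS in the
  # commented named.conf snippet, this will strip them.  The previous test was
  # inverted (ed only ran when there were NO '# ' lines), so nothing was removed.
  if ${GREP:-grep} -q "^# " "$rndcConf"; then
    ${PRINTF:-printf} 'g/# .*/d\nw\nq\n' | ${ED:-ed} -s "$rndcConf" \
      || die 28 "SECURITY WARNING UNABLE TO REMOVE CONFIDENTIAL INFORMATIONS FROM FILE '$rndcConf'"
  fi
  # Verify the edit instead of trusting ed's exit status
  if ${GREP:-grep} -q "^# " "$rndcConf"; then
    die 28 "SECURITY WARNING CONFIDENTIAL INFORMATIONS STILL PRESENT IN FILE '$rndcConf'"
  fi
}

###! Function used to generate the KSK and ZSK
###! SYNOPSIS: binder_generate_keys [DOMAIN(dotya.ml)]
###! Copyright: Created by Jacob Hrbek identified using a GPG key assigned to the electronic mail based on the keyserver as GPLv3 license in 30/10/2020-EU
###! Arguments: $1 — whitespace-separated list of two-label domains
###! Writes:    /var/cache/named/bind/keys/<tld>/<name>/K<domain>.+014+<id>.{key,private}
###!            (one KSK and one ZSK, ECDSAP384SHA384, DNSKEY TTL 300, class IN)
###! Each call generates a fresh key pair; it does not reuse existing keys.
###! Dies on empty input, on an invalid domain, or when dnssec-keygen fails.
binder_generate_keys() {
  # Define input
  domainInput="$1" # Expects domains alike 'dotya.ml'
  [ -n "$domainInput" ] || die 2 "binder_generate_keys: expected at least one domain alike 'dotya.ml'"

  # Intentional word-splitting: $1 may carry several domains
  for domain in $domainInput; do
    binder_check_domain "$domain"
    keydir="/var/cache/named/bind/keys/${domain##*.}/${domain%%.*}"

    # dnssec-keygen does not create its -K directory.  The private halves of the
    # keys land here, so keep the directory restricted and owned like the rndc
    # secret (bind:bind, group-readable, world-inaccessible).
    [ -d "$keydir" ] || ${MKDIR:-mkdir} -p "$keydir" \
      || die 1 "Unable to create key directory '$keydir' for domain '$domain'"
    ${CHMOD:-chmod} 0750 "$keydir" \
      || die 1 "Unable to set the expected permission on directory '$keydir'"
    ${CHOWN:-chown} bind:bind "$keydir" \
      || die 1 "Unable to set the expected ownership on directory '$keydir'"

    # Generate Key-Signing Key (KSK); -n ZONE is dnssec-keygen's default, spelled
    # out so the two invocations read the same
    ${DNSSEC_KEYGEN:-dnssec-keygen} \
      -a ECDSAP384SHA384 \
      -f KSK \
      -n ZONE \
      -c IN \
      -L 300 \
      -K "$keydir" \
      "$domain" \
      || die 1 "Unable to generate Key-Signing Key (KSK) for domain '$domain'"

    # Generate Zone-Signing Key (ZSK)
    ${DNSSEC_KEYGEN:-dnssec-keygen} \
      -a ECDSAP384SHA384 \
      -n ZONE \
      -c IN \
      -L 300 \
      -K "$keydir" \
      "$domain" \
      || die 1 "Unable to generate Zone-Signing Key (ZSK) for domain '$domain'"
  done
}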