In continuation of this:

DLV is gone, and the .mobi zone is not yet signed. What to do? Wait and be prepared.

I've inquired with Afilias regarding potential .mobi signing. They assured me it's on the list, with no precise ETA though. Nevertheless, the statement was: "We are currently in the process of signing the .MOBI Zone. This may take upwards of two or more months to complete." Pretty encouraging, huh?

Anyway. With DLV, key rollover doesn't really matter: you just submit your zone key and that's it. With a signed parent you submit a DS record to the upstream zone, and that may be the DS of either the zone signing key or the key signing key. So here is the newer version of the script that manages zone signing for NSD through a Makefile.

The Makefile itself could be reused from the previous part with slight modification; the current version is at the bottom.

This script also performs key rollover, hence it now has commands apart from pure zone signing. The roll command only does useful work when executed at a key expiration boundary: the original key expiration or the crossing of the roll margin. In all other circumstances it simply exits, as it has nothing to do.
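The three age windows that decide what roll does (valid key, key rolling out, expired key) are the find -mtime tests used in the script below. As an added example that is not part of the original post, the following creates constructed key files at different ages in a scratch directory and classifies them with the same expressions; it also shows the one-day gap that find's truncation of fractional days leaves at the KKT boundary. It assumes GNU find, touch and date, as the script itself does; zone name, key tags, the 3-day/2-day periods and the dummy DNSKEY contents are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: exercises the three key-age windows the
# script tests with find -mtime (-KKT: valid, +KKT/-(KKT+KST): rolling out,
# +(KKT+KST): expired, to be deleted) on constructed key files in a scratch directory.
# Assumes GNU find, touch and date, as the script itself does. Zone name, key tags,
# the 3/2-day periods and the dummy DNSKEY contents are constructed for the demo.
ZONE=example.mobi
KKT=3		# key validity time in days (short, for the demo)
KST=2		# rotation margin in days

# The same find expressions as the script, reduced to the file name
valid_keys()   { find . -name "K$ZONE.+0*+*.key" -mtime -"$KKT" -printf '%f\n' | sort; }
rolling_keys() { find . -name "K$ZONE.+0*+*.key" -mtime +"$KKT" -mtime -"$((KKT+KST))" -printf '%f\n' | sort; }
expired_keys() { find . -name "K$ZONE.+0*+*.key" -mtime +"$((KKT+KST))" -printf '%f\n' | sort; }

# mkkey TAG AGE_SECONDS: write a KSK-style key file and back-date its mtime by AGE
mkkey() {
	f="K$ZONE.+013+$1.key"
	printf '%s. IN DNSKEY 257 3 13 AAAA ;{id = %s (ksk), size = 384b}\n' "$ZONE" "$1" > "$f"
	touch -d "@$(( $(date +%s) - $2 ))" "$f"
}

# Four keys at different ages; find discards the fractional day, so the 3.5-day-old
# key counts as 3 days: neither younger than KKT (valid) nor older than KKT (rolling)
setup_demo() {
	DEMODIR=$(mktemp -d) && cd "$DEMODIR" || return 1
	mkkey 11111 $(( 1*86400 ))		# 1 day:    valid, signs alone
	mkkey 22222 $(( 3*86400 + 43200 ))	# 3.5 days: in no window until tomorrow
	mkkey 33333 $(( 4*86400 ))		# 4 days:   rolling out, signs alongside a new key
	mkkey 44444 $(( 6*86400 ))		# 6 days:   expired, the script's cleanup deletes it
}

setup_demo
trap 'cd / && rm -rf "$DEMODIR"' EXIT
echo "valid:   $(valid_keys)"
echo "rolling: $(rolling_keys)"
echo "expired: $(expired_keys)"
```

A daily cron run that lands in that gap day sees neither a valid nor a rolling key; the script then generates a fresh key and, in roll mode, exits with "Nothing to roll" until the next day.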


#!/bin/sh
# Input parameters:
if [ $# -lt 2 ]; then
	echo "Usage: $0 <cmd> <zone-file|zone file>"
	echo "    cmd:       sign, roll, or any other word."
	echo "        - sign: will ultimately try to sign zone file,"
	echo "                generating keys on the fly when needed"
	echo "        - roll: will only check for key rollover time"
	echo "                and generate/sign when keys are expired"
	echo "        - any other word, e.g. test, will make a dry run"
	echo "    zone-file: unsigned zone file having \$ORIGIN at start"
	echo "               zone will be extracted from the \$ORIGIN"
	echo "    zone:      target zone name - explicitly provided"
	echo "    file:      target file to be signed"
	echo "    Note that zone is used to find keys in \$PWD/K\$ZONE.*"
	exit 1
fi
CMD=$1
# Either "<zone-file>" alone or "<zone> <file>" (argument order assumed from the usage text)
if [ $# -ge 3 ]; then
	ZONE=$2; FILE=$3
else
	FILE=$2
fi

# key validity time (days; the original values are not on this page, so they must be set
# in the environment, e.g. KKT=365 ZKT=90)
: "${KKT:?KSK validity time in days}"
: "${ZKT:?ZSK validity time in days}"
# key validity shift time - rotation margin (days; same remark, e.g. KST=30)
: "${KST:?rotation margin in days}"
# Ok, but I'm always using $ORIGIN at the beginning of the zone, so why bother
if [ -z "$ZONE" ]; then
	ZONE=$(head -5 "$FILE" | awk '/^\$ORIGIN /{print$2}' | sed 's/\.$//')
fi

# Checking existing keys - the newest key that is still younger than its validity time
KSK=$(find . -name "K$ZONE.+0*+*.key" -mtime -$KKT -exec grep -q ksk \{} \; \
		-printf '%T@ %f\n' |\
	 sort -rn | head -1 | sed 's/[0-9.]\+ //;s/.key$//')
ZSK=$(find . -name "K$ZONE.+0*+*.key" -mtime -$ZKT -exec grep -q zsk \{} \; \
		-printf '%T@ %f\n' |\
	 sort -rn | head -1 | sed 's/[0-9.]\+ //;s/.key$//')
# Find old keys for rotation - past the validity time but still inside the rotation margin
KKO=$(find . -name "K$ZONE.+0*+*.key" -mtime +$KKT -mtime -$(($KKT+$KST)) \
		-exec grep -q ksk \{} \; -printf '%T@ %f\n'\
	| sort -rn | head -1 | sed 's/[0-9.]\+ //;s/.key$//')
ZKO=$(find . -name "K$ZONE.+0*+*.key" -mtime +$ZKT -mtime -$(($ZKT+$KST)) \
		-exec grep -q zsk \{} \; -printf '%T@ %f\n'\
	| sort -rn | head -1 | sed 's/[0-9.]\+ //;s/.key$//')
# If there're no suitable keys
if [ "x" = "x$KSK" ]; then
	# Generating new key (only for the real commands, never in a dry run)
	echo "No valid KSK found, generating new for $ZONE"
	# ISC DLV is not doing EC, switch to RSASHA1 for ISC DLV
	#KSK=$(ldns-keygen -a RSASHA1_NSEC3 -b 2048 -k $ZONE)
	[ "x$CMD" = "xsign" -o "x$CMD" = "xroll" ] && KSK=$(ldns-keygen -a ECDSAP384SHA384 -k $ZONE)
fi
if [ "x" = "x$ZSK" ]; then
	# Generating new keys
	echo "No valid ZSK found, generating new for $ZONE"
	# ISC DLV is not doing EC, switch to RSASHA1 for ISC DLV
	#ZSK=$(ldns-keygen -a RSASHA1_NSEC3 -b 1024 $ZONE)
	[ "x$CMD" = "xsign" -o "x$CMD" = "xroll" ] && ZSK=$(ldns-keygen -a ECDSAP256SHA256 $ZONE)
fi
# do rolled keys cleanup, also skip if nothing to roll
if [ "x$CMD" = "xroll" -o "x$CMD" = "xsign" ] && [ -z "$ZKO" -a -z "$KKO" ]; then
	# keys that are past validity time plus rotation margin are removed
	K=$(find . -name "K$ZONE.+0*+*.key" -mtime +$(($KKT+$KST)) -exec grep -q ksk \{} \; \
		-print -delete)
	Z=$(find . -name "K$ZONE.+0*+*.key" -mtime +$(($ZKT+$KST)) -exec grep -q zsk \{} \; \
		-print -delete)
	# if we're rolling keys but have nothing to roll in or roll out - just exit
	if [ "x$CMD" = "xroll" ] && [ -z "$K" -a -z "$Z" ]; then
		echo "Nothing to roll ($ZKO/$Z $KKO/$K), exiting"
		exit 0
	fi
fi
echo "Found keys $KSK & $ZSK, proceeding"
# Key file mtime in secs since epoch + number of seconds in ZKT+KST days
EXP=$( date '+%Y%m%d' -d @$(( $(stat -c '%Y' "$ZSK.key") + ($ZKT+$KST)*24*60*60 )) )
# Signed zone will have SOA in one line with full spec (name class type params)
test -f "$FILE.signed" && \
	OLDSER=$( awk '/[ \t]+IN[ \t]+SOA[ \t]+/{print$7}' "$FILE.signed" 2>/dev/null )
# Unsigned zone file needs to have the comment '; serial' next to the serial, on its own line
SERIAL=$( awk '/; serial/{print$1}' "$FILE" )

# !!! TODO: We're not following RFC 1982 to check wraps !!!
# !!! Preroll it to 1 if using bind style SN for safety!!!
if [ $(( ${OLDSER:-0} + 0 )) -ge "$SERIAL" ]; then
	# Incrementing zone's serial: step the published one so the result is always above it
	echo "Adjusting zone's serial"
	NEWSER=$(( ${OLDSER:-0} + 1 ))
	[ "x$CMD" = "xsign" -o "x$CMD" = "xroll" ] && \
		sed -i "/; serial/s/$SERIAL/$NEWSER/" "$FILE"
fi
# Signing zone
echo "Signing zone file $FILE with keys $KSK & $ZSK ($KKO & $ZKO) until $EXP"
[ "x$CMD" = "xsign" -o "x$CMD" = "xroll" ] && \
	ldns-signzone -n -e $EXP $FILE $KSK $KKO $ZSK $ZKO
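The TODO above notes that the serial comparison ignores RFC 1982 wrap-around. As an added example, not part of the original script, here is the wrap-safe comparison together with a next-serial helper that keeps the file's serial when it already sorts after the published one and otherwise steps the published one; the sample serials are constructed, and 64-bit shell arithmetic (bash, dash, ksh) is assumed.

```shell
#!/bin/sh
# Added example, not from the original post: the RFC 1982 serial arithmetic the script's
# TODO refers to. Serials are 32-bit unsigned; A is "greater than" B when they differ
# and either A < B with B - A > 2^31, or A > B with A - B < 2^31. Assumes a shell with
# 64-bit $(( )) arithmetic (bash, dash, ksh). The sample serials below are constructed.
serial_gt() {	# serial_gt A B: true (exit 0) when A is newer than B under RFC 1982
	a=$(( $1 % 4294967296 )); b=$(( $2 % 4294967296 ))
	if [ "$a" -lt "$b" ]; then
		[ $(( b - a )) -gt 2147483648 ] && return 0
	elif [ "$a" -gt "$b" ]; then
		[ $(( a - b )) -lt 2147483648 ] && return 0
	fi
	return 1	# equal, or exactly 2^31 apart (order undefined): not greater
}

serial_add() {	# serial_add S N: S + N modulo 2^32, N limited to 0..2^31-1 as the RFC requires
	[ "$2" -ge 0 ] && [ "$2" -lt 2147483648 ] || return 1
	echo $(( ($1 + $2) % 4294967296 ))
}

# next_serial PUBLISHED CURRENT: wrap-safe replacement for the script's
# "[ $OLDSER -ge $SERIAL ]" test: keep the file's serial when it already sorts after
# the one in the signed zone, otherwise step the published one so secondaries see an increase
next_serial() {
	if serial_gt "$2" "$1"; then
		echo "$2"
	else
		serial_add "$1" 1
	fi
}

echo "2015120901 vs 2015120901 -> $(next_serial 2015120901 2015120901)"
echo "4294967295 vs 5          -> $(next_serial 4294967295 5)"	# wrapped: 5 is the newer one
```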

And the corresponding Makefile looks like this:

# Paths and tools: these are defined in the previous part; the defaults below are assumed
# placeholders so the Makefile stands on its own
DNSHOME ?= /etc/nsd/zones
NSDC    ?= nsd-control
BINPROG ?= $(DNSHOME)/sign.sh
NSDB    ?= $(DNSHOME)/nsd.db
ZONES:=$(wildcard $(DNSHOME)/*.signed)

all: $(NSDB)
	#nsdc rebuild
	$(NSDC) reload
	#nsdc restart
	$(NSDC) notify

# The database target depends on every signed zone; the real rule is in the previous
# part, this assumed stand-in only records that the signed zones were refreshed
$(NSDB): $(ZONES)
	touch $@

%.zone.signed: %.zone
	$(BINPROG) sign $?
Wed Dec 9 23:08:21 2015
© ruff 2011