-
Notifications
You must be signed in to change notification settings - Fork 3
/
Copy pathprocess_requests
executable file
·111 lines (100 loc) · 5.99 KB
/
process_requests
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
#!/bin/bash
#
# process_key
# Processes signal "requests" to _signal.<zone> ie CDS, CDNSKEY, and KEY records to zone master.
#------------------------------------------------------------------------------
# load helpful functions
for i in functions/*.sh
do
. ${i}
[[ -n ${DEBUG_SOURCED} ]] && echo "Sourced ${PWD}/functions/$i ..."
done
#------------------------------------------------------------------------------
set_vars $*
# find zone master for ${SIGNAL_SUBZONE}.${ZONE} which may be different from zone master of ${ZONE}
SIGNAL_SOA_MASTER=$( get_soa_master "${SIGNAL_SUBZONE}.${ZONE}" )
if [[ ! -n ${SIGNAL_SOA_MASTER} ]]; then
echo "Warning: ZONE ${SIGNAL_SUBZONE}.${ZONE} SOA record does not resolve"
exit 1
fi
# if not set, set default update auth key to zonename
if [[ ! -n ${NSUPDATE_AUTH_SIG0_KEY_FQDN} ]]; then
[[ -n ${DEBUG_PROCESS_REQUESTS} ]] && echo "Warning: ZONE update KEY FQDN not set, setting default to zone FQDN '${ZONE}'"
NSUPDATE_AUTH_SIG0_KEY_FQDN="${NSUPDATE_AUTH_SIG0_KEY_FQDN:-${ZONE}}"
fi
# find existing SIG0 auth keypair for nsupdate parameter
[[ ! -n ${NSUPDATE_AUTH_SIG0_KEYID} ]] && get_sig0_keyid NSUPDATE_AUTH_SIG0_KEYID ${NSUPDATE_AUTH_SIG0_KEY_FQDN} ${NSUPDATE_SIG0_KEYPATH}
if [[ ! -n ${NSUPDATE_AUTH_SIG0_KEYID} ]]; then
echo "Warning: ZONE ${ZONE}: SIG(0) keypair for ${NSUPDATE_AUTH_SIG0_KEY_FQDN} not found in keystore ${NSUPDATE_AUTH_SIG0_KEYPATH}"
exit 1
fi
NSUPDATE_ACTION=${NSUPDATE_ACTION:-"add"} # ensures default action
NSUPDATE_TTL=${NSUPDATE_TTL:-"60"} # ensures default TTLs for RRs
REQUEST_QUEUE="`dig @${SIGNAL_SOA_MASTER} +short ${SIGNAL_SUBZONE}.${ZONE} PTR`"
# [[ -n ${TEST_REQUEST} ]] && REQUEST_QUEUE="${REQUEST_QUEUE} testzone._signal.zenr.io _signal._signal.zenr.io below.test._signal.zenr.io"
# TODO: handle timeout errors from dig (error lines start with ';;')
for request_ptr in ${REQUEST_QUEUE}; do
# get requested KEY from SIGNAL_SOA_MASTER
request_key="`dig @${SIGNAL_SOA_MASTER} +noall +answer ${request_ptr} KEY`"
# remove signal zone FQDN
request_key="`echo ${request_key} | cut -f3- -d' '`"
request_key_subzone="${request_ptr%%\.${SIGNAL_SUBZONE}*}"
request_key_fqdn="${request_key_subzone}.${ZONE}"
case ${NSUPDATE_ACTION} in
add)
# test for ANY usual DNS RR, as well as NS delegation RRs (which are not covered by ANY)
request_key_fqdn_dig="`dig @${ZONE_SOA_MASTER} +noall +answer +nocrypto +dnssec ${request_key_fqdn} ANY``dig @${ZONE_SOA_MASTER} +noall +authority +nocrypto +nodnssec ${request_key_fqdn} NS | grep -v SOA`"
# send add update iff no DNS RR or NS exists
if [[ ! -n ${request_key_fqdn_dig} ]]; then
# set SOA_MASTER & NEW_SUBZONE for send_update()
# SOA_MASTER="${ZONE_SOA_MASTER}"
NSUPDATE_PRECONDITION_SET="nxdomain"
NEW_SUBZONE="${request_key_subzone}"
NEW_SUBZONE_SIG0_KEY=${request_key##*.}
NSUPDATE_PRECONDITION="prereq ${NSUPDATE_PRECONDITION_SET} ${NEW_SUBZONE}.${ZONE}"
NSUPDATE_ITEM_SIG0_KEY="update ${NSUPDATE_ACTION} ${NEW_SUBZONE}.${ZONE} ${NSUPDATE_TTL} ${NEW_SUBZONE_SIG0_KEY}"
# add successful request
send_nsupdate "${ZONE}" "$(echo ${NSUPDATE_PRECONDITION};echo ${NSUPDATE_ITEM_SIG0_KEY})" "${NSUPDATE_AUTH_SIG0_KEY_FQDN}"
#send_update
key_display="`dig @${ZONE_SOA_MASTER} +noall +answer +nottl +noclass +nocrypto +idnout ${request_key_fqdn} KEY`"
request_key_fqdn_status="KEY '${request_key_fqdn}' submitted to ${NSUPDATE_ACTION} under zone '${ZONE}' with '[${key_display#*[}', IDN '${key_display%.*}' by KEY FQDN: ${NSUPDATE_AUTH_SIG0_KEY_FQDN} KEYID: ${NSUPDATE_AUTH_SIG0_KEYID} ."
else
request_key_fqdn_status="KEY '${request_key_fqdn}' IS NOT submitted to ${NSUPDATE_ACTION} under zone '${ZONE}', as DNS resource records for '${request_key_fqdn}' already exist."
fi
# now delete PTR & KEY record
# optionally they could be archived somwhere else first ...
# NSUPDATE_PRECONDITION_SET="yxdomain"
# NSUPDATE_PRECONDITION=""
NSUPDATE_ITEM_SIGNAL_PTR="update delete ${SIGNAL_SUBZONE}.${ZONE}. PTR ${request_ptr}"
NSUPDATE_ITEM_SIGNAL_KEY="update delete ${request_ptr} ${request_key}"
send_nsupdate "${ZONE}" "$(echo ${NSUPDATE_ITEM_SIGNAL_PTR};echo ${NSUPDATE_ITEM_SIGNAL_KEY})" "${NSUPDATE_AUTH_SIG0_KEY_FQDN}"
;;
delete)
# test for KEY DNS RR to delete (only deletes KEY & no other RR)
request_key_fqdn_dig="`dig @${ZONE_SOA_MASTER} +noall +answer +nocrypto +dnssec ${request_key_fqdn} KEY`"
# send delete update iff KEY FQDN exists in zone
if [[ -n ${request_key_fqdn_dig} ]]; then
# SOA_MASTER="${ZONE_SOA_MASTER}"
NSUPDATE_PRECONDITION_SET="yxdomain"
NEW_SUBZONE="${request_key_subzone}"
NEW_SUBZONE_SIG0_KEY=${request_key##*.}
NSUPDATE_PRECONDITION="prereq ${NSUPDATE_PRECONDITION_SET} ${NEW_SUBZONE}.${ZONE}"
NSUPDATE_ITEM_SIG0_KEY="update ${NSUPDATE_ACTION} ${NEW_SUBZONE}.${ZONE} ${NSUPDATE_TTL} ${NEW_SUBZONE_SIG0_KEY}"
# add successful request
key_display="`dig @${ZONE_SOA_MASTER} +noall +answer +nottl +noclass +nocrypto +idnout ${request_key_fqdn} KEY`"
send_nsupdate "${ZONE}" "$(echo ${NSUPDATE_PRECONDITION};echo ${NSUPDATE_ITEM_SIG0_KEY})" "${NSUPDATE_AUTH_SIG0_KEY_FQDN}"
# send_update
request_key_fqdn_status="KEY '${request_key_fqdn}' submitted to ${NSUPDATE_ACTION} under zone '${ZONE}', with '[${key_display#*[}', IDN '${key_display%.*}'."
else
request_key_fqdn_status="KEY '${request_key_fqdn}' IS NOT submitted to ${NSUPDATE_ACTION} under zone '${ZONE}', as no DNS KEY resource record exists."
fi
;;
*)
# NSUPDATE_ACTION should default to "add" - should never get here
echo "Error: NSUPDATE_ACTION is set to '${NSUPDATE_ACTION}', but must be set to 'add' or 'delete'."
exit 1
;;
esac
echo "${request_key_fqdn_status}"
logger "${request_key_fqdn_status}"
done