-
Notifications
You must be signed in to change notification settings - Fork 3
/
Copy pathrequest_key
executable file
·131 lines (112 loc) · 5.71 KB
/
request_key
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
#!/bin/bash
#
# register_key
# Sends signal "requests" to ${SIGNAL_SUBZONE}.<zone> ie CDS, CDNSKEY, and KEY records to zone master.
#------------------------------------------------------------------------------
# load helpful functions
for i in functions/*.sh
do
. ${i}
[[ -n ${DEBUG_SOURCED} ]] && echo "Sourced ${PWD}/$i ..."
done
#------------------------------------------------------------------------------
set_vars $*
# Define NEW_SUBZONE as a name (subdomain or subzone) within ZONE for requested SIG0 key FQDN
#
if [[ ! -n ${NEW_SUBZONE} ]]; then
echo
echo "Error: NEW_SUBZONE ${NEW_SUBZONE} environment variable is undefined."
exit 1
fi
# find zone master for ${SIGNAL_SUBZONE}.${ZONE} which may be different from zone master of ${ZONE}
SIGNAL_SOA_MASTER=$( get_soa_master "${SIGNAL_SUBZONE}.${ZONE}" )
if [[ ! -n ${SIGNAL_SOA_MASTER} ]]; then
echo "Error: ZONE ${SIGNAL_SUBZONE}.${ZONE} SOA record does not resolve"
exit 1
fi
# set requested final FQDN of key to be submitted to zone
SIG0_KEY_FQDN="${NEW_SUBZONE}.${ZONE}"
# find any existing key from keystore
# Note: NEW_SUBZONE_SIG0_KEYID value updated by reference in get_sig0_keyid()
get_sig0_keyid NEW_SUBZONE_SIG0_KEYID ${SIG0_KEY_FQDN} ${NSUPDATE_SIG0_KEYPATH}
# if no such key exists in keystore, create a new keypair in keystore
if [[ ! -n ${NEW_SUBZONE_SIG0_KEYID} ]]; then
[[ -n ${DEBUG} ]] && echo "No SIG0 keypair for ${SIG0_KEY_FQDN} found in ${NSUPDATE_SIG0_KEYPATH}"
SIG0_KEY_ALGO=${SIG0_KEY_ALGO:-"ED25519"}
dnssec-keygen -K ${NSUPDATE_SIG0_KEYPATH} -a ${SIG0_KEY_ALGO} -n HOST -T KEY ${SIG0_KEY_FQDN} || exit 1
echo "New SIG0 keypair for ${SIG0_KEY_FQDN} generated in ${NSUPDATE_SIG0_KEYPATH}"
get_sig0_keyid NEW_SUBZONE_SIG0_KEYID ${SIG0_KEY_FQDN} ${NSUPDATE_SIG0_KEYPATH}
[[ ! -n ${NEW_SUBZONE_SIG0_KEYID} ]] && echo "Error creating new key for ${SIG0_KEY_FQDN} in keystore ${NSUPDATE_SIG0_KEYPATH}" && exit 1
fi
# form input for nsupdate
NSUPDATE_TTL=${NSUPDATE_TTL:-"60"}
NSUPDATE_ACTION=${NSUPDATE_ACTION:-"add"}
NEW_SUBZONE_SIG0_KEY="`cat ${NSUPDATE_SIG0_KEYPATH}/${NEW_SUBZONE_SIG0_KEYID}.key`"
# create item for *request* with KEY RR under ${SIGNAL_SUBZONE}.${ZONE}
NSUPDATE_ITEM_SIG0_KEY="update ${NSUPDATE_ACTION} ${NEW_SUBZONE}.${SIGNAL_SUBZONE}.${ZONE} ${NSUPDATE_TTL} ${NEW_SUBZONE_SIG0_KEY##*.}"
# create pointer RR to request processing
NSUPDATE_ITEM_PTR="update ${NSUPDATE_ACTION} ${SIGNAL_SUBZONE}.${ZONE} ${NSUPDATE_TTL} PTR ${NEW_SUBZONE}.${SIGNAL_SUBZONE}.${ZONE}."
if [[ -n ${DEBUG} ]]; then
echo
echo "ZONE_SOA_MASTER = ${ZONE_SOA_MASTER}"
echo "SIGNAL_SOA_MASTER = ${ZONE_SOA_MASTER}"
echo
echo "SUBZONE KEY Request FQDN = ${NEW_SUBZONE}.${SIGNAL_SUBZONE}.${ZONE}"
echo " Requested SIG0 KEY FQDN = ${SIG0_KEY_FQDN}"
echo " Requested SIG0 DNS Update KEY ID = ${NEW_SUBZONE_SIG0_KEYID}"
echo " Requested SIG0 DNS Update KEY file = ${NEW_SUBZONE_SIG0_KEY}"
fi
DIG_SIG0_SIGNAL_FQDN="$( dig +short @${SIGNAL_SOA_MASTER} ${NEW_SUBZONE}.${SIGNAL_SUBZONE}.${ZONE} KEY )"
DIG_SIG0_FQDN="$( dig +short @${ZONE_SOA_MASTER} ${SIG0_KEY_FQDN} KEY )"
case ${NSUPDATE_ACTION} in
add)
if [[ ! -n ${DIG_SIG0_FQDN} ]]; then
# add request
[[ -n ${DIG_SIG0_SIGNAL_FQDN} ]] && echo "Existing KEY request '${NEW_SUBZONE}.${SIGNAL_SUBZONE}.${ZONE} ${DIG_SIG0_SIGNAL_FQDN}' in queue." && exit 1
send_nsupdate "${ZONE}" "$(echo ${NSUPDATE_ITEM_SIG0_KEY};echo ${NSUPDATE_ITEM_PTR})" "${NSUPDATE_AUTH_SIG0_KEY_FQDN}"
echo "KEY request '${NEW_SUBZONE}.${SIGNAL_SUBZONE}.${ZONE} ${NEW_SUBZONE_SIG0_KEY##*.}' added"
else
echo "Cannot request new KEY with FQDN '${SIG0_KEY_FQDN}' as KEY record already exists in zone '${ZONE}'."
echo "Please select a new key name under zone '${ZONE}'."
exit 1
fi
;;
delete)
if [[ -n ${DIG_SIG0_SIGNAL_FQDN} ]]; then
# delete request
[[ -n ${DIG_SIG0_FQDN} ]] && echo "KEY '${NEW_SUBZONE}.${ZONE} ${DIG_SIG0_FQDN}' is already deployed." && exit 1
send_nsupdate "${ZONE}" "$(echo ${NSUPDATE_ITEM_SIG0_KEY};echo ${NSUPDATE_ITEM_PTR})" "${NSUPDATE_AUTH_SIG0_KEY_FQDN}"
echo "KEY request '${NEW_SUBZONE}.${SIGNAL_SUBZONE}.${ZONE}' deleted"
else
echo "Cannot request deletion of KEY with FQDN '${NEW_SUBZONE}.${SIGNAL_SUBZONE}.${ZONE}' as KEY record does not exist in zone '${SIGNAL_SUBZONE}.${ZONE}'."
fi
;;
*)
# NSUPDATE_ACTION should default to "add" - should never get here
echo "Error: NSUPDATE_ACTION is set to '${NSUPDATE_ACTION}', but must be set to 'add' or 'delete'."
exit 1
;;
esac
# list pending requests for processor
if [[ -n ${DEBUG_LIST} ]]; then
echo
echo "ZONE KEY REQUESTS for '${ZONE}'"
echo
dig @${SIGNAL_SOA_MASTER} +noall +answer +nottl +noclass PTR ${SIGNAL_SUBZONE}.${ZONE}
echo
echo "ZONE KEY STATUS for '${ZONE}'"
echo
REQUEST_QUEUE="`dig @${SIGNAL_SOA_MASTER} +short ${SIGNAL_SUBZONE}.${ZONE} PTR`"
for request_ptr in ${REQUEST_QUEUE}; do
signal_key="`dig @${SIGNAL_SOA_MASTER} +noall +answer +nottl +noclass +nocrypto +idnout ${request_ptr} KEY`"
signal_key_fqdn="`echo ${signal_key} | cut -f1 -d' '`"
requested_keyname="${signal_key_fqdn%%\.${SIGNAL_SUBZONE}*}"
requested_key_fqdn="${requested_keyname}.${ZONE}"
echo "-- REQUEST FQDN: ${signal_key_fqdn} requests KEY '${requested_key_fqdn}' under zone '${ZONE}':"
# echo "${requested_key}"
# echo "${signal_key}"
deployed_key="`dig @${ZONE_SOA_MASTER} +noall +answer +idnin +idnout ${requested_key_fqdn} KEY`"
# echo "deployed_key='${deployed_key}'"
[[ -n ${deployed_key} ]] && echo "-- DEPLOYED KEY: ${deployed_key}" || echo "** ${requested_key_fqdn} is not deployed"
done
fi