#!/bin/bash
# Copyright 2014-2015 Richard Russon (FlatCap)
# Licensed under the GPLv3
# Two-digit months that each year's KSKs are generated for; a new KSK is
# started on SWAP_DAY of the month before each of them (see current_ksk).
KSK_MONTH1="06"
KSK_MONTH2="12"
# Day of the month on which next month's ZSK (and, in the right months,
# the next KSK) is generated (see current_zsk / current_ksk).
SWAP_DAY="28"
# ----------------------------------------------------------
# Pin PATH before anything is looked up: the helpers (generate-*, sign-zone,
# show-keys, ...) must come from these directories only. Note that bash's
# `source` searches PATH for a name without a slash, so log.sh below is
# resolved against this PATH as well.
PATH="/var/named/bin:/usr/bin:/usr/sbin"
# presumably provides log_info / log_warning / log_error, which this file
# calls but never defines -- confirm
source log.sh
# Every timestamp in this run, including the default taken from date(1), is UTC.
export TZ="UTC"
set -o errexit # set -e
set -o nounset # set -u
# An unmatched glob expands to nothing, so the K<zone>*.key loops in
# matching_ksk / matching_zsk simply run zero times for a zone with no keys.
shopt -s nullglob
# Run at the lowest CPU (nice 19) and I/O (idle class) priority; the
# "old priority" chatter of renice is discarded.
renice --priority 19 --pid $$ > /dev/null
ionice --class 3 --pid $$ > /dev/null
#######################################
# EXIT trap: report a non-zero exit status through the logger.
# Globals:   none written
# Outputs:   nothing on success; one log_error line on failure
# Returns:   0 on success, otherwise the status of log_error
#######################################
function finish()
{
  local rv=$?   # must be the very first statement or the status is lost
  if (( rv != 0 )); then
    log_error "${0##*/} failed: $rv"
  fi
}
# Run finish on every exit path so a failed step is logged rather than lost.
trap finish EXIT
cd /var/named   # under errexit a failed cd aborts the run
if [ -e named.conf ]; then
  # probably trampled by a dnf update
  # NOTE: the test is true whenever the file exists, i.e. on every run, so
  # any local edit to named.conf is discarded in favour of the checked-in
  # version (git restore defaults to the index).
  git restore named.conf
fi
# presumably defines DNSSEC_KEY_DIR and DNSSEC_DOMAINS, which nothing in
# this file sets -- confirm
source env.sh
# ----------------------------------------------------------
#######################################
# Add a number of months to a month number, wrapping within 1..12.
# Arguments: $1 - month (1-12, a leading zero is allowed)
#            $2 - number of months to add
# Outputs:   the resulting month, zero-padded to two digits, no newline
# Returns:   0, or 1 when not called with exactly two arguments
#######################################
function month_plus()
{
  if [ $# != 2 ]; then
    return 1
  fi
  # 10# forces decimal so that "08" and "09" are not read as octal.
  local start=$(( 10#$1 - 1 ))
  local total=$(( (start + 10#$2) % 12 + 1 ))
  printf '%02d' "$total"
}
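#######################################
# Look for a KSK of ZONE whose Activate..Inactive window covers TIMESTAMP.
# Globals:   DNSSEC_KEY_DIR (read) - directory holding the K<zone>*.key files
# Arguments: $1 - zone name
#            $2 - timestamp, YYYYMMDDHHMMSS
# Outputs:   one log_warning line per key that covers the timestamp
# Returns:   0 if at least one key matches, 1 otherwise (or on bad arguments)
#######################################
function matching_ksk()
{
  [ $# = 2 ] || return 1
  local ZONE=$1
  local TIMESTAMP=$2
  local k contents activate inactive
  local RESULT=1
  # "$ZONE" is quoted so the only wildcard in the pattern is the trailing *.
  for k in "$DNSSEC_KEY_DIR"/K"$ZONE"*.key; do
    # Without nullglob an unmatched pattern comes back literally; skip it,
    # as well as anything that cannot be read.
    [[ -r "$k" ]] || continue
    contents=$(< "$k") || continue
    # Only key-signing keys that carry both timestamps are considered;
    # ZSK files and anything unparsable are skipped silently.
    if [[ ! "$contents" =~ key-signing.*Activate:\ *([0-9]{14}).*Inactive:\ ([0-9]{14}) ]]; then
      continue
    fi
    activate=${BASH_REMATCH[1]}
    inactive=${BASH_REMATCH[2]}
    # The key only counts inside its [Activate, Inactive] window; 10# keeps
    # a leading zero from turning the comparison into octal.
    if (( 10#$TIMESTAMP < 10#$activate || 10#$TIMESTAMP > 10#$inactive )); then
      continue
    fi
    log_warning "\tExisting KSK: $k $activate $inactive"
    RESULT=0
  done
  return $RESULT
}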
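#######################################
# Look for a ZSK of ZONE whose Activate..Inactive window covers TIMESTAMP.
# Globals:   DNSSEC_KEY_DIR (read) - directory holding the K<zone>*.key files
# Arguments: $1 - zone name
#            $2 - timestamp, YYYYMMDDHHMMSS
# Outputs:   one log_warning line per key that covers the timestamp
# Returns:   0 if at least one key matches, 1 otherwise (or on bad arguments)
#######################################
function matching_zsk()
{
  [ $# = 2 ] || return 1
  local ZONE=$1
  local TIMESTAMP=$2
  local k contents activate inactive
  local RESULT=1
  # "$ZONE" is quoted so the only wildcard in the pattern is the trailing *.
  for k in "$DNSSEC_KEY_DIR"/K"$ZONE"*.key; do
    # Without nullglob an unmatched pattern comes back literally; skip it,
    # as well as anything that cannot be read.
    [[ -r "$k" ]] || continue
    contents=$(< "$k") || continue
    # Only zone-signing keys that carry both timestamps are considered;
    # KSK files and anything unparsable are skipped silently.
    if [[ ! "$contents" =~ zone-signing.*Activate:\ *([0-9]{14}).*Inactive:\ ([0-9]{14}) ]]; then
      continue
    fi
    activate=${BASH_REMATCH[1]}
    inactive=${BASH_REMATCH[2]}
    # The key only counts inside its [Activate, Inactive] window; 10# keeps
    # a leading zero from turning the comparison into octal.
    if (( 10#$TIMESTAMP < 10#$activate || 10#$TIMESTAMP > 10#$inactive )); then
      continue
    fi
    log_warning "\tExisting ZSK: $k $activate $inactive"
    RESULT=0
  done
  return $RESULT
}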
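#######################################
# Make sure ZONE has a KSK covering the run time, and start the next one
# on schedule. A missing KSK is backdated to the most recent KSK month
# (KSK_MONTH1 / KSK_MONTH2); on SWAP_DAY of the month before a KSK month
# the next KSK is generated for the following month.
# Globals:   YEAR MONTH DAY H M S, KSK_MONTH1 KSK_MONTH2 SWAP_DAY (read)
# Arguments: $1 - zone name
# Outputs:   progress lines on stdout, plus a log_info line
# Returns:   1 on bad arguments, or when no KSK covers the run time even
#            after backdating one; 0 otherwise
#######################################
function current_ksk()
{
  [ $# = 1 ] || return 1
  local ZONE=$1
  local now="$YEAR$MONTH$DAY$H$M$S"
  local M2 Y2 K1 K2 regex
  # KSK - 6 months
  log_info "Generate KSK for $ZONE"
  if ! matching_ksk "$ZONE" "$now"; then
    # 10# keeps "08"/"09" from being parsed as octal.
    if (( 10#$MONTH < 10#$KSK_MONTH1 )); then
      M2=$KSK_MONTH2
      Y2=$((YEAR-1))
    elif (( 10#$MONTH < 10#$KSK_MONTH2 )); then
      M2=$KSK_MONTH1
      Y2=$YEAR
    else
      M2=$KSK_MONTH2
      Y2=$YEAR
    fi
    printf 'Need to backdate a KSK: %s %s %s\n' "$ZONE" "$Y2" "$M2"
    generate-ksk "$ZONE" "$Y2" "$M2"
    show-keys
    # The backdated key must cover the run time; returning 1 here stops the
    # run under errexit instead of signing with no valid KSK.
    matching_ksk "$ZONE" "$now" || return 1
  fi
  # A new KSK is generated on SWAP_DAY of the month before each KSK month.
  K1=$(month_plus "$KSK_MONTH1" 11) || return 1
  K2=$(month_plus "$KSK_MONTH2" 11) || return 1
  # Assemble the pattern from the already zero-padded strings: bash's
  # printf %d rejects "08"/"09" as invalid (octal) numbers.
  regex="($K1|$K2)$SWAP_DAY"
  if [[ "$MONTH$DAY" =~ $regex ]]; then
    M2=$(month_plus "$MONTH" 1) || return 1
    Y2=$YEAR
    if [ "$MONTH" = 12 ]; then
      Y2=$((Y2+1))
    fi
    printf 'Time for a new KSK: %s %s %s\n' "$ZONE" "$Y2" "$M2"
    generate-ksk "$ZONE" "$Y2" "$M2"
    show-keys
  fi
}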
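#######################################
# Make sure ZONE has a ZSK covering the run time, and start next month's
# ZSK on SWAP_DAY. A missing ZSK is backdated to the current month.
# Globals:   YEAR MONTH DAY H M S, SWAP_DAY (read)
# Arguments: $1 - zone name
# Outputs:   progress lines on stdout, plus a log_info line
# Returns:   1 on bad arguments, or when no ZSK covers the run time even
#            after backdating one; 0 otherwise
#######################################
function current_zsk()
{
  [ $# = 1 ] || return 1
  local ZONE=$1
  local now="$YEAR$MONTH$DAY$H$M$S"
  local M2 Y2
  # ZSK - 1 month
  log_info "Generate ZSK for $ZONE"
  if ! matching_zsk "$ZONE" "$now"; then
    printf 'Need to backdate a ZSK: %s %s %s\n' "$ZONE" "$YEAR" "$MONTH"
    generate-zsk "$ZONE" "$YEAR" "$MONTH"
    show-keys
    # The backdated key must cover the run time; returning 1 here stops the
    # run under errexit instead of signing with no valid ZSK.
    matching_zsk "$ZONE" "$now" || return 1
  fi
  if [ "$DAY" = "$SWAP_DAY" ]; then
    M2=$(month_plus "$MONTH" 1) || return 1
    Y2=$YEAR
    if [ "$MONTH" = 12 ]; then
      Y2=$((Y2+1))
    fi
    printf 'Time for a new ZSK: %s %s %s\n' "$ZONE" "$Y2" "$M2"
    generate-zsk "$ZONE" "$Y2" "$M2"
    show-keys
  fi
}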
#######################################
# Regenerate the inputs that are not specific to one zone, then make sure
# the named data directories exist.
# Outputs:   whatever the generate-* helpers print
# Returns:   status of the last command (mkdir)
#######################################
function daily_prep()
{
  generate-dns-glue
  generate-root-certs
  generate-ssh-fingerprint
  generate-gpg
  mkdir -p /var/named/data /var/named/dynamic
}
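#######################################
# Refresh the per-zone records and sign ZONE for the run time.
# Globals:   YEAR MONTH DAY H M S (read)
# Arguments: $1 - zone name
# Returns:   1 on bad arguments, otherwise the status of sign-zone
#######################################
function daily_signing()
{
  [ $# = 1 ] || return 1
  local ZONE=$1
  generate-tlsa "$ZONE"
  generate-dkim "$ZONE"
  # serials are dated by day; the signature carries the full timestamp
  update-serials -d "$YEAR$MONTH$DAY" "$ZONE"
  sign-zone "$ZONE" "$YEAR$MONTH$DAY$H$M$S"
}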
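#######################################
# Post-signing housekeeping: drop expired keys, reset permissions and
# stamp every file in the key directory with its publish date.
# Globals:   TIMESTAMP, DNSSEC_KEY_DIR (read)
# Returns:   status of the last command (set-to-publish-date)
#######################################
function daily_tidy()
{
  delete-old-keys "$TIMESTAMP"
  fix-perms
  # With nullglob an empty directory passes no arguments at all.
  set-to-publish-date "$DNSSEC_KEY_DIR"/*
}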
# ----------------------------------------------------------
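# The run time may be overridden on the command line, either as a full
# YYYYMMDDHHMMSS or as YYYYMMDD (taken to be 04:30:00; TZ is UTC).
TIMESTAMP=${1:-$(date "+%Y%m%d%H%M%S")}
if [[ "$TIMESTAMP" =~ ^[0-9]{8}$ ]]; then
  TIMESTAMP="${TIMESTAMP}043000"
fi
# TIMESTAMP is spliced into helper command lines below, so nothing but
# exactly fourteen digits is accepted. Errors go to stderr, not the log.
if [[ ! "$TIMESTAMP" =~ ^[0-9]{14}$ ]]; then
  printf 'Invalid date: %s\n' "$TIMESTAMP" >&2
  exit 1
fi
YEAR=${TIMESTAMP:0:4}
MONTH=${TIMESTAMP:4:2}
DAY=${TIMESTAMP:6:2}
H=${TIMESTAMP:8:2}
M=${TIMESTAMP:10:2}
S=${TIMESTAMP:12:2}
# Fourteen digits may still not be a real date (month 13, Feb 30, ...);
# let date(1) decide before any key is generated from it.
if ! date -u -d "$YEAR-$MONTH-$DAY $H:$M:$S" > /dev/null 2>&1; then
  printf 'Invalid date: %s\n' "$TIMESTAMP" >&2
  exit 1
fi
log_info "Cron: for $YEAR-$MONTH-$DAY $H:$M:$S -- $TIMESTAMP"
daily_prep
# DNSSEC_DOMAINS is a whitespace-separated list; the word-splitting is intended.
for d in $DNSSEC_DOMAINS; do
  current_ksk "$d"
  current_zsk "$d"
  daily_signing "$d"
done
daily_tidy
echo
show-keys
show-signed
ds-sync.pl
# Under errexit a failed reload, or an inactive named, ends the run with
# a non-zero status that the EXIT trap logs.
systemctl reload-or-restart named
systemctl status named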