if [ "$TEST" ]; then # Accelerated test setup
 validity=1350 # ZSK signature validity period
 sbefore=$(( $validity / 4 )) # resign if less than this left in sig sbefore ~ validity/4
 sigfrsh=$(( $sbefore / 3 )) # How often to try to refesh signatures sigfrsh < sbefore
 jitter=$(( $sigfrsh / 3 )) # vary sigs expire time by this < sigfrsh
else
 sigfrsh=86400 # 1d How often to try to refesh signatures sigfrsh < 604800
 validity=1296000 # 15d ZSK signature validity period
 sbefore=604800 # 7d resign if less than this left in sig  sbefore ~ validity/4
 jitter=86400 # 1d vary sigs expire time by this < sigfrsh
fi
#
# Simple demo signer (/bin/bash) script
#   This script uses dnssec-signzone to maintain a signed zone
#   in master/$dn.zone with reasonable default RRSIG timing values.
#   May want to make it trigger on NOTIFY messages instead of polling.
# inputs: slave/$dn.zone and the most recent keys/<YYYYMMDDhhmmss>.$dn.keybundle.tar.gz (from KC)
# outputs: master/$dn.zone
# execute this every 15 min via crontab
#
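echo "$(date -u) $0 $1 $2"  # execution timestamp
if [ $# -lt 1 ]; then echo "error: Usage: $0 domain"; exit 1; fi
# For HSM/smartcard ZSKs: the PKCS#11 PIN comes from the environment or is prompted for
# once here.  It is read BEFORE the daemon loop below so that every "$0 $1" child inherits
# it through the exported environment instead of prompting again on each cycle.
# The library path is only defaulted, so an operator-supplied value is no longer overwritten;
# both variables are presumably consumed by the PKCS#11 engine behind dnssec-signzone.
# NOTE(review): an exported PIN is visible to every child process (and via /proc/<pid>/environ
# to the same user) - never run this script under "set -x" or dump its environment to a log.
export PKCS11_LIBRARY_PATH="${PKCS11_LIBRARY_PATH:-/opt/dccom/lib/opensc-pkcs11.so}"
if [ -z "$PKCS11_LIBRARY_PIN" ]; then
  read -r -s -p "HSM PIN: " PKCS11_LIBRARY_PIN
  echo ""
  if [ -z "$PKCS11_LIBRARY_PIN" ]; then
    # Typical under cron: no terminal to answer the prompt. Signing will fail later if a PIN is needed.
    echo "warning: empty HSM PIN (no terminal? set PKCS11_LIBRARY_PIN in the environment)" >&2
  fi
  export PKCS11_LIBRARY_PIN
fi
# Daemon mode: "$0 domain interval" re-runs "$0 domain" every interval seconds until a run fails.
if [ $# -eq 2 ]; then
  case "$2" in
    ''|*[!0-9]*) echo "error: interval must be a non-negative integer, got '$2'"; exit 1 ;;
  esac
  echo "$0 $1 will be run every $2 seconds"
  while :; do
    "$0" "$1" || exit 1   # stop on the first failed run
    sleep "$2"
  done
  exit 0
fi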
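dn=$1
# $dn is spliced into file names, the keybundle glob and "rm -f" paths below; reject anything
# that is not a plain DNS name (letters, digits, ".", "-", "_") so a stray argument cannot
# widen those paths or start with "-".  Relax the class if your zone names need more.
case "$dn" in
  ''|-*|*[!A-Za-z0-9._-]*) echo "error: invalid domain name '$dn'"; exit 1 ;;
esac
now=$(date -u +%Y%m%d%H%M%S)   # UTC, same 14-digit format as the keybundle timestamp prefix
uzonef="slave/$dn.zone"         # unsigned input zone
szonef="master/$dn.zone"        # signed output zone
# updated zones go into $uzonef.  could be via BIND, A/IXFR, rsync, etc..
if [ ! -f "$uzonef" ]; then echo "Unsigned zone $uzonef missing"; exit 1; fi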
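# find the most recent keybundle whose timestamp is not in the future
# Bundles are keys/<YYYYMMDDhhmmss>.$dn.keybundle.tar.gz.  The newest one dated <= $now is
# selected and every older eligible one is deleted; bundles dated in the future are only
# counted.  Matching is exact (14 digits, this $dn, this suffix) rather than the former
# unanchored "ls | grep" regex, in which the dots of $dn matched any character.
# Globals read: dn, now.  Globals written: nextb (selected name relative to keys/, or empty),
# bcnt (number of future-dated bundles still waiting).
select_keybundle() {
  local f name stamp
  nextb=""
  bcnt=0
  for f in keys/[0-9]*."$dn".keybundle.tar.gz; do
    [ -e "$f" ] || continue                        # unmatched glob is left literal
    name=${f#keys/}
    stamp=${name%%.*}
    case "$stamp" in *[!0-9]*) continue ;; esac    # timestamp must be digits only
    [ "${#stamp}" -eq 14 ] || continue
    if [ "$stamp" -le "$now" ]; then
      if [ -z "$nextb" ]; then
        nextb=$name
      elif [ "$stamp" -gt "${nextb%%.*}" ]; then
        rm -f -- "keys/$nextb"; nextb=$name        # previous candidate is older: superseded
      else
        rm -f -- "$f"                              # older than the current candidate
      fi
    else
      bcnt=$(( bcnt + 1 ))
    fi
  done
}
select_keybundle
if [ "$bcnt" -lt 2 ]; then echo "warning: Only $bcnt remaining keybundles"; fi
if [ "$nextb" ]; then
  echo "New keybundle $nextb left:$bcnt"
  # NOTE(review): the bundle carries the ZSK private key and is extracted as-is; nothing here
  # verifies who produced it (signature/checksum from the KC) - confirm that happens upstream.
  # GNU tar strips a leading "/" from member names by default; check that the tar in use also
  # refuses ".." members so a bundle cannot write outside keys/.
  tar -C keys -zxf "keys/$nextb" || exit 1
  rm -f -- "keys/$nextb"
  touch "$dn.signit"   # marker: make the signing step below re-sign with the new key
fi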
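# Cause this to sign at least once a day to refresh expiring signatures:
# compare the signed zone's mtime with now and flag a re-sign when it is older than $sigfrsh.
last_signed=0
if [ -f "$szonef" ]; then last_signed=$(stat --format=%Y "$szonef"); fi # change for BSD
t2=$(date +%s)  # change for BSD
t2=$(( t2 - last_signed ))   # seconds since the signed zone was last written
echo "$t2 seconds have passed since $dn was signed"
if [ "$t2" -gt "$sigfrsh" ]; then echo "Freshen $dn zone"; touch "$dn.signit"; fi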
# "dsoaupdate" maintains unsigned and signed zone SOA serial. Signed ser is at least 
# unsigned ser. Signed ser incremented when unsigned ser increased as per soa serial 
# arithmetic.  Removing $uzonef.lastserialin also causes increment.
if [ -f "$dn.signit" ]; then rm -f $dn.signit $uzonef.lastserialin; fi
dsoaupdate $uzonef > $szonef.tmp
if [ $? -eq 0 ]; then rm $szonef.tmp; exit 0; fi   # DONT SIGN
mv $szonef.tmp $szonef
echo -n "SOA Serial out: "; cat $uzonef.lastserialout
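if [ ! -f "keys/$dn.zsk.private" ]; then echo "keys/$dn.zsk.private missing"; exit 1; fi
# include pre KSK signed DNSKEY RRset (signed elsewhere with the KSK; only the ZSK is used here)
if [ ! -f "keys/$dn.dnskeyrrset" ]; then echo "keys/$dn.dnskeyrrset missing"; exit 1; fi
echo "\$include keys/$dn.dnskeyrrset" >> "$szonef"
touch "$szonef.signed"
echo "\$include $szonef.signed" >> "$szonef"   # include RRSIGs from last signing so -i can keep the still-fresh ones
cp -p -- "$szonef.signed" "$szonef.signed.0" || exit 1  # save last one for debugging
# update RRSIGs for any RRsets that need it or are close to expiry. add jitter
# Output lands in $szonef.signed: -D emits only the DNSSEC records and -x keeps the ZSK off
# the DNSKEY RRset (see dnssec-signzone(8)).  The HSM PIN reaches it via the environment.
dnssec-signzone -t -v 3 -s now -e "+$validity" -i "$sbefore" -j "$jitter" -D -x -o "$dn" "$szonef" "keys/$dn.zsk" || exit 1
# remove DNSKEY RRSIGs since we supply them ourselves.  Keep the previous .signed file
# intact if the filter fails instead of installing a truncated one.
if ! removednskeyrrsig "$dn" < "$szonef.signed" > "$szonef.signed.tmp"; then
  rm -f -- "$szonef.signed.tmp"; exit 1
fi
mv -- "$szonef.signed.tmp" "$szonef.signed" || exit 1
rndc reload "$dn" # reload the hidden master; its status becomes the script's exit status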
#
# end
#
