fix(nslord): harden secure-zones script, fixes desec-io/desec-interna…

…l#18 - Deal correctly with domain names starting with dashes or otherwise weird - Also, don't use unnecessarily large amounts of entropy for salting
desec-io · Aug 19, 2017 · 69a6444 · 69a6444
1 parent e83550e
commit 69a6444
Showing 1 changed file with 6 additions and 3 deletions.
diff --git a/nslord/cronhook/secure-zones.sh b/nslord/cronhook/secure-zones.sh
@@ -9,10 +9,13 @@ for ZONE in `echo "SELECT name FROM domains WHERE type = 'NATIVE' && id NOT IN(S
 	set -ex
 
 	PARENT=${ZONE#*.}
-	SALT=`head -c300 /dev/urandom | sha512sum | cut -b 1-16`
+	SALT=`head -c32 /dev/urandom | sha256sum | cut -b 1-16`
 
-	# Set up DNSSEC and switch zone type to MASTER
-	pdnsutil secure-zone $ZONE && pdnsutil set-nsec3 $ZONE "1 0 300 $SALT" && pdnsutil set-kind $ZONE MASTER && pdnsutil increase-serial $ZONE
+	# Set up DNSSEC, switch zone type to MASTER, and increase serial for notify
+	pdnsutil secure-zone -- "$ZONE" \
+	    && pdnsutil set-nsec3 -- "$ZONE" "1 0 300 $SALT" \
+	    && pdnsutil set-kind -- "$ZONE" MASTER \
+	    && pdnsutil increase-serial -- "$ZONE"
 
 	# Take care of delegations
 	if [ "$PARENT" == "dedyn.io" ]; then