DNSSEC zone signing helper shell script
kfujiwara/dnsseczonetool
# dnsseczonetool : Simple DNSSEC key management and zone signing tool
#
# https://github.com/kfujiwara/dnsseczonetool
#
# Installation and Configuration:
#
# 1. Copy dnsseczonetool into some directory.
#    Example: copy it to /etc/namedb/master.
#
# 2. Create dnsseczonetool.conf in the same directory as dnsseczonetool
#    if you want to change the default values.
#    Example: touch /etc/namedb/master/dnsseczonetool.conf
#
# 3. Prepare traditional zone files. The file name must be equal to the zone name.
#    Example: /etc/namedb/master/example.com
#
# 4. Generate the first keys.
#    Example: /etc/namedb/master/dnsseczonetool keygen example.com
#
# 5. Sign the zone.
#    Example: /etc/namedb/master/dnsseczonetool sign example.com
#
# 6. Edit named.conf/nsd.conf to load the signed zone file.
#    Example: zone "example.com" {
#                 type master;
#                 file "/etc/namedb/master/example.com.signed";
#             };
#
# 7. Periodic zone signing: add one entry to your crontab.
#    Example: "0 7 * * * /etc/namedb/master/dnsseczonetool sign example.com"
#    Use the same path the tool was installed to in step 1.
#
# dnsseczonetool.conf:
#   FATAL_MAIL: Send an email to $FATAL_MAIL when a fatal error occurs.
#   MASTERDIR: Zone file directory
#     Default: MASTERDIR="/etc/namedb/master"
#   KSK_PARAM: Default dnssec-keygen options for the KSK
#     Default: KSK_PARAM_DEFAULT="-n zone -a RSASHA1 -b 2048 -f ksk"
#   KSK_PARAM_$zone: dnssec-keygen options for the zone's KSK
#     Default: KSK_PARAM
#   ZSK_PARAM: Default dnssec-keygen options for the ZSK
#     Default: ZSK_PARAM_DEFAULT="-n zone -a RSASHA1 -b 1024"
#   ZSK_PARAM_$zone: dnssec-keygen options for the zone's ZSK
#     Default: ZSK_PARAM
#     Note: these algorithm defaults date from when the tool was written.
#     RSASHA1 is no longer recommended for new signatures (RFC 8624) and a
#     1024-bit RSA ZSK is weak by current standards; set KSK_PARAM and
#     ZSK_PARAM to an algorithm your resolvers and registry accept
#     (for example ECDSAP256SHA256) before generating production keys.
#   SIGN_PARAM: Default dnssec-signzone options
#     Default: SIGN_PARAM_DEFAULT="-N unixtime"
#   SIGN_PARAM_$zone: dnssec-signzone options for the zone
#     Default: SIGN_PARAM
#   DS_PARAM: Default dnssec-dsfromkey options for the zone
#     Default: DS_PARAM_DEFAULT="-2"
#   DS_PARAM_$zone: dnssec-dsfromkey options for the zone
#     Default: DS_PARAM
#   keygen: dnssec-keygen path
#     Default: keygen="/usr/local/sbin/dnssec-keygen"
#   signzone: dnssec-signzone path
#     Default: signzone="/usr/local/sbin/dnssec-signzone"
#   dsfromkey: dnssec-dsfromkey path
#     Default: dsfromkey="/usr/local/sbin/dnssec-dsfromkey"
#   rndc: rndc path
#     Default: rndc="/usr/local/sbin/rndc"
#   CONFIGDIR: directory dnsseczonetool uses for its own state
#     Default: CONFIGDIR="$MASTERDIR/config"
#   KEYDIR: directory where dnsseczonetool puts zone keys
#     Default: KEYDIR="$MASTERDIR/config/keydir"
#   KEYBACKUPDIR: directory where dnsseczonetool puts old keys
#     Default: KEYBACKUPDIR="$MASTERDIR/config/backup"
#   RNDC_OPTION: rndc options, or OFF to skip rndc
#     Default: RNDC_OPTION="-k $MASTERDIR/rndc.key"
#   ZONE_PREPROCESS: zone preprocess command (the zone file is piped through it before signing)
#     Default: cat
#   RELOADALL_COMMAND: command to reload all zones
#     Default: none
#   PRESERVE_REMOVED_KEY: NO|YES
#     Default: YES
#   TWOFACE_$zone: The zone has a second ("two face") zone file for split DNS.
#     The value is the other zone file's name.
#     When signing, both zone files are signed.
#     Default: none
#
#   Caution: in the *_$zone variable names, $zone is the zone name
#   with its '.' and '-' characters replaced by '_'.
#   All zone names must be lowercase.
#
# Usage:
#
# 1. Generate the KSK and ZSK
#    dnsseczonetool keygen zone(s)
#
# 2. Sign the zone using the keys generated in step 1
#    dnsseczonetool sign zone(s)
#
# 3. Add the next ZSK for a ZSK rollover (generate a new ZSK, publish it, and keep signing with the old key)
#    dnsseczonetool add-next-zsk zone(s)
#
# 4. ZSK rollover (retire the current ZSK as an unused previous ZSK
#    and sign with the new ZSK generated in step 3)
#    dnsseczonetool zsk-rollover zone(s)
#
# 4'. ZSK rollover 2 (retire the current ZSK as an unused previous ZSK,
#     promote the stand-by ZSK to current ZSK,
#     generate a new ZSK as the stand-by ZSK,
#     and sign the zone with the new current ZSK)
#     dnsseczonetool zskroll zone(s)
#
# 5. Add the next KSK for a KSK rollover (generate a new KSK and sign with both KSKs)
#    dnsseczonetool add-next-ksk zone(s)
#
# 6. KSK rollover (remove the old KSK and sign with only the new KSK generated in step 5)
#    dnsseczonetool ksk-rollover zone(s)
#    Publish the new KSK's DS record at the parent (step 8 shows the DNSKEY to derive it from)
#    and wait for it to propagate before running this step.
#
# 7. Zone key status
#    dnsseczonetool status zone(s)
#
# 8. Zone key status-dnskey (show the KSK DNSKEY, originally for DLV registration;
#    the ISC DLV registry has since been decommissioned, but this is the same record
#    the parent's DS is derived from)
#    dnsseczonetool status-dnskey zone(s)
#
#
# Using LDNS and NSD instead of the BIND 9 dnssec-* tools
#
# http://www.nlnetlabs.nl/projects/ldns/
# http://www.nlnetlabs.nl/projects/nsd/
#
# ldns-signzone does not support unixtime serial number generation, and
# possibly not some directives ($TTL? $ORIGIN?).
# Replace the serial number field of the SOA RR in your zone file with _SERIAL_.
# The $ZONE_PREPROCESS command (sed) then replaces _SERIAL_ with the unixtime.
# Make sure the resulting serial is higher than the one already published,
# otherwise secondaries will not pick up the newly signed zone.
#
# Suppose LDNS and NSD are installed in /usr/local.
# To use LDNS and NSD with unixtime serial generation,
# add the following entries to your dnsseczonetool.conf file.
#
# keygen="/usr/local/bin/ldns-keygen"
# signzone="/usr/local/bin/ldns-signzone"
# dsfromkey="/usr/local/bin/ldns-key2ds -n"
# RNDC_OPTION="OFF"
# UNIXTIME=`date +%s`
# ZONE_PREPROCESS="sed s/_SERIAL_/$UNIXTIME/"
# RELOADALL_COMMAND="/usr/local/sbin/nsdc rebuild && /usr/local/sbin/nsdc reload"
#
# (nsdc belongs to NSD 3; NSD 4 replaced it with nsd-control, so adjust
# RELOADALL_COMMAND accordingly on current NSD releases.)
#
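The _SERIAL_ substitution above, and dnssec-signzone's -N unixtime, share one failure mode: a zone that still carries a date-style serial such as 2024010101 is already far above today's unixtime (about 1.7e9), so writing the unixtime would move the serial backwards under RFC 1982 serial arithmetic and secondaries would silently keep the old zone. The following script is an added example and is not part of dnsseczonetool; it assumes the zone file uses the _SERIAL_ placeholder and a single-line SOA record, and the sample zone, published serial and function names are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of dnsseczonetool: choose an SOA serial that always
# moves forward when switching a zone to unixtime serials, then apply it with
# the same sed substitution the README uses for ZONE_PREPROCESS.

MOD=4294967296   # 2^32: SOA serials are unsigned 32-bit integers
HALF=2147483648  # 2^31: the RFC 1982 "half the space" bound

# serial_gt NEW OLD
# True (exit 0) if NEW is greater than OLD under RFC 1982 serial-number
# arithmetic, i.e. (NEW - OLD) mod 2^32 lies in (0, 2^31). This is the
# comparison a secondary makes before it will transfer the zone.
serial_gt() {
    d=$(( ($1 - $2 + MOD) % MOD ))
    [ "$d" -gt 0 ] && [ "$d" -lt "$HALF" ]
}

# next_serial CURRENT CANDIDATE
# Prints CANDIDATE (e.g. the unixtime) if it is ahead of the serial already
# published (CURRENT); otherwise prints CURRENT+1 (mod 2^32) so the serial
# never steps backwards. Equal serials also fall back to CURRENT+1.
next_serial() {
    if serial_gt "$2" "$1"; then
        echo "$2"
    else
        echo $(( ($1 + 1) % MOD ))
    fi
}

# soa_serial FILE
# Prints the serial of the first SOA record. Assumes the SOA RR is on one
# line (MNAME RNAME SERIAL follow the SOA type), as in the zone constructed
# below; a multi-line SOA in parentheses would need a real zone parser.
soa_serial() {
    awk '{ for (i = 1; i <= NF; i++) if ($i == "SOA") { print $(i + 3); exit } }' "$1"
}

# preprocess_zone IN OUT SERIAL
# The README's ZONE_PREPROCESS step: substitute the _SERIAL_ placeholder.
preprocess_zone() {
    sed "s/_SERIAL_/$3/" "$1" > "$2"
}

# demo_serial CURRENT CANDIDATE
# End-to-end run on a constructed zone file: pick the serial, preprocess the
# zone, and print the serial that actually landed in the SOA.
demo_serial() {
    tmp=$(mktemp -d) || return 1
    # Constructed sample zone (not from the project) using the _SERIAL_
    # placeholder the README prescribes for the ldns-signzone setup.
    cat > "$tmp/example.com" <<'EOF'
example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. _SERIAL_ 7200 3600 1209600 3600
example.com. 3600 IN NS ns1.example.com.
ns1.example.com. 3600 IN A 192.0.2.1
EOF
    serial=$(next_serial "$1" "$2")
    preprocess_zone "$tmp/example.com" "$tmp/example.com.pre" "$serial"
    soa_serial "$tmp/example.com.pre"
    rm -rf "$tmp"
}

# Usage: ./serial_check.sh PUBLISHED_SERIAL "$(date +%s)"
# where PUBLISHED_SERIAL is what `dig +short SOA example.com` shows today.
if [ "$#" -eq 2 ]; then
    demo_serial "$1" "$2"
fi
```

Run it once with the serial your secondaries currently hold before the first unixtime signing: if it prints CURRENT+1 instead of the unixtime, the zone's old serial is ahead of the clock and you must either keep incrementing from it or, after all secondaries have expired the zone, deliberately wrap the serial as RFC 1982 allows. The same check applies to BIND's -N unixtime, which also just writes the clock value.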