DNSSEC zone signing helper shell script

README

# dnsseczonetool : Simple DNSSEC key management and zone signing tool
#
# https://github.com/kfujiwara/dnsseczonetool
#
# Installation and Configuration:
#
#   1. Copy dnsseczonetool into some directory.
#        Example: copy it to /etc/namedb/master.
#
#   2. Create dnsseczonetool.conf in the same directory as dnsseczonetool
#      if you want to change the default values.
#        Example: touch /etc/namedb/master/dnsseczonetool.conf
#
#   3. Prepare traditional zone files. The file name must be equal to the zone name.
#        Example: /etc/namedb/master/example.com
#
#   4. Generate first key.
#        Example: /etc/namedb/master/dnsseczonetool keygen example.com
#
#   5. Sign zone
#        Example: /etc/namedb/master/dnsseczonetool sign example.com
#
#   6. Edit named.conf/nsd.conf to load signed zone file
#        Example: zone "example.com" {
#                        type master;
#                        file "/etc/namedb/master/example.com.signed";
#                 }
#
#   7. Periodic zone signing: Add one entry to your crontab
#        Example: "0 7 * * * /etc/namedb/dnsseczonetool sign example.com"
#
#   dnsseczonetool.conf:
#     FATAL_MAIL: Send an email to $FATAL_MAIL when a fatal error occurs.
#     MASTERDIR: Zone file directory
#                Default: MASTERDIR="/etc/namedb/master"
#     KSK_PARAM: Default dnssec-keygen's options for KSK
#                Default: KSK_PARAM_DEFAULT="-n zone -a RSASHA1 -b 2048 -f ksk"
#     KSK_PARAM_$zone: dnssec-keygen's options for zone's KSK
#                Default: KSK_PARAM
#     ZSK_PARAM: Default dnssec-keygen's options for ZSK
#                Default: ZSK_PARAM_DEFAULT="-n zone -a RSASHA1 -b 1024"
#     ZSK_PARAM_$zone: dnssec-keygen's options for zone's ZSK
#                Default: ZSK_PARAM
#                Note: the defaults above use RSASHA1 and a 1024-bit ZSK, which
#                are no longer recommended for signing (see RFC 8624); set
#                KSK_PARAM/ZSK_PARAM to a current algorithm such as RSASHA256
#                or ECDSAP256SHA256 when deploying new zones.
#     SIGN_PARAM: Default dnssec-signzone options
#                Default: SIGN_PARAM_DEFAULT="-N unixtime"
#     SIGN_PARAM_$zone: dnssec-signzone options for zone
#                Default: SIGN_PARAM
#     DS_PARAM:  Default dsfromkey options for zone
#                Default: "-2"
#     DS_PARAM_$zone: dsfromkey options for zone
#                Default: DS_PARAM
#     keygen:    dnssec-keygen path
#                Default: keygen="/usr/local/sbin/dnssec-keygen"
#     signzone:  dnssec-signzone path
#                Default: signzone="/usr/local/sbin/dnssec-signzone"
#     dsfromkey: dnssec-dsfromkey path
#                Default: dsfromkey="/usr/local/sbin/dnssec-dsfromkey"
#     rndc:      rndc path
#                Default: rndc="/usr/local/sbin/rndc"
#     CONFIGDIR: directory that dnsseczonetool uses.
#                Default: CONFIGDIR="$MASTERDIR/config"
#     KEYDIR:    directory where dnsseczonetool puts zone keys.
#                Default: KEYDIR="$MASTERDIR/config/keydir"
#     KEYBACKUPDIR: directory where dnsseczonetool puts old keys.
#                Default: KEYBACKUPDIR="$MASTERDIR/config/backup"
#     RNDC_OPTION: rndc options or OFF
#                Default: RNDC_OPTION="-k $MASTERDIR/rndc.key"
#     ZONE_PREPROCESS: zone file preprocessing command
#                Default: cat
#     RELOADALL_COMMAND:  command to reload all zones
#                Default: none
#     PRESERVE_REMOVED_KEY: NO|YES
#                Default: YES
#     TWOFACE_$zone: The zone has two zone files (split DNS).
#                  The value is the name of the other zone file.
#                  When signing, both zone files are signed.
#                Default: none
#
#     caution: $zone is the zone name
#              with its '.' and '-' characters replaced by '_'.
#              All zone names must be lowercase.
#
# Usage:
#        
#   1. Generate KSK and ZSK
#       dnsseczonetool keygen zone(s)
#
#   2. Sign zone using keys generated in step 1
#       dnsseczonetool sign zone(s)
#
#   3. Add next ZSK for ZSK rollover (generate new ZSK and sign with old key)
#       dnsseczonetool add-next-zsk zone(s)
#
#   4. ZSK Rollover (Retire the current ZSK as the unused previous ZSK,
#                    and sign with the new ZSK generated in step 3)
#       dnsseczonetool zsk-rollover zone(s)
#
#   4'. ZSK Rollover 2 (Retire the current ZSK as the unused previous ZSK,
#                       promote the stand-by ZSK to current ZSK,
#                       generate a new ZSK as the stand-by ZSK,
#                       and sign the zone with the new ZSK.)
#       dnsseczonetool zskroll zone(s)
#
#   5. Add next KSK for KSK rollover (generate new KSK and sign with both keys)
#       dnsseczonetool add-next-ksk zone(s)
#
#   6. KSK Rollover (Remove the old KSK and sign with the new KSK generated in step 5)
#       dnsseczonetool ksk-rollover zone(s)
#
#   7. Zone key status
#       dnsseczonetool status zone(s)
#
#   8. Zone key status-dnskey (Show KSK DNSKEY for DLV registration)
#       dnsseczonetool status-dnskey zone(s)
#
#
# Using LDNS and NSD instead of BIND 9 dnssec-* tools
#
#  http://www.nlnetlabs.nl/projects/ldns/
#  http://www.nlnetlabs.nl/projects/nsd/
#
#  ldns-signzone does not support unixtime serial number generation and some
#  zone-file directives (possibly $TTL and $ORIGIN).
#  Replace the serial number field of the SOA RR in your zone file with _SERIAL_.
#  The $ZONE_PREPROCESS command (=sed) will then replace _SERIAL_ with the unixtime.
#
#  Suppose LDNS and NSD are installed in /usr/local.
#  To use LDNS and NSD with unixtime serial generation,
#  add the following entries to your dnsseczonetool.conf file.
#
#  keygen="/usr/local/bin/ldns-keygen"
#  signzone="/usr/local/bin/ldns-signzone"
#  dsfromkey="/usr/local/bin/ldns-key2ds -n"
#  RNDC_OPTION="OFF"
#  UNIXTIME=`date +%s`
#  ZONE_PREPROCESS="sed s/_SERIAL_/$UNIXTIME/"
#  RELOADALL_COMMAND="/usr/local/sbin/nsdc rebuild && /usr/local/sbin/nsdc reload"
#