kaworu · April 19, 2020 14:28
diff --git a/DNSSEC.sh b/DNSSEC.sh
 #!/bin/sh

 set -e

 ACTION="$1"
 DOMAIN="$2"
 ZONE="`dirname "$0"`/master/${DOMAIN}.db"
 ZSKDIR="`dirname "$0"`/keys/ZSK"
 KSKDIR="`dirname "$0"`/keys/KSK"
 KEYGENALGORITHM=RSASHA256 # see `/usr/local/bin/ldns-keygen -a list'
 EXPIRE=365 # days before a signed zone expire, usually 3 months (90 days)

 # show usage and exit.
 usage() {
    echo "Usage: $0 [zsk|ksk|sign] myzone" > /dev/stderr
    exit 1
 }

 [ $# -eq 2 ] || usage

 case "$ACTION" in
    ksk) # generate a KSK key
        echo "[$DOMAIN] Generating Key Signing Key (KSK)"
        # create the required KSK directories if needed
        test -d "${KSKDIR}/old" || /bin/mkdir -p "${KSKDIR}/old"
        (
            cd "$KSKDIR"
            # save the previous KSK for this domain into .old
            for f in "K${DOMAIN}."*; do
                test -f "$f" && /bin/mv "$f" ./old
            done
            # generate a new KSK key for this domain.
            key=`/usr/local/bin/ldns-keygen -a "$KEYGENALGORITHM" -b 2048 -k "$DOMAIN"`
            /bin/ln -sf "${key}.ds"      "${DOMAIN}.ds"
            /bin/ln -sf "${key}.key"     "${DOMAIN}.key"
            /bin/ln -sf "${key}.private" "${DOMAIN}.private"
            echo "[$DOMAIN] new KSK key: $key"
        )
    ;;
    zsk) # generate a ZSK key
        echo "[$DOMAIN] Generating Zone Signing Key (ZSK)"
        # create the required ZSK directories if needed
        test -d "${ZSKDIR}/old" || /bin/mkdir -p "${ZSKDIR}/old"
        (
            cd "$ZSKDIR"
            # save the previous ZSK for this domain into .old
            for f in "K${DOMAIN}."*; do
                test -f "$f" && /bin/mv "$f" ./old
            done
            # generate a new ZSK key for this domain.
            key=`/usr/local/bin/ldns-keygen -a "$KEYGENALGORITHM" -b 1024 "$DOMAIN"`
            /bin/ln -sf "${key}.ds"      "${DOMAIN}.ds"
            /bin/ln -sf "${key}.key"     "${DOMAIN}.key"
            /bin/ln -sf "${key}.private" "${DOMAIN}.private"
            echo "[$DOMAIN] new ZSK key: $key"
        )
    ;;
    sign) # Sign a zone
        KSK="${KSKDIR}/${DOMAIN}"
        ZSK="${ZSKDIR}/${DOMAIN}"
        if   [ ! -f "${KSK}.private" ] || [ ! -f "${KSK}.key" ]; then
            echo "[$DOMAIN] KSK key not found." > /dev/stderr
            exit 1
        elif [ ! -f "${ZSK}.private" ] || [ ! -f "${ZSK}.key" ]; then
            echo "[$DOMAIN] ZSK key not found." > /dev/stderr
            exit 1
        fi
        # set expiration
        expire=$(($(/bin/date "+%s") + 60 * 60 * 24 * $EXPIRE))
        echo -n "[$DOMAIN] Signing zone $ZONE ("
        echo -n "KSK=`/usr/bin/readlink "${KSK}.private" | /usr/bin/sed -e 's/\.private$//'`, "
        echo    "ZSK=`/usr/bin/readlink "${ZSK}.private" | /usr/bin/sed -e 's/\.private$//'`)"
        /usr/local/bin/ldns-signzone -e "$expire" "$ZONE" "$KSK" "$ZSK"
        echo "[$DOMAIN] done."
    ;;
    *)
        usage
    ;;
 esac
	#!/bin/sh

	set -e

	ACTION="$1"
	DOMAIN="$2"
	ZONE="`dirname "$0"`/master/${DOMAIN}.db"
	ZSKDIR="`dirname "$0"`/keys/ZSK"
	KSKDIR="`dirname "$0"`/keys/KSK"
	KEYGENALGORITHM=RSASHA256 # see `/usr/local/bin/ldns-keygen -a list'
	EXPIRE=365 # days before a signed zone expire, usually 3 months (90 days)

	# show usage and exit.
	usage() {
	echo "Usage: $0 [zsk\|ksk\|sign] myzone" > /dev/stderr
	exit 1
	}

	[ $# -eq 2 ] \|\| usage

	case "$ACTION" in
	ksk) # generate a KSK key
	echo "[$DOMAIN] Generating Key Signing Key (KSK)"
	# create the required KSK directories if needed
	test -d "${KSKDIR}/old" \|\| /bin/mkdir -p "${KSKDIR}/old"
	(
	cd "$KSKDIR"
	# save the previous KSK for this domain into .old
	for f in "K${DOMAIN}."*; do
	test -f "$f" && /bin/mv "$f" ./old
	done
	# generate a new KSK key for this domain.
	key=`/usr/local/bin/ldns-keygen -a "$KEYGENALGORITHM" -b 2048 -k "$DOMAIN"`
	/bin/ln -sf "${key}.ds" "${DOMAIN}.ds"
	/bin/ln -sf "${key}.key" "${DOMAIN}.key"
	/bin/ln -sf "${key}.private" "${DOMAIN}.private"
	echo "[$DOMAIN] new KSK key: $key"
	)
	;;
	zsk) # generate a ZSK key
	echo "[$DOMAIN] Generating Zone Signing Key (ZSK)"
	# create the required ZSK directories if needed
	test -d "${ZSKDIR}/old" \|\| /bin/mkdir -p "${ZSKDIR}/old"
	(
	cd "$ZSKDIR"
	# save the previous ZSK for this domain into .old
	for f in "K${DOMAIN}."*; do
	test -f "$f" && /bin/mv "$f" ./old
	done
	# generate a new ZSK key for this domain.
	key=`/usr/local/bin/ldns-keygen -a "$KEYGENALGORITHM" -b 1024 "$DOMAIN"`
	/bin/ln -sf "${key}.ds" "${DOMAIN}.ds"
	/bin/ln -sf "${key}.key" "${DOMAIN}.key"
	/bin/ln -sf "${key}.private" "${DOMAIN}.private"
	echo "[$DOMAIN] new ZSK key: $key"
	)
	;;
	sign) # Sign a zone
	KSK="${KSKDIR}/${DOMAIN}"
	ZSK="${ZSKDIR}/${DOMAIN}"
	if [ ! -f "${KSK}.private" ] \|\| [ ! -f "${KSK}.key" ]; then
	echo "[$DOMAIN] KSK key not found." > /dev/stderr
	exit 1
	elif [ ! -f "${ZSK}.private" ] \|\| [ ! -f "${ZSK}.key" ]; then
	echo "[$DOMAIN] ZSK key not found." > /dev/stderr
	exit 1
	fi
	# set expiration
	expire=$(($(/bin/date "+%s") + 60 * 60 * 24 * $EXPIRE))
	echo -n "[$DOMAIN] Signing zone $ZONE ("
	echo -n "KSK=`/usr/bin/readlink "${KSK}.private" \| /usr/bin/sed -e 's/\.private$//'`, "
	echo "ZSK=`/usr/bin/readlink "${ZSK}.private" \| /usr/bin/sed -e 's/\.private$//'`)"
	/usr/local/bin/ldns-signzone -e "$expire" "$ZONE" "$KSK" "$ZSK"
	echo "[$DOMAIN] done."
	;;
	*)
	usage
	;;
	esac