add.sh

#!/bin/sh

set -e

policy=default

while getopts "p:" _opt; do
	case "$_opt" in
		p) policy="$OPTARG" ;;
	esac
done
shift $((OPTIND - 1))

if [ $# -eq 0 ]
then
	echo "$0 [-p policy] some/file [some/file...]"
	exit 1
fi

unsigned=$(make -V UNSIGNED)

for i in "$@"
do
	zone=$(basename "$i")
	cp -f "$i" "$i.signed"
	make "$unsigned$zone"
	ods-ksmutil zone add --zone "$zone" --policy "$policy" --output "/etc/namedb/$i.signed"
done

ods-ksmutil key generate --policy "$policy" --interval PT0H -A
make unsigned

check-expire

#!/bin/sh

cd /etc/namedb/

(
	if [ "a$1" = "aaxfr" ]
	then
		for i in `/usr/bin/make -VSIGNED:R:T | random -w 10`
		do
			if [ -z "$2" ]
			then
				dig +noall +answer axfr @127.0.0.1 $i
			else
				dig +noall +answer axfr @$2 $i
			fi
		done
	else
		cat `/usr/bin/make -VSIGNED`
	fi
) | /usr/bin/awk -f check-expire.awk

check-expire.awk

#!/usr/bin/awk

BEGIN {
	# States nagios
	STATE_OK=0
	STATE_WARNING=1
	STATE_CRITICAL=2

	# refresh = 3 days
	# resign  = 12 hours
	# -> 2d10h avec une petite marge pour parer aux lags du signer en cas de grosse
	#          resign partie, mais pas trop pour bien voir quand ça chie quand
	#          même.
	"/usr/bin/make -C /etc/namedb -VEXPIRY" | getline expiry
	"/usr/local/bin/gdate -u -d '" expiry " - 1 hour' +'%Y%m%d%H%M%S'" | getline date_warn
	"/usr/local/bin/gdate -u -d '" expiry " - 1 day' +'%Y%m%d%H%M%S'" | getline date_crit
	"/usr/local/bin/gdate -u -d '5 minutes ago' +'%Y%m%d%H%M%S'" | getline now

  	# expiration
	expir = 0
	expir_count = 0
	expir_ok = 0
	# inception
	incep = 0
	incep_count = 0
	incep_ok = 0
	# count
	sig_count = 0
	# warn ou crit
	crit = 0
	zones = 0
}
$4 == "SOA" { # store the zone in case of error
	zone=$1
	zones = zones + 1
}
$4 == "RRSIG" {
	sig_count = sig_count + 1
	# for OK result
	if ($9 < expir_ok || expir_ok == 0) { # store the first to expire
		expir_ok = $9
		expir_enr = $1
	}
	if ($10 > incep_ok) { # store the last to have been created
		incep_ok = $10
		incep_enr = $1
	}
	# those are errors :
	# if the inception is after *now* it's a very very bad thing
	if ($10 > now) {
		if ($10 > incep) {
			error = "zone " zone " has record " $1 " with inception in the future at " $9
			incep = $10
		}
		incep_count = incep_count + 1
	}
	# if the expiration date is before the allowed one, and there is no inception error, store that error message
	if ($9 < date_warn && incep_count == 0) {
		if ($9 < expir || expir == 0) {
			error = "zone " zone " has record " $1 " expiring at " $9 ", less than " expiry
			expir = $9
			if ($9 < date_crit) {
				crit = 1
			}
		}
		expir_count = expir_count + 1
	}
}
function datetostr(diff) {
	ret = ""
	go = 0
	if (int(diff/86400) > 0) {
		go = 1
		ret = sprintf("%dd", int(diff/86400))
	}
	if (go == 1 || int(diff%86400/3600) > 0) {
		go = 1
		ret = sprintf("%s%02dh", ret, int(diff%86400/3600))
	}
	if (go == 1 || int(diff%3600/60) > 0) {
		ret = sprintf("%s%02dm", ret, int(diff%3600/60))
	}
	ret = sprintf("%s%02ds", ret, int(diff%60))
	return ret
}
END {
	"/usr/local/bin/gdate -u +%s" | getline now_ts
	if (expir_count == 0 && incep_count == 0) {
		# get unix timestampts for the first expiration and last inception
		"/usr/local/bin/gdate -u -d '" substr(expir_ok, 1, 4) "-" substr(expir_ok, 5, 2) "-" substr(expir_ok, 7, 2) " " substr(expir_ok, 9, 2) ":" substr(expir_ok, 11, 2) ":" substr(expir_ok, 13, 2) "' +%s" | getline expir_ts
		"/usr/local/bin/gdate -u -d '" substr(incep_ok, 1, 4) "-" substr(incep_ok, 5, 2) "-" substr(incep_ok, 7, 2) " " substr(incep_ok, 9, 2) ":" substr(incep_ok, 11, 2) ":" substr(incep_ok, 13, 2) "' +%s" | getline incep_ts

		# and print all good :-)
		print sig_count " signatures are OK in " zones " zones (first expiry : "expir_enr" at "expir_ok" in "datetostr(expir_ts - now_ts)") (last inception : "incep_enr" at "incep_ok", "datetostr(now_ts - incep_ts)" ago)"
		exit STATE_OK
	} else {
		# if there's inceptions errors, show the right count
		if (incep_count > 0) {
			"/usr/local/bin/gdate -u -d '" substr(incep, 1, 4) "-" substr(incep, 5, 2) "-" substr(incep, 7, 2) " " substr(incep, 9, 2) ":" substr(incep, 11, 2) ":" substr(incep, 13, 2) "' +%s" | getline incep_ts
			incep_diff = now_ts - incep_ts
			incep_str = int(incep_diff/86400) "d" int(incep_diff%86400/3600) "h" int(incep_diff%3600/60) "m" int(incep_diff%60) "s"
			print error ", " incep_str " ago"
			if (incep_count > 1) {
				print " (" (incep_count-1) " other)"
			}
		} else {
			"/usr/local/bin/gdate -u -d '" substr(expir, 1, 4) "-" substr(expir, 5, 2) "-" substr(expir, 7, 2) " " substr(expir, 9, 2) ":" substr(expir, 11, 2) ":" substr(expir, 13, 2) "' +%s" | getline expir_ts
			print error ", in " datetostr(expir_ts - now_ts)
			if (expir_count > 1) {
				print " (" (expir_count-1) " other)"
			}
		}
		if (crit == 0) {
			exit STATE_WARNING
		} else {
			exit STATE_CRITICAL
		}
	}
}

check-soa.sh

#!/bin/sh

set -e

nssearch=$(dig +nssearch "$1" | awk '$1 == "SOA" {print $4}'| sort -u)

if [ -z "$nssearch" ] || ! echo "$nssearch" | wc -w | grep -q 1
then
	# Si c'est vide, ou si y'a plus d'un mot, c'est mal
	exit 1
else
	if [ -n "$2" ]
	then
		# Si y'a un fichier, on teste
		file=$(awk '$4 == "SOA" {print $7}' "$2")
		if ! (echo "$nssearch"; echo "$file") | sort -u | wc -w | grep -q 1
		then
			# plus d'un, toujours mal
			exit 1
		fi
	fi
fi

exit 0

del.sh

#!/bin/sh

# Supprime une zone

for d in "$@"
do
	# La virer de la base sql
	echo "delete from domains where domain like '$d';"|mysql -u dns -pmaitreesclave -h localhost dns

	# La virer du disque
	zone=$(make "-VSIGNED:R:M*/$d")
	if [ -n "$zone" ]
	then
		rm -v "$zone.signed"
		[ -L "$zone" ] && rm -v "$zone"
	fi

	# Au cas où la zone existe toujours mais sur d'autre NS, virer nos clefs DNSSEC
	cd /root/dnssec
	file=$(mktemp)
	ods-ksmutil key export -t KSK -z "$d" > "$file"
	for script in afnic.rb gandi.rb smallregistry.rb ripe.rb
	do
		ruby "$script" "retire" < "$file"
	done
	rm -f "$file"
	cd -

	# Et enfin, la virer d'OpenDNSSEC.
	ods-ksmutil zone delete -z "$d"
done

Makefile

# $Abso: Makefile,v 55f370ca4feb 2013/08/27 12:21:04 hg $

all: commit unsigned sign

SIGNED!= find -s * -name '*.signed'

sign: ${SIGNED}

COMMIT?=Update
UNSIGNED=/usr/local/var/opendnssec/unsigned/

unsigned: ${SIGNED:T:R:S/^/${UNSIGNED}/}
signed2: ${SIGNED:R:S/$/.signed2/}
check: ${SIGNED:R:S/$/.check/}
check-soa: check-serial

.for i in ${SIGNED:R}
clean::
	-@rm -f $i.unsigned $i.signed2
$i.unsigned: $i
	/usr/local/sbin/named-compilezone -o $@ -s relative ${i:T:S/_/\//} $>
${UNSIGNED}${i:T}: $i
	/usr/local/sbin/named-compilezone -o $@ ${i:T:S/_/\//} $>
$i.signed: ${UNSIGNED}${i:T}
	/usr/local/sbin/ods-signer sign ${i:T:S/_/\//}
$i.signed2: $i.signed
	/usr/local/sbin/named-compilezone -o $@ -s relative ${i:T:S/_/\//} $>
$i.check::
	-@/usr/local/sbin/named-checkzone ${i:T} ${i:S/_/\//}
	-@/usr/local/sbin/named-checkzone ${i:T} ${i:S/_/\//}.signed
check-serial: check-serial-${i:T}
check-serial-${i:T}::
	-@(./check-soa.sh ${i:T:S/_/\//} ${i}.signed || (echo $i; grep "IN	SOA" ${i}.signed; dig +nssearch ${i:T:S/_/\//}))
check-serial-notify: check-serial-notify-${i:T}
check-serial-notify-${i:T}::
	-@(./check-soa.sh ${i:T:S/_/\//} ${i}.signed || (echo $i; grep "IN	SOA" ${i}.signed; dig +nssearch ${i:T:S/_/\//}; /usr/local/sbin/rndc notify ${i:T:S/_/\//}))
notify:: notify-${i:T}
notify-${i:T}::
	@/usr/local/sbin/rndc notify ${i:T:S/_/\//}
valid-all: valid-${i:T}
valid: valid-${i:T}
valid-${i:T}::
	-@/usr/local/bin/validns -p all -z ${i:T} ${i}.signed
valid-resign: valid-resign-${i:T}
valid-resign-${i:T}::
	-@/usr/local/bin/validns -p all -z ${i:T} ${i}.signed || /usr/local/sbin/ods-signer sign ${i:T:S/_/\//}
.for n in 1 2 3 4
valid-all: valid-ns${n}-${i:T}
valid-ns${n}: valid-ns${n}-${i:T}
valid-ns${n}-${i:T}::
	-@/usr/local/bin/dig +noall +answer axfr @ns$n.absolight.net ${i:T} | /usr/local/bin/validns -p all -z ${i:T}  -
.endfor
regen-serial: regen-serial-${i:T}
regen-serial-${i:T}::
	@(./check-soa.sh ${i:T:S/_/\//} ${i}.signed || \
		( echo $i; \
			ods-signer sign ${i:T:S/_/\//} --serial `date +%Y%m%d``date +'%H*4+%M/15'|bc -q|xargs printf %02d`; \
		) \
	)
.endfor

# Resigne tout, et force un serial = anne-mois-jour-heure*4+minutes/15
# (histoire d'avoir un serial qui s'incremente toutes les 15mn et pas juste
#  toutes les heures)
resign::
	@export LANG=C; \
	zones="${SIGNED:T:R}"; \
	count=`echo $$zones | wc -w`; \
	time=`mysql -u opendnssec -pIvGhipovVu opendnssec -e "select value from parameters_policies where parameter_id = 1 and policy_id = 1;"|tail -1`; \
	sleep=`echo $$count | awk '{print int(10*'$$time'/$$1)/10}'`; \
	c=0; \
	for i in $$(echo $$zones | /usr/bin/random -w); \
	do \
		c=$$((c+1)); \
		printf "%5i / %5i = %s\\n" $$c $$count "$$i"; \
		/usr/local/sbin/ods-signer sign $$i --serial `date +%Y%m%d``date +'%H*4+%M/15'|bc -q|xargs printf %02d`; \
		sleep $$sleep; \
	done

commit::
	-@/usr/bin/env [email protected] /usr/local/bin/hg commit -A -m "${COMMIT}"

# refresh = 4 days
# resign  = 24 hours
# -> 2d12h avec une petite marge pour parer aux lags du signer en cas de grosse
#          resign partie, mais pas trop pour bien voir quand ça chie quand
#          même.
EXPIRY?=2 days 12 hours
check-expire: check-expire-local
check-expire-local::
	-@./check-expire
.for i in 1 2 3 4
check-expire: check-expire-axfr-${i}
check-expire-axfr-${i}::
	-@./check-expire axfr ns${i}.absolight.net
.endfor