From fbe021c4ba36bf2e89b9e2f114d74fcca6c542e8 Mon Sep 17 00:00:00 2001
From: Fabio Rauber
Date: Mon, 17 Oct 2016 11:28:49 -0200
Subject: [PATCH] Added script to periodically enable DNSSEC for all zones, if SECALLZONES_CRONJOB is set to yes
---
 pdns/Dockerfile | 9 +++++++--
 pdns/fixdsrrs.sh | 47 +++++++++++++++++++++++++++++++++++++++++++++
 pdns/secallzones.sh | 24 +++++++++++++++++++++++
 pdns/start.sh | 12 ++++++++++++
 4 files changed, 90 insertions(+), 2 deletions(-)
 create mode 100755 pdns/fixdsrrs.sh
 create mode 100755 pdns/secallzones.sh
diff --git a/pdns/Dockerfile b/pdns/Dockerfile
index 0a82da8..27a8b26 100644
--- a/pdns/Dockerfile
+++ b/pdns/Dockerfile
@@ -8,7 +8,8 @@ ENV PDNSCONF_LAUNCH="gmysql" \
 PDNSCONF_GMYSQL_PASSWORD='' \
 PDNSCONF_INCLUDE_DIR="/etc/powerdns/pdns.d" \
 PDNSCONF_GMYSQL_DNSSEC="yes" \
- PDNSCONF_API_KEY=""
+ PDNSCONF_API_KEY="" \
+ SECALLZONES_CRONJOB="no"
 ADD pdns.list /etc/apt/sources.list.d/pdns.list
 ADD pdns.preference /etc/apt/preferences.d/pdns
@@ -18,11 +19,15 @@ RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -q -y curl
 RUN DEBIAN_FRONTEND=noninteractive apt-get install -q -y pdns-server pdns-backend-mysql mysql-client && \
 rm /etc/powerdns/pdns.d/*.conf && rm /etc/powerdns/*.conf && \
+ DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends cron jq && \
+ rm /etc/cron.daily/* && \
 apt-get clean && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
 EXPOSE 53/udp 53/tcp
 ADD start.sh /usr/local/bin/start.sh
-RUN chmod a+x /usr/local/bin/start.sh
+ADD fixdsrrs.sh /usr/local/bin/fixdsrrs.sh
+ADD secallzones.sh /usr/local/bin/secallzones.sh
+RUN chmod a+x /usr/local/bin/*.sh
 CMD ["/usr/local/bin/start.sh"]
diff --git a/pdns/fixdsrrs.sh b/pdns/fixdsrrs.sh
new file mode 100755
index 0000000..f4e5e41
--- /dev/null
+++ b/pdns/fixdsrrs.sh
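Review bot: The new `SECALLZONES_CRONJOB="no"` line in the first hunk introduces a switch whose prerequisites are nowhere documented: when set to yes, start.sh starts cron and secallzones.sh, which calls fixdsrrs.sh, and that script talks to the HTTP API at `http://localhost:8081` using `PDNSCONF_API_KEY`, so the flag only does anything useful when the API is enabled and the key is non-empty. A comment next to the ENV line such as `# SECALLZONES_CRONJOB=yes starts cron + secallzones.sh; needs the HTTP API and a non-empty PDNSCONF_API_KEY` would spare the next reader from learning this from cron.log. In the second hunk the new `apt-get install` line drops the `-q` that the neighbouring install lines use; keeping the options consistent makes the build log easier to read.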
@@ -0,0 +1,47 @@
+#!/bin/bash
+
+APISERVER="http://localhost:8081"
+
+INVALIDARG=0
+while getopts "d:" opt; do
+ case "$opt" in
+ d) ZONES="$OPTARG."
+ ;;
+ *) INVALIDARG=1
+ ;;
+ esac
+done
+
+if [ $INVALIDARG == 1 ]; then
+ echo "EXITING: Invalid argument!"
+ exit 1
+fi
+
+
+if [ -z "$ZONES" ]; then
+ ZONES=`curl -s -X GET -H "X-API-Key: $PDNSCONF_API_KEY" $APISERVER/api/v1/servers/localhost/zones | jq -c '.[] | .id' | sed -e 's/"//g'`
+fi
+
+while read -r d; do
+ IFS='. ' read -r -a dcs <<< "$d"
+ NODCS="${#dcs[@]}"
+ if [ $NODCS -gt 3 ]; then
+ # $d is not a top domain
+ TOPDOM="${dcs[-3]}.${dcs[-2]}.${dcs[-1]}."
+ # get current DNS for $d
+ CURRDSRAW=`curl -s -f -X GET --data '{"rrsets": [ { "name": "'"$TOPDOM"'." } ] }' -H "X-API-Key: $
+PDNSCONF_API_KEY" $APISERVER/api/v1/servers/localhost/zones/$TOPDOM`
+ if [ $? -ne 0 ]; then
+ echo "Domain $TOPDOM does not exist in this server. Skipping $d.."
+ continue
+ fi
+ CURRDS=`echo $CURRDSRAW | jq -c '[ .rrsets[] | select( .type == "DS" ) | select ( .name == "'$d'"
+) ][0]["records"][0]["content"]'`
+ # get DS that should have been configured
+ CORRDS=`curl -s -X GET -H "X-API-Key: $PDNSCONF_API_KEY" $APISERVER/api/v1/servers/localhost/zones/$d/cryptokeys | jq -c '.[] | select( .keytype == "csk") ["ds"][0] '`
+ if [ "$CURRDS" != "$CORRDS" ]; then
+ echo -n "INFO: Fixing $d DS records..."
+ curl -s -X PATCH --data '{"rrsets": [ {"name": "'$d'", "type": "DS", "changetype": "REPLACE", "ttl": "86400", "records": [ {"content": '"$CORRDS"', "disabled": false, "name": "'$d'", "ttl": 86400, "type": "DS", "priority": 0 } ] } ] }' -H "X-API-Key: $PDNSCONF_API_KEY" $APISERVER/api/v1/servers/localhost/zones/$TOPDOM | jq . && echo " OK."
+ fi
+ fi
+done <<< "$ZONES"
diff --git a/pdns/secallzones.sh b/pdns/secallzones.sh
new file mode 100755
index 0000000..0cb4efa
--- /dev/null
+++ b/pdns/secallzones.sh
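Review bot: The `X-API-Key` header of the CURRDSRAW request is broken across two lines (`-H "X-API-Key: $` followed by `PDNSCONF_API_KEY" $APISERVER/...`), and the hunk's declared 47 added lines only add up if that break is really in the file; inside double quotes bash keeps a `$` that starts no expansion and the newline literally, so the header never carries the key, the `-f` request fails on the authentication error, and every subdomain is logged as `Domain $TOPDOM does not exist in this server` and skipped. Joining it back to a single `-H "X-API-Key: $PDNSCONF_API_KEY"` fixes that (the similar break inside the CURRDS jq filter is harmless because jq tolerates newlines, but it is worth joining for the same reason). The `NODCS -gt 3` test with `${dcs[-3]}.${dcs[-2]}.${dcs[-1]}.` only ever handles zones of four or more labels and assumes the parent is the last three, so a `sub.example.com` delegated from `example.com` is never fixed; add `# assumes parent zones are exactly three labels (e.g. example.com.br); shorter zones are skipped` above it, or resolve the parent through the API rather than by label count. Zone names from the API and from `-d` are also spliced unquoted into the jq filter and the PATCH body, and `CORRDS` is empty for a zone that has no `csk` key, which produces an invalid `"content": ,` in that body — a `[ -n "$CORRDS" ]` guard before the PATCH avoids sending it.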
@@ -0,0 +1,24 @@
+#!/bin/bash
+
+echo "[`date +"%T"`] Secallzones starting... "
+ZONES=`pdnsutil list-all-zones | grep -v "All zonecount"`
+while read -r d; do
+ pdnsutil show-zone $d | grep presigned >/dev/null 2>&1
+ if [ $? -eq 0 ] ; then
+ echo "Securing $d..."
+ pdnsutil unset-presigned $d
+ pdnsutil secure-zone $d
+ pdnsutil rectify-zone $d
+ fixdsrrs.sh -d $d
+ else
+ pdnsutil show-zone $d | grep "not actively secured" >/dev/null 2>&1
+ if [ $? -eq 0 ] ; then
+ echo "Securing $d..."
+ pdnsutil secure-zone $d
+ pdnsutil rectify-zone $d
+ fixdsrrs.sh -d $d
+ fi
+ fi
+
+done <<< "$ZONES"
+echo "[`date +"%T"`] Secallzones finished."
diff --git a/pdns/start.sh b/pdns/start.sh
index 351163a..b6c6bbd 100644
--- a/pdns/start.sh
+++ b/pdns/start.sh
@@ -58,6 +58,18 @@ mysqlcheck() {
 mysqlcheck
+if [ "$SECALLZONES_CRONJOB" == "yes" ]; then
+ cat > /etc/crontab < /var/log/cron.log 2>&1
+EOF
+ ln -sf /proc/1/fd/1 /var/log/cron.log
+ cron -f &
+fi
+
 # Start PowerDNS
 # same as /etc/init.d/pdns monitor
 echo "Starting PowerDNS..."
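Review bot: For a zone reported as presigned, `pdnsutil unset-presigned $d` followed by `secure-zone` replaces signatures and DNSKEYs that came from elsewhere (presigned zones are typically received already signed from a primary) with locally generated keys, and `fixdsrrs.sh` can only repair the DS for parents hosted on this same server, so for any other parent the published DS stops matching and the zone fails validation until someone fixes it by hand; that branch deserves an opt-in flag or at least a loud line such as `echo "WARNING: $d was presigned; re-signing with local keys, parent DS must be updated" >&2`. Every `pdnsutil` step runs unchecked, so a failed `secure-zone` is still followed by `rectify-zone` and `fixdsrrs.sh`; `pdnsutil secure-zone "$d" || { echo "secure-zone failed for $d" >&2; continue; }` stops that, and quoting `"$d"` throughout avoids word splitting on whatever `list-all-zones` prints. `fixdsrrs.sh -d $d` is invoked by bare name, which depends on /usr/local/bin being in PATH; cron's default environment may not provide that, so `/usr/local/bin/fixdsrrs.sh` is the safer spelling. `show-zone` is also run twice per zone; capturing its output once and grepping the variable halves the work on large installs.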
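Review bot: The crontab body between `cat > /etc/crontab <` and `/var/log/cron.log 2>&1` is not visible on this page (it was lost in rendering), so the schedule and any environment it sets cannot be checked here; what can be said from the visible lines is that cron starts jobs with a minimal environment, so `PDNSCONF_API_KEY`, which fixdsrrs.sh reads, reaches the job only if the heredoc writes it into the crontab, and if it does, the key lands in /etc/crontab, which is typically mode 0644 and readable by every user in the container unless the `cat` is followed by `chmod 0600 /etc/crontab` or the key is supplied another way. `cron -f &` is backgrounded without being tracked, so if cron exits the container keeps running with the job silently gone; keeping `CRON_PID=$!` and checking it, or running cron under the same supervision as pdns, would surface that. This hunk is a top-level run after the `mysqlcheck` call, not inside a function.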