
Added script to periodically enable DNSSEC for all zones, if SECALLZONES_CRONJOB is set to yes

pull/1/head 4.0.1-1
Fábio Kaiser Rauber 8 years ago
parent
commit
fbe021c4ba
  1. 9
      pdns/Dockerfile
  2. 47
      pdns/fixdsrrs.sh
  3. 24
      pdns/secallzones.sh
  4. 12
      pdns/start.sh

9
pdns/Dockerfile

@ -8,7 +8,8 @@ ENV PDNSCONF_LAUNCH="gmysql" \
PDNSCONF_GMYSQL_PASSWORD='' \ PDNSCONF_GMYSQL_PASSWORD='' \
PDNSCONF_INCLUDE_DIR="/etc/powerdns/pdns.d" \ PDNSCONF_INCLUDE_DIR="/etc/powerdns/pdns.d" \
PDNSCONF_GMYSQL_DNSSEC="yes" \ PDNSCONF_GMYSQL_DNSSEC="yes" \
PDNSCONF_API_KEY="" PDNSCONF_API_KEY="" \
SECALLZONES_CRONJOB="no"
ADD pdns.list /etc/apt/sources.list.d/pdns.list ADD pdns.list /etc/apt/sources.list.d/pdns.list
ADD pdns.preference /etc/apt/preferences.d/pdns ADD pdns.preference /etc/apt/preferences.d/pdns
@ -18,11 +19,15 @@ RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -q -y curl
RUN DEBIAN_FRONTEND=noninteractive apt-get install -q -y pdns-server pdns-backend-mysql mysql-client && \ RUN DEBIAN_FRONTEND=noninteractive apt-get install -q -y pdns-server pdns-backend-mysql mysql-client && \
rm /etc/powerdns/pdns.d/*.conf && rm /etc/powerdns/*.conf && \ rm /etc/powerdns/pdns.d/*.conf && rm /etc/powerdns/*.conf && \
DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends cron jq && \
rm /etc/cron.daily/* && \
apt-get clean && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* apt-get clean && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
EXPOSE 53/udp 53/tcp EXPOSE 53/udp 53/tcp
ADD start.sh /usr/local/bin/start.sh ADD start.sh /usr/local/bin/start.sh
RUN chmod a+x /usr/local/bin/start.sh ADD fixdsrrs.sh /usr/local/bin/fixdsrrs.sh
ADD secallzones.sh /usr/local/bin/secallzones.sh
RUN chmod a+x /usr/local/bin/*.sh
CMD ["/usr/local/bin/start.sh"] CMD ["/usr/local/bin/start.sh"]
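Review bot: L37-39 use `ADD` for plain local files where `COPY` is the conventional instruction; `ADD` additionally fetches URLs and auto-extracts archives, neither of which is wanted here, so `COPY start.sh fixdsrrs.sh secallzones.sh /usr/local/bin/` states the intent more precisely. The `cron` and `jq` packages on L33 are installed unconditionally although they are only used when `SECALLZONES_CRONJOB` is `yes`; that is fine for an image, but a one-line comment such as `# cron + jq are only used by secallzones.sh/fixdsrrs.sh when SECALLZONES_CRONJOB=yes` would tell the next maintainer why they are there.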

47
pdns/fixdsrrs.sh

@ -0,0 +1,47 @@
#!/bin/bash
APISERVER="http://localhost:8081"
INVALIDARG=0
while getopts "d:" opt; do
case "$opt" in
d) ZONES="$OPTARG."
;;
*) INVALIDARG=1
;;
esac
done
if [ $INVALIDARG == 1 ]; then
echo "EXITING: Invalid argument!"
exit 1
fi
if [ -z "$ZONES" ]; then
ZONES=`curl -s -X GET -H "X-API-Key: $PDNSCONF_API_KEY" $APISERVER/api/v1/servers/localhost/zones | jq -c '.[] | .id' | sed -e 's/"//g'`
fi
while read -r d; do
IFS='. ' read -r -a dcs <<< "$d"
NODCS="${#dcs[@]}"
if [ $NODCS -gt 3 ]; then
# $d is not a top domain
TOPDOM="${dcs[-3]}.${dcs[-2]}.${dcs[-1]}."
# get current DNS for $d
CURRDSRAW=`curl -s -f -X GET --data '{"rrsets": [ { "name": "'"$TOPDOM"'." } ] }' -H "X-API-Key: $
PDNSCONF_API_KEY" $APISERVER/api/v1/servers/localhost/zones/$TOPDOM`
if [ $? -ne 0 ]; then
echo "Domain $TOPDOM does not exist in this server. Skipping $d.."
continue
fi
CURRDS=`echo $CURRDSRAW | jq -c '[ .rrsets[] | select( .type == "DS" ) | select ( .name == "'$d'"
) ][0]["records"][0]["content"]'`
# get DS that should have been configured
CORRDS=`curl -s -X GET -H "X-API-Key: $PDNSCONF_API_KEY" $APISERVER/api/v1/servers/localhost/zones/$d/cryptokeys | jq -c '.[] | select( .keytype == "csk") ["ds"][0] '`
if [ "$CURRDS" != "$CORRDS" ]; then
echo -n "INFO: Fixing $d DS records..."
curl -s -X PATCH --data '{"rrsets": [ {"name": "'$d'", "type": "DS", "changetype": "REPLACE", "ttl": "86400", "records": [ {"content": '"$CORRDS"', "disabled": false, "name": "'$d'", "ttl": 86400, "type": "DS", "priority": 0 } ] } ] }' -H "X-API-Key: $PDNSCONF_API_KEY" $APISERVER/api/v1/servers/localhost/zones/$TOPDOM | jq . && echo " OK."
fi
fi
done <<< "$ZONES"
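Review bot: The PATCH on L84 prints ` OK.` whenever the response parses as JSON, because that curl runs without `-f` and `jq .` exits 0 on an error body such as `{"error": "..."}`; the zone listing on L63 and the cryptokeys lookup on L81 have the same gap, so a rejected API key or an unreachable server silently becomes an empty zone list or an empty `CORRDS` instead of a visible failure. Add `-f` to every curl call and check its status before using the output, e.g. `CORRDS=$(curl -s -f -H "X-API-Key: $PDNSCONF_API_KEY" "$APISERVER/api/v1/servers/localhost/zones/$d/cryptokeys" | jq -c '...') || { echo "ERROR: cryptokeys lookup for $d failed" >&2; continue; }`. The API key is also passed as a command-line argument on each call, where it is readable in the process table; feeding a curl config on stdin, `curl -s -f -K - ... <<<"header = \"X-API-Key: $PDNSCONF_API_KEY\""`, keeps it out of argv. If the break between `$` and `PDNSCONF_API_KEY` on L72-73 is in the file rather than display wrapping, that header carries a literal `$` and no key at all, so please confirm the line is intact.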

24
pdns/secallzones.sh

@ -0,0 +1,24 @@
#!/bin/bash
echo "[`date +"%T"`] Secallzones starting... "
ZONES=`pdnsutil list-all-zones | grep -v "All zonecount"`
while read -r d; do
pdnsutil show-zone $d | grep presigned >/dev/null 2>&1
if [ $? -eq 0 ] ; then
echo "Securing $d..."
pdnsutil unset-presigned $d
pdnsutil secure-zone $d
pdnsutil rectify-zone $d
fixdsrrs.sh -d $d
else
pdnsutil show-zone $d | grep "not actively secured" >/dev/null 2>&1
if [ $? -eq 0 ] ; then
echo "Securing $d..."
pdnsutil secure-zone $d
pdnsutil rectify-zone $d
fixdsrrs.sh -d $d
fi
fi
done <<< "$ZONES"
echo "[`date +"%T"`] Secallzones finished."
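Review bot: The branch on L97-103 converts every presigned zone to locally signed without any opt-in, which changes which keys sign that zone; if presigned zones on this server can include secondaries that receive already-signed data from another primary, `unset-presigned` plus `secure-zone` would replace those signatures with local keys and leave the DS at the real parent stale, so this branch should be off by default or guarded by an explicit option. The exit status of `pdnsutil secure-zone` on L101 and L108 is never checked, so `rectify-zone` and `fixdsrrs.sh` run even when securing failed; use `pdnsutil secure-zone "$d" || { echo "ERROR: secure-zone $d failed" >&2; continue; }`. The two branches differ only by `unset-presigned`, so a single helper taking the zone name would remove the duplication, and `$d` should be quoted in every `pdnsutil` and `fixdsrrs.sh` call.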

12
pdns/start.sh

@ -58,6 +58,18 @@ mysqlcheck() {
mysqlcheck mysqlcheck
if [ "$SECALLZONES_CRONJOB" == "yes" ]; then
cat > /etc/crontab <<EOF
PDNSCONF_API_KEY=$PDNSCONF_API_KEY
SHELL=/bin/bash
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user command
0,30 * * * * root /usr/local/bin/secallzones.sh > /var/log/cron.log 2>&1
EOF
ln -sf /proc/1/fd/1 /var/log/cron.log
cron -f &
fi
# Start PowerDNS # Start PowerDNS
# same as /etc/init.d/pdns monitor # same as /etc/init.d/pdns monitor
echo "Starting PowerDNS..." echo "Starting PowerDNS..."
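Review bot: L123 writes the API key in clear text into `/etc/crontab`, which is world-readable on a standard install, so a credential that otherwise lives only in the environment becomes readable by any process in the container; either restrict the file after writing it, `chmod 0600 /etc/crontab`, or write the key to a root-only file and have the cron job read it from there instead of from the crontab environment. Because the heredoc delimiter on L122 is unquoted, a key containing characters that cron's `NAME=VALUE` parsing treats specially (whitespace or quotes, for example) may be truncated or misread; quoting the value, `PDNSCONF_API_KEY="$PDNSCONF_API_KEY"`, is the safer form. `cron -f &` on L130 is backgrounded with nothing watching it, so if cron exits the periodic sweep stops silently; at minimum a comment on that line should say this is accepted. The `mysqlcheck` definition named in the hunk header ends before this hunk.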
