Added script to periodically enable DNSSEC for all zones, if SECALLZONES_CRONJOB is set to yes

8 years ago · fbe021c4ba
4 changed files with 90 additions and 2 deletions
--- a/pdns/Dockerfile
+++ b/pdns/Dockerfile
@ -8,7 +8,8 @@ ENV PDNSCONF_LAUNCH="gmysql" \
    PDNSCONF_GMYSQL_PASSWORD='' \
    PDNSCONF_INCLUDE_DIR="/etc/powerdns/pdns.d" \
    PDNSCONF_GMYSQL_DNSSEC="yes" \
-    PDNSCONF_API_KEY=""
+    PDNSCONF_API_KEY="" \
+    SECALLZONES_CRONJOB="no"

 ADD pdns.list /etc/apt/sources.list.d/pdns.list
 ADD pdns.preference /etc/apt/preferences.d/pdns 
@ -18,11 +19,15 @@ RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -q -y curl

 RUN DEBIAN_FRONTEND=noninteractive apt-get install -q -y pdns-server pdns-backend-mysql mysql-client && \
    rm /etc/powerdns/pdns.d/*.conf && rm /etc/powerdns/*.conf && \
+    DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends cron jq && \
+    rm /etc/cron.daily/* && \
    apt-get clean && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*

 EXPOSE 53/udp 53/tcp

 ADD start.sh /usr/local/bin/start.sh
-RUN chmod a+x /usr/local/bin/start.sh
+ADD fixdsrrs.sh /usr/local/bin/fixdsrrs.sh
+ADD secallzones.sh /usr/local/bin/secallzones.sh
+RUN chmod a+x /usr/local/bin/*.sh

 CMD ["/usr/local/bin/start.sh"]
--- a/pdns/fixdsrrs.sh
+++ b/pdns/fixdsrrs.sh
@ -0,0 +1,47 @@
+#!/bin/bash
+
+APISERVER="http://localhost:8081"
+
+INVALIDARG=0
+while getopts "d:" opt; do
+    case "$opt" in
+    d)  ZONES="$OPTARG."
+        ;;
+    *)  INVALIDARG=1
+        ;;
+    esac
+done
+
+if [ $INVALIDARG == 1 ]; then
+    echo "EXITING: Invalid argument!"
+    exit 1
+fi
+
+
+if [ -z "$ZONES" ]; then
+  ZONES=`curl -s -X GET -H "X-API-Key: $PDNSCONF_API_KEY" $APISERVER/api/v1/servers/localhost/zones | jq -c '.[] | .id' | sed -e 's/"//g'`
+fi
+ 
+while read -r d; do
+  IFS='. ' read -r -a dcs <<< "$d"
+  NODCS="${#dcs[@]}"
+  if [ $NODCS -gt 3 ]; then
+    # $d is not a top domain
+    TOPDOM="${dcs[-3]}.${dcs[-2]}.${dcs[-1]}."
+    # get current DNS for $d
+    CURRDSRAW=`curl -s -f -X GET --data '{"rrsets": [ { "name": "'"$TOPDOM"'." } ] }' -H "X-API-Key: $
+PDNSCONF_API_KEY" $APISERVER/api/v1/servers/localhost/zones/$TOPDOM`
+    if [ $? -ne 0 ]; then
+      echo "Domain $TOPDOM does not exist in this server. Skipping $d.."
+      continue
+    fi
+    CURRDS=`echo $CURRDSRAW | jq -c '[ .rrsets[] | select( .type ==  "DS" ) | select ( .name == "'$d'"
+) ][0]["records"][0]["content"]'`
+    # get DS that should have been configured
+    CORRDS=`curl -s -X GET -H "X-API-Key: $PDNSCONF_API_KEY" $APISERVER/api/v1/servers/localhost/zones/$d/cryptokeys | jq -c '.[] | select( .keytype == "csk") ["ds"][0] '`
+    if [ "$CURRDS" != "$CORRDS" ]; then
+      echo -n "INFO: Fixing $d DS records..."
+      curl -s -X PATCH --data '{"rrsets": [ {"name": "'$d'", "type": "DS", "changetype": "REPLACE", "ttl": "86400", "records": [ {"content": '"$CORRDS"', "disabled": false, "name": "'$d'", "ttl": 86400, "type": "DS", "priority": 0 } ] } ] }' -H "X-API-Key: $PDNSCONF_API_KEY" $APISERVER/api/v1/servers/localhost/zones/$TOPDOM | jq . && echo " OK."
+    fi 
+  fi
+done <<< "$ZONES"
--- a/pdns/secallzones.sh
+++ b/pdns/secallzones.sh
@ -0,0 +1,24 @@
+#!/bin/bash
+
+echo "[`date +"%T"`] Secallzones starting... "
+ZONES=`pdnsutil list-all-zones | grep -v "All zonecount"`
+while read -r d; do
+  pdnsutil show-zone $d | grep presigned >/dev/null 2>&1
+  if [ $? -eq 0 ] ; then
+    echo "Securing $d..."
+    pdnsutil unset-presigned $d
+    pdnsutil secure-zone $d
+    pdnsutil rectify-zone $d
+    fixdsrrs.sh -d $d
+  else
+    pdnsutil show-zone $d | grep "not actively secured" >/dev/null 2>&1
+    if [ $? -eq 0 ] ; then
+      echo "Securing $d..."
+      pdnsutil secure-zone $d
+      pdnsutil rectify-zone $d
+      fixdsrrs.sh -d $d
+    fi
+  fi
+
+done <<< "$ZONES"
+echo "[`date +"%T"`] Secallzones finished."
--- a/pdns/start.sh
+++ b/pdns/start.sh
@ -58,6 +58,18 @@ mysqlcheck() {

 mysqlcheck

+if [ "$SECALLZONES_CRONJOB" == "yes" ]; then
+  cat > /etc/crontab <<EOF
+PDNSCONF_API_KEY=$PDNSCONF_API_KEY
+SHELL=/bin/bash
+PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
+# m  h dom mon dow user    command
+0,30 *  *   *   *  root    /usr/local/bin/secallzones.sh > /var/log/cron.log 2>&1
+EOF
+  ln -sf /proc/1/fd/1 /var/log/cron.log
+  cron -f &
+fi
+
 # Start PowerDNS
 # same as /etc/init.d/pdns monitor
 echo "Starting PowerDNS..."