Hello, I've written a little script that checks if a DS is available from DNS and, if so, automatically issues the ds-seen command. It's a replacement for manually checking the DS and calling "ods-ksmutil key ds-seen ....".
Warning 1: This may be a stupid idea. It could be argued that human validation of this step is a good thing. Do not use this script if you do not completely understand what it does.

Warning 2: This script has not been properly tested. Do not use it in a production environment.

I'm looking for opinions on whether this is a useful solution or an accident waiting to happen.

example:

root@ramanujan:~# ods-dsseen
usage: ./ods-dsseen [--activate|--force|--quiet|--help] <zone|...>
Check if all DS-records are available through DNS and (optionally) activate the key.
--help        Display this help text.
--activate    Activate the key if the DS is found.
--force       Force activation of keys that are not available (implies --activate).
--all         Apply to all zones known to ODS with outstanding DSes.
--really-all  Apply to all zones, required or not.

root@ramanujan:~# ods-dsseen --activate --all
The key(s) with tag example1.com:17467 are not available from DNS.
The key(s) with tag example2:com:63143 are not available from DNS.
The key(s) with tag example3.com:78321 are not available from DNS.
The key(s) with tag example4.com:12371 are available from DNS.
Found key with CKA_ID 41a90b0939a55045059afa599c53e9ee
Key 41a90b0939a55045059afa599c53e9ee made active
Old key retired
Key example4.com:12371 activated.
All keys for example4.com are available from DNS.
The key(s) with tag example5:com:63143 is not available from DNS.
The key(s) with tag example6.com:78321 is not available from DNS.

--
Casper Gielen <[email protected]> | LIS UNIX
PGP fingerprint = 16BD 2C9F 8156 C242 F981 63B8 2214 083C F80E 4AF7
Universiteit van Tilburg | Postbus 90153, 5000 LE
Warandelaan 2 | Telefoon 013 466 4100 | G 236 | http://www.uvt.nl
#!/usr/bin/env bash
# $Id: ods-dsseen 59454 2013-02-21 15:54:10Z cgielen $
# $URL: https://its-unix-vc.uvt.nl/its-unix/group/opendnssec/usr/local/sbin/ods-dsseen $
#
# Check whether new DSes are already available via DNS and activate them.
#
# Casper Gielen, 2013
# [email protected]
#
# license: GPLv3+
#
# version: 2012022101
#
# TODO
# - do not use a caching resolver
# - use dig and ods-ksmutil in batch mode instead of making separate calls for each zone
# - match on CKA_ID instead of keytag
#

usage() {
	echo "usage: $0 [--activate|--force|--quiet|--help] <zone|...>"
	echo "Check if all DS-records are available through DNS and (optionally) activate the key."
	echo "--activate    Activate the key if the DS is found."
	echo "--force       Force activation of keys that are not available (implies --activate)."
	echo "--all         Apply to all zones with outstanding DSes."
	echo "--really-all  Apply to all zones, required or not."
	exit 1
}

# strip the "MySQL database ..." banner that ods-ksmutil prints on every call
nosql() {
	grep -E -v '^MySQL database'
}

# TODO
# Actually, _no_ /caching/ resolver should be used here: a cached answer
# need not reflect what the parent's authoritative servers currently serve.
# format: @HOSTNAME, or empty to use the default servers
# server="@dns1.uvt.nl"
server=""

activate="no" # do not activate by default
quiet="no"    # be verbose by default
force="no"    # only activate keys that are really available
zones=""

# cli options
# --all selects the zones that have a key 'waiting for ds-seen';
# --really-all selects every zone ods-ksmutil knows about.
while [ $# -gt 0 ]; do
	option="$1"
	shift
	case $option in
		-h|--help)    usage ;;
		--activate)   activate="yes" ;;
		--force)      activate="yes"; force="yes" ;;
		--quiet)      quiet="yes" ;;
		--all)        zones=$(ods-ksmutil key list 2>&1 | nosql | awk '/waiting for ds-seen/ {print $1}' | sort -u) ;;
		--really-all) zones=$(ods-ksmutil key list 2>&1 | nosql | awk '{print $1}' | sort -u) ;;
		*)            zones="$zones $option" ;;
	esac
done

if [ -z "$zones" ]; then
	usage
fi

for zone in $zones; do
	# Keytags of the DS records that can be retrieved from DNS (first field of each answer).
	# dig: 39269 8 2 9EC50E7BBCC4095355A776D6183773197C05F320FDDE87E513022DB9 6A1E2F48
	# $server is deliberately unquoted: when empty it must expand to nothing.
	dns=$(dig +adflag +aaonly +short -t DS "$zone" $server | cut -d ' ' -f 1)
	if [ -z "$dns" ]; then
		# this string should never be empty (grep needs a non-empty pattern);
		# a failed lookup therefore leaves nothing 'available' and activates nothing
		dns="dummy"
	fi

	# Keytags of the DNSKEYs that are 'waiting for ds-seen' (field 9 of the -v listing).
	# ods-ksmutil: mijnuvt.nl KSK ready waiting for ds-seen d3fe6d5bc1ea73bed16d449d42dcf5e7 LocalHSM 39269
	ods=$(ods-ksmutil key list -v --zone "$zone" 2>&1 | nosql | awk '/waiting for ds-seen/ {print $9}' | sort -u)

	# a keytag counts as available when it appears (whole line) in the dig output
	available=$(echo "$ods" | grep -x -F "$dns")
	unavailable=$(echo "$ods" | grep -v -x -F "$dns")

	# activation
	if [ "$activate" == "yes" ]; then
		if [ "$force" == "yes" ]; then
			available="$ods"
			echo "warning: forced activation of key(s) $available:$zone"
		fi
		for keytag in $available; do
			ods-ksmutil key ds-seen --zone "$zone" --keytag "$keytag" 2>&1 | nosql
			echo "Key $keytag:$zone activated."
		done
	fi

	# logging
	if [ "$quiet" == "no" ]; then
		if [ -n "$unavailable" ]; then
			echo "The key(s) with tag $unavailable:$zone are not present in DNS."
		else
			if [ -n "$available" ]; then
				echo "All keys for $zone are present in DNS."
			else
				echo "No keys for $zone found in DNS."
			fi
		fi
	fi
done
_______________________________________________
Opendnssec-user mailing list
[email protected]
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
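The check the script performs (does a DS with this keytag show up in a `dig` answer?) is weaker than what `ds-seen` is meant to confirm: that the DS the parent actually serves is the one derived from the new KSK, and that every authoritative server of the parent serves it, since retiring the old key while one parent server still lacks the new DS makes the zone bogus for whoever hits that server. The Python below is an added example written for this page, not code from the post or from OpenDNSSEC. It derives the DS from a DNSKEY (key tag per RFC 4034 Appendix B, digest over the canonical owner name plus the DNSKEY RDATA per RFC 4034 section 5.1.4), parses the `dig +short -t DS` line format the script's comments show, and compares whole DS records per parent server instead of key tags only. The two public keys, the DS answers and the server names `a.parent.test` and `b.parent.test` are constructed for illustration; a real run would fetch the DS RRset from each parent nameserver directly rather than from a caching resolver.

```python
"""DS check for an automated ds-seen: compare the DS records the parent serves
with the DS computed from the KSK, on every parent nameserver.

Added example for this page, not code from the post or from OpenDNSSEC.
Standard library only; the keys and DNS answers below are constructed."""
import hashlib
import struct
from dataclasses import dataclass

# DS digest types: SHA-1 (RFC 4034), SHA-256 (RFC 4509), SHA-384 (RFC 6605).
DIGEST_ALGS = {1: "sha1", 2: "sha256", 4: "sha384"}


@dataclass(frozen=True)
class DS:
    keytag: int
    algorithm: int
    digest_type: int
    digest: str  # lowercase hex, so records from different sources compare equal


def wire_name(name):
    """Canonical wire form of an owner name: lowercased labels, each
    length-prefixed, terminated by the root label (RFC 4034 section 6.2)."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA: flags(2) protocol(1) algorithm(1) public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def keytag(rdata):
    """Key tag per RFC 4034 Appendix B: sum of the big-endian 16-bit words of
    the RDATA, folded to 16 bits. A checksum, not an identifier: distinct
    keys can share a tag."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_for_key(owner, flags, protocol, algorithm, pubkey, digest_type=2):
    """DS derived from a DNSKEY: digest(owner name wire form + RDATA),
    RFC 4034 section 5.1.4."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    h = hashlib.new(DIGEST_ALGS[digest_type])
    h.update(wire_name(owner) + rdata)
    return DS(keytag(rdata), algorithm, digest_type, h.hexdigest())


def parse_dig_ds(line):
    """Parse one 'dig +short -t DS' answer line such as
    '39269 8 2 9EC50E7B... 6A1E2F48'. dig may split the digest into several
    space-separated chunks, so everything after the third field is digest."""
    tag, alg, dtype, *digest = line.split()
    return DS(int(tag), int(alg), int(dtype), "".join(digest).lower())


def keytag_seen(expected, served):
    """What the script's 'cut -f 1 | grep' amounts to: is the tag present?"""
    return any(ds.keytag == expected.keytag for ds in served)


def ds_seen(expected, served_by_server):
    """ds-seen is safe only when every parent nameserver serves the exact DS
    of the new KSK. served_by_server: {server: set of DS}.
    Returns (seen_everywhere, servers_still_missing_it)."""
    lagging = sorted(s for s, dsset in served_by_server.items() if expected not in dsset)
    return (not lagging, lagging)


# --- constructed demo data (toy keys, not real ones) ----------------------
# Two RSA-shaped public keys (exponent length, exponent, "modulus") chosen so
# that their DNSKEY RDATA sum to the same 16-bit key tag.
KSK_NEW = b"\x01\x03\xab\xcd\x00\x01"
KSK_OTHER = b"\x01\x03\xab\xce\x00\x00"

DS_NEW = ds_for_key("example.com.", 257, 3, 8, KSK_NEW)
DS_OTHER = ds_for_key("example.com.", 257, 3, 8, KSK_OTHER)

# Constructed answers: one parent server already publishes the new DS, the
# other still serves only a DS that happens to share the key tag.
SERVED = {
    "a.parent.test": {DS_NEW},
    "b.parent.test": {DS_OTHER},
}

if __name__ == "__main__":
    print("new KSK tag", DS_NEW.keytag, "other tag", DS_OTHER.keytag)
    print("keytag-only check on b.parent.test:", keytag_seen(DS_NEW, SERVED["b.parent.test"]))
    print("full DS check on all parents:", ds_seen(DS_NEW, SERVED))
```

The two constructed keys deliberately share a key tag; on `b.parent.test` the keytag-only check passes while the full comparison reports that server as still lagging, which is the case where an automatic `ds-seen` would retire the old KSK too early. Matching on the full record also covers a DS that was mistyped at the registrar, which a keytag grep cannot tell apart from a correct one.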
