I wrote the attached script to help me with key rollover.
I am not sure where to go with this. If anybody is interested, take a look and make what use of it you will.
Comments and suggestions please.
John A
#!/bin/bash
#
# Why this script: the ISC has created a number of tools to manage and
# generate DNSSEC keys etc.
# The dnssec-keygen tool works very nicely in that it can use the inactive
# date of one key to generate a new key with an appropriate activate date.
# The problems that I have are that it does not automagically
# 1. select either the current key, or the key with an Inactive date furthest
#    in the future, as the roll base;
# 2. nor does it set the inactive or delete dates for the new key, based
#    either on the new keyset's active date or on the selected keyset's
#    inactive date.
#
# This script is intended to automatically generate new DNSSEC keysets based
# upon the inactive date furthest in the future.
#
# The idea being that it would be run as a cron or anacron job every n days,
# where n is equal to the key life.
#
# dnssec-keygen takes a date either as YYYYMMDD[HHMMSS] or as an offset from
# now such as +90d, so the successor's Inactive and Delete dates are computed
# below with GNU date and passed as absolute timestamps.
#=================================================
autoDelete=0                    # automatic deletion of keysets whose Delete date has passed - default Off
keyLife=90                      # how often you roll the ZSK, in days
keyDeleteInterval=30            # interval, in days, between inactivation and deletion
keyDirectory=.                  # where the keys live, if we are not told otherwise
inactiveDate=20010101000000     # latest Inactive date seen so far; starts low so any real key beats it
today=$(date -u +%Y%m%d%H%M%S)  # today's date, UTC based, to determine if ZSKs marked for deletion can be removed
domainName=""                   # which domain are we interested in
rollTime=040000                 # what time of day (HHMMSS, UTC) you want to roll; may not be important
fileName=""                     # keyset chosen as the rollover base (the -S predecessor)

function display_help() {
#===================================================================================================================================
echo ""
echo " klam-autoroll [-h] [-X] [-l nnn] [-d nnn] [-r hh[mm[ss]]] [-K /etc/bind/keys] domain-name"
echo ""
echo " -h Display this help information"
echo ""
echo " -X automatically remove keysets whose delete date has passed."
echo ""
echo " -l the life of the keyset, this is the time in days from active to inactive."
echo "    It is added to the new keyset's activation date to set its inactive date."
echo ""
echo " -d the delete delay, the length of time in days between a keyset becoming inactive and being eligible for deletion."
echo "    It is added to the new keyset's inactive date to set its delete date."
echo ""
echo " -r roll time of day, when during the day you would prefer rollover to occur."
echo "    In most cases not needed, but some people may prefer rollover to occur at a specific time of day."
echo ""
echo " -K Directory where your DNSSEC keys are stored."
echo ""
echo " domain-name the domain used as the basis for key generation."
echo ""
#===================================================================================================================================
}

# true when the argument is a whole number of days below two years
function is_days() {
    [[ $1 =~ ^[0-9]+$ ]] && [ "$1" -lt 730 ]
}

while getopts "d:l:r:hK:X" option; do
    case $option in
        d ) if is_days "$OPTARG"; then
                keyDeleteInterval=$OPTARG
                echo "The interval between a key becoming inactive and being eligible for removal has been set to $keyDeleteInterval days."
            else
                echo "ERROR - -d expects a number of days below 730"; exit 1
            fi
            ;;
        l ) if is_days "$OPTARG"; then
                keyLife=$OPTARG
                echo "Key life set to $keyLife days."
            else
                echo "ERROR - -l expects a number of days below 730"; exit 1
            fi
            ;;
        r ) if [[ $OPTARG =~ ^[0-9]{2}([0-9]{2}([0-9]{2})?)?$ ]]; then
                # accept hh, hhmm or hhmmss and pad on the right with zeros to HHMMSS
                rollTime=$(printf '%-6s' "$OPTARG" | tr ' ' 0)
                echo "Roll TOD set to $rollTime (HHMMSS)."
            else
                echo "ERROR - -r expects a time of day as hh[mm[ss]]"; exit 1
            fi
            ;;
        h ) display_help
            exit 0
            ;;
        K ) if [ -d "$OPTARG" ]; then
                keyDirectory=$OPTARG
            else
                echo "ERROR - key directory $OPTARG does not exist"; exit 1
            fi
            ;;
        X ) autoDelete=1
            echo "Auto Delete enabled"
            ;;
        * ) echo "An unknown parameter was found. OPERATION TERMINATED"
            exit 1
            ;;
    esac
done
shift $((OPTIND-1))
if [ $# -ne 1 ]; then
    echo "ERROR - A domain name must be provided"
    display_help
    exit 1
fi
domainName=${1%.}   # strip any trailing dot: key files are named K<domain>.+<alg>+<id>.key

# both offsets are measured from the day the new key becomes active
keyDeleteInterval=$((keyLife + keyDeleteInterval))

shopt -s nullglob   # an empty key store simply yields no loop iterations
for file in "$keyDirectory"/K"$domainName".+*.key; do
    # only roll zone-signing keys (DNSKEY flags 256); key-signing keys carry 257
    grep -q ' DNSKEY 256 ' "$file" || continue
    # dnssec-keygen records timing metadata as comment lines, e.g.
    # "; Inactive: 20240401040000 (Mon Apr  1 04:00:00 2024)"
    tempI=$(awk '/^; Inactive:/ { print $3 }' "$file")
    tempD=$(awk '/^; Delete:/   { print $3 }' "$file")
    if [ -n "$tempD" ] && [ "$tempD" -lt "$today" ]; then
        # we have a delete date and it is in the past
        if [ "$autoDelete" -eq 1 ]; then
            # are we in auto delete mode
            dname=$(basename "$file" .key)
            # clean up the file name so we can wildcard delete all elements
            echo "auto remove $dname keyset with Delete date = $tempD"
            # delete the keyset (.key and .private) from the key directory, not the cwd
            rm -f "$keyDirectory/$dname".*
        fi
    elif [ -n "$tempI" ] && [ "$tempI" -ge "$inactiveDate" ]; then
        # we have an inactive date and it is later than any seen so far
        inactiveDate=$tempI
        # save this date for further comparison, together with the relevant file name
        fileName=$(basename "$file" .key)
    fi
done

if [ -n "$fileName" ]; then
    echo "A search of the BIND key store has resulted in $fileName being considered a suitable candidate as a predecessor for -S keygen"
    # -S activates the new key at the predecessor's Inactive timestamp; its own Inactive
    # and Delete dates are keyLife and keyLife+keyDeleteInterval days after that day at rollTime
    rollDate="${inactiveDate:0:4}-${inactiveDate:4:2}-${inactiveDate:6:2} ${rollTime:0:2}:${rollTime:2:2}:${rollTime:4:2}"
    newInactive=$(TZ=UTC date -d "$rollDate $keyLife days" +%Y%m%d%H%M%S) || exit 1
    newDelete=$(TZ=UTC date -d "$rollDate $keyDeleteInterval days" +%Y%m%d%H%M%S) || exit 1
    dnssec-keygen -i 14d -K "$keyDirectory" -S "$fileName" -I "$newInactive" -D "$newDelete"
else
    echo "No DNSSEC records available for rollover base"
fi
exit 0
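As an added example (not part of John's script), the same selection rule and timing arithmetic carried out in Python against constructed key-file contents, so the predecessor/successor chain can be checked before dnssec-keygen is run. It assumes the comment layout dnssec-keygen writes into .key files ("; Inactive: YYYYMMDDHHMMSS ...") and DNSKEY flags 256 for a ZSK; the key names and dates are made up.

```python
import re
from datetime import datetime, timedelta

FMT = "%Y%m%d%H%M%S"
META = re.compile(r"^; (Publish|Activate|Inactive|Delete): (\d{14})", re.M)

def ts(s): return datetime.strptime(s, FMT)  # "20240401040000" -> datetime

def parse_key_file(text):
    """Timing metadata of a BIND .key file, keyed by the comment label."""
    return {k: ts(v) for k, v in META.findall(text)}

def is_zsk(text):
    """Zone-signing keys carry DNSKEY flags 256; key-signing keys carry 257."""
    return re.search(r"\sDNSKEY 256 ", text) is not None

def select_roll_base(keyfiles, now):
    """Script's rule: among ZSKs whose Delete date has not passed, the one whose Inactive date is furthest ahead."""
    best = None
    for name, text in keyfiles.items():
        meta = parse_key_file(text)
        if not is_zsk(text) or "Inactive" not in meta:
            continue
        if "Delete" in meta and meta["Delete"] < now:
            continue
        if best is None or meta["Inactive"] > best[1]["Inactive"]:
            best = (name, meta)
    return best

def successor_timing(base, key_life=90, delete_delay=30, prepub=14, roll_time="040000"):
    """What -S plus the script's -I/-D give: Activate = predecessor's Inactive, Publish = Activate - prepub,
    Inactive/Delete = the roll day at roll_time plus key_life and key_life + delete_delay days."""
    activate = base["Inactive"]
    roll = ts(activate.strftime("%Y%m%d") + roll_time)
    return {"Publish": activate - timedelta(days=prepub), "Activate": activate,
            "Inactive": roll + timedelta(days=key_life),
            "Delete": roll + timedelta(days=key_life + delete_delay)}

def chain_ok(pred, succ):
    """No signing gap: successor active by the time the predecessor retires, and published before it is used."""
    return succ["Activate"] <= pred["Inactive"] and succ["Publish"] < succ["Activate"]

# constructed key files: two ZSKs and one KSK (flags 257) that must be ignored
KEYFILES = {
    "Kexample.com.+013+11111": "; Inactive: 20240101040000\n; Delete: 20240131040000\nexample.com. IN DNSKEY 256 3 13 AAAA\n",
    "Kexample.com.+013+22222": "; Inactive: 20240401040000\n; Delete: 20240501040000\nexample.com. IN DNSKEY 256 3 13 BBBB\n",
    "Kexample.com.+013+33333": "; Inactive: 20251231000000\nexample.com. IN DNSKEY 257 3 13 CCCC\n",
}
```

With the samples above and "now" in February 2024, the base is Kexample.com.+013+22222 and the successor activates 2024-04-01 04:00:00, is published 14 days earlier, and goes inactive on 2024-06-30 and deletable on 2024-07-30; once both ZSKs are past their Delete dates the selection returns None, which is the script's "No DNSSEC records available" case.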