From 3928c7de6af83745fbda49711f27f42071fc67a7 Mon Sep 17 00:00:00 2001
From: Thomas Sturm
Date: Sun, 25 Oct 2015 15:32:44 +0100
Subject: [PATCH] use modern dnssec key algorithm and provide option to use NSEC3

---
 files/dnssec-init | 13 ++++++++++---
 manifests/zone.pp | 3 ++-
 2 files changed, 12 insertions(+), 4 deletions(-)

diff --git a/files/dnssec-init b/files/dnssec-init
index 622df4b..d9e2526 100644
--- a/files/dnssec-init
+++ b/files/dnssec-init
@@ -5,7 +5,14 @@ NAME="$2"
 DOMAIN="$3"
 KEY_DIRECTORY="${4:-${CACHEDIR}/${NAME}}"
 RANDOM_DEVICE="$5"
+NSEC3_SALT="$6"
 PATH=/bin:/sbin:/usr/bin:/usr/sbin
-dnssec-keygen -r "${RANDOM_DEVICE}" -K "${KEY_DIRECTORY}" "${DOMAIN}"
-dnssec-keygen -r "${RANDOM_DEVICE}" -f KSK -K "${KEY_DIRECTORY}" "${DOMAIN}"
-dnssec-signzone -S -d "${CACHEDIR}" -K "${KEY_DIRECTORY}" -o "${DOMAIN}" "${CACHEDIR}/${NAME}/${DOMAIN}"
+
+dnssec-keygen -a RSASHA256 -b 1024 -r "${RANDOM_DEVICE}" -K "${KEY_DIRECTORY}" "${DOMAIN}"
+dnssec-keygen -a RSASHA256 -b 2048 -r "${RANDOM_DEVICE}" -f KSK -K "${KEY_DIRECTORY}" "${DOMAIN}"
+
+if [ $NSEC3_SALT != '' ]; then
+ dnssec-signzone -S -u -3 ${NSEC3_SALT} -d "${CACHEDIR}" -K "${KEY_DIRECTORY}" -o "${DOMAIN}" "${CACHEDIR}/${NAME}/${DOMAIN}"
+else
+ dnssec-signzone -S -d "${CACHEDIR}" -K "${KEY_DIRECTORY}" -o "${DOMAIN}" "${CACHEDIR}/${NAME}/${DOMAIN}"
+fi
diff --git a/manifests/zone.pp b/manifests/zone.pp
index f4792d4..2b3000b 100644
--- a/manifests/zone.pp
+++ b/manifests/zone.pp
@@ -10,6 +10,7 @@ define bind::zone (
 $update_policies = '',
 $allow_transfers = '',
 $dnssec = false,
+ $nsec3_salt = '',
 $key_directory = '',
 $ns_notify = true,
 $also_notify = '',
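Review bot: The NSEC3 branch test `if [ $NSEC3_SALT != '' ]` leaves the variable unquoted, so with an empty salt `[` is invoked as `[ != '' ]`, which is a usage error rather than a clean false (the else branch is only reached because the error exit status is non-zero), and a salt containing whitespace would be word-split both here and in `-3 ${NSEC3_SALT}`. Use `if [ -n "${NSEC3_SALT}" ]; then` and `-3 "${NSEC3_SALT}"`. Separately, the ZSK is generated with `-b 1024` while the KSK gets `-b 2048`; RSA-1024 is below current recommendations, so `-b 2048` for the ZSK as well (or an ECDSA algorithm such as ECDSAP256SHA256, if the installed dnssec-keygen supports it) would be the safer default. The script's first lines, where `CACHEDIR` and `NAME` are set, are outside the hunk.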
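Review bot: The new `$nsec3_salt` parameter is added without documentation or a format check, although its value is interpolated straight into the `dnssec-init` exec command later in this define. `dnssec-signzone -3` expects a hex-encoded salt (or `-` for no salt), so a header comment such as `# NSEC3 salt as a hex string; empty keeps plain NSEC` plus a hex-format validation before the exec would make a bad value fail at catalog compile time instead of at signing time. The define's parameter list continues outside the hunk.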
@@ -110,7 +111,7 @@ define bind::zone (
 if $dnssec {
 exec { "dnssec-keygen-${name}":
 command => "/usr/local/bin/dnssec-init '${cachedir}' '${name}'\
- '${_domain}' '${key_directory}' '${random_device}'",
+ '${_domain}' '${key_directory}' '${random_device}' '${nsec3_salt}'",
 cwd => $cachedir,
 user => $::bind::params::bind_user,
 creates => "${cachedir}/${name}/${_domain}.signed",
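Review bot: Passing `'${nsec3_salt}'` to the exec has no effect on zones that are already signed, because `creates => "${cachedir}/${name}/${_domain}.signed"` skips the command once the signed file exists, so enabling NSEC3 or changing the salt on an existing zone is silently ignored; that limitation should be stated in the parameter's documentation, or the exec needs an idempotency guard that accounts for the salt. The value is also embedded inside single quotes in a shell command line, so a salt containing `'` would break the quoting; restricting the parameter to hex characters in the manifest avoids that. The `if $dnssec` block and the exec resource continue outside the hunk.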