Merge pull request #59 from nerdlich/dnssec_more_secure

use modern dnssec key algorithm and provide option to use NSEC3

files/dnssec-init

@@ -5,7 +5,14 @@ NAME="$2"
 DOMAIN="$3"
 KEY_DIRECTORY="${4:-${CACHEDIR}/${NAME}}"
 RANDOM_DEVICE="$5"
+NSEC3_SALT="$6"
 PATH=/bin:/sbin:/usr/bin:/usr/sbin
-dnssec-keygen -r "${RANDOM_DEVICE}" -K "${KEY_DIRECTORY}" "${DOMAIN}"
+
-dnssec-keygen -r "${RANDOM_DEVICE}" -f KSK -K "${KEY_DIRECTORY}" "${DOMAIN}"
+dnssec-keygen -a RSASHA256 -b 1024 -r "${RANDOM_DEVICE}" -K "${KEY_DIRECTORY}" "${DOMAIN}"
-dnssec-signzone -S -d "${CACHEDIR}" -K "${KEY_DIRECTORY}" -o "${DOMAIN}" "${CACHEDIR}/${NAME}/${DOMAIN}"
+dnssec-keygen -a RSASHA256 -b 2048 -r "${RANDOM_DEVICE}" -f KSK -K "${KEY_DIRECTORY}" "${DOMAIN}"
+
+if [ $NSEC3_SALT != '' ]; then
+    dnssec-signzone -S -u -3 ${NSEC3_SALT} -d "${CACHEDIR}" -K "${KEY_DIRECTORY}" -o "${DOMAIN}" "${CACHEDIR}/${NAME}/${DOMAIN}"
+else
+    dnssec-signzone -S -d "${CACHEDIR}" -K "${KEY_DIRECTORY}" -o "${DOMAIN}" "${CACHEDIR}/${NAME}/${DOMAIN}"
+fi

manifests/zone.pp

@@ -10,6 +10,7 @@ define bind::zone (
     $update_policies = '',
     $allow_transfers = '',
     $dnssec          = false,
+    $nsec3_salt      = '',
     $key_directory   = '',
     $ns_notify       = true,
     $also_notify     = '',
@@ -110,7 +111,7 @@ define bind::zone (
     if $dnssec {
         exec { "dnssec-keygen-${name}":
             command => "/usr/local/bin/dnssec-init '${cachedir}' '${name}'\
-                '${_domain}' '${key_directory}' '${random_device}'",
+                '${_domain}' '${key_directory}' '${random_device}' '${nsec3_salt}'",
             cwd     => $cachedir,
             user    => $::bind::params::bind_user,
             creates => "${cachedir}/${name}/${_domain}.signed",