1 change: 1 addition & 0 deletions Gemfile
Expand Up @@ -9,6 +9,7 @@ group :test do
gem "rspec", '> 3.4.0'
gem "rspec-puppet"
gem "rspec-puppet-facts"
gem "rspec-command"
gem 'rubocop', '> 0.47.0', '< 0.49.0'
gem 'simplecov', '>= 0.11.0'
gem 'simplecov-console'
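Review bot: The `gem "rspec-command"` entry (presumably the one added line of this hunk) carries no version constraint, while the neighbouring `rspec`, `rubocop` and `simplecov` entries all bound theirs. An unconstrained test-group gem resolves to whatever release is newest at bundle time, so the integration suite this commit introduces can change behaviour without any commit to this repository. A bound in the style of its neighbours, e.g. `gem "rspec-command", "~> <current minor>"` with the version actually tested against, keeps resolution reproducible; the rest of the `:test` group lies outside the hunk.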
2 changes: 2 additions & 0 deletions README.md
Expand Up @@ -182,6 +182,8 @@ bind::zone { 'example.com-external':
}
```

Set parameter `dnssec_ksk_only => true` if a DNSSEC zone should only be signed with a key signing key and no zone signing key should be created.

A master zone which is initialized with a pre-existing zone file (for example, to migrate an existing zone to a
bind-module controlled server or to recover from a backup):

12 changes: 9 additions & 3 deletions files/dnssec-init
Expand Up @@ -7,13 +7,19 @@ KEY_DIRECTORY="${4:-${CACHEDIR}/${NAME}}"
RANDOM_DEVICE="$5"
NSEC3_SALT="$6"
ZONE_FILE="$7"
DNSSEC_KSK_ONLY="$8"
PATH=/bin:/sbin:/usr/bin:/usr/sbin

dnssec-keygen -a RSASHA256 -b 1024 -r "${RANDOM_DEVICE}" -K "${KEY_DIRECTORY}" "${DOMAIN}"
if [ "$DNSSEC_KSK_ONLY" != "true" ]; then
dnssec-keygen -a RSASHA256 -b 1024 -r "${RANDOM_DEVICE}" -K "${KEY_DIRECTORY}" "${DOMAIN}"
fi
dnssec-keygen -a RSASHA256 -b 2048 -r "${RANDOM_DEVICE}" -f KSK -K "${KEY_DIRECTORY}" "${DOMAIN}"

if [ "$DNSSEC_KSK_ONLY" ]; then
DNSSEC_KSK_ONLY_SIGN_OPTIONS="-z"
fi
if [ "$NSEC3_SALT" != '' ]; then
dnssec-signzone -S -u -3 "${NSEC3_SALT}" -d "${CACHEDIR}" -K "${KEY_DIRECTORY}" -o "${DOMAIN}" "${CACHEDIR}/${NAME}/${ZONE_FILE}"
dnssec-signzone -S ${DNSSEC_KSK_ONLY_SIGN_OPTIONS} -u -3 "${NSEC3_SALT}" -d "${CACHEDIR}" -K "${KEY_DIRECTORY}" -o "${DOMAIN}" "${CACHEDIR}/${NAME}/${ZONE_FILE}"
else
dnssec-signzone -S -d "${CACHEDIR}" -K "${KEY_DIRECTORY}" -o "${DOMAIN}" "${CACHEDIR}/${NAME}/${ZONE_FILE}"
dnssec-signzone -S ${DNSSEC_KSK_ONLY_SIGN_OPTIONS} -d "${CACHEDIR}" -K "${KEY_DIRECTORY}" -o "${DOMAIN}" "${CACHEDIR}/${NAME}/${ZONE_FILE}"
fi
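Review bot: The guard `if [ "$DNSSEC_KSK_ONLY" ]; then` tests only that the eighth argument is non-empty, whereas the keygen guard a few lines above compares it against the string `true`. manifests/zone.pp in this same commit always appends `'${dnssec_ksk_only}'` to the command, and for the default `Boolean` false that interpolates to the non-empty string `false`, so `DNSSEC_KSK_ONLY_SIGN_OPTIONS="-z"` is set and dnssec-signzone is told to ignore the KSK flag in the default configuration as well as in the KSK-only one. The two tests should agree: `if [ "$DNSSEC_KSK_ONLY" = "true" ]; then`. The integration spec added in spec/integration/dnssec-init_spec.rb never passes `false`, so it cannot observe this; a case with that argument would pin the default path. The script's argument assignments above `RANDOM_DEVICE` are outside the hunk.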
3 changes: 2 additions & 1 deletion manifests/zone.pp
Expand Up @@ -11,6 +11,7 @@
$update_policies = '',
$allow_transfers = '',
$dnssec = false,
Boolean $dnssec_ksk_only = false,
$nsec3_salt = '',
$key_directory = '',
$ns_notify = true,
Expand Down Expand Up @@ -131,7 +132,7 @@
exec { "dnssec-keygen-${name}":
command => "/usr/local/bin/dnssec-init '${cachedir}' '${name}'\
'${_domain}' '${key_directory}' '${random_device}' '${nsec3_salt}'\
'${zone_file}'",
'${zone_file}' '${dnssec_ksk_only}'",
cwd => $cachedir,
user => $bind_user,
creates => "${cachedir}/${name}/${zone_file}.signed",
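Review bot: The new `Boolean $dnssec_ksk_only = false` parameter in the first hunk is not documented anywhere in the change; if the define has a parameter header above line 11, it should gain an entry saying that when true only a KSK is generated and the zone is signed with it alone, and that it has no effect unless `$dnssec` is also true — the latter follows from templates/zone.conf.erb, which emits `update-check-ksk no` only inside its `if @dnssec` branch. It is also the only typed parameter in the visible list; the type is welcome, but a signature mixing typed and untyped parameters is worth a follow-up for consistency. The define's header and the remainder of the `exec` resource in the second hunk lie outside the hunks.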
9 changes: 9 additions & 0 deletions spec/fixtures/files/zones/example.com/example.com.zone
@@ -0,0 +1,9 @@
$TTL 86400
@ IN SOA localhost. root.localhost. (
1 ; Serial
60 ; Refresh
30 ; Retry
300 ; Expire
10 ) ; Negative Cache TTL
;
@ IN NS example.com.
16 changes: 16 additions & 0 deletions spec/integration/dnssec-init_spec.rb
@@ -0,0 +1,16 @@
# ex: syntax=ruby ts=2 sw=2 si et
require 'spec_helper'

describe 'dnssec-init should create RSASHA256 KSK and ZSK' do
fixture_file '../../files/dnssec-init'
fixture_file 'files/zones'
command '/bin/sh dnssec-init . example.com example.com . /dev/urandom 12345678 example.com.zone'
its(:stdout) { is_expected.to match(/^Kexample\.com\.\+008\+[0-9]+\nKexample\.com\.\+008\+[0-9]+\n\.\/example\.com\/example\.com\.zone\.signed$/m) }
end

describe 'dnssec-init should create RSASHA256 KSK only' do
fixture_file '../../files/dnssec-init'
fixture_file 'files/zones'
command '/bin/sh dnssec-init . example.com example.com . /dev/urandom 12345678 example.com.zone true'
its(:stdout) { is_expected.to match(/^Kexample\.com\.\+008\+[0-9]+\n\.\/example\.com\/example\.com\.zone\.signed$/m) }
end
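Review bot: Neither example exercises the argument the Puppet manifest actually passes: manifests/zone.pp appends `'${dnssec_ksk_only}'` to the command, so in the default configuration dnssec-init receives the literal string `false` as its eighth argument, yet the first example omits the argument entirely and the second passes `true`. A third example with `command '/bin/sh dnssec-init . example.com example.com . /dev/urandom 12345678 example.com.zone false'` and the same two-key expectation as the first would cover the path production uses. Both examples also generate fresh RSA keys into the working directory (the `.` key-directory argument) and depend on BIND's dnssec-keygen and dnssec-signzone being on PATH; if the test environment does not guarantee that, a `skip` when the binaries are absent keeps the suite runnable elsewhere.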
2 changes: 2 additions & 0 deletions spec/spec_helper.rb
@@ -1,10 +1,12 @@
require 'puppetlabs_spec_helper/module_spec_helper'
require 'rspec-puppet-facts'
require 'rspec-puppet'
require 'rspec_command'

include RspecPuppetFacts

RSpec.configure do |c|
c.include RSpecCommand
c.hiera_config = File.expand_path(File.join(__FILE__, '../fixtures/hiera.yaml'))
c.after(:suite) do
RSpec::Puppet::Coverage.report!
3 changes: 3 additions & 0 deletions templates/zone.conf.erb
Expand Up @@ -4,6 +4,9 @@ zone "<%= @_domain %>" {
type <%= @zone_type %>;
<%- if @dnssec -%>
auto-dnssec maintain;
<%- if @dnssec_ksk_only -%>
update-check-ksk no;
<%- end -%>
<%- if @key_directory and @key_directory != '' -%>
key-directory "<%= @key_directory %>";
<%- else -%>
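Review bot: The new `update-check-ksk no;` line carries no explanation, and a reader of the template cannot tell that it is the named-side counterpart of the `-z` this commit passes to dnssec-signzone in files/dnssec-init. A template comment such as `<%# a lone KSK must sign every RRset, not only DNSKEY; pairs with -z in dnssec-init %>` placed before the inner `if` would make the intent clear. Note also that the block sits inside `<%- if @dnssec -%>`, so setting `dnssec_ksk_only` without `dnssec` silently emits nothing; that is reasonable, but it should be stated in the parameter documentation. The zone statement continues outside the hunk.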