On 30-08-14 at 09:26, Volker Janzen wrote:
> Hi Bas,
>
> On 28.08.2014 at 10:29, Bas van den Dikkenberg <[email protected] <mailto:[email protected]>> wrote:
>
>> Hi,
>>
>> Does anyone have script to check if the DS records are published at
>> the TLD , and if so do a ds-seen .
>>
>> I want to automate the ds-seen process
>
> I'm using a script from Casper Gielen for this purpose.
Hi Volker,

thanks for the endorsement. Bas contacted me in private and has a copy of the script. I've attached the latest version of the script for the archives.

The script targets ODS 1.3. If you use 1.4 you might need to adjust the column in line 78.

-- 
Casper Gielen <[email protected]> | LIS UNIX
PGP fingerprint = 16BD 2C9F 8156 C242 F981 63B8 2214 083C F80E 4AF7
Universiteit van Tilburg | Postbus 90153, 5000 LE
Warandelaan 2 | Telefoon 013 466 4100 | G 236 | http://www.uvt.nl
#!/usr/bin/env bash
# $Id: ods-dsseen 68966 2014-08-04 16:04:40Z cgielen $
# $URL: https://its-unix-vc.uvt.nl/its-unix/group/dns/opendnssec/usr/local/sbin/ods-dsseen $
#
# Check if new DSes have been published in DNS and activate them.
#
# Copyright 2013-2014 Casper Gielen
# Written for Tilburg University
# License: GPLv2 or later
#
# TODO
# - do not use a caching resolver
# - use dig ods-ksmutil in batch-mode instead of making separate calls for each zone
# - match on CKAID instead of keytag
#

usage() {
    echo "usage: $0 [--activate|--force|--quiet|--help] <zone|...>"
    echo "Check if all DS-records are available through DNS and (optionally) activate the key."
    echo "--help        Display this help text."
    echo "--activate    Activate the key if the DS is found."
    echo "--force       Force activation of keys that are not available (implies --activate)."
    echo "--quiet       Suppress output."
    echo "--all         Apply to all zones with outstanding DSes."
    echo "--really-all  Apply to all zones, required or not."
    exit -1
}

nosql() {
    egrep -v '^MySQL database'
}

# TODO
# Actually, _no_ /caching/ resolver should be used here.
# format: @HOSTNAME, or empty to use the default servers
# server="@dns1.uvt.nl"
server=""

activate="no"   # do not activate by default
quiet="no"      # be verbose by default
force="no"      # only activate keys that are really available
zones=""

# cli options
until [ -z "$*" ]; do
    option="$1"
    shift
    case $option in
        -h|--help)    usage ;;
        --activate)   activate="yes" ;;
        --force)      activate="yes" ; force="yes" ;;
        --quiet)      quiet="yes" ;;
        --all)        zones=$(echo " "; ods-ksmutil key list 2>&1 | nosql | egrep -v 'Keys:|Zone:' | awk '/waiting for ds-seen/ {print $1}' | sort -u) ;;
        --really-all) zones=$(echo " "; ods-ksmutil key list 2>&1 | nosql | egrep -v 'Keys:|Zone:' | awk '{print $1}' | sort -u) ;;
        *)            zones="$zones $option" ;;
    esac
done

if [ -z "$zones" ]; then
    usage
fi

dns=$(mktemp)
ods=$(mktemp)

for zone in $zones; do
    # Keytags that can be retrieved from DNS
    # dig: 39269 8 2 9EC50E7BBCC4095355A776D6183773197C05F320FDDE87E513022DB9 6A1E2F48
    dig +adflag +aaonly +short -t DS $zone $server | cut -d ' ' -f 1 | sort > $dns
    if [ ! -s "$dns" ]; then
        # $dns should never be empty
        echo "warning: no key(s) for $zone found in DNS at all"
    fi

    # Keytags of dnskeys that are 'waiting for ds-seen'
    # ods-ksmutil: mijnuvt.nl KSK ready waiting for ds-seen d3fe6d5bc1ea73bed16d449d42dcf5e7 LocalHSM 39269
    ods-ksmutil key list -v --zone $zone 2>&1 | nosql | awk '/waiting for ds-seen/ {print $9}' | sort -u > $ods

    available=$(comm -12 $ods $dns)
    unavailable=$(comm -23 $ods $dns)

    # activation
    if [ "$activate" == "yes" ]; then
        if [ "$force" == "yes" ]; then
            available=$(cat $ods)
            echo "warning: forced activation of key(s) $available:$zone"
        fi
        for keytag in $available; do
            ods-ksmutil key ds-seen --zone $zone --keytag $keytag 2>&1 | nosql
            echo "Key $keytag:$zone activated."
        done
    fi

    # logging
    if [ "$quiet" == "no" ]; then
        if [ -n "$unavailable" ]; then
            echo "The key(s) with tag $unavailable:$zone are not present in DNS."
        else
            if [ -n "$available" ]; then
                echo "All keys for $zone are present in DNS."
            else
                echo "No unactivated keys for $zone found in DNS."
            fi
        fi
    fi
done

rm $dns $ods
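The matching step of the script above (keytags waiting for ds-seen versus keytags whose DS is visible in DNS), re-implemented in Python as an added example for readers of the archive. This is my own illustration, not Casper's script and not part of OpenDNSSEC. It only parses captured text, so it runs offline: it assumes the two output formats quoted in the script's comments (`dig +short -t DS`, and `ods-ksmutil key list -v` with the ODS 1.3 column layout), and the sample outputs embedded below are constructed, including the header line and the second/third DS records. Beyond the script's own logic it also flags the case behind the "match on CKAID instead of keytag" TODO: a keytag that matches more than one DS record in DNS, which is why keytag alone is not a safe identity check before calling ds-seen.

```python
"""Illustrative re-implementation of the ods-dsseen matching logic (added example)."""
import re
from collections import defaultdict

# dig +short -t DS line: "<keytag> <algorithm> <digest type> <digest, possibly split by spaces>"
DS_LINE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+([0-9A-Fa-f\s]+)$")

# ods-ksmutil key list -v line (ODS 1.3 layout assumed, as in the script's comment):
# "<zone> <keytype> <state> waiting for ds-seen <CKA_ID> <repository> <keytag>"
PENDING_LINE = re.compile(
    r"^(\S+)\s+(\S+)\s+(\S+)\s+waiting for ds-seen\s+([0-9a-fA-F]+)\s+(\S+)\s+(\d+)$"
)


def parse_dig_ds(text):
    """Map keytag -> set of (algorithm, digest type, digest) seen in DNS.

    A keytag mapping to more than one tuple is a keytag collision."""
    published = defaultdict(set)
    for line in text.splitlines():
        m = DS_LINE.match(line)
        if not m:
            continue
        keytag, alg, dtype, digest = m.groups()
        published[int(keytag)].add((int(alg), int(dtype), "".join(digest.split()).upper()))
    return dict(published)


def parse_ods_pending(text):
    """Map keytag -> CKA_ID for keys that are 'waiting for ds-seen'.

    Mirrors the script's nosql() filter and its 'Keys:'/'Zone:' header filter."""
    pending = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(("MySQL database", "Keys:", "Zone:")):
            continue
        m = PENDING_LINE.match(line)
        if m:
            _zone, _keytype, _state, cka_id, _repo, keytag = m.groups()
            pending[int(keytag)] = cka_id
    return pending


def classify(pending, published, force=False):
    """Split pending keytags into (available, unavailable).

    force=True reproduces the script's --force: every pending key counts as available."""
    if force:
        return sorted(pending), []
    available = sorted(k for k in pending if k in published)
    unavailable = sorted(k for k in pending if k not in published)
    return available, unavailable


def check_zone(zone, dig_output, ods_output, force=False):
    """Run the whole check for one zone over captured tool output."""
    published = parse_dig_ds(dig_output)
    pending = parse_ods_pending(ods_output)
    warnings = []
    if not published:  # the script's "$dns should never be empty" case
        warnings.append(f"warning: no key(s) for {zone} found in DNS at all")
    for keytag in sorted(k for k, v in published.items() if len(v) > 1):
        warnings.append(
            f"warning: keytag {keytag} matches more than one DS in DNS for {zone}; "
            "match on CKA_ID/digest rather than keytag alone"
        )
    available, unavailable = classify(pending, published, force)
    return {"available": available, "unavailable": unavailable, "warnings": warnings}


# Constructed sample output. The first DS line is the one quoted in the script's comment;
# the 12345 lines are made up to show a keytag collision.
SAMPLE_DIG = """\
39269 8 2 9EC50E7BBCC4095355A776D6183773197C05F320FDDE87E513022DB9 6A1E2F48
12345 8 2 0000000000000000000000000000000000000000000000000000000000000001
12345 8 2 0000000000000000000000000000000000000000000000000000000000000002
"""

# Constructed sample output; the first key line is the one quoted in the script's comment.
SAMPLE_ODS = """\
MySQL database set to: kasp
Keys:
Zone: Keytype: State: Date of next transition (to): CKA_ID: Repository: Keytag:
mijnuvt.nl KSK ready waiting for ds-seen d3fe6d5bc1ea73bed16d449d42dcf5e7 LocalHSM 39269
mijnuvt.nl KSK ready waiting for ds-seen 0123456789abcdef0123456789abcdef LocalHSM 55555
mijnuvt.nl ZSK active 2014-09-01 00:00:00 fedcba9876543210fedcba9876543210 LocalHSM 11111
"""

if __name__ == "__main__":
    result = check_zone("mijnuvt.nl", SAMPLE_DIG, SAMPLE_ODS)
    for w in result["warnings"]:
        print(w)
    print("available:", result["available"])      # [39269]
    print("unavailable:", result["unavailable"])  # [55555]
```

In a real run the two strings would be replaced by the captured stdout of the two commands; the decision to call `ods-ksmutil key ds-seen` would then be taken only for the `available` list, and never for a keytag that appears in the collision warning.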
_______________________________________________
Opendnssec-user mailing list
[email protected]
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
