From: Wouter Wijngaards Date: Thu, 2 Oct 2008 09:22:02 +0000 (+0000) Subject: Easier update script. X-Git-Tag: release-1.1.0~71 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7d242d400f186c4b2ba3f2b180b80012a3d44a31;p=thirdparty%2Funbound.git Easier update script. git-svn-id: file:///svn/unbound/trunk@1280 be551aaa-1e26-0410-a405-d3ace91eadb9 --- diff --git a/contrib/update-anchor.sh b/contrib/update-anchor.sh index c2a167964..ba001c0ca 100755 --- a/contrib/update-anchor.sh +++ b/contrib/update-anchor.sh @@ -21,7 +21,9 @@ usage ( ) echo " name the files br.anchor se.anchor ..., and include them in" echo " the validating resolver config file." echo " put keys for the root in a file with the name root.anchor." - exit 1 + echo "" + echo "Exit code 0 means anchors updated, 1 no changes, others are errors." + exit 2 } if test $# -eq 0; then @@ -43,6 +45,7 @@ do_update ( ) { # arguments: zonename="$1" keyfile="$2" + tmp2=$tmpfile.2 tmpfile="/tmp/update-anchor.$$" $ubhost -v $filearg "$keyfile" -t DNSKEY "$zonename" >$tmpfile 
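Review bot: In the `@@ -43,6 +45,7 @@` hunk the added `tmp2=$tmpfile.2` runs one line before `tmpfile="/tmp/update-anchor.$$"` is assigned, so on the first call to do_update `$tmpfile` is presumably still empty and `tmp2` becomes `.2` in the current directory. Both names are also predictable paths under /tmp, and the later hunks redirect the candidate trust anchors into `$tmp2` and then copy that file over `$keyfile`. If the script runs with privileges, a file or symlink already present at that path and owned by another local user could be followed, or have its content changed before the copy. Creating both files with mktemp after the arguments are read avoids both problems: `tmpfile=$(mktemp /tmp/update-anchor.XXXXXX) || exit 2` and `tmp2=$(mktemp /tmp/update-anchor.XXXXXX) || exit 2`. do_update's body continues outside this hunk.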
@@ -67,22 +70,22 @@ do_update ( ) { if test $bindformat = "yes"; then # are there any KSK keys on board? - echo 'trusted-keys {' > "$keyfile" + echo 'trusted-keys {' > "$tmp2" if grep ' has DNSKEY record 257' $tmpfile >/dev/null 2>&1; then # store KSK keys in anchor file grep '(secure)$' $tmpfile | \ grep ' has DNSKEY record 257' | \ sed -e 's/ (secure)$/";/' | \ sed -e 's/ has DNSKEY record \([0-9]*\) \([0-9]*\) \([0-9]*\) /. \1 \2 \3 "/' | \ - sed -e 's/^\.\././' >> "$keyfile" + sed -e 's/^\.\././' >> "$tmp2" else # store all keys in the anchor file grep '(secure)$' $tmpfile | \ sed -e 's/ (secure)$/";/' | \ sed -e 's/ has DNSKEY record \([0-9]*\) \([0-9]*\) \([0-9]*\) /. \1 \2 \3 "/' | \ - sed -e 's/^\.\././' >> "$keyfile" + sed -e 's/^\.\././' >> "$tmp2" fi - echo '};' >> "$keyfile" + echo '};' >> "$tmp2" else #not bindformat # are there any KSK keys on board? if grep ' has DNSKEY record 257' $tmpfile >/dev/null 2>&1; then @@ -91,21 +94,30 @@ do_update ( ) { grep ' has DNSKEY record 257' | \ sed -e 's/ (secure)$//' | \ sed -e 's/ has DNSKEY record /. IN DNSKEY /' | \ - sed -e 's/^\.\././' > "$keyfile" + sed -e 's/^\.\././' > "$tmp2" else # store all keys in the anchor file grep '(secure)$' $tmpfile | \ sed -e 's/ (secure)$//' | \ sed -e 's/ has DNSKEY record /. IN DNSKEY /' | \ - sed -e 's/^\.\././' > "$keyfile" + sed -e 's/^\.\././' > "$tmp2" fi fi # endif-bindformat - echo "$zonename key file $keyfile updated." + # copy over if changed + diff $tmp2 $keyfile >/dev/null 2>&1 + if test $? -eq 1; then # 0 means no change, 2 means trouble. + cat $tmp2 > $keyfile + no_updated=0 + echo "$zonename key file $keyfile updated." + else + echo "$zonename key file $keyfile unchanged." + fi - rm -f $tmpfile + rm -f $tmpfile $tmp2 } +no_updated=1 if test X"$1" = "X-d"; then tdir="$2" echo "start updating in $2" @@ -128,7 +140,5 @@ else fi kfile="$2" do_update $zname $kfile - exit $? fi - -exit 0 +exit $no_updated 
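Review bot: In the `@@ -91,21 +94,30 @@` hunk the `else` branch after `diff $tmp2 $keyfile` treats exit status 2 the same as 0, so a missing or unreadable `$keyfile` is reported as "unchanged". The script then exits 1 (no changes), although the usage text added by this commit reserves other codes for errors. The new `diff`, `cat` and `rm` lines also leave `$tmp2`, `$keyfile` and `$tmpfile` unquoted while the redirections earlier in the function quote them, so a path containing whitespace breaks the comparison and the copy. I would dispatch on the three diff statuses and quote the expansions, as below. The `exit 2` in the error arm assumes do_update may exit directly, which depends on code outside the hunk.

```shell
	# copy over if changed
	diff "$tmp2" "$keyfile" >/dev/null 2>&1
	case $? in
	0)
		echo "$zonename key file $keyfile unchanged."
		;;
	1)
		cat "$tmp2" > "$keyfile" || { rm -f "$tmpfile" "$tmp2"; exit 2; }
		no_updated=0
		echo "$zonename key file $keyfile updated."
		;;
	*)
		# diff could not compare the files: report an error, not "unchanged"
		echo "error: cannot compare new anchors with $keyfile" >&2
		rm -f "$tmpfile" "$tmp2"
		exit 2
		;;
	esac

	rm -f "$tmpfile" "$tmp2"
```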
diff --git a/doc/Changelog b/doc/Changelog index 289022465..b0a3e0e3f 100644 --- a/doc/Changelog +++ b/doc/Changelog @@ -1,6 +1,10 @@ 2 October 2008: Wouter - fixup unlink of pidfile. - fixup SHA256 algorithm collation code. + - contrib/update-anchor.sh does not overwrite anchors if not needed. + exits 0 when a restart is needed, other values if not. + so, update-anchor.sh -d mydir && /etc/rc.d/unbound restart + can restart unbound exactly when needed. 30 September 2008: Wouter - fixup SHA256 DS downgrade, no longer possible to downgrade to SHA1.