From 8078891a28eee0354c1088d82b240ff6d10b1d53 Mon Sep 17 00:00:00 2001
From: Wouter Wijngaards
Date: Thu, 26 Jun 2008 18:47:09 +0000
Subject: [PATCH] script to update trust anchors.

git-svn-id: file:///svn/unbound/trunk@1142 be551aaa-1e26-0410-a405-d3ace91eadb9
---
 contrib/README | 2 +
 contrib/update-anchor.sh | 134 +++++++++++++++++++++++++++++++++++++++
 doc/Changelog | 1 +
 3 files changed, 137 insertions(+)
 create mode 100755 contrib/update-anchor.sh

diff --git a/contrib/README b/contrib/README
index 6fad11986..c796c9d52 100644
--- a/contrib/README
+++ b/contrib/README
@@ -5,3 +5,5 @@ distribution but may be helpful.
 * parseunbound.pl: perl script to run from cron that parses statistics
 from the log file and stores them.
 * unbound.spec and unbound.init: RPM specfile and Linux rc.d initfile.
+* update-anchor.sh: shell script that uses unbound-host to update a set
+ of trust anchor files. Run from cron twice a month.
diff --git a/contrib/update-anchor.sh b/contrib/update-anchor.sh
new file mode 100755
index 000000000..111fa9907
--- /dev/null
+++ b/contrib/update-anchor.sh
@@ -0,0 +1,134 @@
+#!/bin/sh
+# update-anchor.sh, update a trust anchor.
+# this file is BSD licensed.
+
+# which validating lookup to use.
+ubhost=unbound-host
+
+function usage()
+{
+ echo "usage: update-anchor [-b] "
+ echo " performs an update of trust anchor file"
+ echo " the trust anchor file is overwritten with the latest keys"
+ echo " the trust anchor file should contain only keys for one zone"
+ echo " -b causes keyfile to be made in bind format."
+ echo " without -b the file is made in unbound format."
+ echo " "
+ echo "alternate:"
+ echo " update-anchor [-b] -d directory"
+ echo " update all .anchor files in the directory."
+ echo " "
+ echo " name the files br.anchor se.anchor ..., and include them in"
+ echo " the validating resolver config file."
+ echo " put keys for the root in a file with the name root.anchor."
+ exit 1
+}
+
+if test $# -eq 0; then
+ usage
+fi
+bindformat="no"
+filearg='-f'
+if test X"$1" = "X-b"; then
+ shift
+ bindformat="yes"
+ filearg='-F'
+fi
+if test $# -ne 2; then
+ echo "arguments wrong."
+ usage
+fi
+
+function do_update() {
+ # arguments:
+ zonename="$1"
+ keyfile="$2"
+
+ tmpfile="/tmp/update-anchor.$$"
+ $ubhost -v $filearg "$keyfile" -t DNSKEY "$zonename" >$tmpfile
+ if test $? -ne 0; then
+ rm -f $tmpfile
+ echo "Error: Could not update zone $zonename anchor file $keyfile"
+ echo "Cause: $ubhost lookup failed"
+ echo " (Is the domain decommissioned? Is connectivity lost?)"
+ return 2
+ fi
+
+ # has the lookup been DNSSEC validated?
+ if grep '(secure)$' $tmpfile >/dev/null 2>&1; then
+ :
+ else
+ rm -f $tmpfile
+ echo "Error: Could not update zone $zonename anchor file $keyfile"
+ echo "Cause: result of lookup was not secure"
+ echo " (keys too far out of date? domain changed ownership?)"
+ return 3
+ fi
+
+ if test $bindformat = "yes"; then
+ # are there any KSK keys on board?
+ echo 'trusted-keys {' > "$keyfile"
+ if grep ' has DNSKEY record 257' $tmpfile >/dev/null 2>&1; then
+ # store KSK keys in anchor file
+ grep '(secure)$' $tmpfile | \
+ grep ' has DNSKEY record 257' | \
+ sed -e 's/ (secure)$/";/' | \
+ sed -e 's/ has DNSKEY record \([0-9]*\) \([0-9]*\) \([0-9]*\) /. \1 \2 \3 "/' | \
+ sed -e 's/^\.\././' >> "$keyfile"
+ else
+ # store all keys in the anchor file
+ grep '(secure)$' $tmpfile | \
+ sed -e 's/ (secure)$/";/' | \
+ sed -e 's/ has DNSKEY record \([0-9]*\) \([0-9]*\) \([0-9]*\) /. \1 \2 \3 "/' | \
+ sed -e 's/^\.\././' >> "$keyfile"
+ fi
+ echo '};' >> "$keyfile"
+ else #not bindformat
+ # are there any KSK keys on board?
+ if grep ' has DNSKEY record 257' $tmpfile >/dev/null 2>&1; then
+ # store KSK keys in anchor file
+ grep '(secure)$' $tmpfile | \
+ grep ' has DNSKEY record 257' | \
+ sed -e 's/ (secure)$//' | \
+ sed -e 's/ has DNSKEY record /. IN DNSKEY /' | \
+ sed -e 's/^\.\././' > "$keyfile"
+ else
+ # store all keys in the anchor file
+ grep '(secure)$' $tmpfile | \
+ sed -e 's/ (secure)$//' | \
+ sed -e 's/ has DNSKEY record /. IN DNSKEY /' | \
+ sed -e 's/^\.\././' > "$keyfile"
+ fi
+ fi # endif-bindformat
+
+ echo "$zonename key file $keyfile updated."
+
+ rm -f $tmpfile
+}
+
+if test X"$1" = "X-d"; then
+ tdir="$2"
+ echo "start updating in $2"
+ for x in $tdir/*.anchor; do
+ if test `basename "$x"` = "root.anchor"; then
+ zname="."
+ else
+ zname=`basename "$x" .anchor`
+ fi
+ do_update "$zname" "$x"
+ done
+ echo "done updating in $2"
+else
+ # regular invocation
+ if test X"$1" = "X."; then
+ zname="$1"
+ else
+ # strip trailing dot from zone name
+ zname="`echo $1 | sed -e 's/\.$//'`"
+ fi
+ kfile="$2"
+ do_update $zname $kfile
+ exit $?
+fi
+
+exit 0
diff --git a/doc/Changelog b/doc/Changelog
index 4033d8702..8d1137504 100644
--- a/doc/Changelog
+++ b/doc/Changelog
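Review bot: `tmpfile="/tmp/update-anchor.$$"` in do_update is a predictable name in a world-writable directory, and the README says this runs from cron, presumably with enough privilege to rewrite the resolver's anchor files: a local user who pre-creates /tmp/update-anchor.<pid> as a symlink gets an arbitrary file clobbered by the `>$tmpfile` redirect, and one who can replace that file between the unbound-host write and the later `grep '(secure)$'` reads can put their own DNSKEY lines into the trust anchor, the one input the validator trusts unconditionally. Use `tmpfile=$(mktemp "${TMPDIR:-/tmp}/update-anchor.XXXXXX") || return 2` and quote `"$tmpfile"` at every use; the existing `rm -f` calls on each return path can stay. The rewrite of `"$keyfile"` is also not atomic (the `>` truncation happens before any key is appended, so a resolver reading at that moment sees an empty or partial anchor file); writing to a sibling temp file and `mv`-ing it over `"$keyfile"` avoids that window. Separately, `function usage()` and `function do_update()` are bashisms under `#!/bin/sh` and will not parse on dash or another POSIX sh; `usage() {` and `do_update() {` are sufficient.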
@@ -1,5 +1,6 @@ 26 June 2008: Wouter - fixup streamtcp bounds setting for udp mode, in the test framework. + - contrib item for updating trust anchors. 25 June 2008: Wouter - fixup fwd_ancil test typos. -- 2.47.2