[Opendnssec-user] bind signer with ods
Miek Gieben
miek.gieben at sidn.nl
Mon May 30 08:16:50 UTC 2011
Hello,
I've created three scripts that parse the XML config from ODS and
create a BIND9 dnssec-signzone command line that is (or should be)
identical to the ODS signer.
Disclaimer: these scripts are not tested by SIDN and haven't seen
production (yet).
The included README reads:
BIND Alternative (Altbind)
These scripts look at the XML from OpenDNSSEC and use that
to import the relevant keys from our HSM (Luna's from SafeNet).
The keys are formatted for BIND9 consumption (.key/.private files).
Timing meta data from OpenDNSSEC is applied to the keys, then
dnssec-signzone -S (smart signing) is executed.
Scripts:
  keyconf.pl:
    Creates a dnssec-keyfromlabel command line according to
    the signconf.xml from ODS. Notably, it sets the publish
    and active times.
  signconf.pl:
    Creates a dnssec-signzone command line equivalent to
    the settings in signconf.xml.
  sign-nl:
    Script that calls the above scripts to sign a .nl zone.
The sign-nl script is useless, unless you want to sign a .nl zone, but
it does show how to use keyconf.pl and signconf.pl together.
Feedback (bugs/feature requests) is welcome. The scripts are attached
to this mail.
Kind regards,
--
Miek Gieben
Technical Advisor SIDN
-------------- next part --------------
A non-text attachment was scrubbed...
Name: keyconf.pl
Type: text/x-perl
Size: 1725 bytes
Desc: not available
URL: <http://lists.opendnssec.org/pipermail/opendnssec-user/attachments/20110530/570de8ca/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signconf.pl
Type: text/x-perl
Size: 3332 bytes
Desc: not available
URL: <http://lists.opendnssec.org/pipermail/opendnssec-user/attachments/20110530/570de8ca/attachment-0001.bin>
-------------- next part --------------
#!/bin/bash
# sign-nl: glue script that runs keyconf.pl and signconf.pl to sign the .nl
# zone with BIND9 dnssec-signzone, using keys held in the SafeNet Luna HSM.
DEBUG=false
ZONE=nl
ZONEFILE=/var/lib/opendnssec/unsigned/nl
ENGINE=LunaCA3
KEYDIR="/tmp/keys-$(date +%s)"
XML=/var/lib/opendnssec/signconf/nl.xml
# the key directory receives the .key/.private files, so make it ours only
mkdir -m 700 "$KEYDIR"
# extremely dumb PIN extractor: strip the <PIN>...</PIN> tags from conf.xml
PIN=$(grep PIN /etc/opendnssec/conf.xml | sed 's/<PIN>//' | sed 's|</PIN>||' | awk '{ print $1 }')
# Login to the SafeNet HSM (in DEBUG mode only show the command, never the PIN)
echo "Opening connection to the HSM"
if $DEBUG; then
    echo /usr/local/sautil/bin/sautil -v -s 1 -i 10:11 -o -p "<PIN>"
else
    /usr/local/sautil/bin/sautil -v -s 1 -i 10:11 -o -p "$PIN"
fi
# keyconf.pl prints one dnssec-keyfromlabel command line per key;
# echo each line and, unless debugging, execute it ($line is deliberately
# unquoted so the shell splits it into command and arguments)
keyconf.pl -x "$XML" "$ENGINE" "$KEYDIR" "$ZONE" | while read -r line; do
    echo "$line"
    if ! $DEBUG; then
        $line
    fi
done
# should have the keys in the right directory now
if $DEBUG; then
    signconf.pl -x "$XML" "$ENGINE" "$KEYDIR" "$ZONE" "$ZONEFILE"
else
    signconf.pl -x "$XML" "$ENGINE" "$KEYDIR" "$ZONE" "$ZONEFILE" | while read -r line; do
        echo "$line"
        $line
    done
fi
# dnssec-signzone writes ZONEFILE.signed; move it into place atomically
if [ -f "$ZONEFILE.signed" ]; then
    echo "Copying zone file"
    Z="$(basename "$ZONEFILE")"
    cp "$ZONEFILE".signed /var/lib/opendnssec/signed/"$Z".$$
    mv /var/lib/opendnssec/signed/"$Z".$$ /var/lib/opendnssec/signed/"$Z"
    rm "$ZONEFILE.signed"
fi
# remove DS set (dnssec-signzone drops dsset-<zone>. in the current directory)
if [ -f "dsset-$ZONE." ]; then
    rm "dsset-$ZONE."
fi
# No matter what remove our garbage (the exported key files)
if ! $DEBUG; then rm -rf "$KEYDIR"; fi
echo "Closing connection to the HSM"
if $DEBUG; then
    echo /usr/local/sautil/bin/sautil -v -s 1 -i 10:11 -c
else
    /usr/local/sautil/bin/sautil -v -s 1 -i 10:11 -c
fi
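The two Perl scripts that sign-nl calls (keyconf.pl and signconf.pl) were scrubbed from the archive, so as an added illustration, not Miek's code, here is a Python sketch of the same idea: parse an ODS signconf.xml and emit the dnssec-keyfromlabel and dnssec-signzone command lines that sign-nl would then execute. The sample signconf is constructed; its element names follow the ODS 1.x signconf layout (Signatures, Denial/NSEC3, Keys/Key with Flags, Algorithm, Locator, KSK/ZSK and Publish markers, SOA/Serial) and should be checked against your own files. Assumptions beyond the page: the ODS Locator is passed as the dnssec-keyfromlabel label, a <Publish/> marker maps to "-P now", a <KSK/> or <ZSK/> role marker maps to "-A now", and the ODS Validity/Refresh/Jitter/InceptionOffset durations map to the -e, -i, -j and -s options of dnssec-signzone.

```python
"""Build BIND9 dnssec-keyfromlabel / dnssec-signzone command lines from an
OpenDNSSEC signconf.xml (illustrative re-implementation, not keyconf.pl or
signconf.pl themselves)."""
import re
import shlex
import xml.etree.ElementTree as ET

# Constructed sample signconf, modelled on the ODS 1.x layout (assumption).
SAMPLE_SIGNCONF = """<?xml version="1.0" encoding="UTF-8"?>
<SignerConfiguration>
  <Zone name="example.nl">
    <Signatures>
      <Resign>PT2H</Resign>
      <Refresh>P3D</Refresh>
      <Validity><Default>P14D</Default><Denial>P14D</Denial></Validity>
      <Jitter>PT12H</Jitter>
      <InceptionOffset>PT3600S</InceptionOffset>
    </Signatures>
    <Denial>
      <NSEC3><Hash><Algorithm>1</Algorithm><Iterations>5</Iterations><Salt>ab12cd</Salt></Hash></NSEC3>
    </Denial>
    <Keys>
      <TTL>PT3600S</TTL>
      <Key><Flags>257</Flags><Algorithm>8</Algorithm><Locator>0a1b2c3d</Locator><KSK/><Publish/></Key>
      <Key><Flags>256</Flags><Algorithm>8</Algorithm><Locator>4e5f6a7b</Locator><ZSK/><Publish/></Key>
    </Keys>
    <SOA><TTL>PT3600S</TTL><Minimum>PT3600S</Minimum><Serial>unixtime</Serial></SOA>
  </Zone>
</SignerConfiguration>
"""

# ODS writes ISO 8601 durations (PT2H, P3D, PT3600S); BIND wants plain seconds.
_DURATION = re.compile(
    r"^P(?:(?P<d>\d+)D)?(?:T(?:(?P<h>\d+)H)?(?:(?P<m>\d+)M)?(?:(?P<s>\d+)S)?)?$")

def iso_duration_to_seconds(text):
    """Convert a day/time ISO 8601 duration to seconds; years/months are refused."""
    m = _DURATION.match(text.strip())
    if not m or all(v is None for v in m.groupdict().values()):
        raise ValueError("unsupported duration: %r" % text)
    g = {k: int(v or 0) for k, v in m.groupdict().items()}
    return g["d"] * 86400 + g["h"] * 3600 + g["m"] * 60 + g["s"]

# Map the ODS <Serial> policy onto dnssec-signzone -N; ODS "datecounter" has
# no BIND equivalent, so it falls back to increment (assumption).
_SERIAL = {"unixtime": "unixtime", "counter": "increment", "keep": "keep",
           "datecounter": "increment"}

def keyfromlabel_commands(signconf_xml, engine, keydir, zone):
    """One dnssec-keyfromlabel argv per <Key>, like keyconf.pl's output."""
    root = ET.fromstring(signconf_xml)
    cmds = []
    for key in root.iter("Key"):
        # Assumption: the ODS Locator is the label the HSM engine resolves.
        cmd = ["dnssec-keyfromlabel", "-E", engine, "-K", keydir,
               "-a", key.findtext("Algorithm"), "-l", key.findtext("Locator")]
        is_ksk = key.find("KSK") is not None
        if is_ksk:
            cmd += ["-f", "KSK"]
        # Timing metadata (assumption): <Publish/> means the DNSKEY is to be
        # published now; a KSK/ZSK role marker means it signs from now on.
        if key.find("Publish") is not None:
            cmd += ["-P", "now"]
        if is_ksk or key.find("ZSK") is not None:
            cmd += ["-A", "now"]
        cmd.append(zone)
        cmds.append(cmd)
    return cmds

def signzone_command(signconf_xml, engine, keydir, zone, zonefile):
    """A dnssec-signzone -S argv equivalent to the signconf, like signconf.pl."""
    root = ET.fromstring(signconf_xml)
    sig = root.find(".//Signatures")
    cmd = ["dnssec-signzone", "-S", "-E", engine, "-K", keydir, "-o", zone,
           # BIND has one validity for all RRSIGs, so Validity/Default is used
           # and Validity/Denial is ignored.
           "-e", "+%d" % iso_duration_to_seconds(sig.findtext("Validity/Default"))]
    if sig.findtext("Refresh"):      # re-sign RRSIGs expiring within this window
        cmd += ["-i", str(iso_duration_to_seconds(sig.findtext("Refresh")))]
    if sig.findtext("Jitter"):       # spread expiration times
        cmd += ["-j", str(iso_duration_to_seconds(sig.findtext("Jitter")))]
    if sig.findtext("InceptionOffset"):  # backdate inception against clock skew
        cmd += ["-s", "now-%d" % iso_duration_to_seconds(sig.findtext("InceptionOffset"))]
    nsec3 = root.find(".//Denial/NSEC3/Hash")
    if nsec3 is not None:
        cmd += ["-3", nsec3.findtext("Salt") or "-",
                "-H", nsec3.findtext("Iterations") or "0"]
    serial = root.findtext(".//SOA/Serial")
    if serial in _SERIAL:
        cmd += ["-N", _SERIAL[serial]]
    cmd.append(zonefile)             # output defaults to <zonefile>.signed
    return cmd

if __name__ == "__main__":
    for c in keyfromlabel_commands(SAMPLE_SIGNCONF, "LunaCA3", "/tmp/keys", "example.nl"):
        print(" ".join(shlex.quote(a) for a in c))
    print(" ".join(shlex.quote(a) for a in
                   signzone_command(SAMPLE_SIGNCONF, "LunaCA3", "/tmp/keys",
                                    "example.nl", "/var/lib/opendnssec/unsigned/example.nl")))
```

Run without arguments it prints the command lines for the embedded sample, one per line, which is the form sign-nl consumes with its `read line; $line` loop. Because the functions return argv lists rather than shell strings, a caller can also hand them to subprocess directly and avoid the word-splitting that the `$line` approach relies on.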