[Opendnssec-user] Is there script for checking if DS is in TLD

Casper Gielen c.gielen at uvt.nl
Tue Sep 2 14:10:42 UTC 2014


On 30-08-14 at 09:26, Volker Janzen wrote:
> Hi Bas,
> 
> On 28.08.2014 at 10:29, Bas van den Dikkenberg <bas at Dikkenberg.net> wrote:
>
>> Hi,
>>
>> Does anyone have a script to check if the DS records are published at
>> the TLD, and if so do a ds-seen?
>>
>> I want to automate the ds-seen process
>
> I'm using a script from Casper Gielen for this purpose.

Hi Volker,
thanks for the endorsement. Bas contacted me in private and has a copy
of the script.

I've attached the latest version of the script for the archives. The
script targets ODS 1.3. If you use 1.4 you might need to adjust the
column in line 78.
-- 
Casper Gielen <cgielen at uvt.nl> | LIS UNIX
PGP fingerprint = 16BD 2C9F 8156 C242 F981  63B8 2214 083C F80E 4AF7

Universiteit van Tilburg | Postbus 90153, 5000 LE
Warandelaan 2 | Telefoon 013 466 4100 | G 236 | http://www.uvt.nl


-------------- next part --------------
#!/usr/bin/env bash

# $Id: ods-dsseen 68966 2014-08-04 16:04:40Z cgielen $
# $URL: https://its-unix-vc.uvt.nl/its-unix/group/dns/opendnssec/usr/local/sbin/ods-dsseen $
#
# Check if new DSes have been published in DNS and activate them.
# 
# Copyright 2013-2014 Casper Gielen
# Written for Tilburg University
# License: GPLv2 or later

#
# TODO
# - do not use a caching resolver
# - run dig and ods-ksmutil in batch mode instead of making separate calls for each zone
# - match on CKA_ID instead of keytag
#

usage() {
	echo "usage: $0 [--activate|--force|--quiet|--all|--really-all|--help] <zone|...>"
	echo "Check if all DS-records are available through DNS and (optionally) activate the key."
	echo "--help         Display this help text."
	echo "--activate     Activate the key if the DS is found."
	echo "--force        Force activation of keys that are not available (implies --activate)."
	echo "--quiet        Suppress output."
	echo "--all          Apply to all zones with outstanding DSes."
	echo "--really-all   Apply to all zones, required or not."
	exit 1
}

nosql() {
	grep -Ev '^MySQL database'	# drop the "MySQL database ..." banner that ods-ksmutil prints
}

# TODO
# Actually _no_ /caching/ resolver should be used here: a cached negative answer hides a freshly published DS.
# format: @HOSTNAME, or empty to use the default servers
# server="@dns1.uvt.nl"
server=""

activate="no" # do not activate by default
quiet="no"    # be verbose by default
force="no"    # only activate keys that are really available
zones=""

# cli options
while [ $# -gt 0 ];
do
	option="$1"; shift
	case $option in
		-h|--help)     usage ;;
		--activate)    activate="yes" ;;
		--force)       activate="yes" ; force="yes";;
		--quiet)       quiet="yes" ;;
		--all)         zones=$(echo " "; ods-ksmutil key list 2>&1 | nosql | grep -Ev 'Keys:|Zone:' | awk '/waiting for ds-seen/ {print $1}' | sort -u);;	# the leading " " keeps $zones non-empty when nothing is outstanding
		--really-all)  zones=$(echo " "; ods-ksmutil key list 2>&1 | nosql | grep -Ev 'Keys:|Zone:' | awk '{print $1}' | sort -u);;
		-*)            echo "unknown option: $option" >&2; usage ;;
		*)             zones="$zones $option" ;;
	esac
done

if [ -z "$zones" ]; then
	usage
fi

dns=$(mktemp); ods=$(mktemp)
trap 'rm -f "$dns" "$ods"' EXIT	# clean up the temp files even when we exit early
for zone in $zones; do
	# Keytags that can be retrieved from DNS
	# dig: 39269 8 2 9EC50E7BBCC4095355A776D6183773197C05F320FDDE87E513022DB9 6A1E2F48
	dig +adflag +aaonly +short -t DS "$zone" $server | grep -v '^;' | cut -d ' ' -f 1 | sort -u > "$dns"	# $server stays unquoted: empty means "no server argument"; dig's ";; ..." diagnostics go to stdout, so drop them
	if [ ! -s "$dns" ]; then # $dns should never be empty
		echo "warning: no key(s) for $zone found in DNS at all"
	fi

	# Keytags of DNSKEYs that are 'waiting for ds-seen' (the keytag is field 9 in ODS 1.3 output; adjust the column for 1.4)
	# ods-ksmutil: mijnuvt.nl  KSK ready  waiting for ds-seen    d3fe6d5bc1ea73bed16d449d42dcf5e7  LocalHSM  39269
	ods-ksmutil key list -v --zone "$zone" 2>&1 | nosql | awk '/waiting for ds-seen/ {print $9}' | sort -u > "$ods"

	# comm(1) needs sorted input; both files are written with sort -u above
	available=$(  comm -12 "$ods" "$dns")
	unavailable=$(comm -23 "$ods" "$dns")

	# activation
	if [ "$activate" = "yes" ]; then
		if [ "$force" = "yes" ]; then
			available=$(cat "$ods")
			echo "warning: forced activation of key(s) $available:$zone"
		fi
		for keytag in $available; do
			# capture the output first so the status we test is ods-ksmutil's, not nosql's
			if out=$(ods-ksmutil key ds-seen --zone "$zone" --keytag "$keytag" 2>&1); then
				echo "$out" | nosql
				echo "Key $keytag:$zone activated."
			else
				echo "$out" | nosql
				echo "error: ds-seen for key $keytag:$zone failed" >&2
			fi
		done
	fi

	# logging
	if [ "$quiet" = "no" ]; then
		if [ -n "$unavailable" ]; then
			echo "The key(s) with tag $unavailable:$zone are not present in DNS."
		else
			if [ -n "$available" ]; then
				echo "All keys for $zone are present in DNS."
			else
				echo "No unactivated keys for $zone found in DNS."
			fi
		fi
	fi
done
rm -f "$dns" "$ods"
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 181 bytes
Desc: OpenPGP digital signature
URL: <http://lists.opendnssec.org/pipermail/opendnssec-user/attachments/20140902/ff4334de/attachment.bin>
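The script's own TODO list says it should not go through a caching resolver, and that is the check a practitioner most wants before automating ds-seen: a resolver can hand back a cached negative answer (or a stale DS RRset) long after the registry has published the new DS, and `+short` also hides whether the answer was even validated. The following is an added example, not Casper's script and not OpenDNSSEC code: it locates the parent zone's authoritative servers, asks each of them non-recursively for the DS, and only treats a keytag as published when every parent server serves it, so ds-seen is not issued while the TLD's secondaries are still catching up. Zone names and keytags in the comments and the usage line are constructed; the only external tools are dig(1) and the coreutils filters.

```shell
#!/usr/bin/env bash
# Added example: verify a zone's DS at the parent's authoritative servers
# (not a caching resolver) before running ods-ksmutil key ds-seen.
# All zone names and keytags used below are constructed examples.

# Immediate parent of a zone: strip the leftmost label (example.co.uk -> co.uk).
# A bare TLD has no parent we can query, so that is an error.
parent_zone() {
	case $1 in
		*.*) printf '%s\n' "${1#*.}" ;;
		*)   echo "parent_zone: '$1' has no parent label" >&2; return 1 ;;
	esac
}

# Turn `dig +short -t DS` output into a sorted, de-duplicated list of keytags.
# dig writes its ";; ..." diagnostics (timeouts, SERVFAIL) to stdout as well,
# so drop those and keep only lines shaped like "<keytag> <alg> <dtype> <digest>".
parse_ds_keytags() {
	grep -v '^;' | awk 'NF >= 4 && $1 ~ /^[0-9]+$/ { print $1 }' | sort -u
}

# Intersection of two newline-separated sets (each already unique, as produced
# by parse_ds_keytags), POSIX tools only: a line seen twice is in both sets.
intersect_sets() {
	printf '%s\n%s\n' "$1" "$2" | grep -v '^$' | sort | uniq -d
}

# Elements of set $1 that are absent from set $2: list $1 once and $2 twice,
# then keep the lines that occur exactly once.
missing_from() {
	printf '%s\n%s\n%s\n' "$1" "$2" "$2" | grep -v '^$' | sort | uniq -u
}

# Keytags that *all* authoritative servers of the parent serve in $1's DS RRset.
# Needs network access. +norecurse makes each server answer from its own zone
# data, so a lagging secondary answers empty instead of being answered for by
# a cache; intersecting across servers keeps that lag from being mistaken for
# "published".
ds_keytags_at_parent() {
	local zone="$1" parent ns cur seen="" first=1
	parent=$(parent_zone "$zone") || return 2
	for ns in $(dig +short NS "$parent"); do
		cur=$(dig +norecurse +tries=1 +time=5 +short -t DS "$zone" "@$ns" | parse_ds_keytags)
		if [ "$first" -eq 1 ]; then
			seen="$cur"; first=0
		else
			seen=$(intersect_sets "$seen" "$cur")
		fi
	done
	if [ "$first" -eq 1 ]; then
		echo "warning: no NS records found for parent zone $parent" >&2
		return 2
	fi
	printf '%s\n' "$seen"
}

# $1: zone, $2: newline-separated keytags expected to be published (e.g. the
# "waiting for ds-seen" rows from ods-ksmutil).  Exit 0 only when every one of
# them is visible at every parent server.
check_ds_published() {
	local zone="$1" expected="$2" published missing
	published=$(ds_keytags_at_parent "$zone") || return 2
	missing=$(missing_from "$expected" "$published")
	if [ -n "$missing" ]; then
		echo "not yet at all $(parent_zone "$zone") servers: $(printf '%s' "$missing" | tr '\n' ' ')" >&2
		return 1
	fi
	return 0
}

# Stand-alone use (constructed example; needs network):
#   ./check-ds.sh example.nl 39269 && ods-ksmutil key ds-seen --zone example.nl --keytag 39269
if [ -n "${1-}" ] && [ -n "${2-}" ]; then
	check_ds_published "$1" "$2"
fi
```

Wiring this into the script above would mean replacing the `dig +adflag +aaonly +short ... $server` line with `ds_keytags_at_parent "$zone"` and keeping the rest of the comm/ds-seen logic unchanged. The intersection is deliberately strict: the first TLD server to carry the DS is not evidence that validators everywhere will see it, and ds-seen moves the old KSK towards retirement, so the conservative answer is the safe one.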