-
Notifications
You must be signed in to change notification settings - Fork 1
/
ods-keycheck
executable file
·79 lines (64 loc) · 2.29 KB
/
ods-keycheck
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
#!/usr/bin/env bash
# $Id: ods-keycheck 94810 2018-04-30 16:20:56Z cgielen $
# $URL: https://svn.uvt.nl/its-unix/systems/metagross/usr/local/sbin/ods-keycheck $
# Copyright 2011-2017 Casper Gielen
# Written for Tilburg University
# License: GPLv2 or later
# todo:
# - find an authorative list of ODS states
# https://wiki.opendnssec.org/display/DOCS/Key+States
# https://wiki.opendnssec.org/display/DOCS20/Key+States+Explained
# - reconsider the proper use of the standby KSK states
BASIC_STATES="publish ready dssub dspublish"
EXTRA_STATES="active retire revoke dead dsready keypublish"
usage()
{
echo "usage: $0 [--all-keys|--all-zones|-all] [zones]"
echo "Print DNSSEC Key Siging Keys to be published in the upstream DNS."
echo "--all-keys print all keys, not just those that need publishing."
echo "--all-zones print keys for all zones, not just those that need publishing."
echo "--all print all keys for all zones."
echo "[zones] optional list of zones to operate on."
echo "--help print this message."
exit 1
}
states=""
zones=""
while [ -n "$*" ]; do
arg="$1"
shift
case $arg in
--all-keys) states="all" ;;
--all-zones) zones="all" ;;
--all) states="all"; zones="all" ;;
-*) usage ;;
*) zones="$zones $arg"
esac
done
if [ "$states" = "all" ]; then
states="$BASIC_STATES $EXTRA_STATES"
else
states="$BASIC_STATES"
fi
# make regex from filter
state_filter=$(echo $BASIC_STATES| tr ' ' '|')
# get list of /all/ zones
if [ "$zones" == "all" ]; then
zones=$(ods-enforcer key list -v -p 2>&1 | awk 'BEGIN { FS=";" } {print $1}' | sort -u | tr '\n' ' ')
fi
# get list of zones that need to publish a key
if [ -z "$zones" ]; then
zones=$(ods-enforcer key list -v -p 2>&1 | awk -v filter="$state_filter" 'BEGIN { FS=";" } $2 ~ /KSK/ && $3 ~ filter {print $1}' | sort -u | tr '\n' ' ')
fi
[ -z "$zones" ] && exit 0 # nothing to do
echo "Summary: $zones"
echo
echo "Keys:"
for zone in $zones; do
for state in $states; do
ods-enforcer key export --zone $zone --keystate $state -t KSK 2>&1 | egrep 'IN[[:space:]]+DNSKEY[[:space:]]+257'
ods-enforcer key export --zone $zone --keystate $state -t KSK --ds 2>&1 | egrep 'IN[[:space:]]+DS[[:space:]]+[[:digit:]]+'
done
done
echo
echo "Summary: $zones"