From 23d50a0b0c00dc318b23f7a11c974407e4900fdc Mon Sep 17 00:00:00 2001
From: Pinga <121483313+getpinga@users.noreply.github.com>
Date: Fri, 23 Feb 2024 01:13:48 +0200
Subject: [PATCH] Added easier OpenDNSSEC support
---
 automation/write-zone.php | 22 ++++++++-
 docs/install.md | 93 ++++++++++++++++++++++++++++++++++++++-
 2 files changed, 112 insertions(+), 3 deletions(-)
diff --git a/automation/write-zone.php b/automation/write-zone.php
index 4c85270..a9dc1de 100644
--- a/automation/write-zone.php
+++ b/automation/write-zone.php
@@ -135,7 +135,7 @@ Coroutine::create(function () use ($pool, $log, $c) {
 $zone->addResourceRecord($dsRecord);
 }
 }
-
+
 $builder = new ZoneBuilder();
 $completed_zone = $builder->build($zone);
@@ -151,6 +151,12 @@ Coroutine::create(function () use ($pool, $log, $c) {
 }
 file_put_contents("{$basePath}/{$cleanedTld}.zone", $completed_zone);
+
+ if ($c['dns_server'] == 'opendnssec') {
+ chown("{$basePath}/{$cleanedTld}.zone", 'opendnssec');
+ chgrp("{$basePath}/{$cleanedTld}.zone", 'opendnssec');
+ }
+
 }
 if ($c['dns_server'] == 'bind') {
@@ -178,6 +184,20 @@ Coroutine::create(function () use ($pool, $log, $c) {
 if ($return_var != 0) {
 $log->error('Failed to notify secondary servers. ' . $return_var);
 }
+ } elseif ($c['dns_server'] == 'opendnssec') {
+ exec("ods-signer sign {$cleanedTld}");
+ sleep(1);
+ copy("/var/lib/opendnssec/signed/{$cleanedTld}", "/var/lib/bind/{$cleanedTld}.zone.signed");
+
+ exec("rndc reload {$cleanedTld}.", $output, $return_var);
+ if ($return_var != 0) {
+ $log->error('Failed to reload BIND. ' . $return_var);
+ }
+
+ exec("rndc notify {$cleanedTld}.", $output, $return_var);
+ if ($return_var != 0) {
+ $log->error('Failed to notify secondary servers. ' . $return_var);
+ }
 } else {
 // Default
 exec("rndc reload {$cleanedTld}.", $output, $return_var);
diff --git a/docs/install.md b/docs/install.md
index 4062474..9717666 100644
--- a/docs/install.md
+++ b/docs/install.md
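Review bot: The `chown()` and `chgrp()` calls in the new `opendnssec` branch after `file_put_contents` discard their return values, so a failed ownership change (process not running as root, or no `opendnssec` user on the host) only raises a PHP warning, the file keeps its previous owner, and the signer may later be unable to read it with nothing in the registry log. The `rndc` branches in this file already log a non-zero `$return_var`; give this the same treatment: `if (!chown($zoneFile, 'opendnssec') || !chgrp($zoneFile, 'opendnssec')) {` / `    $log->error("Failed to set ownership on {$zoneFile}");` / `}` with `$zoneFile = "{$basePath}/{$cleanedTld}.zone";` hoisted out of the repeated string. The `== 'opendnssec'` comparison follows the file's existing `== 'bind'` style, though `===` would be the stricter form. The enclosing `Coroutine::create` callback starts and ends outside the hunk.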
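Review bot: In the new `elseif` branch, `exec("ods-signer sign {$cleanedTld}")` and `copy(...)` discard their results, and a fixed `sleep(1)` is all that separates the sign request from the copy; as far as I know `ods-signer sign` only schedules the signing and returns immediately, so on a busy signer the copy picks up the previous signed file (or fails when none exists yet) and `rndc reload` then publishes stale data without any log entry. The sibling `rndc` calls in the same branch already check `$return_var`; do the same for the signer call, test the `copy()` result, and consider verifying that the signed file is newer than the unsigned zone before copying rather than relying on a fixed sleep. `$cleanedTld` is interpolated into three shell commands here and its sanitisation happens outside the hunk, so unless it is restricted to hostname characters upstream, pass it through `escapeshellarg()`. The enclosing callback starts and ends outside the hunk.
```php
} elseif ($c['dns_server'] == 'opendnssec') {
    exec('ods-signer sign ' . escapeshellarg($cleanedTld), $output, $return_var);
    if ($return_var != 0) {
        $log->error('Failed to request OpenDNSSEC signing. ' . $return_var);
    }
    sleep(1);

    $signedZone = "/var/lib/opendnssec/signed/{$cleanedTld}";
    $bindZone = "/var/lib/bind/{$cleanedTld}.zone.signed";
    if (!is_file($signedZone) || !copy($signedZone, $bindZone)) {
        $log->error('Failed to copy signed zone for ' . $cleanedTld);
    }

    // … unchanged: rndc reload / rndc notify …
```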
@@ -699,7 +699,42 @@ key "test.key" {
 Copy this output for use in the configuration files of both the master and slave DNS servers. (```/etc/bind/named.conf.local```)
-### Configure the Named Configuration File:
+### Configure the Named Configuration File (Please Choose One):
+
+1. Without DNSSEC:
+
+Edit the named.conf.local file:
+
+```bash
+nano /etc/bind/named.conf.local
+```
+
+Add the following zone definition:
+
+```bash
+zone "test." {
+ type master;
+ file "/var/lib/bind/test.zone";
+ allow-transfer { key "test.key"; };
+ also-notify { ; };
+};
+```
+
+Replace `````` with the actual IP address of your slave server. Replace ```test``` with your TLD.
+
+Use rndc to reload BIND:
+
+```bash
+systemctl restart bind9
+```
+
+Configure the `Zone Writer` in Registry Automation and run it manually the first time.
+
+```bash
+php /opt/registry/automation/write-zone.php
+```
+
+2. Using DNSSEC with BIND9:
 Edit the named.conf.local file:
@@ -755,7 +790,61 @@ systemctl restart bind9
 rndc loadkeys test.
 ```
-Configure the ```write-zone.php``` file and activate it in the automation script.
+Configure the `Zone Writer` in Registry Automation and run it manually the first time.
+
+```bash
+php /opt/registry/automation/write-zone.php
+```
+
+3. Using DNSSEC with OpenDNSSEC:
+
+Edit the named.conf.local file:
+
+```bash
+nano /etc/bind/named.conf.local
+```
+
+Add the following zone definition:
+
+```bash
+zone "test." {
+ type master;
+ file "/var/lib/bind/test.zone.signed";
+ allow-transfer { key "test.key"; };
+ also-notify { ; };
+};
+```
+
+Replace `````` with the actual IP address of your slave server. Replace ```test``` with your TLD.
+
+Install OpenDNSSEC:
+
+```bash
+apt install opendnssec opendnssec-enforcer-sqlite3 opendnssec-signer softhsm2
+```
+
+Update files in `/etc/opendnssec` to match your registry policy. As minimum, please enable at least Signer Threads in `/etc/opendnssec/conf.xml`, but we recommend to fully review [all the files](https://wiki.opendnssec.org/configuration/confxml/). Then run the following commands:
+
+```bash
+softhsm2-util --init-token --slot 0 --label OpenDNSSEC --pin 1234 --so-pin 1234
+ods-enforcer-db-setup
+rm /etc/opendnssec/prevent-startup
+ods-control start
+ods-enforcer policy import
+ods-enforcer zone add -z test -p default -i /var/lib/bind/test.zone
+```
+
+Use rndc to reload BIND:
+
+```bash
+systemctl restart bind9
+```
+
+Configure the `Zone Writer` in Registry Automation and run it manually the first time.
+
+```bash
+php /opt/registry/automation/write-zone.php
+```
 ### Check BIND9 Configuration: