adds initial KEY delegation helper script

prototypefund · Jun 14, 2024 · 1085287 · 1085287
1 parent 71a9402
commit 1085287
Show file tree

Hide file tree

Showing 2 changed files with 161 additions and 0 deletions.
diff --git a/dyn_key b/dyn_key
@@ -0,0 +1,96 @@
+#!/bin/bash
+#
+# Manages KEY entries under a writable domain
+# usage
+# 	./dyn_key fqdn pkey pkey ....
+# where
+# 	- fqdn is the fully qualified domain name to place the public keys
+# 	- pkey is the fqdn of the key(s) to add
+#
+# by default all key RRs of pkey are added or deleted from fqdn
+# if no pkey is specified, all exisiting KEY RRs at fqdn are listed
+#------------------------------------------------------------------------------
+
+
+# load helpful functions
+for i in functions/*.sh
+do
+        . ${i}
+        [[ -n ${DEBUG_SET_VARS} ]] && echo "Sourced ${PWD}/$i ..."
+done
+
+set_vars $*
+
+#------------------------------------------------------------------------------
+
+# define default update add
+NSUPDATE_ACTION=${NSUPDATE_ACTION:-"add"}
+NSUPDATE_TTL="60"
+
+# For a given ${NEW_FQDN}, recursively search keystore for closest (most particular) keypair
+subdomain="${NEW_FQDN}"
+while [[ ! -n "${NSUPDATE_AUTH_SIG0_KEYID}" ]] && [[ "${subdomain}" == *"."* ]]
+do
+	[[ -n ${DEBUG} ]] && echo "DEBUG: get_sig0_keyid NSUPDATE_AUTH_SIG0_KEYID '${subdomain}' '${NSUPDATE_SIG0_KEYPATH}'"
+	get_sig0_keyid NSUPDATE_AUTH_SIG0_KEYID "${subdomain}" "${NSUPDATE_SIG0_KEYPATH}"
+	[[ ! -n "${NSUPDATE_AUTH_SIG0_KEYID}" ]] && subdomain="${subdomain#*.}" || NSUPDATE_AUTH_SIG0_KEY_FQDN="${subdomain}"
+done
+
+if [[ -n ${DEBUG} ]]; then
+        echo
+        echo "NEW_FQDN='${NEW_FQDN}'"
+        echo "subdomain='${subdomain}'"
+        echo "NSUPDATE_AUTH_SIG0_KEYID='${NSUPDATE_AUTH_SIG0_KEYID}'"
+        echo "NSUPDATE_AUTH_SIG0_KEY_FQDN='${NSUPDATE_AUTH_SIG0_KEY_FQDN}'"
+        echo "ZONE='${ZONE}'"
+        echo "---"
+        #echo "cat ${NSUPDATE_SIG0_KEYPATH}/${NSUPDATE_AUTH_SIG0_KEYID}.key | cut -f4- -d' '"
+        echo "keystore  public key for ${NSUPDATE_AUTH_SIG0_KEY_FQDN}: $(cat ${NSUPDATE_SIG0_KEYPATH}/${NSUPDATE_AUTH_SIG0_KEYID}.key)"
+        #echo "dig +short ${NSUPDATE_AUTH_SIG0_KEY_FQDN} KEY"
+        echo "DNS named public key for ${NSUPDATE_AUTH_SIG0_KEY_FQDN}: $(dig +noall +nottlid +answer ${NSUPDATE_AUTH_SIG0_KEY_FQDN} KEY)"
+        echo "---"
+        echo "Processing named KEY parameters"
+fi
+
+# loop over command line parameter (post getops()) for IPv[4,6] assignments
+
+NSUPDATE_ITEM_RR=""
+for keyname in ${CMDLINE_EXTRA_PARAMS}; do
+        if validateKEY "${keyname}";then
+		NSUPDATE_RRTYPE="KEY"
+		[[ -n ${DEBUG} ]] && echo "KEY '${keyname}' resolves, marked to ${NSUPDATE_ACTION}"
+		NSUPDATE_ITEM_RR="${NSUPDATE_ITEM_RR}update ${NSUPDATE_ACTION} ${NEW_FQDN} ${NSUPDATE_TTL} ${NSUPDATE_RRTYPE} $(dig +short ${keyname} ${NSUPDATE_RRTYPE})\n"
+	else
+                echo "Warning: Skipping no KEY resolved with FQDN '${keyname}'"
+        fi
+done
+
+if [[ -n ${DEBUG} ]]; then
+	echo "---"
+	echo NSUPDATE_ITEM_RR
+	echo -e ${NSUPDATE_ITEM_RR}
+fi
+# form nsupdate RR update statements
+case ${NSUPDATE_ACTION} in
+	add)
+		# NSUPDATE_PRECONDITION_SET="nxrrset"
+		# NSUPDATE_PRECONDITION="prereq ${NSUPDATE_PRECONDITION_SET} ${word}._dns-sd._udp.${DNSSD_DOMAIN}. IN PTR"
+		# NSUPDATE_ITEM_RR="update ${NSUPDATE_ACTION} ${word}._dns-sd._udp.${DNSSD_DOMAIN} ${NSUPDATE_TTL} PTR ${DNSSD_DOMAIN}."
+		send_nsupdate "${NEW_FQDN}" "$(echo ${NSUPDATE_PRECONDITION};echo -e ${NSUPDATE_ITEM_RR})" "${subdomain}"
+		;;
+	delete)
+		# NSUPDATE_PRECONDITION_SET="yxrrset"
+		# NSUPDATE_PRECONDITION="prereq ${NSUPDATE_PRECONDITION_SET} ${word}._dns-sd._udp.${DNSSD_DOMAIN}. IN PTR"
+		# NSUPDATE_ITEM_RR="update ${NSUPDATE_ACTION} ${word}._dns-sd._udp.${DNSSD_DOMAIN} ${NSUPDATE_TTL} PTR ${DNSSD_DOMAIN}."
+		send_nsupdate "${NEW_FQDN}" "$(echo ${NSUPDATE_PRECONDITION};echo -e ${NSUPDATE_ITEM_RR})" "${subdomain}"
+		;;
+	*)
+		# NSUPDATE_ACTION should default to "add" - should never get here
+		echo "Error: NSUPDATE_ACTION is set to '${NSUPDATE_ACTION}', but must be set to 'add' or 'delete'."
+		exit 1
+		;;
+esac
+
+
+DIG_QUERY_PARAM="@${ZONE_SOA_MASTER} +noall +answer +dnssec"
+echo "$( dig ${DIG_QUERY_PARAM} ${NEW_FQDN} KEY )"
diff --git a/functions/validateKEY.sh b/functions/validateKEY.sh
@@ -0,0 +1,65 @@
+#!/bin/bash
+function validateKEY()
+{
+
+	# validate KEY RR presence at key_fqdn
+	#
+	#       ip[6,4]: 1 or more IPv6 or IPv4 addresses
+	#
+	#       return value 0 = valid address
+	#	non zero value = invalid address
+	local key_fqdn=$1
+	local query_answer=$(dig +short ${key_fqdn} KEY)
+	local stat=$?
+	# echo "validateKEY() DEBUG: resolve ${key_fqdn} KEY query_answer='${query_answer}'"
+	# echo "length of query_answer=${#query_answer}"
+	[[ ${#query_answer} > 0 ]] && stat=0 || stat=1
+	return $stat
+}
+
+#function validateIPv6()
+#{
+#	local ip=$1
+#	ipcalc -s -6 -c ${ip}
+#	local stat=$?
+#	#TODO: doesn't handle arbitrary zero compression yet
+#	#local stat=1
+#	#if [[ $ip =~ ^[0-9,a-f,A-F]{1,4}\:[0-9,a-f,A-F]{1,4}\:[0-9,a-f,A-F]{1,4}\:[0-9,a-f,A-F]{1,4}\:[0-9,a-f,A-F]{1,4}\:\:[0-9,a-f,A-F]{1,4}$ ]]; then
+#	#	# OIFS=$IFS
+#	#	# IFS=':'
+#	#	# ip=($ip)
+#	#	# IFS=$OIFS
+#	#	# [[ ${ip[0]} -le 255 && ${ip[1]} -le 255 \
+#	#	# && ${ip[2]} -le 255 && ${ip[3]} -le 255 ]]
+#	#	stat=0
+#	#fi
+#	#echo "$stat"
+#	return $stat
+#}
+#
+#if [[ -n ${TEST} ]]; then
+#	test_list=(
+#		127.0.0.1
+#		1.2.3.4
+#		10.20.30.40
+#		100.200.100.100
+#		123.256.123.12
+#		3.3.3.
+#		3.3.3
+#		5.5.5.5.5
+#		fe80::eeb4:b20e:7677:6144
+#		fe80::eeb4:b20e:7677:6144:8888:9999:AAAAA
+#		fe80:eeb4:b20e:
+#		2a01:4f8:c17:3dd5:8000::10
+#	)
+#	echo "-- TEST -- ipv4"
+#	for ip in "${test_list[@]}"; do
+#		res=$(validateIPv4 ${ip})
+#		echo "${ip}= '${res}' : '$?' "
+#	done
+#	echo "-- TEST -- ipv6"
+#	for ip in "${test_list[@]}"; do
+#		res="$(validateIPv6 ${ip})"
+#		echo "${ip}= '${res}' : '$?' "
+#	done
+#fi