unbound/contrib/update-anchor.sh

238106Sdes#!/bin/sh
238106Sdes# update-anchor.sh, update a trust anchor.
238106Sdes# Copyright 2008, W.C.A. Wijngaards
238106Sdes# This file is BSD licensed, see doc/LICENSE.
238106Sdes
238106Sdes# which validating lookup to use.
238106Sdesubhost=unbound-host
238106Sdes
238106Sdesusage ( )
238106Sdes{
238106Sdes	echo "usage: update-anchor [-r hs] [-b] <zone name> <trust anchor file>"
238106Sdes	echo "    performs an update of trust anchor file"
238106Sdes	echo "    the trust anchor file is overwritten with the latest keys"
238106Sdes	echo "    the trust anchor file should contain only keys for one zone"
238106Sdes	echo "    -b causes keyfile to be made in bind format."
238106Sdes	echo "       without -b the file is made in unbound format."
238106Sdes	echo "    "
238106Sdes	echo "alternate:"
238106Sdes	echo "    update-anchor [-r hints] [-b] -d directory"
238106Sdes	echo "    update all <zone>.anchor files in the directory."
238106Sdes	echo "    "
238106Sdes	echo "    name the files br.anchor se.anchor ..., and include them in"
238106Sdes	echo "    the validating resolver config file."
238106Sdes	echo "    put keys for the root in a file with the name root.anchor."
238106Sdes	echo ""
238106Sdes	echo "-r root.hints	use different root hints. Strict option order."
238106Sdes	echo ""
238106Sdes	echo "Exit code 0 means anchors updated, 1 no changes, others are errors."
238106Sdes	exit 2
238106Sdes}
238106Sdes
238106Sdesif test $# -eq 0; then
238106Sdes	usage
238106Sdesfi
238106Sdesbindformat="no"
238106Sdesfilearg='-f'
238106Sdesroothints=""
238106Sdesif test X"$1" = "X-r"; then
238106Sdes	shift
238106Sdes	roothints="$1"
238106Sdes	shift
238106Sdesfi
238106Sdesif test X"$1" = "X-b"; then
238106Sdes	shift
238106Sdes	bindformat="yes"
238106Sdes	filearg='-F'
238106Sdesfi
238106Sdesif test $# -ne 2; then
238106Sdes	echo "arguments wrong."
238106Sdes	usage
238106Sdesfi
238106Sdes
238106Sdesdo_update ( ) {
238106Sdes	# arguments: <zonename> <keyfile>
238106Sdes	zonename="$1"
238106Sdes	keyfile="$2"
238106Sdes	tmpfile="/tmp/update-anchor.$$"
238106Sdes	tmp2=$tmpfile.2
238106Sdes	tmp3=$tmpfile.3
238106Sdes	rh=""
238106Sdes	if test -n "$roothints"; then
238106Sdes		echo "server: root-hints: '$roothints'" > $tmp3
238106Sdes		rh="-C $tmp3"
238106Sdes	fi
238106Sdes	$ubhost -v $rh $filearg "$keyfile" -t DNSKEY "$zonename" >$tmpfile
238106Sdes	if test $? -ne 0; then
238106Sdes		rm -f $tmpfile
238106Sdes		echo "Error: Could not update zone $zonename anchor file $keyfile"
238106Sdes		echo "Cause: $ubhost lookup failed"
238106Sdes		echo "    (Is the domain decommissioned? Is connectivity lost?)"
238106Sdes		return 2
238106Sdes	fi
238106Sdes
238106Sdes	# has the lookup been DNSSEC validated?
238106Sdes	if grep '(secure)$' $tmpfile >/dev/null 2>&1; then
238106Sdes		:
238106Sdes	else
238106Sdes		rm -f $tmpfile
238106Sdes		echo "Error: Could not update zone $zonename anchor file $keyfile"
238106Sdes		echo "Cause: result of lookup was not secure"
238106Sdes		echo "    (keys too far out of date? domain changed ownership? need root hints?)"
238106Sdes		return 3
238106Sdes	fi
238106Sdes
238106Sdes	if test $bindformat = "yes"; then
238106Sdes		# are there any KSK keys on board?
238106Sdes		echo 'trusted-keys {' > "$tmp2"
238106Sdes		if grep ' has DNSKEY record 257' $tmpfile >/dev/null 2>&1; then
238106Sdes			# store KSK keys in anchor file
238106Sdes			grep '(secure)$' $tmpfile | \
238106Sdes			grep ' has DNSKEY record 257' | \
238106Sdes			sed -e 's/ (secure)$/";/' | \
238106Sdes			sed -e 's/ has DNSKEY record \([0-9]*\) \([0-9]*\) \([0-9]*\) /. \1 \2 \3 "/' | \
238106Sdes			sed -e 's/^\.\././' | sort >> "$tmp2"
238106Sdes		else
238106Sdes			# store all keys in the anchor file
238106Sdes			grep '(secure)$' $tmpfile | \
238106Sdes			sed -e 's/ (secure)$/";/' | \
238106Sdes			sed -e 's/ has DNSKEY record \([0-9]*\) \([0-9]*\) \([0-9]*\) /. \1 \2 \3 "/' | \
238106Sdes			sed -e 's/^\.\././' | sort >> "$tmp2"
238106Sdes		fi
238106Sdes		echo '};' >> "$tmp2"
238106Sdes	else #not bindformat
238106Sdes		# are there any KSK keys on board?
238106Sdes		if grep ' has DNSKEY record 257' $tmpfile >/dev/null 2>&1; then
238106Sdes			# store KSK keys in anchor file
238106Sdes			grep '(secure)$' $tmpfile | \
238106Sdes			grep ' has DNSKEY record 257' | \
238106Sdes			sed -e 's/ (secure)$//' | \
238106Sdes			sed -e 's/ has DNSKEY record /. IN DNSKEY /' | \
238106Sdes			sed -e 's/^\.\././' | sort > "$tmp2"
238106Sdes		else
238106Sdes			# store all keys in the anchor file
238106Sdes			grep '(secure)$' $tmpfile | \
238106Sdes			sed -e 's/ (secure)$//' | \
238106Sdes			sed -e 's/ has DNSKEY record /. IN DNSKEY /' | \
238106Sdes			sed -e 's/^\.\././' | sort > "$tmp2"
238106Sdes		fi
238106Sdes	fi # endif-bindformat
238106Sdes
238106Sdes	# copy over if changed
238106Sdes	diff $tmp2 $keyfile >/dev/null 2>&1
238106Sdes	if test $? -eq 1; then   # 0 means no change, 2 means trouble.
238106Sdes		cat $tmp2 > $keyfile
238106Sdes		no_updated=0
238106Sdes		echo "$zonename key file $keyfile updated."
238106Sdes	else
238106Sdes		echo "$zonename key file $keyfile unchanged."
238106Sdes	fi
238106Sdes
238106Sdes	rm -f $tmpfile $tmp2 $tmp3
238106Sdes}
238106Sdes
238106Sdesno_updated=1
238106Sdesif test X"$1" = "X-d"; then
238106Sdes	tdir="$2"
238106Sdes	echo "start updating in $2"
238106Sdes	for x in $tdir/*.anchor; do
238106Sdes		if test `basename "$x"` = "root.anchor"; then
238106Sdes			zname="."
238106Sdes		else
238106Sdes			zname=`basename "$x" .anchor`
238106Sdes		fi
238106Sdes		do_update "$zname" "$x"
238106Sdes	done
238106Sdes	echo "done updating in $2"
238106Sdeselse
238106Sdes	# regular invocation
238106Sdes	if test X"$1" = "X."; then
238106Sdes		zname="$1"
238106Sdes	else
238106Sdes		# strip trailing dot from zone name
238106Sdes		zname="`echo $1 | sed -e 's/\.$//'`"
238106Sdes	fi
238106Sdes	kfile="$2"
238106Sdes	do_update $zname $kfile
238106Sdesfi
238106Sdesexit $no_updated