DNSSEC tweaks

- Add package to generate KS and ZS keys - Clean up the build - Generalize domain support
2021-04-08 00:39:17 +00:00 · 2021-04-08 00:39:17 +00:00 · 2d228098ba
commit 2d228098ba
parent 551ea8337d
3 changed files with 72 additions and 16 deletions
--- a/config/unbound/APKBUILD
+++ b/config/unbound/APKBUILD
@ -5,10 +5,11 @@ _svcname=unbound
 . ../APKBUILD-config.common

 _dkim_date=2021.03.28
-pkgver=2021.04.04
-pkgrel=0
+_dnssec_date=2021.04.05
+pkgver=2021.04.05
+pkgrel=1
 depends="alpine-baselayout ca-certificates-bundle dns-root-hints dnssec-root"
-makedepends="redxen-secret-opendkim-dns~$_dkim_date"
+makedepends="redxen-secret-opendkim-dns~$_dkim_date bind-dnssec-tools redxen-secret-dnssec~$_dnssec_date"
 checkdepends="bind-tools unbound"
 subpackages="$pkgname-acl $pkgname-rctrl $pkgname-internal $pkgname-auth-rx:auth_rx $pkgname-auth-crxn:auth_crxn"
 source="
@ -24,6 +25,19 @@ source="
 	zones/crxn
 "
 options="checkroot"
+builddir="$srcdir"
+
+prepare() {
+	default_prepare
+	# Add everything dynamic
+	cat redxen.eu /etc/opendkim/redxen/dns-record /etc/dns/redxen.eu/*.key > redxen.eu-cat
+}
+
+# DNSSEC signing happens here
+build() {
+	msg "Signing redxen.eu zone"
+	dnssec-signzone -K /etc/dns/redxen.eu -f redxen.eu-signed -e "+90d" -o redxen.eu -t redxen.eu-cat
+}

 check() {
 	msg "Checking configuration validity"
@ -34,36 +48,47 @@ check() {

 	# Cannot be checked because it expects files in a read-only path, not crucial
 	#/usr/sbin/unbound-checkconf auth-zones.conf
-	cat redxen.eu /etc/opendkim/redxen/dns-record > redxen.eu-concat
-	/usr/sbin/named-checkzone redxen.eu ./redxen.eu-concat
+	/usr/sbin/named-checkzone redxen.eu ./redxen.eu-signed
 	/usr/sbin/named-checkzone crxn ./crxn
 }

 package() {
-	install -Dm644 "$srcdir"/includes.conf "$pkgdir"/etc/unbound/includes.conf
-	install -Dm644 "$srcdir"/base.conf "$pkgdir"/etc/unbound/base.conf
+	for i in includes.conf base.conf acl.conf rctrl.conf internal.conf auth-redxen.conf auth-crxn.conf; do
+		install -Dm644 "$i" "$pkgdir"/etc/unbound/"$i"
+	done
+	# Unsigned zones
+	for i in crxn; do
+		install -Dm644 "$i" "$pkgdir"/etc/unbound/zones/"$i"
+	done
+	# Signed zones
+	for i in redxen.eu; do
+		install -Dm644 "$i-signed" "$pkgdir"/etc/unbound/zones/"${i%%-signed}"
+		install -Dm644 "dsset-$i." "$pkgdir"/etc/dns/"$i"/"dsset-$i."
+	done
 }

 acl() {
-	install -Dm644 "$srcdir"/acl.conf "$subpkgdir"/etc/unbound/acl.conf
+	amove etc/unbound/acl.conf
 }

 rctrl() {
-	install -Dm644 "$srcdir"/rctrl.conf "$subpkgdir"/etc/unbound/rctrl.conf
+	amove etc/unbound/rctrl.conf
 }

 internal() {
-	install -Dm644 "$srcdir"/internal.conf "$subpkgdir"/etc/unbound/internal.conf
+	amove etc/unbound/internal.conf
 }

 auth_rx() {
-	install -Dm644 "$srcdir"/redxen.eu-concat "$subpkgdir"/etc/unbound/zones/redxen.eu
-	install -Dm644 "$srcdir"/auth-redxen.conf "$subpkgdir"/etc/unbound/auth-redxen.conf
+	amove etc/unbound/auth-redxen.conf
+	amove etc/unbound/zones/redxen.eu
+	# Zone is signed, include the DS key in the package
+	amove etc/dns/redxen.eu
 }

 auth_crxn() {
-	install -Dm644 "$srcdir"/crxn "$subpkgdir"/etc/unbound/zones/crxn
-	install -Dm644 "$srcdir"/auth-crxn.conf "$subpkgdir"/etc/unbound/auth-crxn.conf
+	amove etc/unbound/auth-crxn.conf
+	amove etc/unbound/zones/crxn
 }

 sha512sums="428b251c4bdd8ca0cd6174b3c76d5fb6acf25734dc75325fd06ce5e867b2ba9c25ddd5d485f17562b7d8cdea62708e04bd44e854d028de9688298cb018b86d54  includes.conf
@ -73,5 +98,5 @@ d94ad338e2ea43c3ecdc62c861eddc0bb706807b738dd985309bcdf0b5fb435d7260bf272e2bbe40
 1eb7833b06f158f13b7c52ee14cd4e455acd9a8de344d6410092a5de98b1f4a62e209ce1e744cfc1a8afd588d3f54c5ce35a59ca31e3dd0fc16d517975fc6aa1  internal.conf
 28c917fe7f69643887097553312c4f1ffc747dffdbf150430e6c4b2e5833567922810716cb59a27887915664777ac3263be3c826956f504499f0ebdcc0b3aac5  auth-redxen.conf
 91847e65c48e585f298bb766b2b20c43f5380686b594233da3b722962b03f2f4c858bf299b745027dadd184408a87b1e85ebf03b027196756455afea69f79cf9  auth-crxn.conf
-372e0757f871fa9bf893ff85b11610317b57eed7e93c4f6f7c4cee1ceb96d1aac781791bc51e91361ff2f87f49950f8e5250a6edd9b0a339dc8fbfac904a7b92  redxen.eu
+9acdf83c65c808b8bcd101cc44efb755305afcd38d88f7b51dc53a1455f1a25d451074a035dab2e3bf72a3c6618ef8d17ced7e4e5b25ac061fdc2e9347d6a0f5  redxen.eu
 66a61bc8afe74cf98bc8214fe90f71e9e43e055ced9bbbca4bcf9afb14a91839911085a68509bf315a3110c7db6c6f5ba1383b50b17649ce8494057db227885d  crxn"
--- a/config/unbound/zones/redxen.eu
+++ b/config/unbound/zones/redxen.eu
@ -2,7 +2,7 @@
 ; redxen.eu zonefile
 ;

-@                                               IN      SOA     8101153.nbg1-dc3.hetzner admin 2020121401 ( 1800
+@                                               IN      SOA     8101153.nbg1-dc3.hetzner admin 2021040501 ( 1800
                                                                                                            120
                                                                                                            604800
                                                                                                            3600 )
--- a/secret/dnssec/APKBUILD
+++ b/secret/dnssec/APKBUILD
@ -0,0 +1,31 @@
+# Contributor: Alex Denes <caskd@redxen.eu>
+# Maintainer: Alex Denes <caskd@redxen.eu>
+pkgname=redxen-secret-dnssec
+pkgver="$(date +'%Y.%m.%d')"
+pkgrel=0
+pkgdesc="Generated DNSSEC keys"
+url="https://git.redxen.eu/RedXen/aports"
+arch="noarch"
+license="none"
+makedepends="bind-dnssec-tools"
+options="!check"
+builddir="$srcdir"
+_dom="
+	redxen.eu
+"
+
+build() {
+	for dom in $_dom; do
+		mkdir "$dom"
+		dnssec-keygen -K "$dom" -f KSK -a ECDSAP256SHA256 -n ZONE "$dom"
+		dnssec-keygen -K "$dom" -a ECDSAP256SHA256 -n ZONE "$dom"
+		chmod +r "$dom"/*.private # Required for other builds, not to be installed alone (security risk)
+	done
+}
+
+package() {
+	mkdir -p "$pkgdir/etc/dns"
+	for dom in $_dom; do
+		mv "$dom" "$pkgdir/etc/dns/$dom"
+	done
+}