More dnssec fixes

bind8/bind8-lib.pl

@@ -27,7 +27,7 @@ else {
 	$bind_version = &get_bind_version();
 	}
 
-$dnssec_cron_cmd = "$module_config_directory/renew.pl";
+$dnssec_cron_cmd = "$module_config_directory/resign.pl";
 
 # get_bind_version()
 # Returns the BIND verison number, or undef if unknown
@@ -2488,6 +2488,11 @@ if (-r $jnlfile) {
 	&lock_file($jnlfile);
 	unlink($jnlfile);
 	}
+local $signfile = $zonefile.".signed";
+if (-r $signfile) {
+	&lock_file($signfile);
+	unlink($signfile);
+	}
 }
 
 # move_zone_button(&config, current-view, zone-index)
@@ -2706,14 +2711,14 @@ local $dom = $z->{'members'} ? $z->{'values'}->[0] : $z->{'name'};
 
 # Get the old zone key record
 local @recs = &read_zone_file($fn, $dom);
-locla $zonerec;
+local $zonerec;
 foreach my $r (@recs) {
 	if ($r->{'type'} eq 'DNSKEY' && $r->{'values'}->[0] % 2 == 0) {
 		$zonerec = $r;
 		}
 	}
 $zonerec || return "Could not find DNSSEC zone key record";
-local @keys = &get_dnssec_keys($z);
+local @keys = &get_dnssec_key($z);
 @keys == 2 || return "Expected to find 2 keys, but found ".scalar(@keys);
 local ($zonekey) = grep { !$_->{'ksk'} } @keys;
 $zonekey || return "Could not find DNSSEC zone key";
@@ -2727,8 +2732,8 @@ if (!$pid) {
 
 # Work out zone key size
 local $zonesize;
-(undef, $zonesize) = &compute_dnssec_key_size($alg, 1);
 local $alg = $zonekey->{'algorithm'};
+(undef, $zonesize) = &compute_dnssec_key_size($alg, 1);
 
 # Generate a new zone key
 local $out = &backquote_logged(
@@ -2745,10 +2750,10 @@ if ($?) {
 &unlink_file($zonekey->{'publicfile'});
 
 # Update the zone file with the new key
-@keys = &get_dnssec_keys($z);
+@keys = &get_dnssec_key($z);
 local ($newzonekey) = grep { !$_->{'ksk'} } @keys;
 $newzonekey || return "Could not find new DNSSEC zone key";
-&modify_record($fn, $dom.".", undef, "IN", "DNSKEY",
+&modify_record($fn, $zonerec, $dom.".", undef, "IN", "DNSKEY",
 	       join(" ", @{$newzonekey->{'values'}}));
 &bump_soa_record($fn, \@recs);
 
@@ -2948,5 +2953,16 @@ else {
 return (1, $rv);
 }
 
+# get_dnssec_cron_job()
+# Returns the cron job object for re-signing DNSSEC domains
+sub get_dnssec_cron_job
+{
+&foreign_require("cron", "cron-lib.pl");
+local ($job) = grep { $_->{'user'} eq 'root' &&
+		      $_->{'command'} =~ /^\Q$dnssec_cron_cmd\E/ }
+		    &cron::list_cron_jobs();
+return $job;
+}
+
 1;
 

bind8/delete_zone.cgi

@@ -114,6 +114,9 @@ if ($f && $type ne 'hint') {
 	&delete_records_file($f->{'value'});
 	}
 
+# delete any keys
+&delete_dnssec_key($zconf);
+
 # remove the zone directive
 &lock_file(&make_chroot($zconf->{'file'}));
 &save_directive($parent, [ $zconf ], [ ]);

bind8/edit_zonekey.cgi

@@ -22,28 +22,28 @@ if ($keyrec) {
 	print $text{'zonekey_webmin'},"\n";
 	print "<p>\n";
 
-	# Collapsible section for key details
-	print &ui_hidden_start($text{'zonekey_expand'},
-			       "expand", 0, "edit_zonekey.cgi?$in");
-	print $text{'zonekey_public'},"<br>\n";
-	print &ui_textarea("keyline", $keyline, 5, 80, "off", 0,
-			   "readonly style='width:90%'"),"<p>\n";
-
 	@keys = &get_dnssec_key($zone);
-	if (@keys) {
-		foreach $key (@keys) {
-			print $text{'zonekey_private'},"<br>\n";
-			print &ui_textarea(
-				"private", $key->{'privatetext'}, 10, 80,
-				"off", 0, "readonly style='width:90%'");
-			}
+	foreach $key (@keys) {
+		# Collapsible section for key details
+		$kt = $key->{'ksk'} ? 'ksk' : 'zone';
+		print &ui_hidden_start($text{'zonekey_expand'.$kt},
+				       $kt, 0, "edit_zonekey.cgi?$in");
+		print $text{'zonekey_public'},"<br>\n";
+		print &ui_textarea("keyline", $keyline, 2, 80, "off", 0,
+				   "readonly style='width:90%'"),"<p>\n";
+
+		print $text{'zonekey_private'},"<br>\n";
+		print &ui_textarea(
+			"private", $key->{'privatetext'}, 8, 80,
+			"off", 0, "readonly style='width:90%'");
+		print &ui_hidden_end();
 		}
-	else {
+	if (!@keys) {
 		print &text('zonekey_noprivate'),"<p>\n";
 		}
-	print &ui_hidden_end();
 
 	# Offer to disable
+	print &ui_hr();
 	print &ui_buttons_start();
 	print &ui_buttons_row("disable_zonekey.cgi", $text{'zonekey_disable'},
 			      $text{'zonekey_disabledesc'},

bind8/lang/en

@@ -1024,13 +1024,15 @@ zonekey_already=The zone already has a DNSSEC key, and so is already signed.
 zonekey_webmin=Webmin will re-sign the zone automatically when any changes are made.
 zonekey_public=Public key record :
 zonekey_private=Private key details :
-zonekey_expand=Show public and private key details ..
-zonekey_eprivate=An error occurred fetching private key details : $1
+zonekey_expandksk=Show public and private key-signing-key details ..
+zonekey_expandzone=Show public and private zone-key details .
 zonekey_noprivate=However, Webmin could not find the private key associated with the zone, and so will not be able to re-sign it.
 zonekey_disable=Remove Key
 zonekey_disabledesc=Removes the DNSSEC key from this zone, and all signing records. Once this is done, you will be able to generate a new key.
 zonekey_sign=Sign Zone
 zonekey_signdesc=Immediately re-sign this zone, so that any changes to records made manually will be included in the signing records.
+zonekey_resign=Re-Sign Zone
+zonekey_resigndesc=Generate a new zone signing key, sign it with the zone's master key, and re-sign all records.
 
 sign_err=Failed to sign zone
 sign_emsg=DNSSEC signing after records change failed : $1

bind8/mass_delete.cgi

@@ -69,6 +69,9 @@ else {
 			&delete_records_file($f->{'value'});
 			}
 
+		# delete any keys
+		&delete_dnssec_key($zconf);
+
 		# remove the zone directive
 		&lock_file(&make_chroot($zconf->{'file'}));
 		&save_directive($view || &get_config_parent($zconf->{'file'}),

bind8/resign.pl

@@ -18,7 +18,7 @@ foreach $z (@zones) {
 	# Get the key
 	next if ($z->{'type'} ne 'master');
 	print STDERR "Considering zone $z->{'name'}\n" if ($debug);
-	@keys = &get_dnssec_keys($z);
+	@keys = &get_dnssec_key($z);
 	print STDERR "  Key count ",scalar(@keys),"\n" if ($debug);
 	next if (@keys != 2);
 	($zonekey) = grep { !$_->{'ksk'} } @keys;
@@ -27,8 +27,13 @@ foreach $z (@zones) {
 		if ($debug);
 
 	# Check if old enough
-	@st = stat($key->{'privatefile'});
-	$old = (time() - $st[9]) / (24*60*60)
+	@st = stat($zonekey->{'privatefile'});
+	if (!@st) {
+		print STDERR "  Private key file $zonekey->{'privatefile'} ",
+			     "missing\n" if ($debug);
+		next;
+		}
+	$old = (time() - $st[9]) / (24*60*60);
 	print STDERR "  Age in days $old\n" if ($debug);
 	if ($old > $config{'dnssec_period'}) {
 		# Too old .. signing

bind8/resign_zone.cgi

@@ -11,7 +11,7 @@ $dom = $zone->{'name'};
 
 # Do the signing
 &lock_file(&make_chroot(&absolute_path($zone->{'file'})));
-$err = &resign_dnssec_zone($zone);
+$err = &resign_dnssec_key($zone);
 &error($err) if ($err);
 &unlock_file(&make_chroot(&absolute_path($zone->{'file'})));
 

bind8/save_dnssec.cgi

@@ -31,7 +31,7 @@ elsif (!$job && $in{'enabled'}) {
 	&cron::create_cron_job($job);
 	&unlock_file(&cron::cron_file($job));
 	}
-&cron::create_wrapper($dnssec_cron_cmd, $module_name, "renew.pl");
+&cron::create_wrapper($dnssec_cron_cmd, $module_name, "resign.pl");
 
 &lock_file($module_config_file);
 $config{'dnssec_period'} = $in{'period'};