authorMarcello Coutinho <marcellocoutinho@gmail.com>2013-10-24 19:25:05 -0200
committerMarcello Coutinho <marcellocoutinho@gmail.com>2013-10-24 19:25:05 -0200
commit146956ced860734364f56b412d32dd2ad58dab3e (patch)
tree438202be126ec32f39c2a01d3d1c6fe4a717a4c6
parentf48cf8164b8cfc25752213ecba7c430535b42c57 (diff)
downloadpfsense-packages-146956ced860734364f56b412d32dd2ad58dab3e.tar.gz
pfsense-packages-146956ced860734364f56b412d32dd2ad58dab3e.tar.bz2
pfsense-packages-146956ced860734364f56b412d32dd2ad58dab3e.zip
bind - include a DNSSEC backup-to-XML option, include many logging options and forward them to the resolver system log tab via syslog.
add more info on sync tab
-rw-r--r--config/bind/bind.inc114
-rw-r--r--config/bind/bind.xml64
-rw-r--r--config/bind/bind_zones.xml7
-rw-r--r--config/bind/pkg_bind.inc2
-rw-r--r--pkg_config.8.xml4
-rw-r--r--pkg_config.8.xml.amd644
6 files changed, 161 insertions, 34 deletions
diff --git a/config/bind/bind.inc b/config/bind/bind.inc
index 60fa23d5..66ed6301 100644
--- a/config/bind/bind.inc
+++ b/config/bind/bind.inc
@@ -204,26 +204,40 @@ EOD;
$bind_conf .= "\t};\n\n";
if ($bind_logging == on){
-$bind_conf .= <<<EOD
-
- logging {
- channel custom {
- file "/var/log/named.log";
- print-time yes;
- print-category yes;
- };
-
- category config {custom;};
- category notify {custom;};
- category dnssec {custom;};
- category general {custom;};
- category security {custom;};
- category xfer-out {custom;};
- category lame-servers {custom;};
- };
+ //check if bind is included on syslog
+ $syslog_files=array("/etc/inc/system.inc","/var/etc/syslog.conf");
+ $restart_syslog=0;
+ foreach ($syslog_files as $syslog_file){
+ $syslog_file_data=file_get_contents($syslog_file);
+ if (!preg_match("/dnsmasq,named,filterdns/",$syslog_file_data)){
+ $syslog_file_data=preg_replace("/dnsmasq,filterdns/","dnsmasq,named,filterdns",$syslog_file_data);
+ file_put_contents($syslog_file,$syslog_file_data);
+ $restart_syslog++;
+ }
+ }
+ if ($restart_syslog > 0){
+ system("/usr/bin/killall -HUP syslogd");
+ }
+ $log_categories=explode(",",$bind['log_options']);
+ $log_severity=($bind['log_severity']?$bind['log_severity']:'default');
+ if (sizeof($log_categories) > 0 && $log_categories[0]!=""){
+ $bind_conf .= <<<EOD
+
+ logging {
+ channel custom {
+ syslog daemon;
+ print-time no;
+ print-severity yes;
+ print-category yes;
+ severity {$log_severity};
+ };
EOD;
- }
+ foreach ($log_categories as $category)
+ $bind_conf .="\t\t\tcategory $category\t{custom;};\n";
+ $bind_conf .="\t\t};\n\n";
+ }
+ }
#Config Zone domain
if(!is_array($config["installedpackages"]["bindacls"]) || !is_array($config["installedpackages"]["bindacls"]["config"])){
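Review bot: The category names and severity written into named.conf at `severity {$log_severity};` and `category $category\t{custom;};` come from `$bind['log_options']` / `$bind['log_severity']` without being checked against the values the select fields offer, so a value that arrives via a hand-edited config.xml or XML-RPC sync and contains `;` or `}` yields a named.conf that fails to load or carries directives the UI never exposed. Inside the foreach I would add `$category = trim($category); if (!preg_match('/^[a-z0-9-]+$/', $category)) continue;` and guard the severity with `if (!preg_match('/^(critical|error|warning|notice|info|debug [0-9]+|dynamic|default)$/i', $log_severity)) $log_severity = 'default';`. The `preg_replace("/dnsmasq,filterdns/", ...)` over /etc/inc/system.inc also deserves a comment: it patches a base-system file on every apply, silently does nothing once that literal changes in a later pfSense release, and the edit to /var/etc/syslog.conf is lost whenever the system regenerates that file, so something like `// NOTE: patches base system.inc so the 'named' program is routed to the resolver log; re-check after pfSense upgrades` would make the dependency visible. The enclosing function starts before this hunk.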
@@ -427,14 +441,28 @@ EOD;
$zone_found++;
}
if ($zone_found==0){
+ $key_restored=0;
+ if(is_array($config['installedpackages']['dnsseckeys']) && is_array($config['installedpackages']['dnsseckeys']['config'])){
+ foreach ($config['installedpackages']['dnsseckeys']['config']as $filer)
+ if (preg_match ("/K$zonename\.+/",$filer['fullfile'])){
+ file_put_contents($filer['fullfile'],base64_decode($filer['filedata']),LOCK_EX);
+ chmod($filer['fullfile'],0700);
+ chown($filer['fullfile'],"bind");
+ $key_restored++;
+ }
+ }
+ if ($key_restored > 0){
+ log_error("[bind] {$key_restored} DNSSEC keys restored from XML backup for {$zonename} zone.");
+ }
$dnssec_bin="/usr/local/sbin/dnssec-keygen";
- if (file_exists($dnssec_bin)){
+ if (file_exists($dnssec_bin) && $key_restored==0){
exec("{$dnssec_bin} -K ".CHROOT_LOCALBASE."/etc/namedb/keys {$zonename}",$kout);
exec("{$dnssec_bin} -K ".CHROOT_LOCALBASE."/etc/namedb/keys -fk {$zonename}",$kout);
foreach($kout as $filename){
chown(CHROOT_LOCALBASE."/etc/namedb/keys/{$filename}.key","bind");
chown(CHROOT_LOCALBASE."/etc/namedb/keys/{$filename}.private","bind");
}
+ log_error("[bind] DNSSEC keys for {$zonename} created.");
}
}
//get ds keys
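Review bot: The restore filter `preg_match ("/K$zonename\.+/",$filer['fullfile'])` interpolates the zone name into the pattern unquoted and matches anywhere in the path, and `\.+` reads as "one or more dots", so the backup entry for a zone such as example.com.br also counts as a restored key for example.com; a non-zero `$key_restored` then skips dnssec-keygen for a zone whose own keys were never written. Anchoring on the basename with `preg_quote()` fixes both — dnssec-keygen names its files `K<zone>.+<alg>+<id>.key` / `.private`, which is presumably what `\.+` was meant to match. Because `$filer['fullfile']` is written verbatim by `file_put_contents`, and the dnsseckeys list is also received over XML-RPC sync, I would additionally refuse any entry whose directory is not the chroot keys directory; `0600` is also sufficient for a key file, the execute bit in `0700` buys nothing. The enclosing function and the `if ($zone_found==0)` block start before this hunk.
```php
// … unchanged: $key_restored=0; is_array() guard on the dnsseckeys config …
$keys_dir = CHROOT_LOCALBASE."/etc/namedb/keys";
// dnssec-keygen names key files K<zone>.+<alg>+<id>.key / .private; anchor on the exact zone
$key_re   = '/^K'.preg_quote($zonename, '/').'\.\+/';
foreach ($config['installedpackages']['dnsseckeys']['config'] as $filer) {
    // only restore entries that live in the chroot key directory and belong to this zone
    if (dirname($filer['fullfile']) != $keys_dir || !preg_match($key_re, basename($filer['fullfile'])))
        continue;
    file_put_contents($filer['fullfile'], base64_decode($filer['filedata']), LOCK_EX);
    chmod($filer['fullfile'], 0600);
    chown($filer['fullfile'], "bind");
    $key_restored++;
}
// … unchanged: log_error() and the dnssec-keygen fallback …
```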
@@ -447,6 +475,30 @@ EOD;
$write_config++;
}
}
+ //save dnssec keys to xml
+
+ if($zone['backupkeys']=="on"){
+ $dnssec_keys=0;
+ foreach (glob(CHROOT_LOCALBASE."/etc/namedb/keys/*{$zonename}*",GLOB_NOSORT) as $filename){
+ $file_found=0;
+ if(is_array($config['installedpackages']['dnsseckeys']) && is_array($config['installedpackages']['dnsseckeys']['config'])){
+ foreach ($config['installedpackages']['dnsseckeys']['config']as $filer){
+ if ($filer['fullfile']==$filename)
+ $file_found++;
+ }
+ }
+ if ($file_found==0){
+ $config['installedpackages']['dnsseckeys']['config'][]=array('fullfile'=> $filename,
+ 'description'=> "bind {$zonename} DNSSEC backup file",
+ 'filedata'=> base64_encode(file_get_contents($filename)));
+ $write_config++;
+ $dnssec_keys++;
+ }
+ }
+ if($dnssec_keys>0){
+ log_error("[bind] {$dnssec_keys} DNSSEC keys for {$zonename} zone saved on XML config.");
+ }
+ }
}
break;
case "slave":
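Review bot: `glob(CHROOT_LOCALBASE."/etc/namedb/keys/*{$zonename}*",GLOB_NOSORT)` matches by substring, so when example.com and sub.example.com (or example.com.br) are both configured the longer zone's key files are stored a second time, labelled as the shorter zone's backup; `glob(CHROOT_LOCALBASE."/etc/namedb/keys/K{$zonename}.+*", GLOB_NOSORT)` limits it to this zone's files (`.` and `+` are literal in glob patterns). The `$file_found` check compares only the path, so once an entry exists a regenerated or rolled key is never re-read and the next restore writes stale material; comparing the stored `filedata` with the current file contents and updating the entry when they differ would keep the backup current. What lands in config.xml here is the base64 of the `.private` files as well, so a comment at the top of the block, `// stores DNSSEC private keys in config.xml (and hence in config backups and XML-RPC sync)`, would spare the next reader a surprise. The enclosing loop and function start before this hunk.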
@@ -454,11 +506,21 @@ EOD;
chown(CHROOT_LOCALBASE."/etc/namedb/$zonetype","bind");
chown(CHROOT_LOCALBASE."/etc/namedb/$zonetype/$zoneview","bind");
//check if exists slave zone file
- if (file_exists(CHROOT_LOCALBASE."/etc/namedb/$zonetype/$zoneview/$zonename.DB")){
- $slave_file=file_get_contents(CHROOT_LOCALBASE."/etc/namedb/$zonetype/$zoneview/$zonename.DB");
- $config["installedpackages"]["bindzone"]["config"][$x][resultconfig]=base64_encode($slave_file);
- $write_config++;
+ $rsconfig="";
+ if ($zone['dnssec']=="on"){
+ if (file_exists(CHROOT_LOCALBASE."/etc/namedb/$zonetype/$zoneview/$zonename.DB.signed"))
+ exec("/usr/local/sbin/named-checkzone -D -f raw -o - {$zonename} ".CHROOT_LOCALBASE."/etc/namedb/$zonetype/$zoneview/$zonename.DB.signed",$slave_file);
+ }
+ else{
+ if (file_exists(CHROOT_LOCALBASE."/etc/namedb/$zonetype/$zoneview/$zonename.DB"))
+ $slave_file=file(CHROOT_LOCALBASE."/etc/namedb/$zonetype/$zoneview/$zonename.DB");
}
+ if (is_array($slave_file)){
+ foreach ($slave_file as $zfile)
+ $rsconfig.= $zfile;
+ $config["installedpackages"]["bindzone"]["config"][$x][resultconfig]=base64_encode($rsconfig);
+ $write_config++;
+ }
break;
}
}
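Review bot: `$slave_file` is never reset before the `if ($zone['dnssec']=="on")` branch, and `exec()` appends to an array that already holds elements, so inside the zone loop a slave zone whose `.DB` / `.DB.signed` file is missing inherits the previous zone's data and a signed zone accumulates output across iterations; `$slave_file = null;` next to `$rsconfig="";` closes that. The `exec()` path also differs from the `file()` path in that exec strips the trailing newline from every line, so `$rsconfig.= $zfile` glues the signed zone into a single line; `$rsconfig = implode("\n", array_map('rtrim', $slave_file))."\n";` handles both sources. Finally `{$zonename}` is placed in the named-checkzone command line unquoted; `escapeshellarg($zonename)` is the cheap fix, and the same applies to the pre-existing dnssec-keygen calls shown as context in the second hunk. The enclosing switch, loop and function extend outside this hunk.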
@@ -534,6 +596,7 @@ function bind_print_javascript_type_zone(){
document.iform.reverso.disabled = 0;
document.iform.forwarders.disabled = 1;
document.iform.dnssec.disabled = 0;
+ document.iform.backupkeys.disabled = 0;
document.iform.ipns.disabled = 0;
document.iform.mail.disabled = 0;
document.iform.serial.disabled = 0;
@@ -549,6 +612,7 @@ function bind_print_javascript_type_zone(){
document.iform.reverso.disabled = 0;
document.iform.forwarders.disabled = 1;
document.iform.dnssec.disabled = 0;
+ document.iform.backupkeys.disabled = 0;
document.iform.ipns.disabled = 1;
document.iform.mail.disabled = 1;
document.iform.serial.disabled = 1;
@@ -564,6 +628,7 @@ function bind_print_javascript_type_zone(){
document.iform.reverso.disabled = 1;
document.iform.forwarders.disabled = 0;
document.iform.dnssec.disabled = 1;
+ document.iform.backupkeys.disabled = 1;
document.iform.ipns.disabled = 1;
document.iform.mail.disabled = 1;
document.iform.serial.disabled = 1;
@@ -579,6 +644,7 @@ function bind_print_javascript_type_zone(){
document.iform.reverso.disabled = 1;
document.iform.forwarders.disabled = 1;
document.iform.dnssec.disabled = 1;
+ document.iform.backupkeys.disabled = 1;
document.iform.ipns.disabled = 1;
document.iform.mail.disabled = 0;
document.iform.serial.disabled = 0;
@@ -728,6 +794,8 @@ function bind_do_xmlrpc_sync($sync_to_ip, $username, $password, $synctimeout,$ma
$xml['bindacls'] = $config['installedpackages']['bindacls'];
$xml['bindviews'] = $config['installedpackages']['bindviews'];
$xml['bindzone'] = $config['installedpackages']['bindzone'];
+ if (is_array($config['installedpackages']['dnsseckeys']))
+ $xml['dnsseckeys']=$config['installedpackages']['dnsseckeys'];
//change master zone to slave on backup servers
if(is_array($xml['bindzone']["config"]))
for ($x=0; $x<sizeof($xml['bindzone']["config"]); $x++){
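Review bot: The new `$xml['dnsseckeys']` element carries the base64 of the DNSSEC `.private` files saved by the backup option, so from this commit on the XML-RPC sync payload contains signing key material, which is not visible at this call site. A comment on the added lines, `// dnsseckeys holds base64 private key material (backupkeys option); sync it only over a trusted channel`, would record that, and the sync tab text the commit mentions should say the same. bind_do_xmlrpc_sync's body continues outside this hunk.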
diff --git a/config/bind/bind.xml b/config/bind/bind.xml
index 9a309a81..2e44a80f 100644
--- a/config/bind/bind.xml
+++ b/config/bind/bind.xml
@@ -152,12 +152,6 @@
<multiple/>
</field>
<field>
- <fielddescr>Enable logging</fielddescr>
- <fieldname>bind_logging</fieldname>
- <description>Enable Bind logs, /var/log/named.log</description>
- <type>checkbox</type>
- </field>
- <field>
<fielddescr>Enable Notify</fielddescr>
<fieldname>bind_notify</fieldname>
<description>Notify slave server after any update on master.</description>
@@ -179,6 +173,64 @@
</field>
<field>
<type>listtopic</type>
+ <name>Logging options</name>
+ <fieldname>temp01</fieldname>
+ </field>
+ <field>
+ <fielddescr>Enable logging</fielddescr>
+ <fieldname>bind_logging</fieldname>
+ <description><![CDATA[Enable Bind logs on status-> system logs -> resolver menu.]]></description>
+ <type>checkbox</type>
+ </field>
+ <field>
+ <fielddescr>Loggin serverity</fielddescr>
+ <fieldname>log_severity</fieldname>
+ <description><![CDATA[Select logging levels for selected categories.<BR>
+ use CTRL+click to select/unselect.<br>
+ The value 'dynamic' means assume the global level defined by either the command line parameter -d or by running rndc trace.]]></description>
+ <type>select</type>
+ <options>
+ <option><name>Critital</name><value>critical</value></option>
+ <option><name>Error</name><value>error</value></option>
+ <option><name>Warning</name><value>warning</value></option>
+ <option><name>Notice</name><value>Notice</value></option>
+ <option><name>info</name><value>info</value></option>
+ <option><name>Debug level 1</name><value>debug 1</value></option>
+ <option><name>Debug level 3</name><value>debug 3</value></option>
+ <option><name>Debug level 5</name><value>debug 5</value></option>
+ <option><name>Dynamic</name><value>dynamic</value></option>
+ </options>
+ </field>
+ <field>
+ <fielddescr>Loggin options</fielddescr>
+ <fieldname>log_options</fieldname>
+ <description><![CDATA[Select categories to log.<BR>
+ use CTRL+click to select/unselect.]]></description>
+ <type>select</type>
+ <options>
+ <option><name>Default-if this is the only category selected, it will log all categories except queries</name><value>default</value></option>
+ <option><name>General-Anything that is not classified as any other item in this list defaults to this category</name><value>general</value></option>
+ <option><name>Database-The value 'dynamic' means assume the global level defined by either the command line parameter -d or by running rndc trace</name><value>database</value></option>
+ <option><name>Security-Approval and denial of requests</name><value>security</value></option>
+ <option><name>Config-Configuration file parsing and processing</name><value>config</value></option>
+ <option><name>Resolver-Name resolution including recursive lookups</name><value>resolver</value></option>
+ <option><name>Xfer-in-Details of zone transfers the server is receiving.</name><value>xfer-in</value></option>
+ <option><name>Xfer-out-Details of zone transfers the server is sending.</name><value>xfer-out</value></option>
+ <option><name>Notify-Logs all NOTIFY operations.</name><value>notify</value></option>
+ <option><name>Client-Processing of client requests</name><value>client</value></option>
+ <option><name>Unmatched-No matching view clause or unrecognized class value.</name><value>unmatched</value></option>
+ <option><name>Queries-Logs all query transactions</name><value>queries</value></option>
+ <option><name>Network-Logs all network operations</name><value>network</value></option>
+ <option><name>Update-Logging of all dynamic update (DDNS) transactions</name><value>update</value></option>
+ <option><name>Dispatch-Dispatching of incoming packets to the server modules</name><value>dispatch</value></option>
+ <option><name>DNSSEC-DNSSEC and TSIG protocol processing</name><value>dnssec</value></option>
+ <option><name>lame-servers-Mis-configuration in the delegation of domains discovered by BIND</name><value>lame-servers</value></option>
+ </options>
+ <multiple/>
+ <size>18</size>
+ </field>
+ <field>
+ <type>listtopic</type>
<name>Response Rate Limit</name>
<fieldname>temp01</fieldname>
</field>
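Review bot: Several new option labels carry typos that end up on the settings page: `Loggin serverity` → `Logging severity`, `Loggin options` → `Logging options`, `Critital` → `Critical`; and the `Database` entry's text is a copy of the severity field's "dynamic" sentence rather than a description of the database category. The `Notice` option's value is `Notice` while every other value is lowercase; lowercasing it keeps what is written into named.conf uniform. Both new listtopic fields reuse `<fieldname>temp01</fieldname>`, which is presumably harmless for a topic row but worth a distinct name if the package framework keys on it.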
diff --git a/config/bind/bind_zones.xml b/config/bind/bind_zones.xml
index db68d26c..d3adf630 100644
--- a/config/bind/bind_zones.xml
+++ b/config/bind/bind_zones.xml
@@ -183,10 +183,17 @@
<field>
<fielddescr>Inline Signing</fielddescr>
<fieldname>dnssec</fieldname>
+ <enablefields>backupkeys</enablefields>
<description><![CDATA[<a target=_new href='https://kb.isc.org/article/AA-00626/109/Inline-Signing-in-ISC-BIND-9.9.0-Examples.html'>Enable inline DNSSEC Signing</a> afor this zones.]]></description>
<type>checkbox</type>
</field>
<field>
+ <fielddescr>backup keys</fielddescr>
+ <fieldname>backupkeys</fieldname>
+ <description><![CDATA[Enable this option to include all DNSSEC key files on XML.]]></description>
+ <type>checkbox</type>
+ </field>
+ <field>
<fielddescr>DS set</fielddescr>
<fieldname>dsset</fieldname>
<description><![CDATA[Digest fingerprint of the Key Signing KeyResulting for this zone.<br>
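Review bot: The `backupkeys` description, `Enable this option to include all DNSSEC key files on XML.`, does not say that the `.private` signing keys are included and that config.xml is then carried into configuration backups and XML-RPC sync; I would word it `Store this zone's DNSSEC key files, including the private keys, in config.xml so they survive reinstalls and are sent with XML-RPC sync.` The label `backup keys` could follow the casing of the neighbouring `Inline Signing` / `DS set` labels, e.g. `Backup keys`. The `<enablefields>backupkeys</enablefields>` on the dnssec field presumably duplicates the hand-written JavaScript toggles added in bind.inc; confirm the two do not disagree for a zone type where the script disables the field.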
diff --git a/config/bind/pkg_bind.inc b/config/bind/pkg_bind.inc
index 23daed8e..3ed3351d 100644
--- a/config/bind/pkg_bind.inc
+++ b/config/bind/pkg_bind.inc
@@ -4,7 +4,7 @@ global $shortcuts;
$shortcuts['bind'] = array();
$shortcuts['bind']['main'] = "pkg_edit.php?xml=bind.xml";
-$shortcuts['bind']['log'] = "diag_logs.php";
+$shortcuts['bind']['log'] = "diag_logs_resolver.php";
$shortcuts['bind']['status'] = "status_services.php";
$shortcuts['bind']['service'] = "named";
diff --git a/pkg_config.8.xml b/pkg_config.8.xml
index b8d80983..a00fcc8e 100644
--- a/pkg_config.8.xml
+++ b/pkg_config.8.xml
@@ -53,8 +53,8 @@
<descr><![CDATA[The most widely used name server software]]></descr>
<website>http://www.isc.org/downloads/BIND/</website>
<category>Services</category>
- <version>9.9.4 pkg v 0.2.1</version>
- <status>Beta</status>
+ <version>9.9.4 pkg v 0.3</version>
+ <status>RC</status>
<required_version>2.1</required_version>
<config_file>http://www.pfsense.com/packages/config/bind/bind.xml</config_file>
<configurationfile>bind.xml</configurationfile>
diff --git a/pkg_config.8.xml.amd64 b/pkg_config.8.xml.amd64
index 58580e15..e7b20c45 100644
--- a/pkg_config.8.xml.amd64
+++ b/pkg_config.8.xml.amd64
@@ -53,8 +53,8 @@
<descr><![CDATA[The most widely used name server software]]></descr>
<website>http://www.isc.org/downloads/BIND/</website>
<category>Services</category>
- <version>9.9.4 pkg v 0.2.1</version>
- <status>Beta</status>
+ <version>9.9.4 pkg v 0.3</version>
+ <status>RC</status>
<required_version>2.1</required_version>
<config_file>http://www.pfsense.com/packages/config/bind/bind.xml</config_file>
<configurationfile>bind.xml</configurationfile>