author | Marcello Coutinho <marcellocoutinho@gmail.com> | 2013-10-24 19:25:05 -0200 |
committer | Marcello Coutinho <marcellocoutinho@gmail.com> | 2013-10-24 19:25:05 -0200 |
commit | 146956ced860734364f56b412d32dd2ad58dab3e (patch) | |
tree | 438202be126ec32f39c2a01d3d1c6fe4a717a4c6 /config/bind | |
parent | f48cf8164b8cfc25752213ecba7c430535b42c57 (diff) | |
download | pfsense-packages-146956ced860734364f56b412d32dd2ad58dab3e.tar.gz pfsense-packages-146956ced860734364f56b412d32dd2ad58dab3e.tar.bz2 pfsense-packages-146956ced860734364f56b412d32dd2ad58dab3e.zip |
bind - include dnssec backup to xml option, include a lot of logging options and forward it to resolver systemlog tab via syslog.
add more info on sync tab
Diffstat (limited to 'config/bind')
-rw-r--r-- | config/bind/bind.inc | 114 | ||||
-rw-r--r-- | config/bind/bind.xml | 64 | ||||
-rw-r--r-- | config/bind/bind_zones.xml | 7 | ||||
-rw-r--r-- | config/bind/pkg_bind.inc | 2 |
4 files changed, 157 insertions, 30 deletions
diff --git a/config/bind/bind.inc b/config/bind/bind.inc
index 60fa23d5..66ed6301 100644
--- a/config/bind/bind.inc
+++ b/config/bind/bind.inc
@@ -204,26 +204,40 @@ EOD;
 $bind_conf .= "\t};\n\n";
 if ($bind_logging == on){
-$bind_conf .= <<<EOD
-
- logging {
- channel custom {
- file "/var/log/named.log";
- print-time yes;
- print-category yes;
- };
-
- category config {custom;};
- category notify {custom;};
- category dnssec {custom;};
- category general {custom;};
- category security {custom;};
- category xfer-out {custom;};
- category lame-servers {custom;};
- };
+ //check if bind is included on syslog
+ $syslog_files=array("/etc/inc/system.inc","/var/etc/syslog.conf");
+ $restart_syslog=0;
+ foreach ($syslog_files as $syslog_file){
+ $syslog_file_data=file_get_contents($syslog_file);
+ if (!preg_match("/dnsmasq,named,filterdns/",$syslog_file_data)){
+ $syslog_file_data=preg_replace("/dnsmasq,filterdns/","dnsmasq,named,filterdns",$syslog_file_data);
+ file_put_contents($syslog_file,$syslog_file_data);
+ $restart_syslog++;
+ }
+ }
+ if ($restart_syslog > 0){
+ system("/usr/bin/killall -HUP syslogd");
+ }
+ $log_categories=explode(",",$bind['log_options']);
+ $log_severity=($bind['log_severity']?$bind['log_severity']:'default');
+ if (sizeof($log_categories) > 0 && $log_categories[0]!=""){
+ $bind_conf .= <<<EOD
+
+ logging {
+ channel custom {
+ syslog daemon;
+ print-time no;
+ print-severity yes;
+ print-category yes;
+ severity {$log_severity};
+ };
 EOD;
- }
+ foreach ($log_categories as $category)
+ $bind_conf .="\t\t\tcategory $category\t{custom;};\n";
+ $bind_conf .="\t\t};\n\n";
+ }
+ }
 #Config Zone domain
 if(!is_array($config["installedpackages"]["bindacls"]) || !is_array($config["installedpackages"]["bindacls"]["config"])){
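Review bot: The severity and category values reach named.conf unvalidated: `$log_severity` is interpolated into the heredoc and each `$category` into `category $category {custom;};`, and both come from `$bind[...]`, i.e. config.xml, which is also what XML-RPC sync delivers from a peer, so an unexpected value either breaks the generated config or adds directives the form never offered. Whitelist both against the option values defined in bind.xml before emitting, e.g. `$log_categories = array_intersect($log_categories, $allowed_categories);` with `$allowed_categories` listing the seventeen category names, and the same for the severity. The syslog patch loop also rewrites `/etc/inc/system.inc` and `/var/etc/syslog.conf` whenever `dnsmasq,named,filterdns` is absent; if the `dnsmasq,filterdns` replacement target is absent too, the unchanged file is written back and syslogd is HUPed on every restart, and `file_get_contents()` on a missing file returns false without a check. Only write and count when the text actually changed: `$patched=preg_replace(...); if ($patched!==$syslog_file_data){ file_put_contents($syslog_file,$patched); $restart_syslog++; }`. The enclosing function starts and ends outside the hunk.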
@@ -427,14 +441,28 @@ EOD;
 $zone_found++;
 }
 if ($zone_found==0){
+ $key_restored=0;
+ if(is_array($config['installedpackages']['dnsseckeys']) && is_array($config['installedpackages']['dnsseckeys']['config'])){
+ foreach ($config['installedpackages']['dnsseckeys']['config']as $filer)
+ if (preg_match ("/K$zonename\.+/",$filer['fullfile'])){
+ file_put_contents($filer['fullfile'],base64_decode($filer['filedata']),LOCK_EX);
+ chmod($filer['fullfile'],0700);
+ chown($filer['fullfile'],"bind");
+ $key_restored++;
+ }
+ }
+ if ($key_restored > 0){
+ log_error("[bind] {$key_restored} DNSSEC keys restored from XML backup for {$zonename} zone.");
+ }
 $dnssec_bin="/usr/local/sbin/dnssec-keygen";
- if (file_exists($dnssec_bin)){
+ if (file_exists($dnssec_bin) && $key_restored==0){
 exec("{$dnssec_bin} -K ".CHROOT_LOCALBASE."/etc/namedb/keys {$zonename}",$kout);
 exec("{$dnssec_bin} -K ".CHROOT_LOCALBASE."/etc/namedb/keys -fk {$zonename}",$kout);
 foreach($kout as $filename){
 chown(CHROOT_LOCALBASE."/etc/namedb/keys/{$filename}.key","bind");
 chown(CHROOT_LOCALBASE."/etc/namedb/keys/{$filename}.private","bind");
 }
+ log_error("[bind] DNSSEC keys for {$zonename} created.");
 }
 }
 //get ds keys
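Review bot: `file_put_contents($filer['fullfile'], ...)` writes to whatever path the `dnsseckeys` entry carries, and that entry is plain config.xml data (restored from a backup or pushed by the sync master over XML-RPC), so the restore path is never checked against the keys directory; a crafted or corrupted entry overwrites an arbitrary file as the web-GUI user. Confine it before writing, e.g. `if (dirname($filer['fullfile']) != CHROOT_LOCALBASE."/etc/namedb/keys") continue;`, and match on `basename()` rather than the full path. The pattern `"/K$zonename\.+/"` interpolates the zone name unescaped and unanchored, so its dots match any character; `'/^K'.preg_quote($zonename,'/').'\.\+/'` applied to the basename pins the `K<zone>.+<alg>+<id>` naming the keygen calls below produce. `chmod(...,0700)` also sets the execute bit on key files, which is not needed; `0600` is the usual mode for private key material (the `.key` files are public and could stay readable). The enclosing zone loop starts and ends outside the hunk.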
@@ -447,6 +475,30 @@ EOD;
 $write_config++;
 }
 }
+ //save dnssec keys to xml
+
+ if($zone['backupkeys']=="on"){
+ $dnssec_keys=0;
+ foreach (glob(CHROOT_LOCALBASE."/etc/namedb/keys/*{$zonename}*",GLOB_NOSORT) as $filename){
+ $file_found=0;
+ if(is_array($config['installedpackages']['dnsseckeys']) && is_array($config['installedpackages']['dnsseckeys']['config'])){
+ foreach ($config['installedpackages']['dnsseckeys']['config']as $filer){
+ if ($filer['fullfile']==$filename)
+ $file_found++;
+ }
+ }
+ if ($file_found==0){
+ $config['installedpackages']['dnsseckeys']['config'][]=array('fullfile'=> $filename,
+ 'description'=> "bind {$zonename} DNSSEC backup file",
+ 'filedata'=> base64_encode(file_get_contents($filename)));
+ $write_config++;
+ $dnssec_keys++;
+ }
+ }
+ if($dnssec_keys>0){
+ log_error("[bind] {$dnssec_keys} DNSSEC keys for {$zonename} zone saved on XML config.");
+ }
+ }
 }
 break;
 case "slave":
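Review bot: The glob `*{$zonename}*` is a substring match, so backing up zone `example.com` also sweeps up every key file of `sub.example.com` and of any other zone whose name contains that string, and each of those is then stored under the "bind example.com DNSSEC backup file" description; match the BIND naming instead: `glob(CHROOT_LOCALBASE."/etc/namedb/keys/K{$zonename}.+*", GLOB_NOSORT)`. The de-duplication compares only `fullfile`, so once an entry exists its `filedata` is never refreshed: a rotated or regenerated key keeps the stale base64 copy, and the restore branch in the hunk above would put that old key back on a rebuilt system. Since the `.private` files go into config.xml as base64 with no further protection, a comment on the `if($zone['backupkeys']=="on")` line should say so, e.g. `// stores .key and .private files in config.xml; backups and sync peers receive the private signing keys`. The enclosing switch statement continues outside the hunk.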
@@ -454,11 +506,21 @@ EOD;
 chown(CHROOT_LOCALBASE."/etc/namedb/$zonetype","bind");
 chown(CHROOT_LOCALBASE."/etc/namedb/$zonetype/$zoneview","bind");
 //check if exists slave zone file
- if (file_exists(CHROOT_LOCALBASE."/etc/namedb/$zonetype/$zoneview/$zonename.DB")){
- $slave_file=file_get_contents(CHROOT_LOCALBASE."/etc/namedb/$zonetype/$zoneview/$zonename.DB");
- $config["installedpackages"]["bindzone"]["config"][$x][resultconfig]=base64_encode($slave_file);
- $write_config++;
+ $rsconfig="";
+ if ($zone['dnssec']=="on"){
+ if (file_exists(CHROOT_LOCALBASE."/etc/namedb/$zonetype/$zoneview/$zonename.DB.signed"))
+ exec("/usr/local/sbin/named-checkzone -D -f raw -o - {$zonename} ".CHROOT_LOCALBASE."/etc/namedb/$zonetype/$zoneview/$zonename.DB.signed",$slave_file);
+ }
+ else{
+ if (file_exists(CHROOT_LOCALBASE."/etc/namedb/$zonetype/$zoneview/$zonename.DB"))
+ $slave_file=file(CHROOT_LOCALBASE."/etc/namedb/$zonetype/$zoneview/$zonename.DB");
 }
+ if (is_array($slave_file)){
+ foreach ($slave_file as $zfile)
+ $rsconfig.= $zfile;
+ $config["installedpackages"]["bindzone"]["config"][$x][resultconfig]=base64_encode($rsconfig);
+ $write_config++;
+ }
 break;
 }
 }
@@ -534,6 +596,7 @@ function bind_print_javascript_type_zone(){
 document.iform.reverso.disabled = 0;
 document.iform.forwarders.disabled = 1;
 document.iform.dnssec.disabled = 0;
+ document.iform.backupkeys.disabled = 0;
 document.iform.ipns.disabled = 0;
 document.iform.mail.disabled = 0;
 document.iform.serial.disabled = 0;
@@ -549,6 +612,7 @@ function bind_print_javascript_type_zone(){
 document.iform.reverso.disabled = 0;
 document.iform.forwarders.disabled = 1;
 document.iform.dnssec.disabled = 0;
+ document.iform.backupkeys.disabled = 0;
 document.iform.ipns.disabled = 1;
 document.iform.mail.disabled = 1;
 document.iform.serial.disabled = 1;
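Review bot: The signed-zone branch loses the line structure of the dump: `exec()` fills `$slave_file` with lines whose trailing newline is stripped, so `$rsconfig .= $zfile` glues the whole `named-checkzone -D` output into one line, while the `file()` branch keeps its newlines — the resultconfig stored for a DNSSEC slave is therefore not a loadable zone file. Join the exec output with `implode("\n", $slave_file) . "\n"` (and `implode("", $slave_file)` for the `file()` case), and initialise `$slave_file = array();` next to `$rsconfig=""` so `is_array($slave_file)` is not evaluated on an undefined variable when neither file exists. `{$zonename}` is also dropped into the named-checkzone command line without `escapeshellarg()`; the zone name is free text from config.xml and XML-RPC sync, so it should be quoted there (the pre-existing dnssec-keygen calls have the same shape). The new `[resultconfig]` subscript keeps the bareword key from the removed line and should be `['resultconfig']`. The two javascript hunks on this line only mirror `dnssec` for the new checkbox and need nothing.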
@@ -564,6 +628,7 @@ function bind_print_javascript_type_zone(){
 document.iform.reverso.disabled = 1;
 document.iform.forwarders.disabled = 0;
 document.iform.dnssec.disabled = 1;
+ document.iform.backupkeys.disabled = 1;
 document.iform.ipns.disabled = 1;
 document.iform.mail.disabled = 1;
 document.iform.serial.disabled = 1;
@@ -579,6 +644,7 @@ function bind_print_javascript_type_zone(){
 document.iform.reverso.disabled = 1;
 document.iform.forwarders.disabled = 1;
 document.iform.dnssec.disabled = 1;
+ document.iform.backupkeys.disabled = 1;
 document.iform.ipns.disabled = 1;
 document.iform.mail.disabled = 0;
 document.iform.serial.disabled = 0;
@@ -728,6 +794,8 @@ function bind_do_xmlrpc_sync($sync_to_ip, $username, $password, $synctimeout,$ma
 $xml['bindacls'] = $config['installedpackages']['bindacls'];
 $xml['bindviews'] = $config['installedpackages']['bindviews'];
 $xml['bindzone'] = $config['installedpackages']['bindzone'];
+ if (is_array($config['installedpackages']['dnsseckeys']))
+ $xml['dnsseckeys']=$config['installedpackages']['dnsseckeys'];
 //change master zone to slave on backup servers
 if(is_array($xml['bindzone']["config"]))
 for ($x=0; $x<sizeof($xml['bindzone']["config"]); $x++){
diff --git a/config/bind/bind.xml b/config/bind/bind.xml
index 9a309a81..2e44a80f 100644
--- a/config/bind/bind.xml
+++ b/config/bind/bind.xml
@@ -152,12 +152,6 @@
 <multiple/>
 </field>
 <field>
- <fielddescr>Enable logging</fielddescr>
- <fieldname>bind_logging</fieldname>
- <description>Enable Bind logs, /var/log/named.log</description>
- <type>checkbox</type>
- </field>
- <field>
 <fielddescr>Enable Notify</fielddescr>
 <fieldname>bind_notify</fieldname>
 <description>Notify slave server after any update on master.</description>
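Review bot: `$xml['dnsseckeys']` sends every stored key entry, `.private` files included, to each sync target, yet the context line right below says master zones are converted to slave on the backup servers, where the private signing keys are not needed for serving the zone (inferred from that comment, not from code visible here). If the copy is intentional as a backup, say so on the new lines, e.g. `// dnsseckeys holds base64 .key and .private files; sync peers receive the signing keys`; otherwise filter the list to the `.key` entries before adding it to `$xml`. Note also that when the master has no `dnsseckeys` array the guard leaves the key unset, so a peer's existing entries are not cleared by the sync — fine if that is deliberate, but worth a word. bind_do_xmlrpc_sync continues outside the hunk; the two javascript hunks and the bind.xml field move on this line need nothing.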
@@ -179,6 +173,64 @@
 </field>
 <field>
 <type>listtopic</type>
+ <name>Logging options</name>
+ <fieldname>temp01</fieldname>
+ </field>
+ <field>
+ <fielddescr>Enable logging</fielddescr>
+ <fieldname>bind_logging</fieldname>
+ <description><![CDATA[Enable Bind logs on status-> system logs -> resolver menu.]]></description>
+ <type>checkbox</type>
+ </field>
+ <field>
+ <fielddescr>Loggin serverity</fielddescr>
+ <fieldname>log_severity</fieldname>
+ <description><![CDATA[Select logging levels for selected categories.<BR>
+ use CTRL+click to select/unselect.<br>
+ The value 'dynamic' means assume the global level defined by either the command line parameter -d or by running rndc trace.]]></description>
+ <type>select</type>
+ <options>
+ <option><name>Critital</name><value>critical</value></option>
+ <option><name>Error</name><value>error</value></option>
+ <option><name>Warning</name><value>warning</value></option>
+ <option><name>Notice</name><value>Notice</value></option>
+ <option><name>info</name><value>info</value></option>
+ <option><name>Debug level 1</name><value>debug 1</value></option>
+ <option><name>Debug level 3</name><value>debug 3</value></option>
+ <option><name>Debug level 5</name><value>debug 5</value></option>
+ <option><name>Dynamic</name><value>dynamic</value></option>
+ </options>
+ </field>
+ <field>
+ <fielddescr>Loggin options</fielddescr>
+ <fieldname>log_options</fieldname>
+ <description><![CDATA[Select categories to log.<BR>
+ use CTRL+click to select/unselect.]]></description>
+ <type>select</type>
+ <options>
+ <option><name>Default-if this is the only category selected, it will log all categories except queries</name><value>default</value></option>
+ <option><name>General-Anything that is not classified as any other item in this list defaults to this category</name><value>general</value></option>
+ <option><name>Database-The value 'dynamic' means assume the global level defined by either the command line parameter -d or by running 
rndc trace</name><value>database</value></option>
+ <option><name>Security-Approval and denial of requests</name><value>security</value></option>
+ <option><name>Config-Configuration file parsing and processing</name><value>config</value></option>
+ <option><name>Resolver-Name resolution including recursive lookups</name><value>resolver</value></option>
+ <option><name>Xfer-in-Details of zone transfers the server is receiving.</name><value>xfer-in</value></option>
+ <option><name>Xfer-out-Details of zone transfers the server is sending.</name><value>xfer-out</value></option>
+ <option><name>Notify-Logs all NOTIFY operations.</name><value>notify</value></option>
+ <option><name>Client-Processing of client requests</name><value>client</value></option>
+ <option><name>Unmatched-No matching view clause or unrecognized class value.</name><value>unmatched</value></option>
+ <option><name>Queries-Logs all query transactions</name><value>queries</value></option>
+ <option><name>Network-Logs all network operations</name><value>network</value></option>
+ <option><name>Update-Logging of all dynamic update (DDNS) transactions</name><value>update</value></option>
+ <option><name>Dispatch-Dispatching of incoming packets to the server modules</name><value>dispatch</value></option>
+ <option><name>DNSSEC-DNSSEC and TSIG protocol processing</name><value>dnssec</value></option>
+ <option><name>lame-servers-Mis-configuration in the delegation of domains discovered by BIND</name><value>lame-servers</value></option>
+ </options>
+ <multiple/>
+ <size>18</size>
+ </field>
+ <field>
+ <type>listtopic</type>
 <name>Response Rate Limit</name>
 <fieldname>temp01</fieldname>
 </field>
diff --git a/config/bind/bind_zones.xml b/config/bind/bind_zones.xml
index db68d26c..d3adf630 100644
--- a/config/bind/bind_zones.xml
+++ b/config/bind/bind_zones.xml
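Review bot: The `Notice` option's value is `Notice` while every other severity value is lowercase; bind.inc writes it verbatim into `severity {$log_severity};` in named.conf, so it should be `notice` unless BIND's parser is confirmed to accept mixed case. Several labels and descriptions in the new fields also need attention: `Loggin serverity`, `Loggin options` and `Critital` are typos, the `log_severity` description says "use CTRL+click to select/unselect" although that field is a single select, and the `Database` option repeats the 'dynamic' severity text instead of describing the database category (BIND's docs describe it as messages about the server's internal database). Both listtopic fields carry `<fieldname>temp01</fieldname>`; giving the new one its own name (e.g. `temp02`) avoids a duplicate field name on the form, should the form handler ever key on it.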
@@ -183,10 +183,17 @@
 <field>
 <fielddescr>Inline Signing</fielddescr>
 <fieldname>dnssec</fieldname>
+ <enablefields>backupkeys</enablefields>
 <description><![CDATA[<a target=_new href='https://kb.isc.org/article/AA-00626/109/Inline-Signing-in-ISC-BIND-9.9.0-Examples.html'>Enable inline DNSSEC Signing</a> afor this zones.]]></description>
 <type>checkbox</type>
 </field>
 <field>
+ <fielddescr>backup keys</fielddescr>
+ <fieldname>backupkeys</fieldname>
+ <description><![CDATA[Enable this option to include all DNSSEC key files on XML.]]></description>
+ <type>checkbox</type>
+ </field>
+ <field>
 <fielddescr>DS set</fielddescr>
 <fieldname>dsset</fieldname>
 <description><![CDATA[Digest fingerprint of the Key Signing KeyResulting for this zone.<br>
diff --git a/config/bind/pkg_bind.inc b/config/bind/pkg_bind.inc
index 23daed8e..3ed3351d 100644
--- a/config/bind/pkg_bind.inc
+++ b/config/bind/pkg_bind.inc
@@ -4,7 +4,7 @@ global $shortcuts;
 $shortcuts['bind'] = array();
 $shortcuts['bind']['main'] = "pkg_edit.php?xml=bind.xml";
-$shortcuts['bind']['log'] = "diag_logs.php";
+$shortcuts['bind']['log'] = "diag_logs_resolver.php";
 $shortcuts['bind']['status'] = "status_services.php";
 $shortcuts['bind']['service'] = "named"; |
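Review bot: The `backupkeys` description does not tell the operator what they are switching on: with it enabled, bind.inc base64-encodes every key file matching the zone name, the `.private` signing keys included, into config.xml, which then travels with every configuration backup and to each XML-RPC sync peer. Suggested text: `Store this zone's DNSSEC key files (including the private keys) base64-encoded in config.xml, so they survive reinstalls and are copied to sync peers. Anyone holding the config file can sign for this zone.` The label should also be capitalised like its neighbours (`Backup keys`). The pkg_bind.inc hunk is a one-line path change and needs nothing.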