From 146956ced860734364f56b412d32dd2ad58dab3e Mon Sep 17 00:00:00 2001
From: Marcello Coutinho <marcellocoutinho@gmail.com>
Date: Thu, 24 Oct 2013 19:25:05 -0200
Subject: bind - include dnssec backup to xml option, include a lot of logging
 options and forward it to resolver systemlog tab via syslog. add more info on
 sync tab

---
 config/bind/bind.inc       | 114 ++++++++++++++++++++++++++++++++++++---------
 config/bind/bind.xml       |  64 ++++++++++++++++++++++---
 config/bind/bind_zones.xml |   7 +++
 config/bind/pkg_bind.inc   |   2 +-
 4 files changed, 157 insertions(+), 30 deletions(-)

(limited to 'config/bind')

diff --git a/config/bind/bind.inc b/config/bind/bind.inc
index 60fa23d5..66ed6301 100644
--- a/config/bind/bind.inc
+++ b/config/bind/bind.inc
@@ -204,26 +204,40 @@ EOD;
 	$bind_conf .= "\t};\n\n";
 	
 	if ($bind_logging == on){
-$bind_conf .= <<<EOD
-
-	logging {
-		channel custom {
-			file "/var/log/named.log";
-			print-time yes;
-			print-category yes;
-		};
-
-		category config         {custom;};
-		category notify         {custom;};
-		category dnssec         {custom;};
-		category general        {custom;};
-		category security       {custom;};
-		category xfer-out       {custom;};
-		category lame-servers   {custom;};
-	}; 
+		//check if bind is included on syslog
+		$syslog_files=array("/etc/inc/system.inc","/var/etc/syslog.conf");
+		$restart_syslog=0;
+		foreach ($syslog_files as $syslog_file){
+			$syslog_file_data=file_get_contents($syslog_file);
+			if (!preg_match("/dnsmasq,named,filterdns/",$syslog_file_data)){
+				$syslog_file_data=preg_replace("/dnsmasq,filterdns/","dnsmasq,named,filterdns",$syslog_file_data);
+				file_put_contents($syslog_file,$syslog_file_data);
+				$restart_syslog++;
+				}
+			}
+		if ($restart_syslog > 0){
+			system("/usr/bin/killall -HUP syslogd");
+		}
+		$log_categories=explode(",",$bind['log_options']);
+		$log_severity=($bind['log_severity']?$bind['log_severity']:'default');
+		if (sizeof($log_categories) > 0 && $log_categories[0]!=""){
+			$bind_conf .= <<<EOD
+			
+		logging {
+			channel custom {
+				syslog daemon;
+				print-time no;
+				print-severity yes;
+				print-category yes;
+				severity {$log_severity};
+				};
 
 EOD;
-	}
+		foreach ($log_categories as $category)
+			$bind_conf .="\t\t\tcategory $category\t{custom;};\n";
+		$bind_conf .="\t\t};\n\n";				
+				}
+		 }
 
 	#Config Zone domain
 	if(!is_array($config["installedpackages"]["bindacls"]) || !is_array($config["installedpackages"]["bindacls"]["config"])){
@@ -427,14 +441,28 @@ EOD;
 								$zone_found++;
 	        					}
 							if ($zone_found==0){
+								$key_restored=0;
+								if(is_array($config['installedpackages']['dnsseckeys']) && is_array($config['installedpackages']['dnsseckeys']['config'])){
+									foreach ($config['installedpackages']['dnsseckeys']['config']as $filer)
+										if (preg_match ("/K$zonename\.+/",$filer['fullfile'])){
+											file_put_contents($filer['fullfile'],base64_decode($filer['filedata']),LOCK_EX);
+											chmod($filer['fullfile'],0700);
+											chown($filer['fullfile'],"bind");
+											$key_restored++;
+											}
+										}
+								if ($key_restored > 0){
+									log_error("[bind] {$key_restored} DNSSEC keys restored from XML backup for {$zonename} zone.");
+									}
 								$dnssec_bin="/usr/local/sbin/dnssec-keygen";
-								if (file_exists($dnssec_bin)){
+								if (file_exists($dnssec_bin) && $key_restored==0){
 									exec("{$dnssec_bin} -K ".CHROOT_LOCALBASE."/etc/namedb/keys {$zonename}",$kout);
 									exec("{$dnssec_bin} -K ".CHROOT_LOCALBASE."/etc/namedb/keys -fk {$zonename}",$kout);
 									foreach($kout as $filename){
 										chown(CHROOT_LOCALBASE."/etc/namedb/keys/{$filename}.key","bind");
 										chown(CHROOT_LOCALBASE."/etc/namedb/keys/{$filename}.private","bind");
 										}
+									log_error("[bind] DNSSEC keys for {$zonename} created.");
 									}
 	        					}
 	        				//get ds keys
@@ -447,6 +475,30 @@ EOD;
 	        							$write_config++;
 	        							}
 								}
+							//save dnssec keys to xml
+							
+							if($zone['backupkeys']=="on"){
+								$dnssec_keys=0;
+								foreach (glob(CHROOT_LOCALBASE."/etc/namedb/keys/*{$zonename}*",GLOB_NOSORT) as $filename){
+									$file_found=0;
+									if(is_array($config['installedpackages']['dnsseckeys']) && is_array($config['installedpackages']['dnsseckeys']['config'])){
+										foreach ($config['installedpackages']['dnsseckeys']['config']as $filer){
+											if ($filer['fullfile']==$filename)
+												$file_found++;
+											}
+										}
+									if ($file_found==0){
+										$config['installedpackages']['dnsseckeys']['config'][]=array('fullfile'=> $filename,
+																								'description'=> "bind {$zonename} DNSSEC backup file",
+																								'filedata'=> base64_encode(file_get_contents($filename)));
+										$write_config++;
+										$dnssec_keys++;
+										}
+									}
+									if($dnssec_keys>0){
+										log_error("[bind] {$dnssec_keys} DNSSEC keys for {$zonename} zone saved on XML config.");
+									}
+								}
         					}
 					break;
 					case "slave":
@@ -454,11 +506,21 @@ EOD;
 					chown(CHROOT_LOCALBASE."/etc/namedb/$zonetype","bind");
 					chown(CHROOT_LOCALBASE."/etc/namedb/$zonetype/$zoneview","bind");
 					//check if exists slave zone file
-					if (file_exists(CHROOT_LOCALBASE."/etc/namedb/$zonetype/$zoneview/$zonename.DB")){
-						$slave_file=file_get_contents(CHROOT_LOCALBASE."/etc/namedb/$zonetype/$zoneview/$zonename.DB");
-						$config["installedpackages"]["bindzone"]["config"][$x][resultconfig]=base64_encode($slave_file);
-						$write_config++;
+					$rsconfig="";
+					if ($zone['dnssec']=="on"){
+						if (file_exists(CHROOT_LOCALBASE."/etc/namedb/$zonetype/$zoneview/$zonename.DB.signed"))
+						exec("/usr/local/sbin/named-checkzone -D -f raw -o - {$zonename} ".CHROOT_LOCALBASE."/etc/namedb/$zonetype/$zoneview/$zonename.DB.signed",$slave_file);
+						}
+					else{
+						if (file_exists(CHROOT_LOCALBASE."/etc/namedb/$zonetype/$zoneview/$zonename.DB"))
+							$slave_file=file(CHROOT_LOCALBASE."/etc/namedb/$zonetype/$zoneview/$zonename.DB");
 						}
+					if (is_array($slave_file)){
+					foreach ($slave_file as $zfile)
+						$rsconfig.= $zfile;
+					$config["installedpackages"]["bindzone"]["config"][$x][resultconfig]=base64_encode($rsconfig);
+					$write_config++;
+					}
 					break;
 					}
 				}
@@ -534,6 +596,7 @@ function bind_print_javascript_type_zone(){
 					document.iform.reverso.disabled = 0;
 					document.iform.forwarders.disabled = 1;
 					document.iform.dnssec.disabled = 0;
+					document.iform.backupkeys.disabled = 0;
 					document.iform.ipns.disabled = 0;
 					document.iform.mail.disabled = 0;
 					document.iform.serial.disabled = 0;
@@ -549,6 +612,7 @@ function bind_print_javascript_type_zone(){
 					document.iform.reverso.disabled = 0;
 					document.iform.forwarders.disabled = 1;
 					document.iform.dnssec.disabled = 0;
+					document.iform.backupkeys.disabled = 0;
 					document.iform.ipns.disabled = 1;
 					document.iform.mail.disabled = 1;
 					document.iform.serial.disabled = 1;
@@ -564,6 +628,7 @@ function bind_print_javascript_type_zone(){
 					document.iform.reverso.disabled = 1;
 					document.iform.forwarders.disabled = 0;
 					document.iform.dnssec.disabled = 1;
+					document.iform.backupkeys.disabled = 1;
 					document.iform.ipns.disabled = 1;
 					document.iform.mail.disabled = 1;
 					document.iform.serial.disabled = 1;
@@ -579,6 +644,7 @@ function bind_print_javascript_type_zone(){
 					document.iform.reverso.disabled = 1;
 					document.iform.forwarders.disabled = 1;
 					document.iform.dnssec.disabled = 1;
+					document.iform.backupkeys.disabled = 1;
 					document.iform.ipns.disabled = 1;
 					document.iform.mail.disabled = 0;
 					document.iform.serial.disabled = 0;
@@ -728,6 +794,8 @@ function bind_do_xmlrpc_sync($sync_to_ip, $username, $password, $synctimeout,$ma
 	$xml['bindacls'] = $config['installedpackages']['bindacls'];
 	$xml['bindviews'] = $config['installedpackages']['bindviews'];
 	$xml['bindzone'] = $config['installedpackages']['bindzone'];
+	if (is_array($config['installedpackages']['dnsseckeys']))
+		$xml['dnsseckeys']=$config['installedpackages']['dnsseckeys'];
 	//change master zone to slave on backup servers
 	if(is_array($xml['bindzone']["config"])) 
 		for ($x=0; $x<sizeof($xml['bindzone']["config"]); $x++){
diff --git a/config/bind/bind.xml b/config/bind/bind.xml
index 9a309a81..2e44a80f 100644
--- a/config/bind/bind.xml
+++ b/config/bind/bind.xml
@@ -151,12 +151,6 @@
                         <showvirtualips/>
                         <multiple/>
                 </field>
-                <field>
-                        <fielddescr>Enable logging</fielddescr>
-                        <fieldname>bind_logging</fieldname>
-                        <description>Enable Bind logs, /var/log/named.log</description>
-                        <type>checkbox</type>
-                </field>
                 <field>
                         <fielddescr>Enable Notify</fielddescr>
                         <fieldname>bind_notify</fieldname>
@@ -177,6 +171,64 @@
                 	<size>10</size>
 					<default_value>256M</default_value>
                	</field>
+                <field>
+                        <type>listtopic</type>
+                        <name>Logging options</name>
+                        <fieldname>temp01</fieldname>
+                </field>
+                <field>
+                        <fielddescr>Enable logging</fielddescr>
+                        <fieldname>bind_logging</fieldname>
+                        <description><![CDATA[Enable Bind logs on status-> system logs -> resolver menu.]]></description>
+                        <type>checkbox</type>
+                </field>
+				<field>
+					<fielddescr>Loggin serverity</fielddescr>
+					<fieldname>log_severity</fieldname>
+					<description><![CDATA[Select logging levels for selected categories.<BR>
+								use CTRL+click to select/unselect.<br>
+								The value 'dynamic' means assume the global level defined by either the command line parameter -d or by running rndc trace.]]></description>
+					<type>select</type>
+						<options>
+							<option><name>Critital</name><value>critical</value></option>
+							<option><name>Error</name><value>error</value></option>
+							<option><name>Warning</name><value>warning</value></option>
+							<option><name>Notice</name><value>Notice</value></option>
+							<option><name>info</name><value>info</value></option>
+							<option><name>Debug level 1</name><value>debug 1</value></option>
+							<option><name>Debug level 3</name><value>debug 3</value></option>
+							<option><name>Debug level 5</name><value>debug 5</value></option>
+							<option><name>Dynamic</name><value>dynamic</value></option>
+						</options>
+				</field>
+				<field>
+					<fielddescr>Loggin options</fielddescr>
+					<fieldname>log_options</fieldname>
+					<description><![CDATA[Select categories to log.<BR>
+								use CTRL+click to select/unselect.]]></description>
+					<type>select</type>
+						<options>
+							<option><name>Default-if this is the only category selected, it will log all categories except queries</name><value>default</value></option>
+							<option><name>General-Anything that is not classified as any other item in this list defaults to this category</name><value>general</value></option>
+							<option><name>Database-The value 'dynamic' means assume the global level defined by either the command line parameter -d or by running rndc trace</name><value>database</value></option>
+							<option><name>Security-Approval and denial of requests</name><value>security</value></option>
+							<option><name>Config-Configuration file parsing and processing</name><value>config</value></option>
+							<option><name>Resolver-Name resolution including recursive lookups</name><value>resolver</value></option>
+							<option><name>Xfer-in-Details of zone transfers the server is receiving.</name><value>xfer-in</value></option>
+							<option><name>Xfer-out-Details of zone transfers the server is sending.</name><value>xfer-out</value></option>
+							<option><name>Notify-Logs all NOTIFY operations.</name><value>notify</value></option>
+							<option><name>Client-Processing of client requests</name><value>client</value></option>
+							<option><name>Unmatched-No matching view clause or unrecognized class value.</name><value>unmatched</value></option>
+							<option><name>Queries-Logs all query transactions</name><value>queries</value></option>
+							<option><name>Network-Logs all network operations</name><value>network</value></option>
+							<option><name>Update-Logging of all dynamic update (DDNS) transactions</name><value>update</value></option>
+							<option><name>Dispatch-Dispatching of incoming packets to the server modules</name><value>dispatch</value></option>
+							<option><name>DNSSEC-DNSSEC and TSIG protocol processing</name><value>dnssec</value></option>
+							<option><name>lame-servers-Mis-configuration in the delegation of domains discovered by BIND</name><value>lame-servers</value></option>
+						</options>
+						<multiple/>
+						<size>18</size>
+				</field>
                 <field>
                         <type>listtopic</type>
                         <name>Response Rate Limit</name>
diff --git a/config/bind/bind_zones.xml b/config/bind/bind_zones.xml
index db68d26c..d3adf630 100644
--- a/config/bind/bind_zones.xml
+++ b/config/bind/bind_zones.xml
@@ -183,9 +183,16 @@
 		<field>
 			<fielddescr>Inline Signing</fielddescr>
 			<fieldname>dnssec</fieldname>
+			<enablefields>backupkeys</enablefields>
 			<description><![CDATA[<a target=_new href='https://kb.isc.org/article/AA-00626/109/Inline-Signing-in-ISC-BIND-9.9.0-Examples.html'>Enable inline DNSSEC Signing</a> afor this zones.]]></description>
 			<type>checkbox</type>
 		</field>
+		<field>
+			<fielddescr>backup keys</fielddescr>
+			<fieldname>backupkeys</fieldname>
+			<description><![CDATA[Enable this option to include all DNSSEC key files on XML.]]></description>
+			<type>checkbox</type>
+		</field>
 		<field>
 			<fielddescr>DS set</fielddescr>
 			<fieldname>dsset</fieldname>
diff --git a/config/bind/pkg_bind.inc b/config/bind/pkg_bind.inc
index 23daed8e..3ed3351d 100644
--- a/config/bind/pkg_bind.inc
+++ b/config/bind/pkg_bind.inc
@@ -4,7 +4,7 @@ global $shortcuts;
 
 $shortcuts['bind'] = array();
 $shortcuts['bind']['main'] = "pkg_edit.php?xml=bind.xml";
-$shortcuts['bind']['log'] = "diag_logs.php";
+$shortcuts['bind']['log'] = "diag_logs_resolver.php";
 $shortcuts['bind']['status'] = "status_services.php";
 $shortcuts['bind']['service'] = "named";
 
-- 
cgit v1.2.3