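#!/bin/bash
# bash script to sign zone files with dnssec for bind
# needs zonesigner command (for debian given in dnssec-tools package)
#
# Usage: $0 -z|--zone ZONENAME [-z ZONENAME ...] | -a|--all
#           -n|--new | -s|--serial SERIAL
#
# Zone names and the serial come from the command line and end up as a
# path component, as a zonesigner/rndc argument, inside a sed replacement
# and inside a remote shell command (reloadSlaves). Both are therefore
# validated against a strict character set before anything uses them.
#
# Exit status: 0 if every selected zone was signed, 1 if a zone could not
# be signed or bind could not be restarted, 2 on usage errors.

set -u            # an unset variable is a programming error
set -o pipefail   # the ssh | filter pipeline must report the ssh status

# defines the path to the dnssec key directory
# change to fit your environment
readonly KEY_DIR='/var/bind9/chroot/var/cache/bind/keys'

# zone files are expected relative to KEY_DIR as MASTER_DIR/zone.ZONE_NAME.zone
# change path and form to fit your environment
readonly MASTER_DIR='../master'

# zones selected by -a|--all and slave hosts reloaded after (re)signing
# change to fit your environment
declare -ra ALL_ZONES=(zone1.tld zone2.tld zone3.tld zone4.tld)
declare -ra SLAVES=(slave1 slave2 slav3 slav4)

# state filled by parse_args / main
NEED_RESTART=0   # set to 1 once at least one zone was re-signed
ZONES=()         # selected zone names (validated)
DAT=''           # serial to write into the zone files (10 digits)

# prints a message to stderr and exits with status 1
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# prints the usage line to stderr and exits with $1 (default 2)
# replaces the recursive "$0 -h" of the original, which always exited 0
usage() {
  printf 'Usage %s -z|--zone ZONENAME -a|--all -n|--new -s|--serial SERIAL\n' \
    "$0" >&2
  exit "${1:-2}"
}

# a zone name is used as a path component, as a command argument and in a
# remote shell command line: allow hostname characters only (no '/', no
# whitespace, no shell metacharacters) and no leading '-' (option injection)
valid_zone() {
  [[ "$1" =~ ^[A-Za-z0-9][A-Za-z0-9._-]*$ ]]
}

# the serial is spliced into a sed replacement and must have the 10-digit
# YYYYMMDDnn form that the zone-file regex in sign_zone looks for
valid_serial() {
  [[ "$1" =~ ^[0-9]{10}$ ]]
}

# get args from command line and set ZONES / DAT for the script
# -a replaces any zones given so far, -z appends (as in the original)
parse_args() {
  while (( $# )); do
    case "$1" in
      -z|--zone)
        [[ $# -ge 2 ]] || die 'option -z|--zone requires a ZONENAME'
        valid_zone "$2" || die "invalid zone name: $2"
        ZONES+=("$2")
        shift 2
        ;;
      -a|--all)
        ZONES=("${ALL_ZONES[@]}")
        shift
        ;;
      -n|--new)
        DAT="$(date +'%Y%m%d')00"
        shift
        ;;
      -s|--serial)
        [[ $# -ge 2 ]] || die 'option -s|--serial requires a SERIAL'
        valid_serial "$2" || die "invalid serial (expected 10 digits): $2"
        DAT=$2
        shift 2
        ;;
      -h|--help)
        usage 0
        ;;
      *)
        printf 'unknown option: %s\n' "$1" >&2
        usage 2
        ;;
    esac
  done
}

# reloads slave servers via "rndc reload ZONE" over ssh, for every selected
# zone on every slave; a failing slave is reported and the loop goes on.
# Lines of the remote rndc output starting with "zone" get the zone and host
# name inserted (same effect as the original sed) so the output stays
# readable across zones and hosts.
reloadSlaves() {
  local host zone remote line
  for host in "${SLAVES[@]}"; do
    for zone in "${ZONES[@]}"; do
      # zone names are validated in parse_args; %q additionally quotes the
      # argument for the remote shell that ssh hands the command string to
      printf -v remote 'rndc reload %q' "$zone"
      ssh "root@$host" "$remote" | while IFS= read -r line; do
        case "$line" in
          zone*) printf '%s\n' "zone $zone on $host${line#zone}" ;;
          *)     printf '%s\n' "$line" ;;
        esac
      done \
        || printf 'warning: rndc reload %s on %s failed\n' "$zone" "$host" >&2
    done
  done
}

# writes the serial into the zone's file and runs zonesigner on it
# $1 - zone name (validated); must run with KEY_DIR as cwd
# returns non-zero if the zone file is missing or sed/zonesigner fail
sign_zone() {
  local zone=$1
  local zonefile="$MASTER_DIR/zone.$zone.zone"
  if [[ ! -f "$zonefile" ]]; then
    printf 'zone file %s not found\n' "$zonefile" >&2
    return 1
  fi
  # replace the existing 10-digit serial; DAT is all digits (valid_serial or
  # date), so it cannot contain characters special to the sed replacement
  sed -i "s/\s*[0-9]\{10\}\s*;\s*serial/\t\t\t\t$DAT ; serial/" "$zonefile" \
    || return 1
  zonesigner -zone "$zone" "$zonefile"
}

main() {
  local zone failed=0
  parse_args "$@"

  # no zone given: exit with help display
  (( ${#ZONES[@]} )) || usage 2
  # no serial specified for zone or parameter -n for new serial not set
  if [[ -z "$DAT" ]]; then
    printf '%s\n' 'either specify a serial or use -n|--new to generate a new one. See help' >&2
    usage 2
  fi

  # cwd to key directory, exit with error if not successful
  cd "$KEY_DIR" >/dev/null 2>&1 || die "Could not change to dir $KEY_DIR"

  for zone in "${ZONES[@]}"; do
    if sign_zone "$zone"; then
      # only a successfully re-signed zone justifies a bind restart
      NEED_RESTART=1
    else
      printf 'signing zone %s failed\n' "$zone" >&2
      failed=1
    fi
  done

  if (( NEED_RESTART == 1 )); then
    /etc/init.d/bind9 restart || die 'bind9 restart failed, slaves not reloaded'
    reloadSlaves
  fi
  return "$failed"
}

main "$@"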