File: keyarch

#!/usr/bin/perl
#
# Copyright 2007-2012 SPARTA, Inc.  All rights reserved.  See the COPYING
# file distributed with this software for details.
#
#
# keyarch
#
#	This script archives old KSK and ZSK keys.
#

#
# If we're executing from a packed environment, make sure we've got the
# library path for the packed modules.
#
BEGIN
{
	#
	# A PAR-packed build keeps its modules under $PAR_TEMP/inc/lib; put
	# that directory ahead of the normal module search path.
	#
	unshift @INC, "$ENV{'PAR_TEMP'}/inc/lib" if $ENV{'PAR_TEMP'};
}

use strict;

use Getopt::Long qw(:config no_ignore_case_always);
use Net::DNS::SEC::Tools::conf;
use Net::DNS::SEC::Tools::dnssectools;
use Net::DNS::SEC::Tools::keyrec;
use Net::DNS::SEC::Tools::rollrec;

#
# Version information.
#
my $NAME   = 'keyarch';				# Program name.
my $VERS   = "$NAME version: 1.13.0";		# Program version string.
my $DTVERS = 'DNSSEC-Tools Version: 1.13';	# Package version string.

##########################################
#
# Data required for command line options.
#

my $fnarg;				# Keyrec or rollrec file to be managed.

my %dtconf;				# DNSSEC-Tools config file values.

#
# Option specifications for Getopt::Long, and the hash it fills in.
#
#	zone=s		Zone to archive.
#	kskonly		Only archive KSKs.
#	zskonly		Only archive ZSKs.
#	dtconfig=s	Execution-specific config file.
#	help		Give a usage message and exit.
#	quiet		Quiet output.
#	verbose		Verbose output.
#	Version		Display the version number.
#
my %opts;
my @opts = qw(zone=s kskonly zskonly dtconfig=s help quiet verbose Version);

#
# Flag values for the various options; each mirrors the option of the
# same name.  These initial values are replaced by optsandargs().
#
my $zone;				# Zone to archive.
my $kskonly = 1;			# Archive KSKs.
my $zskonly = 1;			# Archive ZSKs.
my $verbose = 0;			# Verbose option.
my $quiet   = 0;			# Quiet option.

my $keycount = 0;			# Count of archived keys.

my $MV = '/bin/mv';			# Path of the mv command used for archiving.

#######################################################################

#
# Do Everything.
#
exit(main());				# main() returns the archived-key count.

#-----------------------------------------------------------------------------
# Routine:	main()
#
# Purpose:	Do Everything.
#
sub main
{
	#
	# Module errors are reported as messages rather than being fatal.
	#
	erraction(ERR_MSG);

	#
	# A packed (PAR) build carries its own config file; prefer it.
	#
	setconffile("$ENV{'PAR_TEMP'}/inc/dnssec-tools.conf") if runpacked();

	#
	# Parse the command line; this also loads the DNSSEC-Tools config.
	#
	optsandargs();

	#
	# The file argument must be unambiguously a keyrec or a rollrec file.
	#
	my $ftype = dt_filetype($fnarg);
	if(($ftype eq 'mixed') || ($ftype eq 'unknown'))
	{
		print STDERR "file argument must be either a keyrec file OR a rollrec file\n";
		exit(-2);
	}

	if($ftype eq 'rollrec')
	{
		#
		# Rollrec file:  archive -zone's keys, or the keys of every
		# zone the rollrec file names.  chkzone() locates and reads
		# each zone's keyrec file itself (second argument 0).
		#
		rollrec_read($fnarg);

		my @zones = defined($zone) ? ($zone) : sort(rollrec_names());
		chkzone($_,0) for @zones;

		rollrec_close();
	}
	else
	{
		#
		# Keyrec file:  it is read once here, so chkzone() is told not
		# to read it again (second argument 1).  Without -zone, every
		# zone-type keyrec in the file is checked.
		#
		keyrec_read($fnarg);

		if(defined($zone))
		{
			chkzone($zone,1);
		}
		else
		{
			for my $krn (sort(keyrec_names()))
			{
				#
				# NOTE(review): chkzone() calls keyrec_close()
				# when it finishes, so what keyrec_recval()
				# returns for the remaining names depends on
				# the keyrec module's behavior after close --
				# confirm multi-zone keyrec files are handled.
				#
				next if(keyrec_recval($krn,'keyrec_type') ne 'zone');
				chkzone($krn,1);
			}
		}
	}

	#
	# Report the total; it is also the process exit code.
	#
	vprint("$keycount keys archived");
	return($keycount);
}

#-----------------------------------------------------------------------------
# Routine:	chkzone()
#
# Purpose:	Check this zone for obsolete signing sets.  If we find
#		any of the requested types, its keys will be moved to the
#		proper archive directory.
#
sub chkzone
{
	my ($zname, $krfflag) = @_;		# Zone to check; keyrec-already-read flag.

	my $archived = 0;			# Number of key sets moved.

	#
	# Find and read the zone's keyrec file when the caller hasn't done so.
	#
	keyrec_read(rollrec_recval($zname,'keyrec')) unless $krfflag;

	#
	# The archive directory is per-zone when the keyrec names one,
	# otherwise the config file's default.  It is checked here rather
	# than with the other options precisely so each zone can differ.
	#
	my $archdir = keyrec_recval($zname,'archivedir') || $dtconf{'archivedir'};
	return unless checkdir($zname,$archdir);
	vprint("archive directory: $archdir\t\t($zname)");

	for my $krn (sort(keyrec_names()))
	{
		my $keytype = keyrec_recval($krn,'keyrec_type');

		#
		# Only key types containing "obs" are archived.  NOTE(review):
		# the POD also describes revoked (kskrev/zskrev) keys as
		# archivable, but this match does not select them -- confirm
		# which is intended before changing either.
		#
		next unless $keytype =~ /obs/;

		#
		# Honor -zskonly / -kskonly.
		#
		next if(!$kskonly && $keytype =~ /ksk/);
		next if(!$zskonly && $keytype =~ /zsk/);

		#
		# Archive the private and public halves; only the public
		# key's new path is recorded back into the keyrec.
		#
		archit($zname,$krn,"$krn.private",$archdir,0);
		archit($zname,$krn,"$krn.key",$archdir,1);
		$archived++;
	}

	#
	# Rewrite the keyrec file only if something changed, then close it.
	#
	keyrec_write() if $archived;
	keyrec_close();
}

#-----------------------------------------------------------------------------
# Routine:	archit()
#
# Purpose:	Archive the actual key file.
#
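sub archit
{
	my $zone    = shift;				# Key's zone.
	my $keyname = shift;				# Key's name
	my $keyfile = shift;				# Key to archive.
	my $archdir = shift;				# Archive directory.
	my $pubflag = shift;				# Public-key flag.

	my $kronos = time;				# Timestamp.
	my $newname;					# New key path.

	#
	# Go home if the key file doesn't exist.
	#
	return if(!-e $keyfile);

	#
	# Build the new name.  The epoch prefix keeps same-tag keys apart.
	# NOTE(review): if $keyfile ever carries a directory component the
	# result nests that path under $archdir -- confirm keyrec key names
	# are plain file names.
	#
	$newname = "$archdir/$kronos.$keyfile";

	#
	# Move the key.  The list form of system() passes the file names to
	# mv directly instead of through a shell, so names taken from the
	# keyrec or config file are never parsed as shell syntax.  If the
	# move fails, report it and stop here, so the keyrec is not updated
	# to point at a file that was never created and the key isn't
	# counted as archived.
	#
	if(system($MV, $keyfile, $newname) != 0)
	{
		print STDERR "$zone: unable to archive $keyfile to $newname\n";
		return;
	}

	#
	# Report the move; -verbose adds the zone, -quiet suppresses it.
	#
	if($verbose)
	{
		print("archived $keyfile\t\t($zone)\n");
	}
	else
	{
		nqprint("archived $keyfile");
	}

	#
	# If this is a public key, we'll reset the key's path in the keyrec.
	#
	keyrec_setval('key',$keyname,'keypath',$newname) if($pubflag);

	#
	# Bump our count of archived keys.
	#
	$keycount++;
}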

#-----------------------------------------------------------------------------
# Routine:	optsandargs()
#
# Purpose:	Parse our options and arguments.
#
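sub optsandargs
{
	#
	# Check our options.
	#
	GetOptions(\%opts,@opts) || usage();
	$verbose = $opts{'verbose'};
	$quiet	 = $opts{'quiet'};
	$zone	 = $opts{'zone'};
	$kskonly = $opts{'kskonly'};
	$zskonly = $opts{'zskonly'};

	#
	# Show the usage or version number if requested.  The option is
	# declared as "Version" in @opts and Getopt::Long stores it under
	# that spelling, so that is the key that must be tested.
	#
	usage() if(defined($opts{'help'}));
	version() if(defined($opts{'Version'}));

	#
	# Check for a file argument, falling back to the default rollrec
	# file.  Definedness is tested first so an undef result is never
	# string-compared.
	#
	$fnarg = $ARGV[0] || rollrec_default();
	if(!defined($fnarg) || ($fnarg eq ""))
	{
		print STDERR "no rollrec file specified\n";
		exit(-1);
	}

	#
	# Ensure we weren't given both -quiet and -verbose.
	#
	if($quiet && $verbose)
	{
		print STDERR "-quiet and -verbose are mutually exclusive\n";
		exit(-1);
	}

	#
	# Ensure we weren't given both -kskonly and -zskonly.
	#
	if($kskonly && $zskonly)
	{
		print STDERR "-kskonly and -zskonly are mutually exclusive\n";
		exit(-1);
	}

	#
	# Normalize the key-type flags:  giving one option turns the other
	# type off; giving neither archives both types.
	#
	$zskonly = 0 if($kskonly);
	$kskonly = 0 if($zskonly);
	if(!$kskonly && !$zskonly)
	{
		$kskonly = 1;
		$zskonly = 1;
	}

	#
	# An explicit -dtconfig replaces the normal configuration file.
	# NOTE(review): this is applied after rollrec_default() above; if
	# that default is read from the config file, -dtconfig should be
	# applied before it -- confirm against the conf module.
	#
	if(exists($opts{'dtconfig'}))
	{
		setconffile($opts{'dtconfig'});
	}

	#
	# Load the DNSSEC-Tools configuration; chkzone() takes the default
	# archive directory from it.
	#
	%dtconf = parseconfig();
}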

#----------------------------------------------------------------------
# Routine:	checkdir()
#
# Purpose:	Ensures archive directory exists and is a writable directory.
#
sub checkdir
{
	my ($zone, $archdir) = @_;		# Zone name (for the message); directory to check.

	#
	# The tests run in order and the first failure is reported.
	#
	my @checks =
	(
		[ sub { -e $_[0] }, 'does not exist'     ],
		[ sub { -d $_[0] }, 'is not a directory' ],
		[ sub { -w $_[0] }, 'is not writable'    ],
	);

	for my $check (@checks)
	{
		my ($test, $why) = @$check;
		next if $test->($archdir);

		print STDERR "$zone: archive directory \"$archdir\" $why\n";
		return 0;
	}

	return 1;
}

#----------------------------------------------------------------------
# Routine:	vprint()
#
# Purpose:	Verbose printing.
#
sub vprint
{
	my ($msg) = @_;				# Message to print, newline added here.

	return unless $verbose;
	print "$msg\n";
}

#----------------------------------------------------------------------
# Routine:	nqprint()
#
# Purpose:	Non-quiet printing.
#
sub nqprint
{
	my ($msg) = @_;				# Message to print, newline added here.

	return if $quiet;
	print "$msg\n";
}

#----------------------------------------------------------------------
# Routine:	version()
#
# Purpose:	Print the version number(s) and exit.
#
sub version
{
	#
	# Both version strings go to STDERR, one per line, then we exit.
	#
	print STDERR "$_\n" for ($VERS, $DTVERS);

	exit(0);
}

#-----------------------------------------------------------------------------
# Routine:	usage()
#
# Purpose:	Print a usage message and exit.
#
sub usage
{
	#
	# Usage text is written to STDERR.  Note that this routine is also
	# reached when option parsing fails, and it exits with status 0.
	#
	my @options = ('zone <zonename>', 'kskonly', 'zskonly',
		       'dtconfig <config_file>', 'quiet', 'verbose',
		       'Version', 'help');

	my @lines =
	(
		"usage:  keyarch [options] <keyrec-file | rollrec-file>",
		"\toptions:",
		map({ "\t\t-$_" } @options),
	);

	print STDERR "$_\n" for @lines;
	exit(0);
}

1;	# True value; only matters if this file is ever loaded with require.

##############################################################################
#

=pod

=head1 NAME

keyarch - DNSSEC-Tools program to archive old KSK and ZSK keys

=head1 SYNOPSIS

  keyarch [options] <keyrec_file | rollrec_file>

=head1 DESCRIPTION

The B<keyarch> program archives old KSK and ZSK keys.  Keys are considered old
if they are revoked or obsolete.  Keys marked as either I<kskrev> or I<zskrev>
are revoked; keys marked as either I<kskobs> or I<zskobs> are obsolete.
Archived key files are prefixed with the seconds-since-epoch at the time of
archiving, so that a zone's keys that share the same five-digit number (key tag)
can still be told apart.

If the required file argument is a I<keyrec> file, then expired keys listed
in that file are archived.  If the file argument is a I<rollrec> file, the
I<keyrec> files of the zones in that file are checked for expired keys.

If the B<-zone> option is given, then only revoked and obsolete keys belonging
to the specified zone will be archived.

The archive directory is either zone-specific (listed in the zone's I<keyrec>
record in the zone's I<keyrec> file) or the default archive directory given
in the DNSSEC-Tools configuration file.

The count of archived keys is given as the program's exit code; error exit
codes are negative.

=head1 OPTIONS

The following options are recognized:

=over 4

=item B<-zone zone_name>

Name of the zone whose revoked and obsolete keys will be archived.  If this
is not given, then all the zones defined in the I<rollrec> (or I<keyrec>)
file will be checked.

=item B<-kskonly>

Only archive KSK keys.

=item B<-zskonly>

Only archive ZSK keys.

=item B<-dtconfig config_file>

Name of an alternate DNSSEC-Tools configuration file to be processed.
If specified, this configuration file is used I<in place> of the normal
DNSSEC-Tools configuration file B<not> in addition to it.  Also, it will be
handled prior to I<keyrec> files, I<rollrec> files, and command-line options.

=item B<-quiet>

No output will be given.

=item B<-verbose>

Verbose output will be given.

=item B<-help>

Display a usage message.

=item B<-Version>

Displays the version information for B<keyarch> and the DNSSEC-Tools package.

=back

=head1 EXIT VALUES

On success, B<keyarch>'s exit code is the number of keys archived.

B<keyarch> has a 0 exit code if the help message is given.

B<keyarch> has a negative exit code if an error is encountered.

=head1 COPYRIGHT

Copyright 2007-2012 SPARTA, Inc.  All rights reserved.
See the COPYING file included with the DNSSEC-Tools package for details.

=head1 AUTHOR

Wayne Morrison, tewok@tislabs.com

=head1 SEE ALSO

B<rollerd(8)>,
B<zonesigner(8)>

B<Net::DNS::SEC::Tools::conf.pm(3)>,
B<Net::DNS::SEC::Tools::dnssectools.pm(3)>,
B<Net::DNS::SEC::Tools::defaults.pm(3)>,
B<Net::DNS::SEC::Tools::keyrec.pm(3)>,
B<Net::DNS::SEC::Tools::rollrec.pm(3)>

B<keyrec(5)>,
B<rollrec(5)>

=cut