1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
|
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# SPDX-License-Identifier: MPL-2.0
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, you can obtain one at https://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.
from __future__ import print_function
import os, sys, argparse, glob, re, time, calendar, pprint
from collections import defaultdict
prog = "dnssec-keymgr"
from isc import dnskey, keydict, keyseries, policy, parsetab, utils
############################################################################
# print a fatal error and exit
############################################################################
def fatal(*args, **kwargs):
print(*args, **kwargs)
sys.exit(1)
############################################################################
# find the location of an external command
############################################################################
def set_path(command, default=None):
"""find the location of a specified command. If a default is supplied,
exists and it's an executable, we use it; otherwise we search PATH
for an alternative.
:param command: command to look for
:param default: default value to use
:return: PATH with the location of a suitable binary
"""
fpath = default
if not fpath or not os.path.isfile(fpath) or not os.access(fpath, os.X_OK):
path = os.environ["PATH"]
if not path:
path = os.path.defpath
for directory in path.split(os.pathsep):
fpath = directory + os.sep + command
if os.path.isfile(fpath) and os.access(fpath, os.X_OK):
break
fpath = None
return fpath
############################################################################
# parse arguments
############################################################################
def parse_args():
"""Read command line arguments, returns 'args' object
:return: args object properly prepared
"""
keygen = set_path(
"dnssec-keygen", os.path.join(utils.prefix("sbin"), "dnssec-keygen")
)
settime = set_path(
"dnssec-settime", os.path.join(utils.prefix("sbin"), "dnssec-settime")
)
parser = argparse.ArgumentParser(
description=prog + ": schedule "
"DNSSEC key rollovers according to a "
"pre-defined policy"
)
parser.add_argument(
"zone",
type=str,
nargs="*",
default=None,
help="Zone(s) to which the policy should be applied "
+ "(default: all zones in the directory)",
)
parser.add_argument(
"-K", dest="path", type=str, help="Directory containing keys", metavar="dir"
)
parser.add_argument(
"-c", dest="policyfile", type=str, help="Policy definition file", metavar="file"
)
parser.add_argument(
"-g",
dest="keygen",
default=keygen,
type=str,
help="Path to 'dnssec-keygen'",
metavar="path",
)
parser.add_argument(
"-r",
dest="randomdev",
type=str,
default=None,
help="DEPRECATED",
metavar="path",
)
parser.add_argument(
"-s",
dest="settime",
default=settime,
type=str,
help="Path to 'dnssec-settime'",
metavar="path",
)
parser.add_argument(
"-k",
dest="no_zsk",
action="store_true",
default=False,
help="Only apply policy to key-signing keys (KSKs)",
)
parser.add_argument(
"-z",
dest="no_ksk",
action="store_true",
default=False,
help="Only apply policy to zone-signing keys (ZSKs)",
)
parser.add_argument(
"-f",
"--force",
dest="force",
action="store_true",
default=False,
help="Force updates to key events " + "even if they are in the past",
)
parser.add_argument(
"-q",
"--quiet",
dest="quiet",
action="store_true",
default=False,
help="Update keys silently",
)
parser.add_argument("-v", "--version", action="version", version=utils.version)
args = parser.parse_args()
if args.randomdev:
fatal("ERROR: -r option has been deprecated.")
if args.no_zsk and args.no_ksk:
fatal("ERROR: -z and -k cannot be used together.")
if args.keygen is None:
fatal("ERROR: dnssec-keygen not found")
if args.settime is None:
fatal("ERROR: dnssec-settime not found")
# if a policy file was specified, check that it exists.
# if not, use the default file, unless it doesn't exist
if args.policyfile is not None:
if not os.path.exists(args.policyfile):
fatal('ERROR: Policy file "%s" not found' % args.policyfile)
else:
args.policyfile = os.path.join(utils.sysconfdir, "dnssec-policy.conf")
if not os.path.exists(args.policyfile):
args.policyfile = None
return args
############################################################################
# main
############################################################################
def main():
args = parse_args()
# As we may have specific locations for the binaries, we put that info
# into a context object that can be passed around
context = {
"keygen_path": args.keygen,
"settime_path": args.settime,
"keys_path": args.path,
"randomdev": args.randomdev,
}
try:
dp = policy.dnssec_policy(args.policyfile)
except Exception as e:
fatal("Unable to load DNSSEC policy: " + str(e))
try:
kd = keydict(dp, path=args.path, zones=args.zone)
except Exception as e:
fatal("Unable to build key dictionary: " + str(e))
try:
ks = keyseries(kd, context=context)
except Exception as e:
fatal("Unable to build key series: " + str(e))
try:
ks.enforce_policy(
dp, ksk=args.no_zsk, zsk=args.no_ksk, force=args.force, quiet=args.quiet
)
except Exception as e:
fatal("Unable to apply policy: " + str(e))
|