--- /dev/null
+signzone=/usr/sbin/dnssec-signzone
+keygen=/usr/bin/dnssec-keygen
+salt_length=32
+resign_days=10
+
+num_nameservers=2
+
+ns1_public_name="ns1.example.com"
+ns1_ssh_access="root@ns1.example.com"
+ns1_conf_path="/opt/bind/etc/"
+ns1_rndc_path="/opt/bind/sbin/rndc"
+
+ns2_public_name="ns2.example.com"
+ns2_ssh_access="root@ns2.example.com"
+ns2_conf_path="/opt/bind/etc/"
+ns2_rndc_path="/opt/bind/sbin/rndc"
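Review bot: `ns1_ssh_access` and `ns2_ssh_access` give the signing host root on both nameservers, while the only remote actions the sibling scripts in this commit perform are an `scp` into `ns*_conf_path` and an `rndc reload`. A dedicated unprivileged account whose authorized key is restricted to those two operations would keep a compromise of the signing host from becoming root on the resolvers' authoritative servers. This file is also `source`d by every script, so whatever is written into it runs as shell; a short header comment such as `# sourced by all scripts: shell syntax, keep owner-writable only` would make that explicit.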
--- /dev/null
+#!/bin/bash
+source `dirname $0`/conf/settings
+cd `dirname $0`
+
+if [ $# -ne 1 ] ; then
+ echo "$0 <zone>"
+ exit
+fi
+if [ ! -d zones/$1 ] ; then
+ echo "$1 does not exist"
+ exit
+fi
+
+mv zones/$1 trash/
+./update-zone-conf.sh
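Review bot: `$1` is used unchecked as a path component on the `-d` test and the `mv`, so an argument containing `/` or `..` escapes `zones/`: `[ ! -d zones/../conf ]` passes and `mv zones/../conf trash/` moves the settings directory into the trash. Validate the argument as a zone name before the first use, e.g. `[[ "$1" =~ ^[A-Za-z0-9][A-Za-z0-9.-]*$ ]] || { echo "bad zone name" >&2; exit 1; }`, and quote the expansions (`"zones/$1"`). The usage and not-found branches `exit` with status 0, so a caller cannot distinguish failure from success; use `exit 1`. Every sibling script in this commit that takes a zone or key argument has the same unvalidated-path and `exit 0` pattern (edit-zone, the key listing/removal scripts, make-ksk/make-zsk, prepare-zone, retire-key/reinstate-key, sign-zone).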
--- /dev/null
+#!/bin/bash
+source `dirname $0`/conf/settings
+cd `dirname $0`
+
+if [ $# -ne 1 ] ; then
+ echo "$0 <zone>"
+ exit
+fi
+
+if [ ! -f zones/$1/$1 ] ; then
+ echo "$1 does not exist or is not prepared"
+ exit
+fi
+
+$EDITOR zones/$1/$1
+
+echo "You might want to run update-zone-conf or sign-zone scripts"
+
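Review bot: With `EDITOR` unset or empty, `$EDITOR zones/$1/$1` expands to the zone file path alone and bash tries to execute the zone file instead of editing it. Guard the variable before use, `: "${EDITOR:?EDITOR must be set}"`, or fall back to a default with `"${EDITOR:-vi}" "zones/$1/$1"`. Since `$EDITOR` is deliberately expanded unquoted (to allow `EDITOR="vim -n"`), a comment saying so would stop a later cleanup from quoting it.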
--- /dev/null
+#!/bin/bash
+source `dirname $0`/conf/settings
+cd `dirname $0`
+
+if [ $# -ne 1 ] ; then
+ echo "$0 <domain.tld>"
+ exit
+fi
+if [ ! -d zones/$1 ] ; then
+ echo "zone $1 does not exists"
+ exit
+fi
+
+echo "Listing keys for $1"
+for ksk in $( find . -name "*.key" -exec grep -q " 257 " {} \; -exec ls {} \; ) ; do
+ ksk=$(basename $ksk .key)
+ date=$(date -r zones/$1/${ksk}.key +%Y-%m-%d )
+ echo " ... found KSK $ksk modified $date"
+done
+for zsk in $( find . -name "*.key" -exec grep -q " 256 " {} \; -exec ls {} \; ) ; do
+ zsk=$(basename $zsk .key)
+ date=$(date -r zones/$1/${zsk}.key +%Y-%m-%d )
+ echo " ... found ZSK $zsk modified $date"
+done
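Review bot: Both `find .` loops walk the whole script tree rather than `zones/$1`, so the keys of every zone are printed under the heading for `$1`, and `date -r zones/$1/${ksk}.key` then fails for any key that belongs to another zone. Root the search at the zone directory, `find "zones/$1" -name "*.key" -exec grep -q " 257 " {} \; -print`, which also removes the `-exec ls {} \;` fork per file. The `.oldkey` listing script and the retired-key removal script that follow in this commit have the same search root problem in their corresponding loops.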
--- /dev/null
+#!/bin/bash
+source `dirname $0`/conf/settings
+cd `dirname $0`
+
+if [ $# -ne 1 ] ; then
+ echo "$0 <domain.tld>"
+ exit
+fi
+if [ ! -d zones/$1 ] ; then
+ echo "zone $1 does not exists"
+ exit
+fi
+
+echo "Listing keys for $1"
+for ksk in $( find . -name "*.oldkey" -exec grep -q " 257 " {} \; -exec ls {} \; ) ; do
+ ksk=$(basename $ksk .oldkey)
+ date=$(date -r zones/$1/${ksk}.oldkey +%Y-%m-%d )
+ echo " ... found KSK $ksk modified $date"
+done
+for zsk in $( find . -name "*.oldkey" -exec grep -q " 256 " {} \; -exec ls {} \; ) ; do
+ zsk=$(basename $zsk .oldkey)
+ date=$(date -r zones/$1/${zsk}.oldkey +%Y-%m-%d )
+ echo " ... found ZSK $zsk modified $date"
+done
--- /dev/null
+#!/bin/bash
+source `dirname $0`/conf/settings
+cd `dirname $0`
+
+if [ $# -ne 1 ] ; then
+ echo "$0 <zone>";
+ exit;
+fi
+if [ ! -d zones/$1 ] ; then
+ mkdir zones/$1;
+fi
+cd zones/$1
+$keygen -f KSK -a NSEC3RSASHA1 -b 2048 -n ZONE $1
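Review bot: `-a NSEC3RSASHA1` selects algorithm 7 (RSA with SHA-1), which RFC 8624 lists as NOT RECOMMENDED for signing; a newly generated KSK should not be tied to SHA-1. Use `-a RSASHA256` (algorithm 8, which supports NSEC3 equally well and keeps `-b 2048` valid), here and in the ZSK script that follows. `cd zones/$1` on the line before is unchecked, so if it fails the key pair is written into the script directory instead; write `cd "zones/$1" || exit 1`.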
--- /dev/null
+#!/bin/bash
+source `dirname $0`/conf/settings
+cd `dirname $0`
+
+if [ $# -ne 1 ] ; then
+ echo "$0 <zone>";
+ exit;
+fi
+if [ ! -d zones/$1 ] ; then
+ mkdir zones/$1;
+fi
+cd zones/$1
+$keygen -a NSEC3RSASHA1 -b 2048 -e -n ZONE $1
--- /dev/null
+#!/bin/bash
+source `dirname $0`/conf/settings
+cd `dirname $0`
+
+if [ $# -ne 2 ] ; then
+ echo "prepare-zone.sh <domain.tld> <maintainer.mail>"
+ exit
+fi
+if [ -d zones/$1 ] ; then
+ echo "Zone $1 already exists ... did you want to use edit-zone ? "
+ exit
+fi
+mainmail=$(echo $2 | tr @ . )
+mkdir zones/$1
+cat > zones/$1/$1 <<EOF
+\$TTL 1h
+
+@ IN SOA $ns1_public_name. $mainmail. (
+ 1 ; serial
+ 1h ; refresh
+ 30m ; retry
+ 7d ; expiration
+ 1h ) ; minimum
+
+EOF
+
+for i in `seq $num_nameservers` ; do
+ ns=ns$i
+ eval public_name=\$${ns}_public_name
+
+ echo " NS $public_name." >> zones/$1/$1
+done
+
+echo "Generatign KSK and ZSK keys... "
+echo
+echo "This uses a LOT of random data and may take quiet a while..."
+echo
+echo "If you are anticipating to do this often, consider acquireing a fast h/w random number generator"
+
+./make-ksk.sh $1
+./make-zsk.sh $1
+
+echo "To finalize your zone use edit-zone and then sign-zone and finally update-zone-conf."
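Review bot: `eval public_name=\$${ns}_public_name` runs the shell parser over a generated variable name; bash indirection does the same without eval: `ref="${ns}_public_name"; public_name=${!ref}`. `mainmail=$(echo $2 | tr @ . )` turns every `.` in the mailbox local part into a label separator, so `first.last@example.com` becomes the SOA RNAME `first.last.example.com.`, which is read as user `first` at `last.example.com`; RFC 1035 requires dots in the local part to be escaped (`first\.last.example.com.`). `mkdir zones/$1` is unchecked and the heredoc would then write into a missing directory; use `mkdir "zones/$1" || exit 1`. The user-facing messages contain typos (`Generatign`, `quiet a while`, `acquireing`).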
--- /dev/null
+#!/bin/bash
+source `dirname $0`/conf/settings
+cd `dirname $0`
+
+if [ $# -ne 1 ] ; then
+ echo "$0 <domain.tld>"
+ exit
+fi
+if [ ! -d zones/$1 ] ; then
+ echo "zone $1 does not exists"
+ exit
+fi
+
+echo "Removing retired keys for $1"
+for ksk in $( find . -name "*.oldkey" -exec grep -q " 257 " {} \; -exec ls {} \; ) ; do
+ ksk=$(basename $ksk .oldkey)
+ date=$(date -r zones/$1/${ksk}.oldkey +%Y-%m-%d )
+ rm zones/$1/${ksk}.oldkey
+ echo " ... removed KSK $ksk modified $date"
+done
+for zsk in $( find . -name "*.oldkey" -exec grep -q " 256 " {} \; -exec ls {} \; ) ; do
+ zsk=$(basename $zsk .oldkey)
+ date=$(date -r zones/$1/${zsk}.oldkey +%Y-%m-%d )
+ rm zones/$1/${zsk}.oldkey
+ echo " ... removed ZSK $zsk modified $date"
+done
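Review bot: The loops delete only `${ksk}.oldkey` and `${zsk}.oldkey`, but the retire-key script in this commit renames the private half to `.oldprivate` and nothing ever removes it, so retired private key material accumulates on disk indefinitely. Remove both halves together: `rm -- "zones/$1/${ksk}.oldkey" "zones/$1/${ksk}.oldprivate"` (and likewise for the ZSK loop). As in the key-listing scripts, `find .` should be rooted at `zones/$1` so the loop does not attempt to delete other zones' files under the wrong path.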
--- /dev/null
+#!/bin/bash
+source `dirname $0`/conf/settings
+cd `dirname $0`
+
+for zone in `find . -name "*.signed" -mtime $resign_days -exec basename {} .zone.signed \;` ; do
+ ./sign-zone.sh $zone
+done
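Review bot: `-mtime $resign_days` matches only files whose age rounds to exactly `resign_days` days, not files at least that old, so a zone missed on that single day (cron not run, host down) is never re-signed again and its RRSIGs eventually expire. Use `-mtime +$((resign_days - 1))`, which selects every file at least `resign_days` days old, so overdue zones are picked up on each run. Rooting the search at `zones` and quoting `"$zone"` would also keep a stray `.signed` file elsewhere in the tree from being passed to sign-zone.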
--- /dev/null
+#!/bin/bash
+source `dirname $0`/conf/settings
+cd `dirname $0`
+
+if [ $# -ne 2 ] ; then
+ echo "$0 <domain.tld> <key>"
+ exit
+fi
+if [ ! -d zones/$1 ] ; then
+ echo "zone $1 does not exists"
+ exit
+fi
+
+if [ -f zones/$1/$2.oldkey -a -f zones/$1/$2.oldprivate ] ; then
+ echo "Re-instate key $2 for $1"
+ mv zones/$1/$2.oldkey zones/$1/$2.key
+ mv zones/$1/$2.oldprivate zones/$1/$2.private
+fi
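Review bot: When only one of the two files exists, or the key name is mistyped, the script prints nothing and exits 0, so a failed re-instatement looks like success; add an `else` branch that reports `key $2 not found for $1` to stderr and exits 1. `-a` inside `[ ]` is marked obsolescent by POSIX; write `[ -f "zones/$1/$2.oldkey" ] && [ -f "zones/$1/$2.oldprivate" ]`. The retire-key script that follows has the same two issues in its test.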
--- /dev/null
+#!/bin/bash
+source `dirname $0`/conf/settings
+cd `dirname $0`
+
+if [ $# -ne 2 ] ; then
+ echo "$0 <domain.tld> <key>"
+ exit
+fi
+if [ ! -d zones/$1 ] ; then
+ echo "zone $1 does not exists"
+ exit
+fi
+
+if [ -f zones/$1/$2.key -a -f zones/$1/$2.private ] ; then
+ echo "Retire key $2 for $1"
+ mv zones/$1/$2.key zones/$1/$2.oldkey
+ mv zones/$1/$2.private zones/$1/$2.oldprivate
+fi
--- /dev/null
+#!/bin/bash
+source `dirname $0`/conf/settings
+cd `dirname $0`
+
+if [ $# -ne 1 ] ; then
+ echo "$0 <domain.tld>"
+ exit
+fi
+if [ ! -d zones/$1 ] ; then
+ echo "zone $1 does not exists"
+ exit
+fi
+
+function gen_salt {
+ # gen_salt function copied and adapted from advanced bash scripting guide
+ LENGTH=$1
+ MATRIX="0123456789ABCDEF"
+
+ while [ "${n:=1}" -le "$LENGTH" ]
+ do
+ SALT="$SALT${MATRIX:$(($RANDOM%${#MATRIX})):1}"
+ let n+=1
+ done
+ return 0;
+}
+
+cd zones/$1
+
+echo "=== zone $1"
+echo "... adding keys"
+cat $1 K$1*.key > $1.zone
+cat $1 K$1*.oldkey >> $1.zone
+
+echo "... signing"
+gen_salt $salt_length
+$signzone -A -a -3 $SALT -N unixtime -o $1 $1.zone
+
+for i in `seq $num_nameservers` ; do
+ ns=ns$i
+
+ echo "... uploading to $ns"
+ eval ssh_access=\$${ns}_ssh_access
+ eval conf_path=\$${ns}_conf_path
+ eval rndc_path=\$${ns}_rndc_path
+
+ scp -q $1.zone.signed $ssh_access:$conf_path
+ ssh -q $ssh_access "$rndc_path reload"
+done
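Review bot: `cat $1 K$1*.oldkey >> $1.zone` appends the unsigned zone file `$1` a second time after the previous line already wrote it, so every record including the SOA appears twice in `$1.zone`, and when no `.oldkey` files exist the unexpanded glob makes cat print an error as well. Replace it with `for k in K$1*.oldkey; do [ -e "$k" ] && cat "$k"; done >> $1.zone`. `-A` on the signzone line sets NSEC3 opt-out, which leaves insecure delegations outside the NSEC3 chain; it is intended for large delegation-only zones and should be dropped for the small zones prepare-zone creates, and current NSEC3 guidance (RFC 9276) is an empty salt with zero iterations, `-3 - -H 0`, which would also retire `gen_salt` and its non-cryptographic `$RANDOM`. `cd zones/$1` and the `scp`/`ssh` calls are unchecked, so a failed upload to ns1 still proceeds to ns2 and the script exits 0; add `|| exit 1` to each. `gen_salt`'s `n` and `SALT` are globals, so a second call in the same shell would extend rather than replace the salt.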
--- /dev/null
+this file containes "deleted" domains.
+
+they can be removed when you are sure, they are unneeded.
--- /dev/null
+#!/bin/bash
+source `dirname $0`/conf/settings
+cd `dirname $0`
+
+rm -f zones/zone.conf
+
+for d in zones/* ; do
+ zone=`basename $d`
+cat >> zones/zone.conf <<EOF
+zone "$zone." in {
+ type master;
+ file "$zone.zone.signed";
+};
+
+EOF
+done
+
+
+for i in `seq $num_nameservers` ; do
+ ns=ns$i
+
+ echo "running $ns"
+ eval ssh_access=\$${ns}_ssh_access
+ eval conf_path=\$${ns}_conf_path
+ eval rndc_path=\$${ns}_rndc_path
+
+ scp zones/zone.conf $ssh_access:$conf_path
+ ssh $ssh_access "$rndc_path reload"
+done
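Review bot: `for d in zones/*` turns every entry under `zones/` into a `zone` statement, including plain files; the `zones/README` added in this same commit yields `zone "README." in { file "README.zone.signed"; }`, which named will presumably fail to load. Skip non-directories with `[ -d "$d" ] || continue`, and consider also requiring `[ -f "$d/$zone.zone.signed" ]` so zones that have not been signed yet are not pushed into the config. The `scp`/`ssh` calls are unchecked, so the loop reports success even when a nameserver never received the new config; add `|| exit 1` to each, matching the `-q` usage in sign-zone for consistency.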
--- /dev/null
+this folder contains production zones