# Copyright (C) Internet Systems Consortium, Inc. ("ISC") # # SPDX-License-Identifier: MPL-2.0 # # This Source Code Form is subject to the terms of the Mozilla Public # License, v. 2.0. If a copy of the MPL was not distributed with this # file, you can obtain one at https://mozilla.org/MPL/2.0/. # # See the COPYRIGHT file distributed with this work for additional # information regarding copyright ownership. from __future__ import print_function import os, sys, argparse, glob, re, time, calendar, pprint from collections import defaultdict prog = "dnssec-keymgr" from isc import dnskey, keydict, keyseries, policy, parsetab, utils ############################################################################ # print a fatal error and exit ############################################################################ def fatal(*args, **kwargs): print(*args, **kwargs) sys.exit(1) ############################################################################ # find the location of an external command ############################################################################ def set_path(command, default=None): """find the location of a specified command. If a default is supplied, exists and it's an executable, we use it; otherwise we search PATH for an alternative. :param command: command to look for :param default: default value to use :return: PATH with the location of a suitable binary """ fpath = default if not fpath or not os.path.isfile(fpath) or not os.access(fpath, os.X_OK): path = os.environ["PATH"] if not path: path = os.path.defpath for directory in path.split(os.pathsep): fpath = directory + os.sep + command if os.path.isfile(fpath) and os.access(fpath, os.X_OK): break fpath = None return fpath ############################################################################ # parse arguments ############################################################################ def parse_args(): """Read command line arguments, returns 'args' object :return: args object properly prepared """ keygen = set_path( "dnssec-keygen", os.path.join(utils.prefix("sbin"), "dnssec-keygen") ) settime = set_path( "dnssec-settime", os.path.join(utils.prefix("sbin"), "dnssec-settime") ) parser = argparse.ArgumentParser( description=prog + ": schedule " "DNSSEC key rollovers according to a " "pre-defined policy" ) parser.add_argument( "zone", type=str, nargs="*", default=None, help="Zone(s) to which the policy should be applied " + "(default: all zones in the directory)", ) parser.add_argument( "-K", dest="path", type=str, help="Directory containing keys", metavar="dir" ) parser.add_argument( "-c", dest="policyfile", type=str, help="Policy definition file", metavar="file" ) parser.add_argument( "-g", dest="keygen", default=keygen, type=str, help="Path to 'dnssec-keygen'", metavar="path", ) parser.add_argument( "-r", dest="randomdev", type=str, default=None, help="DEPRECATED", metavar="path", ) parser.add_argument( "-s", dest="settime", default=settime, type=str, help="Path to 'dnssec-settime'", metavar="path", ) parser.add_argument( "-k", dest="no_zsk", action="store_true", default=False, help="Only apply policy to key-signing keys (KSKs)", ) parser.add_argument( "-z", dest="no_ksk", action="store_true", default=False, help="Only apply policy to zone-signing keys (ZSKs)", ) parser.add_argument( "-f", "--force", dest="force", action="store_true", default=False, help="Force updates to key events " + "even if they are in the past", ) parser.add_argument( "-q", "--quiet", dest="quiet", action="store_true", default=False, help="Update keys silently", ) parser.add_argument("-v", "--version", action="version", version=utils.version) args = parser.parse_args() if args.randomdev: fatal("ERROR: -r option has been deprecated.") if args.no_zsk and args.no_ksk: fatal("ERROR: -z and -k cannot be used together.") if args.keygen is None: fatal("ERROR: dnssec-keygen not found") if args.settime is None: fatal("ERROR: dnssec-settime not found") # if a policy file was specified, check that it exists. # if not, use the default file, unless it doesn't exist if args.policyfile is not None: if not os.path.exists(args.policyfile): fatal('ERROR: Policy file "%s" not found' % args.policyfile) else: args.policyfile = os.path.join(utils.sysconfdir, "dnssec-policy.conf") if not os.path.exists(args.policyfile): args.policyfile = None return args ############################################################################ # main ############################################################################ def main(): args = parse_args() # As we may have specific locations for the binaries, we put that info # into a context object that can be passed around context = { "keygen_path": args.keygen, "settime_path": args.settime, "keys_path": args.path, "randomdev": args.randomdev, } try: dp = policy.dnssec_policy(args.policyfile) except Exception as e: fatal("Unable to load DNSSEC policy: " + str(e)) try: kd = keydict(dp, path=args.path, zones=args.zone) except Exception as e: fatal("Unable to build key dictionary: " + str(e)) try: ks = keyseries(kd, context=context) except Exception as e: fatal("Unable to build key series: " + str(e)) try: ks.enforce_policy( dp, ksk=args.no_zsk, zsk=args.no_ksk, force=args.force, quiet=args.quiet ) except Exception as e: fatal("Unable to apply policy: " + str(e))