mailinabox/setup/dns.sh

#!/bin/bash
# DNS: Configure a DNS server to host our own DNS
# -----------------------------------------------

# This script installs packages, but the DNS zone files are only
# created by the /dns/update API in the management server because
# the set of zones (domains) hosted by the server depends on the
# mail users & aliases created by the user later.

source setup/functions.sh # load our functions

# Install `nsd`, our DNS server software, and `ldnsutils` which helps
# us sign zones for DNSSEC.

# ...but first, we have to create the user because the 
# current Ubuntu forgets to do so in the .deb
# see issue #25 and https://bugs.launchpad.net/ubuntu/+source/nsd/+bug/1311886
if id nsd > /dev/null 2>&1; then
	true; #echo "nsd user exists... good"; #NODOC
else
	useradd nsd;
fi

# Okay now install the packages.
#
# * nsd: The non-recursive nameserver that publishes our DNS records.
# * ldnsutils: Helper utilities for signing DNSSEC zones.
# * openssh-client: Provides ssh-keyscan which we use to create SSHFP records.

apt_install nsd ldnsutils openssh-client

# Prepare nsd's configuration.

sudo mkdir -p /var/run/nsd

# Create DNSSEC signing keys.

mkdir -p "$STORAGE_ROOT/dns/dnssec";

# TLDs don't all support the same algorithms, so we'll generate keys using a few
# different algorithms.
#
# Supports RSASHA1-NSEC3-SHA1 (didn't test with RSASHA256):
#   .info and .me.
#
# Requires RSASHA256
#   .email
FIRST=1
for algo in RSASHA1-NSEC3-SHA1 RSASHA256; do
if [ ! -f "$STORAGE_ROOT/dns/dnssec/$algo.conf" ]; then
	if [ $FIRST == 1 ]; then
		echo "Generating DNSSEC signing keys. This may take a few minutes..."
		FIRST=0
	fi

	# Create the Key-Signing Key (KSK) (-k) which is the so-called
	# Secure Entry Point. Use a NSEC3-compatible algorithm (best
	# practice), and a nice and long keylength. The domain name we
	# provide ("_domain_") doesn't matter -- we'll use the same
	# keys for all our domains.
	KSK=$(umask 077; cd $STORAGE_ROOT/dns/dnssec; ldns-keygen -a $algo -b 2048 -k _domain_);

	# Now create a Zone-Signing Key (ZSK) which is expected to be
	# rotated more often than a KSK, although we have no plans to
	# rotate it (and doing so would be difficult to do without
	# disturbing DNS availability.) Omit '-k' and use a shorter key.
	ZSK=$(umask 077; cd $STORAGE_ROOT/dns/dnssec; ldns-keygen -a $algo -b 1024 _domain_);

	# These generate two sets of files like:
	#
	# * `K_domain_.+007+08882.ds`: DS record normally provided to domain name registrar (but it's actually invalid with "_domain_")
	# * `K_domain_.+007+08882.key`: public key (goes into DS record & upstream DNS provider like your registrar)
	# * `K_domain_.+007+08882.private`: private key (secret!)

	# The filenames are unpredictable and encode the key generation
	# options. So we'll store the names of the files we just generated.
	# We might have multiple keys down the road. This will identify
	# what keys are the current keys.
	cat > $STORAGE_ROOT/dns/dnssec/$algo.conf << EOF;
KSK=$KSK
ZSK=$ZSK
EOF
fi
done

# Force the dns_update script to be run every day to re-sign zones for DNSSEC.
cat > /etc/cron.daily/mailinabox-dnssec << EOF;
#!/bin/bash
# Mail-in-a-Box
# Re-sign any DNS zones with DNSSEC because the signatures expire periodically.
`pwd`/tools/dns_update
EOF
chmod +x /etc/cron.daily/mailinabox-dnssec

# Permit DNS queries on TCP/UDP in the firewall.

ufw_allow domain
the cron job to re-sign DNSSEC zones wasnt working after adding the API key to the management daemon because the script relied on a bash-ism but cron runs it with (probably) sh 2014-07-19 16:31:05 +00:00			`#!/bin/bash`
first pass at making readable documentation by parsing the bash scripts 2014-09-21 17:43:21 +00:00			`# DNS: Configure a DNS server to host our own DNS`
			`# -----------------------------------------------`
improve comments throughout the scripts 2013-09-01 14:13:51 +00:00
remove obsoleted parts of setup/dns.sh Now that dns_update is a part of the management daemon, we no longer are using STORAGE_ROOT/dns for anything. 2014-06-13 00:18:53 +00:00			`# This script installs packages, but the DNS zone files are only`
			`# created by the /dns/update API in the management server because`
			`# the set of zones (domains) hosted by the server depends on the`
			`# mail users & aliases created by the user later.`
improve comments throughout the scripts 2013-09-01 14:13:51 +00:00
rename the scripts directory to setup 2014-06-03 11:12:38 +00:00			`source setup/functions.sh # load our functions`
make a bash function to use everywhere we apt-get-install (`DEBIAN_FRONTEND=noninteractive apt-get -qq -y `) ensures the output is quiet 2014-05-01 19:13:00 +00:00
first pass at making readable documentation by parsing the bash scripts 2014-09-21 17:43:21 +00:00			# Install `nsd`, our DNS server software, and `ldnsutils` which helps
add DNSSEC * sign zones * in a cron job, periodically re-sign zones because they expire (not tested) 2014-06-17 22:21:12 +00:00			`# us sign zones for DNSSEC.`
DNS, SPF, and DKIM 2013-08-21 20:53:22 +00:00
Add conditional to avoid errors if nsd exists 2014-04-23 21:53:59 +00:00			`# ...but first, we have to create the user because the`
			`# current Ubuntu forgets to do so in the .deb`
tweak @randallsquared's workaround for the nsd package's brokenness 2014-04-23 22:40:33 +00:00			`# see issue #25 and https://bugs.launchpad.net/ubuntu/+source/nsd/+bug/1311886`
Add conditional to avoid errors if nsd exists 2014-04-23 21:53:59 +00:00			`if id nsd > /dev/null 2>&1; then`
first pass at making readable documentation by parsing the bash scripts 2014-09-21 17:43:21 +00:00			`true; #echo "nsd user exists... good"; #NODOC`
Add conditional to avoid errors if nsd exists 2014-04-23 21:53:59 +00:00			`else`
			`useradd nsd;`
tweak @randallsquared's workaround for the nsd package's brokenness 2014-04-23 22:40:33 +00:00			`fi`

remove obsoleted parts of setup/dns.sh Now that dns_update is a part of the management daemon, we no longer are using STORAGE_ROOT/dns for anything. 2014-06-13 00:18:53 +00:00			`# Okay now install the packages.`
add SSHFP records to DNS 2014-08-27 12:56:17 +00:00			`#`
first pass at making readable documentation by parsing the bash scripts 2014-09-21 17:43:21 +00:00			`# * nsd: The non-recursive nameserver that publishes our DNS records.`
			`# * ldnsutils: Helper utilities for signing DNSSEC zones.`
			`# * openssh-client: Provides ssh-keyscan which we use to create SSHFP records.`
tweak @randallsquared's workaround for the nsd package's brokenness 2014-04-23 22:40:33 +00:00
add SSHFP records to DNS 2014-08-27 12:56:17 +00:00			`apt_install nsd ldnsutils openssh-client`
DNS, SPF, and DKIM 2013-08-21 20:53:22 +00:00
update for Ubuntu 14.04 2014-04-18 00:17:24 +00:00			`# Prepare nsd's configuration.`
improve comments throughout the scripts 2013-09-01 14:13:51 +00:00
update for Ubuntu 14.04 2014-04-18 00:17:24 +00:00			`sudo mkdir -p /var/run/nsd`
improve comments throughout the scripts 2013-09-01 14:13:51 +00:00
add DNSSEC * sign zones * in a cron job, periodically re-sign zones because they expire (not tested) 2014-06-17 22:21:12 +00:00			`# Create DNSSEC signing keys.`

			`mkdir -p "$STORAGE_ROOT/dns/dnssec";`
dnssec: use RSASHA256 keys for .email domains 2014-10-04 17:29:42 +00:00
			`# TLDs don't all support the same algorithms, so we'll generate keys using a few`
			`# different algorithms.`
			`#`
			`# Supports RSASHA1-NSEC3-SHA1 (didn't test with RSASHA256):`
			`# .info and .me.`
			`#`
			`# Requires RSASHA256`
			`# .email`
			`FIRST=1`
			`for algo in RSASHA1-NSEC3-SHA1 RSASHA256; do`
			`if [ ! -f "$STORAGE_ROOT/dns/dnssec/$algo.conf" ]; then`
			`if [ $FIRST == 1 ]; then`
			`echo "Generating DNSSEC signing keys. This may take a few minutes..."`
			`FIRST=0`
			`fi`
add DNSSEC * sign zones * in a cron job, periodically re-sign zones because they expire (not tested) 2014-06-17 22:21:12 +00:00
			`# Create the Key-Signing Key (KSK) (-k) which is the so-called`
			`# Secure Entry Point. Use a NSEC3-compatible algorithm (best`
use /dev/random for crypto-grade RNG with the help of haveged Rather than pass `-r /dev/random` to ldns-keygen (it was `-r /dev/urandom`), don't pass `-r` at all since /dev/random is the default. Merges branch 'master' of github.com:pysiak/mailinabox 2014-07-21 11:12:59 +00:00			`# practice), and a nice and long keylength. The domain name we`
			`# provide ("_domain_") doesn't matter -- we'll use the same`
			`# keys for all our domains.`
dnssec: use RSASHA256 keys for .email domains 2014-10-04 17:29:42 +00:00			`KSK=$(umask 077; cd $STORAGE_ROOT/dns/dnssec; ldns-keygen -a $algo -b 2048 -k _domain_);`
add DNSSEC * sign zones * in a cron job, periodically re-sign zones because they expire (not tested) 2014-06-17 22:21:12 +00:00
			`# Now create a Zone-Signing Key (ZSK) which is expected to be`
			`# rotated more often than a KSK, although we have no plans to`
			`# rotate it (and doing so would be difficult to do without`
			`# disturbing DNS availability.) Omit '-k' and use a shorter key.`
dnssec: use RSASHA256 keys for .email domains 2014-10-04 17:29:42 +00:00			`ZSK=$(umask 077; cd $STORAGE_ROOT/dns/dnssec; ldns-keygen -a $algo -b 1024 _domain_);`
add DNSSEC * sign zones * in a cron job, periodically re-sign zones because they expire (not tested) 2014-06-17 22:21:12 +00:00
			`# These generate two sets of files like:`
first pass at making readable documentation by parsing the bash scripts 2014-09-21 17:43:21 +00:00			`#`
dnssec: use RSASHA256 keys for .email domains 2014-10-04 17:29:42 +00:00			# * `K_domain_.+007+08882.ds`: DS record normally provided to domain name registrar (but it's actually invalid with "_domain_")
first pass at making readable documentation by parsing the bash scripts 2014-09-21 17:43:21 +00:00			# * `K_domain_.+007+08882.key`: public key (goes into DS record & upstream DNS provider like your registrar)
			# * `K_domain_.+007+08882.private`: private key (secret!)
add DNSSEC * sign zones * in a cron job, periodically re-sign zones because they expire (not tested) 2014-06-17 22:21:12 +00:00
			`# The filenames are unpredictable and encode the key generation`
			`# options. So we'll store the names of the files we just generated.`
			`# We might have multiple keys down the road. This will identify`
			`# what keys are the current keys.`
dnssec: use RSASHA256 keys for .email domains 2014-10-04 17:29:42 +00:00			`cat > $STORAGE_ROOT/dns/dnssec/$algo.conf << EOF;`
add DNSSEC * sign zones * in a cron job, periodically re-sign zones because they expire (not tested) 2014-06-17 22:21:12 +00:00			`KSK=$KSK`
			`ZSK=$ZSK`
			`EOF`
			`fi`
dnssec: use RSASHA256 keys for .email domains 2014-10-04 17:29:42 +00:00			`done`
add DNSSEC * sign zones * in a cron job, periodically re-sign zones because they expire (not tested) 2014-06-17 22:21:12 +00:00
			`# Force the dns_update script to be run every day to re-sign zones for DNSSEC.`
			`cat > /etc/cron.daily/mailinabox-dnssec << EOF;`
the cron job to re-sign DNSSEC zones was still not working because the script needed a hash-bang line; what I did in 65c3a44e63b24c1d428bd0a53c9f6b6b34a6a858 didn't actually fix the problem 2014-07-25 12:15:30 +00:00			`#!/bin/bash`
add DNSSEC * sign zones * in a cron job, periodically re-sign zones because they expire (not tested) 2014-06-17 22:21:12 +00:00			`# Mail-in-a-Box`
			`# Re-sign any DNS zones with DNSSEC because the signatures expire periodically.`
the cron job to re-sign DNSSEC zones wasnt working after adding the API key to the management daemon because the script relied on a bash-ism but cron runs it with (probably) sh 2014-07-19 16:31:05 +00:00			`pwd`/tools/dns_update
add DNSSEC * sign zones * in a cron job, periodically re-sign zones because they expire (not tested) 2014-06-17 22:21:12 +00:00			`EOF`
			`chmod +x /etc/cron.daily/mailinabox-dnssec`

improve comments throughout the scripts 2013-09-01 14:13:51 +00:00			`# Permit DNS queries on TCP/UDP in the firewall.`
DNS, SPF, and DKIM 2013-08-21 20:53:22 +00:00
add a bash function ufw_allow which calls 'ufw allow' but hides its totally useless output 2014-05-01 19:35:18 +00:00			`ufw_allow domain`
DNS, SPF, and DKIM 2013-08-21 20:53:22 +00:00