選択できるのは25トピックまでです。 トピックは、先頭が英数字で、英数字とダッシュ('-')を使用した35文字以内のものにしてください。

dnssec.inc.php 16KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617
  1. <?php
  2. /* Poweradmin, a friendly web-based admin tool for PowerDNS.
  3. * See <http://www.poweradmin.org> for more details.
  4. *
  5. * Copyright 2007-2009 Rejo Zenger <rejo@zenger.nl>
  6. * Copyright 2010-2017 Poweradmin Development Team
  7. * <http://www.poweradmin.org/credits.html>
  8. *
  9. * This program is free software: you can redistribute it and/or modify
  10. * it under the terms of the GNU General Public License as published by
  11. * the Free Software Foundation, either version 3 of the License, or
  12. * (at your option) any later version.
  13. *
  14. * This program is distributed in the hope that it will be useful,
  15. * but WITHOUT ANY WARRANTY; without even the implied warranty of
  16. * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  17. * GNU General Public License for more details.
  18. *
  19. * You should have received a copy of the GNU General Public License
  20. * along with this program. If not, see <http://www.gnu.org/licenses/>.
  21. */
  22. /**
  23. * DNSSEC functions
  24. *
  25. * @package Poweradmin
  26. * @copyright 2007-2010 Rejo Zenger <rejo@zenger.nl>
  27. * @copyright 2010-2017 Poweradmin Development Team
  28. * @license http://opensource.org/licenses/GPL-3.0 GPL
  29. */
  30. /** Check if it's possible to execute dnssec command
  31. *
  32. * @return boolean true on success, false on failure
  33. */
  34. function dnssec_is_pdnssec_callable() {
  35. global $pdnssec_command;
  36. if (!function_exists('exec')) {
  37. error(ERR_EXEC_NOT_ALLOWED);
  38. return false;
  39. }
  40. if (!file_exists($pdnssec_command) || !is_executable($pdnssec_command)) {
  41. error(ERR_EXEC_PDNSSEC);
  42. return false;
  43. }
  44. return true;
  45. }
  46. /** Execute dnssec utility
  47. *
  48. * @param string $command Command name
  49. * @param string $args Command arguments
  50. *
  51. * @return mixed[] Array with output from command execution and error code
  52. */
  53. function dnssec_call_pdnssec($command, $args) {
  54. global $pdnssec_command;
  55. $output = '';
  56. $return_code = -1;
  57. if (!dnssec_is_pdnssec_callable()) {
  58. return array($output, $return_code);
  59. }
  60. $command = join(' ', array(
  61. $pdnssec_command,
  62. $command,
  63. $args)
  64. );
  65. exec($command, $output, $return_code);
  66. return array($output, $return_code);
  67. }
  68. /** Execute PDNSSEC rectify-zone command for Domain ID
  69. *
  70. * If a Domain is dnssec enabled, or uses features as
  71. * e.g. ALSO-NOTIFY, ALLOW-AXFR-FROM, TSIG-ALLOW-AXFR
  72. * following has to be executed
  73. * pdnssec rectify-zone $domain
  74. *
  75. * @param int $domain_id Domain ID
  76. *
  77. * @return boolean true on success, false on failure or unnecessary
  78. */
  79. function dnssec_rectify_zone($domain_id) {
  80. global $db;
  81. global $pdnssec_command;
  82. $output = array();
  83. /* if pdnssec_command is set we perform ``pdnssec rectify-zone $domain`` on all zones,
  84. * as pdns needs the "auth" column for all zones if dnssec is enabled
  85. *
  86. * If there is any entry at domainmetadata table for this domain,
  87. * it is an error if pdnssec_command is not set */
  88. $query = "SELECT COUNT(id) FROM domainmetadata WHERE domain_id = " . $db->quote($domain_id, 'integer');
  89. $count = $db->queryOne($query);
  90. if (PEAR::isError($count)) {
  91. error($count->getMessage());
  92. return false;
  93. }
  94. if (isset($pdnssec_command)) {
  95. $domain = get_zone_name_from_id($domain_id);
  96. $command = $pdnssec_command . " rectify-zone " . $domain;
  97. if (!dnssec_is_pdnssec_callable()) {
  98. return false;
  99. }
  100. exec($command, $output, $return_code);
  101. if ($return_code != 0) {
  102. error(ERR_EXEC_PDNSSEC_RECTIFY_ZONE);
  103. return false;
  104. }
  105. return true;
  106. } else if ($count >= 1) {
  107. error(ERR_EXEC_PDNSSEC);
  108. return false;
  109. }
  110. return false;
  111. }
  112. /** Execute PDNSSEC secure-zone command for Domain Name
  113. *
  114. * @param string $domain_name Domain Name
  115. *
  116. * @return boolean true on success, false on failure or unnecessary
  117. */
  118. function dnssec_secure_zone($domain_name) {
  119. $call_result = dnssec_call_pdnssec('secure-zone', $domain_name);
  120. $return_code = $call_result[1];
  121. if ($return_code != 0) {
  122. error(ERR_EXEC_PDNSSEC_SECURE_ZONE);
  123. return false;
  124. }
  125. log_info(sprintf('client_ip:%s user:%s operation:dnssec_secure_zone zone:%s',
  126. $_SERVER['REMOTE_ADDR'], $_SESSION['userlogin'], $domain_name));
  127. return true;
  128. }
  129. /** Execute PDNSSEC disable-dnssec command for Domain Name
  130. *
  131. * @param string $domain_name Domain Name
  132. *
  133. * @return boolean true on success, false on failure or unnecessary
  134. */
  135. function dnssec_unsecure_zone($domain_name) {
  136. $call_result = dnssec_call_pdnssec('disable-dnssec', $domain_name);
  137. $return_code = $call_result[1];
  138. if ($return_code != 0) {
  139. error(ERR_EXEC_PDNSSEC_DISABLE_ZONE);
  140. return false;
  141. }
  142. log_info(sprintf('client_ip:%s user:%s operation:dnssec_unsecure_zone zone:%s',
  143. $_SERVER['REMOTE_ADDR'], $_SESSION['userlogin'], $domain_name));
  144. return true;
  145. }
  146. /** Check if zone is secured
  147. *
  148. * @param string $domain_name Domain Name
  149. *
  150. * @return boolean true on success, false on failure
  151. */
  152. function dnssec_is_zone_secured($domain_name) {
  153. global $db;
  154. $query = $db->prepare("SELECT
  155. COUNT(cryptokeys.id) AS active_keys,
  156. COUNT(domainmetadata.id) > 0 AS presigned
  157. FROM domains
  158. LEFT JOIN cryptokeys ON domains.id = cryptokeys.domain_id
  159. LEFT JOIN domainmetadata ON domains.id = domainmetadata.domain_id AND domainmetadata.kind = 'PRESIGNED'
  160. WHERE domains.name = ?
  161. GROUP BY domains.id
  162. ");
  163. $query->execute(array($domain_name));
  164. $row = $query->fetch();
  165. return $row['active_keys'] > 0 || $row['presigned'];
  166. }
  167. /** Use presigned RRSIGs from storage
  168. *
  169. * @param string $domain_name Domain Name
  170. */
  171. function dnssec_set_nsec3($domain_name) {
  172. dnssec_call_pdnssec('set-nsec3', $domain_name);
  173. log_info(sprintf('client_ip:%s user:%s operation:dnssec_set_nsec3 zone:%s',
  174. $_SERVER['REMOTE_ADDR'], $_SESSION['userlogin'], $domain_name));
  175. }
  176. /** Switch back to NSEC
  177. *
  178. * @param string $domain_name Domain Name
  179. */
  180. function dnssec_unset_nsec3($domain_name) {
  181. dnssec_call_pdnssec('unset-nsec3', $domain_name);
  182. log_info(sprintf('client_ip:%s user:%s operation:dnssec_unset_nsec3 zone:%s',
  183. $_SERVER['REMOTE_ADDR'], $_SESSION['userlogin'], $domain_name));
  184. }
  185. /** Return nsec type
  186. *
  187. * @param string $domain_name Domain Name
  188. *
  189. * @return string nsec or nsec3
  190. */
  191. function dnssec_get_nsec_type($domain_name) {
  192. $call_result = dnssec_call_pdnssec('show-zone', $domain_name);
  193. $output = $call_result[0];
  194. return ($output[0] == 'Zone has NSEC semantics' ? 'nsec' : 'nsec3');
  195. }
  196. /** Use presigned RRSIGs from storage
  197. *
  198. * @param string $domain_name Domain Name
  199. */
  200. function dnssec_set_presigned($domain_name) {
  201. dnssec_call_pdnssec('set-presigned', $domain_name);
  202. log_info(sprintf('client_ip:%s user:%s operation:dnssec_set_presigned zone:%s',
  203. $_SERVER['REMOTE_ADDR'], $_SESSION['userlogin'], $domain_name));
  204. }
  205. /** No longer use presigned RRSIGs
  206. *
  207. * @param string $domain_name Domain Name
  208. */
  209. function dnssec_unset_presigned($domain_name) {
  210. dnssec_call_pdnssec('unset-presigned', $domain_name);
  211. log_info(sprintf('client_ip:%s user:%s operation:unset-presigned zone:%s',
  212. $_SERVER['REMOTE_ADDR'], $_SESSION['userlogin'], $domain_name));
  213. }
  214. /** Return presigned status
  215. *
  216. * @param string $domain_name Domain Name
  217. *
  218. * @return boolean true if zone is presigned, otherwise false
  219. */
  220. function dnssec_get_presigned_status($domain_name) {
  221. $call_result = dnssec_call_pdnssec('show-zone', $domain_name);
  222. $output = $call_result[0];
  223. return ($output[1] == 'Zone is presigned' ? true : false);
  224. }
  225. /** Rectify all zones.
  226. */
  227. function dnssec_rectify_all_zones() {
  228. dnssec_call_pdnssec('rectify-all-zones', '');
  229. log_info(sprintf('client_ip:%s user:%s operation:dnssec_rectify_all_zones',
  230. $_SERVER['REMOTE_ADDR'], $_SESSION['userlogin']));
  231. }
  232. /** Return DS records
  233. *
  234. * @param string $domain_name Domain Name
  235. *
  236. * @return mixed[] DS records
  237. */
  238. function dnssec_get_ds_records($domain_name) {
  239. $call_result = dnssec_call_pdnssec('show-zone', $domain_name);
  240. $output = $call_result[0];
  241. $return_code = $call_result[1];
  242. if ($return_code != 0) {
  243. error(ERR_EXEC_PDNSSEC_SHOW_ZONE);
  244. return false;
  245. }
  246. $ds_records = array();
  247. foreach ($output as $line) {
  248. if (substr($line, 0, 2) == 'DS') {
  249. $items = explode(' ', $line);
  250. $ds_line = join(" ", array_slice($items, 2));
  251. $ds_records[] = $ds_line;
  252. }
  253. }
  254. return $ds_records;
  255. }
  256. /** Return algorithm name for given number
  257. *
  258. * @param int $algo Algorithm id
  259. *
  260. * @return string algorithm name
  261. */
  262. function dnssec_algorithm_to_name($algo) {
  263. $name = 'Unallocated/Reserved';
  264. switch ($algo) {
  265. case 0:
  266. $name = 'Reserved';
  267. break;
  268. case 1:
  269. $name = 'RSAMD5';
  270. break;
  271. case 2:
  272. $name = 'DH';
  273. break;
  274. case 3:
  275. $name = 'DSA';
  276. break;
  277. case 4:
  278. $name = 'ECC';
  279. break;
  280. case 5:
  281. $name = 'RSASHA1';
  282. break;
  283. case 6:
  284. $name = 'DSA-NSEC3-SHA1';
  285. break;
  286. case 7:
  287. $name = 'RSASHA1-NSEC3-SHA1';
  288. break;
  289. case 8:
  290. $name = 'RSASHA256';
  291. break;
  292. case 9:
  293. $name = 'Reserved';
  294. break;
  295. case 10:
  296. $name = 'RSASHA512';
  297. break;
  298. case 11:
  299. $name = 'Reserved';
  300. break;
  301. case 12:
  302. $name = 'ECC-GOST';
  303. break;
  304. case 13:
  305. $name = 'ECDSAP256SHA256';
  306. break;
  307. case 14:
  308. $name = 'ECDSAP384SHA384';
  309. break;
  310. case 252:
  311. $name = 'INDIRECT';
  312. break;
  313. case 253:
  314. $name = 'PRIVATEDNS';
  315. break;
  316. case 254:
  317. $name = 'PRIVATEOID';
  318. break;
  319. }
  320. return $name;
  321. }
  322. /** Return algorithm name for given short name
  323. *
  324. * @param string $short_name Short algorithm name
  325. * @return string Algorithm name
  326. */
  327. function dnssec_shorthand_to_algorithm_name($short_name) {
  328. $name = 'Unknown';
  329. switch ($short_name) {
  330. case "rsamd5":
  331. $name = dnssec_algorithm_to_name(1);
  332. break;
  333. case "dh":
  334. $name = dnssec_algorithm_to_name(2);
  335. break;
  336. case "dsa":
  337. $name = dnssec_algorithm_to_name(3);
  338. break;
  339. case "ecc":
  340. $name = dnssec_algorithm_to_name(4);
  341. break;
  342. case "rsasha1":
  343. $name = dnssec_algorithm_to_name(5);
  344. break;
  345. case "rsasha256":
  346. $name = dnssec_algorithm_to_name(8);
  347. break;
  348. case "rsasha512":
  349. $name = dnssec_algorithm_to_name(10);
  350. break;
  351. case "gost":
  352. $name = dnssec_algorithm_to_name(12);
  353. break;
  354. case "ecdsa256":
  355. $name = dnssec_algorithm_to_name(13);
  356. break;
  357. case "ecdsa384":
  358. $name = dnssec_algorithm_to_name(14);
  359. break;
  360. case "ed25519":
  361. $name = dnssec_algorithm_to_name(250);
  362. break;
  363. }
  364. return $name;
  365. }
  366. /** Get name of digest type
  367. *
  368. * @param int $type Digest type id
  369. *
  370. * @return string digest name
  371. */
  372. function dnssec_get_digest_name($type) {
  373. $name = 'Unknown';
  374. switch ($type) {
  375. case 1:
  376. $name = 'SHA-1';
  377. break;
  378. case 2:
  379. $name = 'SHA-256 ';
  380. break;
  381. }
  382. return $name;
  383. }
  384. /** Check if zone is secured
  385. *
  386. * @param string $domain_name Domain Name
  387. *
  388. * @return string string containing dns key
  389. */
  390. function dnssec_get_dnskey_record($domain_name) {
  391. $call_result = dnssec_call_pdnssec('show-zone', $domain_name);
  392. $output = $call_result[0];
  393. $return_code = $call_result[1];
  394. if ($return_code != 0) {
  395. error(ERR_EXEC_PDNSSEC_SHOW_ZONE);
  396. return false;
  397. }
  398. $dns_key = '';
  399. foreach ($output as $line) {
  400. if (substr($line, 0, 3) == 'KSK') {
  401. $items = explode(' ', $line);
  402. $dns_key = join(" ", array_slice($items, 3));
  403. }
  404. }
  405. return $dns_key;
  406. }
  407. /** Activate zone key
  408. *
  409. * @param string $domain_name Domain Name
  410. * @param $key_id
  411. *
  412. * @return bool true on success, false on failure
  413. */
  414. function dnssec_activate_zone_key($domain_name, $key_id) {
  415. $call_result = dnssec_call_pdnssec('activate-zone-key', join(" ", array($domain_name, $key_id)));
  416. $return_code = $call_result[1];
  417. if ($return_code != 0) {
  418. error(ERR_EXEC_PDNSSEC_SHOW_ZONE);
  419. return false;
  420. }
  421. log_info(sprintf('client_ip:%s user:%s operation:dnssec_activate_zone_key zone:%s key_id:%s',
  422. $_SERVER['REMOTE_ADDR'], $_SESSION['userlogin'], $domain_name, $key_id));
  423. return true;
  424. }
  425. /** Deactivate zone key
  426. *
  427. * @param string $domain_name Domain Name
  428. * @param $key_id
  429. *
  430. * @return bool true on success, false on failure
  431. */
  432. function dnssec_deactivate_zone_key($domain_name, $key_id) {
  433. $call_result = dnssec_call_pdnssec('deactivate-zone-key', join(" ", array($domain_name, $key_id)));
  434. $return_code = $call_result[1];
  435. if ($return_code != 0) {
  436. error(ERR_EXEC_PDNSSEC_SHOW_ZONE);
  437. return false;
  438. }
  439. log_info(sprintf('client_ip:%s user:%s operation:dnssec_deactivate_zone_key zone:%s key_id:%s',
  440. $_SERVER['REMOTE_ADDR'], $_SESSION['userlogin'], $domain_name, $key_id));
  441. return true;
  442. }
  443. /** Get list of existing DNSSEC keys
  444. *
  445. * @param string $domain_name Domain Name
  446. *
  447. * @return mixed[] array with DNSSEC keys
  448. */
  449. function dnssec_get_keys($domain_name) {
  450. $call_result = dnssec_call_pdnssec('show-zone', $domain_name);
  451. $output = $call_result[0];
  452. $return_code = $call_result[1];
  453. if ($return_code != 0) {
  454. error(ERR_EXEC_PDNSSEC_SHOW_ZONE);
  455. return false;
  456. }
  457. $keys = array();
  458. foreach ($output as $line) {
  459. if (substr($line, 0, 2) == 'ID') {
  460. $items = explode(' ', $line);
  461. $bits_array = explode("\t", $items[12]);
  462. $keys[] = array($items[2], substr($items[3], 1, -2), substr($items[6], 0, -1), substr($items[9], 0, -1), $bits_array[0], $items[13]);
  463. }
  464. }
  465. return $keys;
  466. }
  467. /** Create new DNSSEC key
  468. *
  469. * @param string $domain_name Domain Name
  470. * @param string $key_type Key type
  471. * @param string $bits Bits in length
  472. * @param string $algorithm Algorithm
  473. *
  474. * @return boolean true on success, false on failure
  475. */
  476. function dnssec_add_zone_key($domain_name, $key_type, $bits, $algorithm) {
  477. $call_result = dnssec_call_pdnssec('add-zone-key', join(" ", array($domain_name, $key_type, $bits, $algorithm)));
  478. $return_code = $call_result[1];
  479. if ($return_code != 0) {
  480. error(ERR_EXEC_PDNSSEC_ADD_ZONE_KEY);
  481. return false;
  482. }
  483. log_info(sprintf('client_ip:%s user:%s operation:dnssec_add_zone_key zone:%s type:%s bits:%s algorithm:%s',
  484. $_SERVER['REMOTE_ADDR'], $_SESSION['userlogin'], $domain_name, $key_type, $bits, $algorithm));
  485. return true;
  486. }
  487. /** Remove DNSSEC key
  488. *
  489. * @param string $domain_name Domain Name
  490. * @param int $key_id Key ID
  491. *
  492. * @return boolean true on success, false on failure
  493. */
  494. function dnssec_remove_zone_key($domain_name, $key_id) {
  495. $call_result = dnssec_call_pdnssec('remove-zone-key', join(" ", array($domain_name, $key_id)));
  496. $return_code = $call_result[1];
  497. if ($return_code != 0) {
  498. error(ERR_EXEC_PDNSSEC_ADD_ZONE_KEY);
  499. return false;
  500. }
  501. log_info(sprintf('client_ip:%s user:%s operation:dnssec_remove_zone_key zone:%s key_id:%s',
  502. $_SERVER['REMOTE_ADDR'], $_SESSION['userlogin'], $domain_name, $key_id));
  503. return true;
  504. }
  505. /** Check if given key exists
  506. *
  507. * @param string $domain_name Domain Name
  508. * @param int $key_id Key ID
  509. *
  510. * @return boolean true if exists, otherwise false
  511. */
  512. function dnssec_zone_key_exists($domain_name, $key_id) {
  513. $keys = dnssec_get_keys($domain_name);
  514. foreach ($keys as $key) {
  515. if ($key[0] == $key_id) {
  516. return true;
  517. }
  518. }
  519. return false;
  520. }
  521. /** Return requested key
  522. *
  523. * @param string $domain_name Domain Name
  524. * @param int $key_id Key ID
  525. *
  526. * @return mixed[] true if exists, otherwise false
  527. */
  528. function dnssec_get_zone_key($domain_name, $key_id) {
  529. $keys = dnssec_get_keys($domain_name);
  530. foreach ($keys as $key) {
  531. if ($key[0] == $key_id) {
  532. return $key;
  533. }
  534. }
  535. return array();
  536. }