robin.thoni
/
docker-pdns-server
Watch 1
Star 0
Fork 0
Code Issues 4 Pull Requests 0 Releases 8 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
2 Commits
2 Branches
Tree: a628060c97
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'a628060c97'
${ noResults }
docker-pdns-server/poweradmin/poweradmin-2.1.7/inc/dnssec.inc.php

dnssec.inc.php 14KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580 
  1. <?php

  2. 

  3. /*  Poweradmin, a friendly web-based admin tool for PowerDNS.

  4.  *  See <http://www.poweradmin.org> for more details.

  5.  *

  6.  *  Copyright 2007-2009  Rejo Zenger <rejo@zenger.nl>

  7.  *  Copyright 2010-2014  Poweradmin Development Team

  8.  *      <http://www.poweradmin.org/credits.html>

  9.  *

  10.  *  This program is free software: you can redistribute it and/or modify

  11.  *  it under the terms of the GNU General Public License as published by

  12.  *  the Free Software Foundation, either version 3 of the License, or

  13.  *  (at your option) any later version.

  14.  *

  15.  *  This program is distributed in the hope that it will be useful,

  16.  *  but WITHOUT ANY WARRANTY; without even the implied warranty of

  17.  *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

  18.  *  GNU General Public License for more details.

  19.  *

  20.  *  You should have received a copy of the GNU General Public License

  21.  *  along with this program.  If not, see <http://www.gnu.org/licenses/>.

  22.  */

  23. 

  24. /**

  25.  * DNSSEC functions

  26.  *

  27.  * @package Poweradmin

  28.  * @copyright   2007-2010 Rejo Zenger <rejo@zenger.nl>

  29.  * @copyright   2010-2014 Poweradmin Development Team

  30.  * @license     http://opensource.org/licenses/GPL-3.0 GPL

  31.  */

  32. 

  33. /** Check if it's possible to execute dnssec command

  34.  *

  35.  * @return boolean true on success, false on failure

  36.  */

  37. function is_pdnssec_callable() {

  38.     global $pdnssec_command;

  39. 

  40.     if (!function_exists('exec')) {

  41.         error(ERR_EXEC_NOT_ALLOWED);

  42.         return false;

  43.     }

  44. 

  45.     if (!file_exists($pdnssec_command) || !is_executable($pdnssec_command)) {

  46.         error(ERR_EXEC_PDNSSEC);

  47.         return false;

  48.     }

  49. 

  50.     return true;

  51. }

  52. 

  53. /** Execute dnssec utility

  54.  *

  55.  * @return mixed[] Array with output from command execution and error code

  56.  */

  57. function call_dnssec($command, $args) {

  58.     global $pdnssec_command;

  59.     $output = '';

  60.     $return_code = -1;

  61. 

  62.     if (!is_pdnssec_callable()) {

  63.         return array($output, $return_code);

  64.     }

  65. 

  66.     $command = join(' ', array(

  67.         $pdnssec_command,

  68.         $command,

  69.         $args)

  70.     );

  71. 

  72.     exec($command, $output, $return_code);

  73. 

  74.     return array($output, $return_code);

  75. }

  76. 

  77. /** Execute PDNSSEC rectify-zone command for Domain ID

  78.  *

  79.  * If a Domain is dnssec enabled, or uses features as

  80.  * e.g. ALSO-NOTIFY, ALLOW-AXFR-FROM, TSIG-ALLOW-AXFR

  81.  * following has to be executed

  82.  * pdnssec rectify-zone $domain

  83.  *

  84.  * @param int $domain_id Domain ID

  85.  *

  86.  * @return boolean true on success, false on failure or unnecessary

  87.  */

  88. function dnssec_rectify_zone($domain_id) {

  89.     global $db;

  90.     global $pdnssec_command;

  91. 

  92.     $output = array();

  93. 

  94.     /* if pdnssec_command is set we perform ``pdnssec rectify-zone $domain`` on all zones,

  95.      * as pdns needs the "auth" column for all zones if dnssec is enabled

  96.      *

  97.      * If there is any entry at domainmetadata table for this domain,

  98.      * it is an error if pdnssec_command is not set */

  99.     $query = "SELECT COUNT(id) FROM domainmetadata WHERE domain_id = " . $db->quote($domain_id, 'integer');

  100.     $count = $db->queryOne($query);

  101. 

  102.     if (PEAR::isError($count)) {

  103.         error($count->getMessage());

  104.         return false;

  105.     }

  106. 

  107.     if (isset($pdnssec_command)) {

  108.         $domain = get_zone_name_from_id($domain_id);

  109.         $command = $pdnssec_command . " rectify-zone " . $domain;

  110. 

  111.         if (!is_pdnssec_callable()) {

  112.             return false;

  113.         }

  114. 

  115.         exec($command, $output, $return_code);

  116.         if ($return_code != 0) {

  117.             error(ERR_EXEC_PDNSSEC_RECTIFY_ZONE);

  118.             return false;

  119.         }

  120. 

  121.         return true;

  122.     } else if ($count >= 1) {

  123.         error(ERR_EXEC_PDNSSEC);

  124.         return false;

  125.     }

  126. 

  127.     return false;

  128. }

  129. 

  130. /** Execute PDNSSEC secure-zone command for Domain Name

  131.  *

  132.  * @param string $domain_name Domain Name

  133.  *

  134.  * @return boolean true on success, false on failure or unnecessary

  135.  */

  136. function dnssec_secure_zone($domain_name) {

  137.     $call_result = call_dnssec('secure-zone', $domain_name);

  138.     $return_code = $call_result[1];

  139. 

  140.     if ($return_code != 0) {

  141.         error(ERR_EXEC_PDNSSEC_SECURE_ZONE);

  142.         return false;

  143.     }

  144. 

  145.     return true;

  146. }

  147. 

  148. /** Execute PDNSSEC disable-dnssec command for Domain Name

  149.  *

  150.  * @param string $domain_name Domain Name

  151.  *

  152.  * @return boolean true on success, false on failure or unnecessary

  153.  */

  154. function dnssec_unsecure_zone($domain_name) {

  155.     $call_result = call_dnssec('disable-dnssec', $domain_name);

  156.     $return_code = $call_result[1];

  157. 

  158.     if ($return_code != 0) {

  159.         error(ERR_EXEC_PDNSSEC_DISABLE_ZONE);

  160.         return false;

  161.     }

  162. 

  163.     return true;

  164. }

  165. 

  166. /** Check if zone is secured

  167.  *

  168.  * @param string $domain_name Domain Name

  169.  *

  170.  * @return boolean true on success, false on failure

  171.  */

  172. function dnssec_is_zone_secured($domain_name) {

  173.     $call_result = call_dnssec('show-zone', $domain_name);

  174.     $output = $call_result[0];

  175.     $return_code = $call_result[1];

  176. 

  177.     if ($return_code != 0) {

  178.         error(ERR_EXEC_PDNSSEC_SHOW_ZONE);

  179.         return false;

  180.     }

  181. 

  182.     return (count($output) == 0 ? false : true);

  183. }

  184. 

  185. /** Use presigned RRSIGs from storage

  186.  *

  187.  * @param string $domain_name Domain Name

  188.  */

  189. function dnssec_set_nsec3($domain_name) {

  190.     call_dnssec('set-nsec3', $domain_name);

  191. }

  192. 

  193. /** Switch back to NSEC

  194.  *

  195.  * @param string $domain_name Domain Name

  196.  */

  197. function dnssec_unset_nsec3($domain_name) {

  198.     call_dnssec('unset-nsec3', $domain_name);

  199. }

  200. 

  201. /** Return nsec type

  202.  *

  203.  * @param string $domain_name Domain Name

  204.  *

  205.  * @return string nsec or nsec3

  206.  */

  207. function dnssec_get_nsec_type($domain_name) {

  208.     $call_result = call_dnssec('show-zone', $domain_name);

  209.     $output = $call_result[0];

  210. 

  211.     return ($output[0] == 'Zone has NSEC semantics' ? 'nsec' : 'nsec3');

  212. }

  213. 

  214. /** Use presigned RRSIGs from storage

  215.  *

  216.  * @param string $domain_name Domain Name

  217.  */

  218. function dnssec_set_presigned($domain_name) {

  219.     call_dnssec('set-presigned', $domain_name);

  220. }

  221. 

  222. /** No longer use presigned RRSIGs

  223.  *

  224.  * @param string $domain_name Domain Name

  225.  */

  226. function dnssec_unset_presigned($domain_name) {

  227.     call_dnssec('unset-presigned', $domain_name);

  228. }

  229. 

  230. /** Return presigned status

  231.  *

  232.  * @param string $domain_name Domain Name

  233.  *

  234.  * @return boolean true if zone is presigned, otherwise false

  235.  */

  236. function dnssec_get_presigned_status($domain_name) {

  237.     $call_result = call_dnssec('show-zone', $domain_name);

  238.     $output = $call_result[0];

  239. 

  240.     return ($output[1] == 'Zone is presigned' ? true : false);

  241. }

  242. 

  243. /** Rectify all zones.

  244.  */

  245. function dnssec_rectify_all_zones() {

  246.     call_dnssec('rectify-all-zones', '');

  247. }

  248. 

  249. /** Return DS records

  250.  *

  251.  * @param string $domain_name Domain Name

  252.  *

  253.  * @return mixed[] DS records

  254.  */

  255. function dnssec_ds_records($domain_name) {

  256.     $call_result = call_dnssec('show-zone', $domain_name);

  257.     $output = $call_result[0];

  258.     $return_code = $call_result[1];

  259. 

  260.     if ($return_code != 0) {

  261.         error(ERR_EXEC_PDNSSEC_SHOW_ZONE);

  262.         return false;

  263.     }

  264. 

  265.     $ds_records = array();

  266.     foreach ($output as $line) {

  267.         if (substr($line, 0, 2) == 'DS') {

  268.             $items = explode(' ', $line);

  269.             $ds_line = join(" ", array_slice($items, 2));

  270.             $ds_records[] = $ds_line;

  271.         }

  272.     }

  273. 

  274.     return $ds_records;

  275. }

  276. 

  277. /** Return algorithm name for given number

  278.  *

  279.  * @param int $algo Algorithm id

  280.  *

  281.  * @return string algorithm name

  282.  */

  283. function dnssec_algorithm_to_name($algo) {

  284.     $name = 'Unallocated/Reserved';

  285. 

  286.     switch ($algo) {

  287.         case 0:

  288.             $name = 'Reserved';

  289.             break;

  290.         case 1:

  291.             $name = 'RSAMD5';

  292.             break;

  293.         case 2:

  294.             $name = 'DH';

  295.             break;

  296.         case 3:

  297.             $name = 'DSA';

  298.             break;

  299.         case 4:

  300.             $name = 'ECC';

  301.             break;

  302.         case 5:

  303.             $name = 'RSASHA1';

  304.             break;

  305.         case 6:

  306.             $name = 'DSA-NSEC3-SHA1';

  307.             break;

  308.         case 7:

  309.             $name = 'RSASHA1-NSEC3-SHA1';

  310.             break;

  311.         case 8:

  312.             $name = 'RSASHA256';

  313.             break;

  314.         case 9:

  315.             $name = 'Reserved';

  316.             break;

  317.         case 10:

  318.             $name = 'RSASHA512';

  319.             break;

  320.         case 11:

  321.             $name = 'Reserved';

  322.             break;

  323.         case 12:

  324.             $name = 'ECC-GOST';

  325.             break;

  326.         case 13:

  327.             $name = 'ECDSAP256SHA256';

  328.             break;

  329.         case 14:

  330.             $name = 'ECDSAP384SHA384';

  331.             break;

  332.         case 252:

  333.             $name = 'INDIRECT';

  334.             break;

  335.         case 253:

  336.             $name = 'PRIVATEDNS';

  337.             break;

  338.         case 254:

  339.             $name = 'PRIVATEOID';

  340.             break;

  341.     }

  342. 

  343.     return $name;

  344. }

  345. 

  346. /** Return algorihtm name for given short name

  347.  *

  348.  * @param string $short_name Short algorithm name

  349.  */

  350. function dnssec_shorthand_to_algorithm_name($short_name) {

  351.     $name = 'Unknown';

  352. 

  353.     switch ($short_name) {

  354.         case "rsamd5":

  355.             $name = dnssec_algorithm_to_name(1);

  356.             break;

  357.         case "dh":

  358.             $name = dnssec_algorithm_to_name(2);

  359.             break;

  360.         case "dsa":

  361.             $name = dnssec_algorithm_to_name(3);

  362.             break;

  363.         case "ecc":

  364.             $name = dnssec_algorithm_to_name(4);

  365.             break;

  366.         case "rsasha1":

  367.             $name = dnssec_algorithm_to_name(5);

  368.             break;

  369.         case "rsasha256":

  370.             $name = dnssec_algorithm_to_name(8);

  371.             break;

  372.         case "rsasha512":

  373.             $name = dnssec_algorithm_to_name(10);

  374.             break;

  375.         case "gost":

  376.             $name = dnssec_algorithm_to_name(12);

  377.             break;

  378.         case "ecdsa256":

  379.             $name = dnssec_algorithm_to_name(13);

  380.             break;

  381.         case "ecdsa384":

  382.             $name = dnssec_algorithm_to_name(14);

  383.             break;

  384.         case "ed25519":

  385.             $name = dnssec_algorithm_to_name(250);

  386.             break;

  387.     }

  388. 

  389.     return $name;

  390. }

  391. 

  392. /** Get name of digest type

  393.  *

  394.  * @param int $type Digest type id

  395.  *

  396.  * @return string digest name

  397.  */

  398. function dnssec_get_digest_name($type) {

  399.     $name = 'Unknown';

  400. 

  401.     switch ($type) {

  402.         case 1:

  403.             $name = 'SHA-1';

  404.             break;

  405.         case 2:

  406.             $name = 'SHA-256 ';

  407.             break;

  408.     }

  409. 

  410.     return $name;

  411. }

  412. 

  413. /** Check if zone is secured

  414.  *

  415.  * @param string $domain_name Domain Name

  416.  *

  417.  * @return string string containing dns key

  418.  */

  419. function dnssec_dnskey_record($domain_name) {

  420.     $call_result = call_dnssec('show-zone', $domain_name);

  421.     $output = $call_result[0];

  422.     $return_code = $call_result[1];

  423. 

  424.     if ($return_code != 0) {

  425.         error(ERR_EXEC_PDNSSEC_SHOW_ZONE);

  426.         return false;

  427.     }

  428. 

  429.     $dns_key = '';

  430.     foreach ($output as $line) {

  431.         if (substr($line, 0, 3) == 'KSK') {

  432.             $items = explode(' ', $line);

  433.             $dns_key = join(" ", array_slice($items, 3));

  434.         }

  435.     }

  436. 

  437.     return $dns_key;

  438. }

  439. 

  440. /** Activate zone key

  441.  *

  442.  * @param string $domain_name Domain Name

  443.  *

  444.  * @return boolean true on success, false on failure

  445.  */

  446. function dnssec_activate_zone_key($domain_name, $key_id) {

  447.     $call_result = call_dnssec('activate-zone-key', join(" ", array($domain_name, $key_id)));

  448.     $return_code = $call_result[1];

  449. 

  450.     if ($return_code != 0) {

  451.         error(ERR_EXEC_PDNSSEC_SHOW_ZONE);

  452.         return false;

  453.     }

  454. 

  455.     return true;

  456. }

  457. 

  458. /** Deactivate zone key

  459.  *

  460.  * @param string $domain_name Domain Name

  461.  *

  462.  * @return boolean true on success, false on failure

  463.  */

  464. function dnssec_deactivate_zone_key($domain_name, $key_id) {

  465.     $call_result = call_dnssec('deactivate-zone-key', join(" ", array($domain_name, $key_id)));

  466.     $return_code = $call_result[1];

  467. 

  468.     if ($return_code != 0) {

  469.         error(ERR_EXEC_PDNSSEC_SHOW_ZONE);

  470.         return false;

  471.     }

  472. 

  473.     return true;

  474. }

  475. 

  476. /** Get list of existing DNSSEC keys

  477.  *

  478.  * @param string $domain_name Domain Name

  479.  *

  480.  * @return mixed[] array with DNSSEC keys

  481.  */

  482. function dnssec_get_keys($domain_name) {

  483.     $call_result = call_dnssec('show-zone', $domain_name);

  484.     $output = $call_result[0];

  485.     $return_code = $call_result[1];

  486. 

  487.     if ($return_code != 0) {

  488.         error(ERR_EXEC_PDNSSEC_SHOW_ZONE);

  489.         return false;

  490.     }

  491. 

  492.     $keys = array();

  493.     foreach ($output as $line) {

  494.         if (substr($line, 0, 2) == 'ID') {

  495.             $items = explode(' ', $line);

  496.             $bits_array = explode("\t", $items[12]);

  497.             $keys[] = array($items[2], substr($items[3], 1, -2), substr($items[6], 0, -1), substr($items[9], 0, -1), $bits_array[0], $items[13]);

  498.         }

  499.     }

  500. 

  501.     return $keys;

  502. }

  503. 

  504. /** Create new DNSSEC key

  505.  *

  506.  * @param string $domain_name Domain Name

  507.  * @param string $key_type Key type

  508.  * @param string $bits Bits in length

  509.  * @param string $algorithm Algorithm

  510.  *

  511.  * @return boolean true on success, false on failure

  512.  */

  513. function dnssec_add_zone_key($domain_name, $key_type, $bits, $algorithm) {

  514.     $call_result = call_dnssec('add-zone-key', join(" ", array($domain_name, $key_type, $bits, $algorithm)));

  515.     $return_code = $call_result[1];

  516. 

  517.     if ($return_code != 0) {

  518.         error(ERR_EXEC_PDNSSEC_ADD_ZONE_KEY);

  519.         return false;

  520.     }

  521. 

  522.     return true;

  523. }

  524. 

  525. /** Remove DNSSEC key

  526.  *

  527.  * @param string $domain_name Domain Name

  528.  * @param int $key_id Key ID

  529.  *

  530.  * @return boolean true on success, false on failure

  531.  */

  532. function dnssec_remove_zone_key($domain_name, $key_id) {

  533.     $call_result = call_dnssec('remove-zone-key', join(" ", array($domain_name, $key_id)));

  534.     $return_code = $call_result[1];

  535. 

  536.     if ($return_code != 0) {

  537.         error(ERR_EXEC_PDNSSEC_ADD_ZONE_KEY);

  538.         return false;

  539.     }

  540. 

  541.     return true;

  542. }

  543. 

  544. /** Check if given key exists

  545.  *

  546.  * @param string $domain_name Domain Name

  547.  * @param int $key_id Key ID

  548.  *

  549.  * @return boolean true if exists, otherwise false

  550.  */

  551. function dnssec_zone_key_exists($domain_name, $key_id) {

  552.     $keys = dnssec_get_keys($domain_name);

  553. 

  554.     foreach ($keys as $key) {

  555.         if ($key[0] == $key_id) {

  556.             return true;

  557.         }

  558.     }

  559. 

  560.     return false;

  561. }

  562. 

  563. /** Return requested key

  564.  *

  565.  * @param string $domain_name Domain Name

  566.  * @param int $key_id Key ID

  567.  *

  568.  * @return mixed[] true if exists, otherwise false

  569.  */

  570. function dnssec_get_zone_key($domain_name, $key_id) {

  571.     $keys = dnssec_get_keys($domain_name);

  572. 

  573.     foreach ($keys as $key) {

  574.         if ($key[0] == $key_id) {

  575.             return $key;

  576.         }

  577.     }

  578. 

  579.     return array();

  580. }