From e3465c57f5c78677b47415ace037801cd262f343 Mon Sep 17 00:00:00 2001 From: Rolf Sommerhalder Date: Sat, 1 Oct 2016 13:52:30 +0200 Subject: [PATCH] Correct filenames so DNSSEC signs Reverse Zones Without this change, inline signing fails to sign Reverse Zones because BIND expects to find the key files which were generated by ```dnssec-keygen``` with filenames ```/cf/named/etc/namedb/keys/K171.168.192.in-addr.arpa.+00...```. Still, this patch does not fix the problem where keys are restored from DNSSEC backup file for a zone that was previously created, then deleted, and finally re-created. Currently, when re-creating the signed Reverse Zone, it will restore the keys from the XML config using the (wrong) old filename. DNSSEC inline signing will fail to sign the newly created Reverse Zone.
---
 dns/pfSense-pkg-bind9/files/usr/local/pkg/bind.inc | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/dns/pfSense-pkg-bind9/files/usr/local/pkg/bind.inc b/dns/pfSense-pkg-bind9/files/usr/local/pkg/bind.inc
index 26a957db30e4..d4715e1c49b1 100644
--- a/dns/pfSense-pkg-bind9/files/usr/local/pkg/bind.inc
+++ b/dns/pfSense-pkg-bind9/files/usr/local/pkg/bind.inc
@@ -587,9 +587,18 @@ EOD;
 log_error("[bind] {$key_restored} DNSSEC keys restored from XML backup for {$zonename} zone.");
 }
 $dnssec_bin = "/usr/local/sbin/dnssec-keygen";
+ if ($zonereverso == "on") {
+ if ($zonereversv6o == "on") {
+ $z = "${zonename}.ip6.arpa";
+ } else {
+ $z = "${zonename}.in-addr.arpa";
+ }
+ } else {
+ $z = $zonename;
+ }
 if (file_exists($dnssec_bin) && $key_restored == 0) {
- exec("{$dnssec_bin} -K " . CHROOT_LOCALBASE . "/etc/namedb/keys {$zonename}", $kout);
- exec("{$dnssec_bin} -K " . CHROOT_LOCALBASE . "/etc/namedb/keys -fk {$zonename}", $kout);
+ exec("{$dnssec_bin} -K " . CHROOT_LOCALBASE . "/etc/namedb/keys {$z}", $kout);
+ exec("{$dnssec_bin} -K " . CHROOT_LOCALBASE . "/etc/namedb/keys -fk {$z}", $kout);
 foreach ($kout as $filename) {
 chown(CHROOT_LOCALBASE . "/etc/namedb/keys/{$filename}.key", "bind");
 chown(CHROOT_LOCALBASE . "/etc/namedb/keys/{$filename}.private", "bind");
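Review bot: `$z` is interpolated unquoted into the shell command string handed to exec() on the two rewritten lines, so a zone name containing shell metacharacters becomes part of the command rather than a single argument; the removed lines had the same exposure with `$zonename`, but since the commit is already touching these calls it is the natural place to close it, e.g. `exec("{$dnssec_bin} -K " . CHROOT_LOCALBASE . "/etc/namedb/keys " . escapeshellarg($z), $kout);` and `exec("{$dnssec_bin} -K " . CHROOT_LOCALBASE . "/etc/namedb/keys -fk " . escapeshellarg($z), $kout);`. Where `$zonename`, `$zonereverso` and `$zonereversv6o` are read and validated is outside this hunk, so whether they are already restricted to a safe character set cannot be confirmed from here. As a point of style, the new assignments use `"${zonename}.ip6.arpa"` while the surrounding lines use `{$zonename}`; the `{$var}` form is the one PHP keeps (the `${var}` spelling was deprecated in PHP 8.2), so `"{$zonename}.ip6.arpa"` and `"{$zonename}.in-addr.arpa"` keep the file consistent. A one-line comment above the new block, `// BIND names key files after the fully qualified zone, so reverse zones need their .arpa suffix here`, would record why `$z` differs from `$zonename`. The enclosing function starts and ends outside the hunk.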