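def delzone(zone):
    # Remove a zone from Knot DNS, so it is no longer served.
    # Note: The removal is even done when key material still
    # exists.  In this case, the zone is no longer delivered
    # but the key material is assumed to be cleaned up by an
    # orthogonal process [that will shrug if the zone has
    # been removed already].
    #
    # Note: Zone deletion is not done in the parenting procedure,
    # as it can silently ignore the case of a deleted zone (for which
    # we need, at minimum, the SOA record).  The parenting exchange
    # needs no hint when we delete a zone.
    #
    # Why no shell: the zone name used to be spliced into a command
    # string, so a name containing a double quote or a shell
    # metacharacter could alter the knotc command line.  Each knotc
    # call now runs directly, with the zone name as one argv word.
    # The status values logged on failure are therefore exit codes
    # (127 when the binary is missing), not os.system() wait statuses.
    #
    # The lock is released (file closed) even when an exception escapes.
    import subprocess

    def _knotc(*args):
        # Exit status of /usr/sbin/knotc with the given arguments.
        try:
            return subprocess.call(['/usr/sbin/knotc'] + list(args))
        except OSError:
            return 127

    # NOTE(review): the lock path is in world-writable /tmp and is shared
    # with the other knotc wrappers, so it is kept; append mode avoids
    # truncating whatever the path happens to point at.  A directory only
    # this service can write would be the safer home for it.
    with open('/tmp/knotc-global-lock', 'a') as global_lock:
        fcntl.lockf(global_lock, fcntl.LOCK_EX)
        rv0 = _knotc('conf-begin')
        rv1 = 0
        rv2 = 0
        if rv0 == 0:
            rv1 = _knotc('conf-unset', 'zone.domain', zone)
        if rv0 == 0 and rv1 == 0:
            rv2 = _knotc('-f', 'zone-purge', zone)
        if rv0 == 0 and rv1 == 0 and rv2 == 0:
            _knotc('conf-commit')
        else:
            # Only abort a transaction that was actually opened.
            if rv0 == 0:
                _knotc('conf-abort')
            log_error('Knot DNS could not delete zone', zone,
                      '(%d,%d,%d)' % (rv0, rv1, rv2))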
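def zone_add(zone, knot_zone_file):
    # Zone additions are deliberately not handled in the parenting
    # exchange; the error message points callers at ods-zonerecv.  The
    # signature (zone, knot_zone_file) is kept so that an accidental
    # caller fails with this clear message rather than a TypeError.
    #
    # The unreachable draft implementation that used to follow the raise
    # (a knotc conf-begin / conf-set transaction writing a placeholder SOA)
    # has been removed: it could never run, and it shelled out with the
    # zone name spliced into the command string.
    #
    # Raises NotImplementedError unconditionally.
    raise NotImplementedError(
        'Add zones in ods-zonerecv instead of in ods-parenting-exchange')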
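def connect():
    # Open a TLS connection to the SIDN registry at sidn_host:sidn_port,
    # run the EPP hello() and login() exchange on it and return the
    # connected socket.
    #
    # Why a context: ssl.wrap_socket() with cert_reqs=CERT_REQUIRED only
    # checked that the server certificate chains to the CA list in
    # sidn_root; it did not check that the certificate is for sidn_host,
    # so any certificate issued by a listed CA was accepted.  The context
    # (available since Python 2.7.9 / 3.4) verifies both.
    #
    # On any failure the error is logged, the half-open socket is closed
    # and the exception is re-raised for the caller.
    context = ssl.create_default_context(cafile=sidn_root)
    context.verify_mode = ssl.CERT_REQUIRED
    context.check_hostname = True
    sox = None
    soxplus = None
    try:
        sox = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        soxplus = context.wrap_socket(sox, server_hostname=sidn_host)
        soxplus.connect((sidn_host, sidn_port))
        hello(soxplus)
        login(soxplus)
        return soxplus
    except Exception:
        # Exception, not a bare except: Ctrl-C must not be reported as a
        # registry connection failure.
        log_error('Failed to securely connect to server %s:%d\n' %
                  (sidn_host, sidn_port))
        victim = soxplus if soxplus is not None else sox
        if victim is not None:
            victim.close()
        raise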
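def addzone(zone, zonedata):
    # Ensure that a zone is served by Knot DNS.
    # Note: Key setup and DNSSEC signing is orthogonally setup;
    # it defaults to being off, so an unsigned zone is delivered.
    #
    # Note: This procedure is idempotent, zone additions are neutral
    # for already-existing zones.
    #
    # Note: Zone addition is not done in the parenting procedure,
    # as it makes little sense there without actual zone data (with,
    # at minimum, the SOA record).  The parenting exchange will get
    # a hint when we add a zone though, so it can append any child
    # name server records as soon as we add the zone.
    #
    # Why no shell: the zone name used to be spliced into command strings,
    # so a name containing a double quote or shell metacharacter could
    # alter the knotc / ods-keyops-knot-sharekey command lines.  Every
    # command now runs directly with the zone name as one argv word.  The
    # zone name also names the zone file under /var/opendnssec/signed/, so
    # a name with a path separator (or NUL) is rejected up front.
    #
    # Status values logged on failure are exit codes (127 for a missing
    # binary), not os.system() wait statuses; the lock is released even
    # when an exception escapes.
    import subprocess

    def _run(argv):
        # Exit status of argv run directly (no shell); 127 if not found.
        try:
            return subprocess.call(argv)
        except OSError:
            return 127

    def _knotc(*args):
        return _run(['/usr/sbin/knotc'] + list(args))

    if not zone or '/' in zone or '\0' in zone:
        log_error('Knot DNS could not add zone', zone, '(invalid zone name)')
        return

    # NOTE(review): the lock path is in world-writable /tmp and shared with
    # the other knotc wrappers, so it is kept; append mode avoids
    # truncating whatever the path happens to point at.
    with open('/tmp/knotc-global-lock', 'a') as global_lock:
        fcntl.lockf(global_lock, fcntl.LOCK_EX)
        rv0 = _knotc('conf-begin')
        rv1 = 0
        rv2 = 0
        if rv0 == 0:
            _knotc('conf-set', 'zone.domain', zone)
            # Ignore the result; the zone may already exist; check that
            rv1 = _knotc('conf-get', 'zone[' + zone + ']')
        if rv0 == 0 and rv1 == 0:
            knot_signed = '/var/opendnssec/signed/' + zone + '.txt'
            # Readable and writable by owner and group, nothing for others.
            shared = stat.S_IRUSR | stat.S_IWUSR | stat.S_IRGRP | stat.S_IWGRP
            try:
                with open(knot_signed, 'w') as fd:
                    fd.write(zonedata)
                os.chmod(knot_signed, shared)
                rv2 = _knotc('conf-set', 'zone[' + zone + '].file',
                             knot_signed)
            except Exception as exc:
                # Same best-effort outcome as the old bare except (rv2 = 2),
                # but the reason is recorded instead of discarded.
                log_error('Could not write zone file', knot_signed, str(exc))
                rv2 = 2
        if rv0 == 0 and rv1 == 0 and rv2 == 0:
            _knotc('conf-commit')
            log_debug('CMD> ods-keyops-knot-sharekey "' + zone + '"')
            _run(['ods-keyops-knot-sharekey', zone])
        else:
            # Only abort a transaction that was actually opened.
            if rv0 == 0:
                _knotc('conf-abort')
            log_error('Knot DNS could not add zone', zone,
                      '(%d,%d,%d)' % (rv0, rv1, rv2))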
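def connect():
    #
    # Create the queueing infrastructure for the parent exchange.
    #
    # Returns the pair (connection, channel) for the RabbitMQ connection
    # built from rabbitdnssec's credentials and connection parameters.
    # A channel-level AMQP error is logged and ends the program with
    # status 1.
    #
    # "except X as e" is the form accepted by Python 2.6+ and Python 3;
    # the old "except X, e" is a syntax error on Python 3.
    creds = rabbitdnssec.my_credentials(ovr_username='******')
    cnxparm = rabbitdnssec.my_connectionparameters(creds)
    try:
        intcnx = pika.BlockingConnection(cnxparm)
        chan = intcnx.channel()
        #TODO:CLASS# chan.basic_consume (process_msg, queue=queue_name)
        #TODO:NOTHERE# chan.tx_select ()
        #TODO:CLASS# chan.start_consuming ()
        return (intcnx, chan)
    except pika.exceptions.AMQPChannelError as e:
        log_error('AMQP Channel Error:', e)
        sys.exit(1)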
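def zone_del(zone):
    # Zone deletions are deliberately not handled in the parenting
    # exchange; the error message points callers at ods-zonerecv.  The
    # signature (zone) is kept so that an accidental caller fails with
    # this clear message rather than a TypeError.
    #
    # The unreachable draft implementation that used to follow the raise
    # (a knotc conf-begin / conf-unset / zone-purge transaction) has been
    # removed: it could never run, and it shelled out with the zone name
    # spliced into the command string.
    #
    # Raises NotImplementedError unconditionally.
    raise NotImplementedError(
        'Delete zones in ods-zonerecv instead of in ods-parenting-exchange')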
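def syncio(sox, query):
    # Send one framed EPP query over sox (when query is non-empty) and read
    # back one framed response, returned as a parsed XML tree.
    #
    # Framing: a 4-byte big-endian length that counts itself, followed by
    # the XML text.  Each stage logs its own failure and re-raises.
    #
    # Fixes: the receive loop used to spin forever when the peer closed the
    # connection mid-response (sox.read() returning '' leaves the received
    # length unchanged), and a short read of the 4-byte header handed
    # struct.unpack a too-short buffer; both now raise.  A header claiming
    # fewer than 4 bytes is rejected as a protocol error.  send() became
    # sendall(), so a partially sent frame is no longer silently possible.
    # Handlers catch Exception, not everything, so Ctrl-C is not logged
    # as a registry failure.
    #
    # NOTE(review): like the rest of this file, this assumes Python 2 text
    # handling (str is bytes); on Python 3 query and the result of
    # sox.read() are bytes, and the "| " quoting in the parse-error log
    # would need bytes arguments -- confirm before porting.

    def _read_exact(count):
        # Collect exactly count bytes from sox; a closed connection raises.
        chunks = []
        missing = count
        while missing > 0:
            chunk = sox.read(missing)
            if not chunk:
                raise EOFError('registry server closed the connection '
                               'with %d bytes outstanding' % missing)
            chunks.append(chunk)
            missing -= len(chunk)
        return b''.join(chunks)

    try:
        if query:
            #DEBUG_SHOWS_PASSWORD# sys.stdout.write (query)
            query = struct.pack('>L', 4 + len(query)) + query
            sox.sendall(query)
        else:
            log_debug('Picking up response without sending a query\n')
    except Exception:
        log_error('Failed to send message to registry server\n')
        raise
    try:
        resplen = struct.unpack('>L', _read_exact(4))[0] - 4
        if resplen < 0:
            raise ValueError('registry frame length is below header size')
        # syslog (LOG_DEBUG, 'Receiving %d response bytes from registry' % resplen)
        xmltext = _read_exact(resplen)
        #DEBUG_SHOWS_ANYTHING# sys.stdout.write (xmltext)
    except Exception:
        log_error('Failed to receive reply from registry server\n')
        raise
    try:
        return etree.fromstring(xmltext)
    except Exception:
        log_error('Failed to parse XML:\n| ' + xmltext.replace('\n', '\n| '))
        raise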
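def zone_update(zone, new_zone_file, knot_zone_file):
    # Bring the zone served by Knot DNS in line with new_zone_file, then
    # verify that the served zone now matches it.
    #
    # Steps, unchanged from the shell pipeline version:
    #   1. dump the served zone with "knotc zone-read" and strip the
    #      leading "[...] " prefix from every line (formerly done by sed);
    #   2. feed the output of "ldns-zonediff -k -o <zone> <dump> <new>"
    #      into knotc, which applies the differences; not checked;
    #   3. dump again and run "ldns-zonediff -o <zone> <dump> <new>"; a
    #      nonzero exit is logged as an incomplete update.
    #
    # Why no shell: the zone name and file names used to be spliced into
    # command strings, so a name containing a quote or a shell
    # metacharacter could run arbitrary commands; each tool now runs
    # directly with the values as single argv words.  The scratch dump
    # goes to a private temporary file instead of the predictable path
    # /tmp/<zone>, which another local user could pre-create or replace
    # with a symlink.
    #
    # knot_zone_file is kept in the signature for the callers but, as
    # before, not used here.
    import re
    import subprocess
    import tempfile

    # Prefix that "knotc zone-read" puts in front of every record line.
    prefix = re.compile(br'^\[[^]]*\] *')

    def _log_cmd(argv):
        log_debug('CMD> ' + ' '.join(argv))

    def _dump_served_zone(path):
        # Write the served zone, prefix stripped, to path.  If knotc fails
        # or is missing, whatever it produced (possibly nothing) is written,
        # mirroring the old "knotc | sed > file" pipeline.
        argv = ['/usr/sbin/knotc', 'zone-read', zone]
        _log_cmd(argv)
        try:
            dump = subprocess.check_output(argv)
        except subprocess.CalledProcessError as exc:
            dump = exc.output or b''
        except OSError:
            dump = b''
        with open(path, 'wb') as fd:
            for line in dump.splitlines(True):
                fd.write(prefix.sub(b'', line))

    def _apply_diff(dump_file):
        # Pipe the keyed zone diff into knotc; as in the original pipeline
        # the outcome is not checked here -- the final diff verifies it.
        argv = ['ldns-zonediff', '-k', '-o', zone, dump_file, new_zone_file]
        _log_cmd(argv + ['|', '/usr/sbin/knotc'])
        try:
            changes = subprocess.check_output(argv)
        except subprocess.CalledProcessError as exc:
            changes = exc.output or b''
        except OSError:
            return
        try:
            knotc = subprocess.Popen(['/usr/sbin/knotc'],
                                     stdin=subprocess.PIPE)
            knotc.communicate(changes)
        except OSError:
            pass

    def _verify(dump_file):
        # Exit status of the final, non-applying diff; 127 if missing.
        argv = ['ldns-zonediff', '-o', zone, dump_file, new_zone_file]
        _log_cmd(argv)
        try:
            return subprocess.call(argv)
        except OSError:
            return 127

    handle, tmp_zone_file = tempfile.mkstemp(prefix='knot-zone-update-')
    os.close(handle)
    try:
        _dump_served_zone(tmp_zone_file)
        _apply_diff(tmp_zone_file)
        # ignore previous result, but check the result
        _dump_served_zone(tmp_zone_file)
        exitval = _verify(tmp_zone_file)
    finally:
        os.unlink(tmp_zone_file)
    if exitval != 0:
        log_error(
            'Knot DNS has not received/processed complete zone file update for',
            zone)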
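def zone_exists(zone_name=''):
    # Return True when Knot DNS serves zone_name, otherwise log an error
    # and return False.  Probes with "knotc zone-read", output discarded.
    #
    # Why no shell: the zone name used to be spliced into a single-quoted
    # command string, so a name containing a quote could alter the command
    # line.  knotc is now run directly (still looked up on PATH, as before)
    # with the zone name as one argv word; a missing binary counts as
    # "no zone", the way the shell's exit status did.
    import subprocess
    with open(os.devnull, 'wb') as devnull:
        try:
            rc = subprocess.call(['knotc', 'zone-read', zone_name],
                                 stdout=devnull)
        except OSError:
            rc = 127
    if rc != 0:
        log_error('Have no zone for ', zone_name)
        return False
    return True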
def fatal(errstr):
    # Report errstr as a fatal error, flush/close the log and leave the
    # process with exit status 1.  Never returns.
    log_error('Fatal error:', errstr, '-- Closing shell with force')
    closelog()
    raise SystemExit(1)
#
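# Registry (SIDN) connection settings taken from the configuration:
# host and TCP port, the EPP account name and its password (a secret:
# keep it out of log lines), the CA list used to verify the server
# certificate, and the path of the EPP lock file.
sidn_host = cfg['registry_sidn_host']
sidn_port = int(cfg['registry_sidn_port'])
sidn_user = cfg['registry_sidn_account']
sidn_pass = cfg['registry_sidn_password']
sidn_root = cfg['registry_sidn_calist']
sidn_lock = cfg['registry_sidn_epplock']

# Check invocation when called as main script
#
#TODO# Perhaps skip configuration file parsing for main script?
#
server_tuple = None
if __name__ == '__main__':
    if len(sys.argv) > 3:
        log_error('Usage: ' + sys.argv[0] + ' [<registry> [<port>]]\n')
        sys.exit(1)
    if len(sys.argv) >= 2:
        # Override hostname
        sidn_host = sys.argv[1]
    if len(sys.argv) >= 3:
        # Override port.  Only int() can fail here, so only ValueError is
        # caught; the former bare "except:" also swallowed SystemExit and
        # KeyboardInterrupt.  sys.argv[2] is guaranteed to exist in this
        # branch, so the message below cannot raise IndexError.
        try:
            sidn_port = int(sys.argv[2])
        except ValueError:
            log_error('Registry ' + sys.argv[1] + ':' + sys.argv[2] +
                      ' is unknown\n')
            sys.exit(1)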

#
# A few oft-used strings as an easy-to-use (constant-value) variable
    creds = rabbitdnssec.my_credentials(ovr_username='******')
    cnxparm = rabbitdnssec.my_connectionparameters(creds)
    intcnx = None
    chan = None
    try:
        intcnx = pika.BlockingConnection(cnxparm)
        chan = intcnx.channel()
        #TODO:CLASS# chan.basic_consume (process_msg, queue=queue_name)
        #TODO:NOTHERE# chan.tx_select ()
        #TODO:CLASS# chan.start_consuming ()
        return (intcnx, chan)
    except pika.exceptions.AMQPChannelError, e:
        log_error('AMQP Channel Error:', e)
        sys.exit(1)
    except pika.exceptions.AMQPError, e:
        log_error('AMQP Error:', e)
        sys.exit(1)


#
# Terminate any outstanding connection to the local parent
#
def disconnect(cnx):
    (intcnx, chan) = cnx
    #
    # To end this program, unwind all instances and unregister our own
    # callback to cb_uploaded_hint().
    #
    chan.basic_cancel(uploaded_hints_tag)
    for pex in parenting_exchange.values():
        pex.close()