Warn about bad BIND config

2017-08-22 20:24:50 -07:00 · 2017-08-22 20:24:50 -07:00 · db2659d9c5
commit db2659d9c5
parent e991e8199b
3 changed files with 25 additions and 1 deletions
--- a/bind8/bind8-lib.pl
+++ b/bind8/bind8-lib.pl
@ -4122,5 +4122,22 @@ else {
 	}
 }

+# check_dnssec_client()
+# If the DNSSEC client config is invalid, return a warning message
+sub check_dnssec_client
+{
+my $conf = &get_config();
+my $options = &find("options", $conf);
+my $mems = $options ? $options->{'members'} : [ ];
+my $en = &find_value("dnssec-enable", $mems);
+return undef if ($en !~ /yes/i);
+my $tkeys = &find("trusted-keys", $conf);
+return undef if (!$tkeys || !@{$tkeys->{'members'}});
+return &text('trusted_warning',
+	     $gconfig{'webprefix'}.'/bind8/conf_trusted.cgi')."<p>\n".
+       &ui_form_start($gconfig{'webprefix'}.'/bind8/fix_trusted.cgi')."\n".
+       &ui_form_end([ [ undef, $text{'trusted_fix'} ] ]);
+}
+
 1;

--- a/bind8/index.cgi
+++ b/bind8/index.cgi
@ -101,7 +101,6 @@ if (@zones && $access{'zones'} eq '*' && !$access{'ro'}) {
 	foreach my $z (@zones) {
                my $zonefile = &make_chroot(&absolute_path($z->{'file'}));
                if ($z->{'type'} eq 'master' && $z->{'file'} && !-r $zonefile) {
-                        print STDERR "Missing chrooted zone file '${zonefile}'\n";
 			push(@missing, $z);
 			}
 		}
@ -119,6 +118,12 @@ if (@zones && $access{'zones'} eq '*' && !$access{'ro'}) {
 		}
 	}

+# Check for obsolete DNSSEC config
+if ($access{'defaults'}) {
+	my $err = &check_dnssec_client();
+	print "<center>".$err."</center>" if ($err);
+	}
+
 if ($access{'defaults'}) {
 	# display global options
 	print &ui_subheading($text{'index_opts'});
--- a/bind8/lang/en
+++ b/bind8/lang/en
@ -1276,6 +1276,8 @@ trusted_ealg=Missing or invalid algorithm number in row $1
 trusted_ekey=Missing base-64 encoded trusted zone key in row $1
 trusted_setup=For DNSSEC to be useful to verify the majority of signed zones on the Internet, BIND must be configured to use a DLV server. Webmin can set this up for you, using the ICS DLV server at $1.
 trusted_ok=Setup DLV and Enable DNSSEC Verification
+trusted_warning=Warning! Your BIND DNSSEC client configuration contains out of date keys that will stop working in October 2017. Either use the <a href='$1'>BIND DNSSEC Verification page</a> to adjust the configuration, or click the button below.
+trusted_fix=Fix DNSSEC Configuration

 xfer_title=Test Zone Transfer
 xfer_doing=Testing transfer of slave zone from $1 ..