1berry/webmin
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Warn about bad BIND config

Browse Source
This commit is contained in:
Jamie Cameron 2017-08-22 20:24:50 -07:00
parent e991e8199b
commit db2659d9c5
3 changed files with 25 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
bind8/bind8-lib.pl
View File

@ -4122,5 +4122,22 @@ else {
} }
} }
# check_dnssec_client()
# If the DNSSEC client config is invalid, return a warning message
sub check_dnssec_client
{
my $conf = &get_config();
my $options = &find("options", $conf);
my $mems = $options ? $options->{'members'} : [ ];
my $en = &find_value("dnssec-enable", $mems);
return undef if ($en !~ /yes/i);
my $tkeys = &find("trusted-keys", $conf);
return undef if (!$tkeys || !@{$tkeys->{'members'}});
return &text('trusted_warning',
$gconfig{'webprefix'}.'/bind8/conf_trusted.cgi')."<p>\n".
&ui_form_start($gconfig{'webprefix'}.'/bind8/fix_trusted.cgi')."\n".
&ui_form_end([ [ undef, $text{'trusted_fix'} ] ]);
}
1; 1;

7
bind8/index.cgi
View File

@ -101,7 +101,6 @@ if (@zones && $access{'zones'} eq '*' && !$access{'ro'}) {
foreach my $z (@zones) { foreach my $z (@zones) {
my $zonefile = &make_chroot(&absolute_path($z->{'file'})); my $zonefile = &make_chroot(&absolute_path($z->{'file'}));
if ($z->{'type'} eq 'master' && $z->{'file'} && !-r $zonefile) { if ($z->{'type'} eq 'master' && $z->{'file'} && !-r $zonefile) {
print STDERR "Missing chrooted zone file '${zonefile}'\n";
push(@missing, $z); push(@missing, $z);
} }
} }
@ -119,6 +118,12 @@ if (@zones && $access{'zones'} eq '*' && !$access{'ro'}) {
} }
} }
# Check for obsolete DNSSEC config
if ($access{'defaults'}) {
my $err = &check_dnssec_client();
print "<center>".$err."</center>" if ($err);
}
if ($access{'defaults'}) { if ($access{'defaults'}) {
# display global options # display global options
print &ui_subheading($text{'index_opts'}); print &ui_subheading($text{'index_opts'});

2
bind8/lang/en
View File

@ -1276,6 +1276,8 @@ trusted_ealg=Missing or invalid algorithm number in row $1
trusted_ekey=Missing base-64 encoded trusted zone key in row $1 trusted_ekey=Missing base-64 encoded trusted zone key in row $1
trusted_setup=For DNSSEC to be useful to verify the majority of signed zones on the Internet, BIND must be configured to use a DLV server. Webmin can set this up for you, using the ICS DLV server at $1. trusted_setup=For DNSSEC to be useful to verify the majority of signed zones on the Internet, BIND must be configured to use a DLV server. Webmin can set this up for you, using the ICS DLV server at $1.
trusted_ok=Setup DLV and Enable DNSSEC Verification trusted_ok=Setup DLV and Enable DNSSEC Verification
trusted_warning=Warning! Your BIND DNSSEC client configuration contains out of date keys that will stop working in October 2017. Either use the <a href='$1'>BIND DNSSEC Verification page</a> to adjust the configuration, or click the button below.
trusted_fix=Fix DNSSEC Configuration
xfer_title=Test Zone Transfer xfer_title=Test Zone Transfer
xfer_doing=Testing transfer of slave zone from $1 .. xfer_doing=Testing transfer of slave zone from $1 ..