#!/bin/sh
# Secure dynamic DNS updates over GSS-TSIG (nsupdate -g), written to be
# called with the lease data dhcpd hands to its commit/release hooks.
# Version: 0.1
#
# Arguments: [-d] add ip-address dhcid|mac-address hostname [dns-ttl]
#            [-d] delete ip-address dhcid|mac-address
# Optional environment: KRB5MIT, NSUPDFLAGS, DEBUG (see below).

## CONFIGURATION ##
realm="DOMAIN.LAN"                          # Kerberos realm
principal="dhcpduser@$realm"                # principal that signs the updates
keytab="/etc/dhcp/dhcpd.keytab"             # keytab holding that principal's key
krb5cc="/run/dhcp-server/dhcpd.krb5cc"      # credentials cache written by kinit
#KRB5MIT="YES"                              # set for MIT Kerberos; Heimdal flags otherwise
domain="domain.lan"                         # appended to the client hostname
NSRVS="ns1.domain.lan ns2.domain.lan"       # space-separated DNS servers, tried in order
RRTTL="3600"                                # default record TTL (5th argument overrides)
NOTXTRRS="YES"                              # "YES": do not manage DHCID TXT records (rfc4701)
#NSUPDFLAGS="-d"                            # extra nsupdate flags (-g is always passed), e.g. -d
#DEBUG="YES"                                # foreground run (manual use only); prefer the -d argument
######################################################

## VARIABLES ##
# A leading "-d" forces a foreground run and is dropped from the arguments.
if [ "$1" = "-d" ]; then
  DEBUG="YES"
  shift
fi
action=$1               # add | delete
ip=$2                   # client address
DHCID=$3                # DHCID or MAC address identifying the client
name=${4%%.*}           # hostname, truncated at its first dot
RRTTL=${5:-$RRTTL}      # an explicit TTL replaces the default
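#######################################
# Print the command-line usage.
# Written to stdout on purpose: the non-debug path pipes stdout into
# logger, so this is how the message reaches syslog.
# Globals:   $0 (read)
# Outputs:   usage text on stdout
#######################################
_usage() {
  _prog=${0##*/}
  printf '%s\n' \
    "Usage:" \
    " $_prog [-d] add ip-address dhcid|mac-address hostname [dns-ttl]" \
    " $_prog [-d] delete ip-address dhcid|mac-address"
}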
#######################################
# Ensure a usable Kerberos ticket exists for the update principal.
# Points libkrb5 at our keytab and credentials cache through
# KRB5_KTNAME / KRB5CCNAME, checks the cache with klist (flag differs
# between MIT and Heimdal) and only runs kinit when that check fails.
# Globals:   keytab, krb5cc, principal, KRB5MIT (read); KLISTARG (written)
# Outputs:   "DDNS: kinit failed" on stdout when kinit fails
# Returns:   0 when a ticket is available; exits 1 when kinit fails
#######################################
_kerberos() {
  KRB5_KTNAME="$keytab"
  KRB5CCNAME="$krb5cc"
  export KRB5_KTNAME KRB5CCNAME
  # MIT klist takes -s, Heimdal klist takes -t to check the cache.
  case "$KRB5MIT" in
    YES) KLISTARG="-s" ;;
    *)   KLISTARG="-t" ;;
  esac
  if klist "$KLISTARG"; then
    return 0
  fi
  if ! kinit -k -t "$keytab" -c "$krb5cc" "$principal"; then
    echo "DDNS: kinit failed"
    exit 1
  fi
}
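#######################################
# Print a message and exit.  Messages go to stdout because the
# non-debug path pipes stdout into logger.
# Arguments: $1 - exit status, $2 - message
#######################################
_fail() {
  printf '%s\n' "$2"
  exit "$1"
}

#######################################
# Accept only a dotted-quad IPv4 address with four fields below 256.
# The address is interpolated into nsupdate commands and shell command
# lines, so anything else is refused up front.
# Arguments: $1 - candidate address
# Returns:   0 if valid, 1 otherwise
#######################################
_valid_ipv4() {
  case "$1" in
    ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  [ "$(printf '%s\n' "$1" | awk -F '.' 'NF == 4 && $1 < 256 && $2 < 256 && $3 < 256 && $4 < 256')" = "$1" ]
}

#######################################
# Accept only names made of ASCII letters, digits, '-', '_' and '.'
# that neither start with a dot nor contain an empty label.  Such a
# name can be passed to host(1) and pasted into nsupdate commands
# without ever being read as a separate word or command.
# Arguments: $1 - candidate DNS name or hostname label
# Returns:   0 if valid, 1 otherwise
#######################################
_valid_name() {
  case "$1" in
    ''|*[!A-Za-z0-9._-]*|.*|*..*) return 1 ;;
  esac
  return 0
}

#######################################
# Compute the TXT value that marks a name as ours: "000101" followed by
# the SHA-256 of DHCID + FQDN (+ newline).  The fixed prefix looks like
# the rfc4701 identifier/digest type fields - confirm before changing.
# Arguments: $1 - FQDN
# Globals:   DHCID (read)
# Outputs:   the TXT value on stdout
#######################################
_dhcid_txt() {
  _sum=$(printf '%s\n' "$DHCID$1" | sha256sum)
  printf '000101%s\n' "${_sum%% *}"
}

#######################################
# Print the TXT record text host(1) currently reports for a name.
# Arguments: $1 - FQDN
# Outputs:   record text on stdout; empty when there is none
#######################################
_existing_txt() {
  host -t txt "$1" | sed -n '/descriptive text/s/^.*[[:space:]]descriptive text[[:space:]]*"\(.*\)"$/\1/p'
}

#######################################
# Refuse to touch a name whose TXT record is missing or was produced
# with a different DHCID: the records then belong to another client.
# Arguments: $1 - verb for messages ("adding"/"removing"), $2 - FQDN
# Globals:   ip (read)
# Returns:   0 when the name is ours; exits 1 otherwise
#######################################
_require_dhcid_match() {
  _old=$(_existing_txt "$2")
  [ -n "$_old" ] || _fail 1 "DDNS: $1 records for $ip ($2) FAILED: has A record but no DHCID, not mine"
  [ "$(_dhcid_txt "$2")" = "$_old" ] || _fail 1 "DDNS: $1 records for $ip ($2) FAILED: has A record but DHCID is wrong"
}

#######################################
# Map an IPv4 address to its in-addr.arpa name.
# Arguments: $1 - dotted-quad address
# Outputs:   e.g. 4.3.2.1.in-addr.arpa for 1.2.3.4
#######################################
_reverse_name() {
  printf '%s\n' "$1" | awk -F '.' '{print $4"."$3"."$2"."$1".in-addr.arpa"}'
}

#######################################
# Push the "add" batch (forward A/TXT, then reverse PTR) to one server.
# Arguments: $1 - DNS server
# Globals:   realm, RRPTR, RRPTRNAME, RRTTL, RRTXT, txtpfx, ip, name,
#            domain, NSUPDFLAGS (read)
# Returns:   nsupdate's exit status
#######################################
_nsupdate_add() {
  # shellcheck disable=SC2086 -- NSUPDFLAGS deliberately holds several flags
  nsupdate -g $NSUPDFLAGS <<UPDATE
server $1
realm $realm
update delete $RRPTR. $RRTTL A
${txtpfx}update delete $RRPTR. $RRTTL TXT
${txtpfx}update add $RRPTR. $RRTTL TXT $RRTXT
update add $RRPTR. $RRTTL A $ip
send
update delete $RRPTRNAME. $RRTTL PTR
update add $RRPTRNAME. $RRTTL PTR $name.$domain.
send
UPDATE
}

#######################################
# Push the "delete" batch (forward A/TXT, then reverse PTR) to one server.
# Arguments: $1 - DNS server
# Globals:   realm, RRPTR, RRPTRNAME, RRTTL, txtpfx, NSUPDFLAGS (read)
# Returns:   nsupdate's exit status
#######################################
_nsupdate_delete() {
  # shellcheck disable=SC2086 -- NSUPDFLAGS deliberately holds several flags
  nsupdate -g $NSUPDFLAGS <<UPDATE
server $1
realm $realm
update delete $RRPTR. $RRTTL A
${txtpfx}update delete $RRPTR. $RRTTL TXT
send
update delete $RRPTRNAME. $RRTTL PTR
send
UPDATE
}

#######################################
# Try each server in NSRVS in turn and stop at the first that accepts
# the update.
# Arguments: $1 - verb for messages, $2 - FQDN, $3 - per-server function
# Globals:   NSRVS, ip (read); result, NSRV (written)
# Returns:   exits 0 on the first success; otherwise exits with the last
#            nsupdate status (1 when NSRVS is empty)
#######################################
_try_servers() {
  result=1   # an empty NSRVS must still fail cleanly instead of exit ""
  # shellcheck disable=SC2086 -- NSRVS is a space-separated list
  for NSRV in $NSRVS; do
    "$3" "$NSRV"
    result=$?
    if [ "$result" -eq 0 ]; then
      printf 'DDNS: %s records for %s (%s) succeeded\n' "$1" "$ip" "$2"
      exit 0
    fi
  done
  _fail "$result" "DDNS: $1 records for $ip ($2) FAILED: nsupdate status $result"
}

#######################################
# Validate the caller-supplied lease data, verify ownership through the
# DHCID TXT record (unless NOTXTRRS=YES), get a Kerberos ticket and send
# the forward and reverse updates for "add" or "delete".
# Globals:   action, ip, DHCID, name, domain, RRTTL, NOTXTRRS (read);
#            RRPTR, RRPTRNAME, RRTXT, txtpfx (written)
# Returns:   exits 0 on success, 1 on usage/validation/ownership errors,
#            otherwise with nsupdate's status
#######################################
_main() {
  umask 77   # the credentials cache kinit creates must not be world-readable
  if [ -z "$ip" ] || [ -z "$DHCID" ]; then
    _usage
    exit 1
  fi
  case "$action" in
    add|delete) ;;
    *)
      _usage
      exit 1
      ;;
  esac
  # ip and the TTL are pasted into nsupdate commands; a hostname or PTR
  # target is too.  Reject anything that is not plain data before use.
  _valid_ipv4 "$ip" || _fail 1 "DDNS: $action records for $ip FAILED: not a valid IPv4 address"
  case "$RRTTL" in
    ''|*[!0-9]*) _fail 1 "DDNS: $action records for $ip FAILED: invalid TTL '$RRTTL'" ;;
  esac

  case "$action" in
    add)
      if [ -z "$name" ]; then
        _usage
        exit 1
      fi
      _valid_name "$name" || _fail 1 "DDNS: adding records for $ip FAILED: invalid hostname '$name'"
      RRPTR="$name.$domain"
      if [ "$NOTXTRRS" != "YES" ]; then
        txtpfx=""
        # An existing A record is only replaced when its TXT record shows
        # it was registered with the same DHCID.
        if [ -n "$(host "$RRPTR" | awk '/has address/ {print $4}')" ]; then
          _require_dhcid_match adding "$RRPTR"
        fi
        RRTXT=$(_dhcid_txt "$RRPTR")
      else
        txtpfx=";"   # turns the TXT lines of the batch into nsupdate comments
      fi
      RRPTRNAME=$(_reverse_name "$ip")
      _kerberos
      _try_servers adding "$RRPTR" _nsupdate_add
      ;;
    delete)
      # The forward name comes from the PTR record.  Without it there is
      # no A record to remove, whatever NOTXTRRS says - an empty RRPTR
      # would otherwise turn into "update delete . ... A".
      RRPTR=$(host "$ip" | awk '/domain name pointer/ { sub(/\.$/, "", $5); print $5}')
      [ -n "$RRPTR" ] || _fail 1 "DDNS: removing records for $ip FAILED: has no PTR, can not determine A record"
      _valid_name "$RRPTR" || _fail 1 "DDNS: removing records for $ip FAILED: PTR target '$RRPTR' is not a plain DNS name"
      if [ "$NOTXTRRS" != "YES" ]; then
        txtpfx=""
        _require_dhcid_match removing "$RRPTR"
      else
        txtpfx=";"
      fi
      RRPTRNAME=$(_reverse_name "$ip")
      _kerberos
      _try_servers removing "$RRPTR" _nsupdate_delete
      ;;
  esac
}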
# Entry point.  DEBUG=YES (set by the -d argument or the environment)
# runs the update in the foreground with output on the terminal;
# otherwise it is detached and its stdout is sent to syslog with the
# "dhcpd" tag (logger -s also echoes it to stderr).
case "$DEBUG" in
  YES)
    _main
    ;;
  *)
    _main | logger -s -t dhcpd &
    ;;
esac