dns-krbnsupdate.sh

#!/bin/sh

#exit 0

## CONFIGURATION ##
# Kerberos realm
realm="DOMAIN.LAN"
# Kerberos principal
principal="dhcpduser@$realm"
# Kerberos keytab
keytab="/etc/dhcp/dhcpd.keytab"
# Kerberos credentials cache
krb5cc="/run/dhcp-server/dhcpd.krb5cc"
# Use MIT kerberos args instead of heimdal.
#KRB5MIT="YES"

# Domain appended to hostname
domain="domain.lan"
# Space separated list of DNS servers for sending updates to
NSRVS="ns1.domain.lan ns2.domain.lan"
# Default DNS resource records TTL
RRTTL="3600"
# Do not use TXT RRs (rfc4701)
#NOTXTRRS="YES"
# Additional nsupdate flags (-g already applied), e.g. "-d" for debug
#NSUPDFLAGS="-d"

######################################################

## VARIABLES ##
action=$1
ip=$2
DHCID=$3
name=${4%%.*}
[ -n "$5" ] && RRTTL="$5"

_usage() {
echo "Usage:"
echo "  `basename $0` add ip-address dhcid|mac-address hostname [dns-ttl]"
echo "  `basename $0` delete ip-address dhcid|mac-address"
}

_kerberos() {
export KRB5_KTNAME="$keytab"
export KRB5CCNAME="$krb5cc"

if [ "$KRB5MIT" = "YES" ]; then
    klist -s || kinit $principal -k -t $keytab
else
    klist -t || kinit -t $keytab $principal
fi
}

_main() {
umask 77

if [ -z "$ip" ] || [ -z "$DHCID" ]; then
    _usage
    exit 1
fi

## NSUPDATE ##
case "$action" in
    add)
    if [ "$NOTXTRRS" != "YES" ]; then
        NOTXTRRS=""
        RRAOLD=`host $name.$domain | awk '/has address/ {print $4}'`
        if [ -n "$RRAOLD" ]; then
        RRTXTOLD=`host -t txt "$name.$domain" | sed -n '/descriptive text/s/^.*[[:space:]]descriptive text[[:space:]]*"\(.*\)"$/\1/p'`
        [ -z "$RRTXTOLD" ] && echo "Forward map from $name.$domain to $ip FAILED: Has an address record but no DHCID, not mine." && exit 0

        RRTXT=`echo "$DHCID$name.$domain" | sha256sum`
        RRTXT="000101${RRTXT%% *}"
        [ "$RRTXT" != "$RRTXTOLD" ] && echo "Forward map from $name.$domain to $ip FAILED: Has an address record but DHCID is wrong, not mine." && exit 0
        else
        RRTXT=`echo "$DHCID$name.$domain" | sha256sum`
        RRTXT="000101${RRTXT%% *}"
        fi
    else
        NOTXTRRS=";"
    fi

    RRPTRNAME=`echo $ip | awk -F '.' '{print $4"."$3"."$2"."$1".in-addr.arpa"}'`

    _kerberos

    for NSRV in $NSRVS; do
        nsupdate -g $NSUPDFLAGS << UPDATE
server $NSRV
realm $realm
update delete $name.$domain. $RRTTL A
${NOTXTRRS}update delete $name.$domain. $RRTTL TXT
${NOTXTRRS}update add $name.$domain. $RRTTL TXT $RRTXT
update add $name.$domain. $RRTTL A $ip
send
update delete $RRPTRNAME. $RRTTL PTR
update add $RRPTRNAME. $RRTTL PTR $name.$domain.
send
UPDATE
        result=$?
        [ "$result" -eq "0" ] && break
    done
    ;;
    delete)
    RRPTR=`host $ip | awk '/domain name pointer/ { sub(/\.$/, "", $5); print $5}'`
    if [ "$NOTXTRRS" != "YES" ]; then
        NOTXTRRS=""
        if [ -n "$RRPTR" ]; then
        RRTXTOLD=`host -t txt "$RRPTR" | sed -n '/descriptive text/s/^.*[[:space:]]descriptive text[[:space:]]*"\(.*\)"$/\1/p'`
        [ -z "$RRTXTOLD" ] && echo "Forward map from $RRPTR to $ip removing FAILED: Has an address record but no DHCID, not mine." && exit 0

        RRTXT=`echo "$DHCID$RRPTR" | sha256sum`
        RRTXT="000101${RRTXT%% *}"
        [ "$RRTXT" != "$RRTXTOLD" ] && echo "Forward map from $RRPTR to $ip removing FAILED: Has an address record but DHCID is wrong." && exit 0
        else
        echo "$ip has no PTR, can not determine address record." && exit 0
        fi
    else
        NOTXTRRS=";"
    fi

    RRPTRNAME=`echo $ip | awk -F '.' '{print $4"."$3"."$2"."$1".in-addr.arpa"}'`

    _kerberos

    for NSRV in $NSRVS; do
        nsupdate -g $NSUPDFLAGS << UPDATE
server $NSRV
realm $realm
update delete $RRPTR. $RRTTL A
${NOTXTRRS}update delete $RRPTR. $RRTTL TXT
send
update delete $RRPTRNAME. $RRTTL PTR
send
UPDATE
        result=$?
        [ "$result" -eq "0" ] && break
    done
    ;;
    *)
    _usage && exit 1
    ;;
esac

[ "$result" != "0" ] && echo "GSS-TSIG DNS update failed: $result"
exit $result
}

_main