#!/bin/sh
# Maintains the DNS records of a DHCP lease (A, PTR and an rfc4701-style TXT
# record carrying the client's DHCID) through GSS-TSIG dynamic updates
# (nsupdate -g), authenticating with a Kerberos keytab.
#
# Usage:
#   <script> add ip-address dhcid|mac-address hostname [dns-ttl]
#   <script> delete ip-address dhcid|mac-address
#
# Uncomment the next line to turn the hook into a no-op without removing it.
#exit 0

## CONFIGURATION ##
# Kerberos realm
realm="DOMAIN.LAN"
# Kerberos principal used for the updates
principal="dhcpduser@${realm}"
# Kerberos keytab holding that principal's key
keytab="/etc/dhcp/dhcpd.keytab"
# Kerberos credentials cache written by kinit and read by nsupdate
krb5cc="/run/dhcp-server/dhcpd.krb5cc"
# Set to YES when the Kerberos tools are MIT rather than Heimdal (klist/kinit
# take different arguments).
#KRB5MIT="YES"
# Domain appended to the (single-label) hostname
domain="domain.lan"
# Space separated list of DNS servers to send updates to; tried in order until
# one accepts the update.
NSRVS="ns1.domain.lan ns2.domain.lan"
# Default TTL for the resource records we create
RRTTL="3600"
# Set to YES to manage A/PTR only and skip the DHCID TXT records (rfc4701)
#NOTXTRRS="YES"
# Additional nsupdate flags (-g is always passed), e.g. "-d" for debugging
#NSUPDFLAGS="-d"
######################################################

## VARIABLES ##
# Positional parameters as passed by the caller (see Usage above).
action=$1            # "add" or "delete"
ip=$2                # lease address
DHCID=$3             # client identifier (DHCID or MAC) that proves ownership of the records
name=${4%%.*}        # first label of the supplied hostname; $domain is appended later
RRTTL=${5:-$RRTTL}   # optional TTL override, otherwise the configured default
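# Print the command-line synopsis to stderr (it is only shown on misuse, so it
# must not end up in the caller's stdout). Reads $0 for the script name.
_usage() {
  _us_prog=$(basename "$0")
  printf 'Usage:\n' >&2
  printf ' %s add ip-address dhcid|mac-address hostname [dns-ttl]\n' "$_us_prog" >&2
  printf ' %s delete ip-address dhcid|mac-address\n' "$_us_prog" >&2
}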
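# Make a Kerberos ticket for $principal available to nsupdate -g: reuse the
# cached one when it is still valid, otherwise obtain a fresh one from $keytab.
# Exports KRB5_KTNAME and KRB5CCNAME so kinit/nsupdate use the configured
# keytab and credentials cache. Reads keytab, krb5cc, principal, KRB5MIT.
# Returns 0 when a ticket is available, 1 (with a message on stderr) otherwise.
_kerberos() {
  export KRB5_KTNAME="$keytab"
  export KRB5CCNAME="$krb5cc"
  # MIT and Heimdal spell the "test the cache quietly" option differently
  # (klist -s vs klist -t) and kinit's argument order differs as well.
  if [ "$KRB5MIT" = "YES" ]; then
    klist -s || kinit "$principal" -k -t "$keytab"
  else
    klist -t || kinit -t "$keytab" "$principal"
  fi || {
    printf 'Unable to obtain a Kerberos ticket for %s from %s\n' "$principal" "$keytab" >&2
    return 1
  }
}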
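## HELPERS ##

# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0..255.
_valid_ipv4() {
  case $1 in
    ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  _vi_ifs=$IFS
  IFS=.
  # shellcheck disable=SC2086 -- splitting on '.' is the point
  set -- $1
  IFS=$_vi_ifs
  [ $# -eq 4 ] || return 1
  for _vi_oct in "$@"; do
    [ "$_vi_oct" -le 255 ] || return 1
  done
  return 0
}

# Return 0 if $1 is a single hostname label: ASCII letters, digits, '-' or '_',
# not starting or ending with '-', at most 63 characters.
_valid_label() {
  case $1 in
    ''|*[!A-Za-z0-9_-]*|-*|*-) return 1 ;;
  esac
  [ ${#1} -le 63 ]
}

# Return 0 if $1 looks like a plain hostname (labels as above joined by single
# dots, no leading/trailing dot, at most 253 characters).
_valid_fqdn() {
  case $1 in
    ''|*[!A-Za-z0-9_.-]*|.*|*.|*..*) return 1 ;;
  esac
  [ ${#1} -le 253 ]
}

# Print the reverse-lookup owner name (d.c.b.a.in-addr.arpa) for the IPv4
# address $1; the caller validates $1 with _valid_ipv4 first.
_ptr_name() {
  _pn_ifs=$IFS
  IFS=.
  # shellcheck disable=SC2086 -- splitting on '.' is the point
  set -- $1
  IFS=$_pn_ifs
  printf '%s.%s.%s.%s.in-addr.arpa\n' "$4" "$3" "$2" "$1"
}

# Print the TXT value that marks a record as ours: "000101" followed by the hex
# SHA-256 of the DHCID ($1) concatenated with the FQDN ($2). The same value is
# written on "add" and checked on "delete", so the input must stay stable.
_dhcid_txt() {
  _dt_sum=$(printf '%s\n' "$1$2" | sha256sum)
  printf '000101%s\n' "${_dt_sum%% *}"
}

# Print the current TXT record of name $1 (empty if there is none).
_txt_record() {
  host -t txt "$1" | sed -n '/descriptive text/s/^.*[[:space:]]descriptive text[[:space:]]*"\(.*\)"$/\1/p'
}

# Refuse to touch records that were not created for this DHCID.
#   $1 FQDN to inspect   $2 TXT value we expect to find
#   $3 message when no TXT record exists   $4 message when it does not match
# Prints the message and exits 0 (not an error: the name simply is not ours).
_require_owner() {
  _ro_old=$(_txt_record "$1")
  if [ -z "$_ro_old" ]; then
    printf '%s\n' "$3"
    exit 0
  fi
  if [ "$2" != "$_ro_old" ]; then
    printf '%s\n' "$4"
    exit 0
  fi
}

# Print the nsupdate script that (re)creates A, TXT and PTR for the lease,
# addressed to server $1. Reads realm, fqdn, RRTTL, RRTXT, ip, RRPTRNAME and
# NOTXTRRS (";" comments the TXT lines out). The heredoc body is kept at
# column 0 so no leading whitespace is passed on to nsupdate.
_emit_add() {
  cat <<UPDATE
server $1
realm $realm
update delete $fqdn. $RRTTL A
${NOTXTRRS}update delete $fqdn. $RRTTL TXT
${NOTXTRRS}update add $fqdn. $RRTTL TXT $RRTXT
update add $fqdn. $RRTTL A $ip
send
update delete $RRPTRNAME. $RRTTL PTR
update add $RRPTRNAME. $RRTTL PTR $fqdn.
send
UPDATE
}

# Print the nsupdate script that removes A, TXT and PTR for the lease,
# addressed to server $1. Same globals as _emit_add.
_emit_delete() {
  cat <<UPDATE
server $1
realm $realm
update delete $fqdn. $RRTTL A
${NOTXTRRS}update delete $fqdn. $RRTTL TXT
send
update delete $RRPTRNAME. $RRTTL PTR
send
UPDATE
}

# Feed the script printed by the emitter function $1 to each server in $NSRVS
# in turn, stopping at the first one that accepts it. Sets result to the exit
# status of the last nsupdate run (1 when $NSRVS is empty).
_run_update() {
  result=1
  for _ru_srv in $NSRVS; do
    # $NSUPDFLAGS is an operator-supplied flag list and is split on purpose.
    # shellcheck disable=SC2086
    "$1" "$_ru_srv" | nsupdate -g $NSUPDFLAGS
    result=$?
    [ "$result" -eq 0 ] && break
  done
}

## MAIN ##

# Dispatch on $action. Reads action, ip, DHCID, name, domain, RRTTL, NOTXTRRS
# and NSRVS; sets fqdn, RRPTRNAME, RRTXT, result. Exits with nsupdate's
# status (0 also when the record turned out not to be ours, 1 on bad input).
_main() {
  umask 077

  if [ -z "$ip" ] || [ -z "$DHCID" ]; then
    _usage
    exit 1
  fi

  # ip, name and RRTTL originate from the lease (the client chooses its own
  # hostname and identifier) and are spliced into command lines and into the
  # nsupdate script, so anything that is not a plain address / label / integer
  # is rejected before it is used.
  if ! _valid_ipv4 "$ip"; then
    printf 'Invalid IP address: %s\n' "$ip" >&2
    exit 1
  fi
  case $RRTTL in
    ''|*[!0-9]*)
      printf 'Invalid DNS TTL: %s\n' "$RRTTL" >&2
      exit 1
      ;;
  esac

  if [ "$NOTXTRRS" = "YES" ]; then
    use_txt=0
    NOTXTRRS=";"   # nsupdate treats lines starting with ';' as comments
  else
    use_txt=1
    NOTXTRRS=""
  fi
  RRPTRNAME=$(_ptr_name "$ip")
  result=1

  case "$action" in
    add)
      if ! _valid_label "$name"; then
        printf 'Invalid hostname label: %s\n' "$name" >&2
        exit 1
      fi
      fqdn="$name.$domain"
      if [ "$use_txt" -eq 1 ]; then
        RRTXT=$(_dhcid_txt "$DHCID" "$fqdn")
        # An existing address record is only replaced when it carries our TXT.
        if [ -n "$(host "$fqdn" | awk '/has address/ {print $4}')" ]; then
          _require_owner "$fqdn" "$RRTXT" \
            "Forward map from $fqdn to $ip FAILED: Has an address record but no DHCID, not mine." \
            "Forward map from $fqdn to $ip FAILED: Has an address record but DHCID is wrong, not mine."
        fi
      fi
      _kerberos
      _run_update _emit_add
      ;;
    delete)
      RRPTR=$(host "$ip" | awk '/domain name pointer/ { sub(/\.$/, "", $5); print $5}')
      # Without a PTR there is no forward name to clean up; checked regardless
      # of NOTXTRRS so an empty owner name never reaches nsupdate.
      if [ -z "$RRPTR" ]; then
        echo "$ip has no PTR, can not determine address record."
        exit 0
      fi
      # The PTR target comes from DNS; several PTRs (multi-line output) or odd
      # characters are not something this script can act on safely.
      if ! _valid_fqdn "$RRPTR"; then
        printf 'PTR target of %s is not a plain hostname, refusing to continue\n' "$ip" >&2
        exit 1
      fi
      fqdn=$RRPTR
      if [ "$use_txt" -eq 1 ]; then
        _require_owner "$fqdn" "$(_dhcid_txt "$DHCID" "$fqdn")" \
          "Forward map from $fqdn to $ip removing FAILED: Has an address record but no DHCID, not mine." \
          "Forward map from $fqdn to $ip removing FAILED: Has an address record but DHCID is wrong."
      fi
      _kerberos
      _run_update _emit_delete
      ;;
    *)
      _usage
      exit 1
      ;;
  esac

  if [ "$result" -ne 0 ]; then
    echo "GSS-TSIG DNS update failed: $result"
  fi
  exit "$result"
}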
# Entry point: _main never returns, it exits with the update's status.
_main