From 2a5069d0b1f47296eb47b99e9b948347663f98e3 Mon Sep 17 00:00:00 2001 From: Blackyfff Date: Wed, 10 Mar 2021 00:02:15 +0100 Subject: [PATCH] configurable Temp-Folder; DNSSEC for master-zone with multiple synchronising servers Signed-off-by: Blackyfff --- README.md | 6 +- dns-functions.sh | 83 ++++++++++++++++++++++- update-dns.sh | 169 ++++++++++++++++++++++++++++++++++++----------- 3 files changed, 217 insertions(+), 41 deletions(-) diff --git a/README.md b/README.md index 9493340..634a062 100644 --- a/README.md +++ b/README.md @@ -7,6 +7,8 @@ Weiterhin werden bei eigener Subdomain die momentan vergebenen Adressen von dnsm Das ermöglicht eine Namensauflösung für Freifunk-Teilnehmer ohne manuelle Konfiguration. Damit kann jeder Freifunk-Teilnehmer ein gültiges TLS-Zertifikat bekommen, sofern DHCPv6 am Gateway aktiviert ist. +DNSSEC wird für jede Zone unterstützt, allerdings nur für die Hauptzone mit mehreren Servern. Für Subdomainserver darf mit DNSSEC nur jeweils ein Server authorativ sein. + ## Installation #### Systemanforderungen @@ -72,7 +74,7 @@ view "icvpn-internal-view" { [..] # eigene Optionen - include "/etc/bind/fff.community-internal.conf"; # auto-generated + include "/etc/bind/icvpn-internal-view.conf"; # auto-generated include "/etc/bind/icvpn-zones.conf"; # Nicht vergessen ;) @@ -83,7 +85,7 @@ view "external-view" { match-clients { any; }; [..] # eigene Optionen - include "/etc/bind/fff.community-external.conf"; # auto-generated + include "/etc/bind/external-view.conf"; # auto-generated [..] }; diff --git a/dns-functions.sh b/dns-functions.sh index b0b59c5..2699186 100755 --- a/dns-functions.sh +++ b/dns-functions.sh 
@@ -31,6 +31,17 @@ zone \"""$1""\" {\n\ };" "$3" fi } +GetAllSubNameservers() { + Domain="$(echo "$1" | sed -e 's/\./\\\./g')" + SubDomain="$(echo "$2" | sed -e 's/\./\\\./g')" + sed -ne 's/^\s*'"$SubDomain"'\(\.'"$Domain"'\.\)\?\s\+\([0-9]*\s\)\?\s*[Ii][Nn]\s\+[Nn][Ss]\s\+\(\S\+\)/\3/p' "$3" | \ + sed -e 's/\([^.]\)$/\1\.'"$1"'\./g;s/\.$//g' +} +GetAllZoneNameservers() { + Domain="""$(echo "$1" | sed -e 's/\./\\\./g')" + sed -ne 's/^\s*\(@\|'"$Domain"'\.\)\s\+\([0-9]*\s\)\?\s*[Ii][Nn]\s\+[Nn][Ss]\s\+\(\S\+\)/\3/p' "$2" | \ + sed -e 's/\([^.]\)$/\1\.'"$1"'\./g;s/\.$//g' +} GetReverseZoneFileFromZone() { echo "db.""$(echo "$1" | awk -F. '{ printf $(NF-2);for(i=NF-3;i>0;--i) printf "."$i}')" } @@ -103,7 +114,7 @@ GetServernameSEDEntry() { echo "$ServerName" | sed -r 's/\./\\\./g' } NormalizeZoneFileFormatting() { - awk 'BEGIN{FS="\t"}{l=length($1);f=substr(" ", 1+length($1)); + awk 'BEGIN{FS="\t"}{l=length($1);f=substr(" ", 1+length($1)); s=substr(" ", 1+length($2)); x=substr($0,length($1)+length($2)+3); print $1 f " " $2 s " " x}' 
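Review bot: GetAllSubNameservers and GetAllZoneNameservers only match NS lines that spell out the owner at the start of the line (`@`, `<domain>.` or the sub-domain label), so NS records that inherit their owner from the previous record are skipped. update-dns.sh derives `ServeMasterZone` and `ServeExtZone` from this output, so a missed line silently turns off serving and key synchronisation for this host. Neither function is documented; I would add a header such as `# $1 = zone, $2 = zone file; prints every NS target as an FQDN without trailing dot; NS lines must carry an explicit owner`. `Domain` and `SubDomain` are plain globals here, which is harmless only while every caller invokes these functions inside `$(...)`.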
@@ -160,6 +171,76 @@ IPv4IsInSubnet() { fi return $AreEqual + +} +GetOwnKeysForZone () { + DNSSECKeyFolder="$1" + Domain="$2" + if [ -n "$DNSSECKeyFolder" ];then + for OwnKeyFile in "$DNSSECKeyFolder""K""$Domain"".+"*".key"; do + sed -ne '/^;/d;s/^'"$Domain"'\.\s\+\([0-9]*\s\)\?\s*[Ii][Nn]\s\+[Dd][Nn][Ss][Kk][Ee][Yy]\s\+\(.*\)$/_dnsseckeys\.'"$Domain"'\.\tIN TXT\t\"\2\"/p' "$OwnKeyFile" | \ + NormalizeZoneFileFormatting + done + fi +} +UpdateDNSSECEntryCache () { + Domain="$1" + ZoneTempFolder="$2" + CachedZoneFile="$3" + DNSSECKeyFolder="$4" + UpdateMaster=0 + + Nameservers="$(GetAllZoneNameservers "$Domain" "$CachedZoneFile")" + + mkdir -p "$ZoneTempFolder" + for KeyFile in "$ZoneTempFolder"*; do + [ "$KeyFile" = "$ZoneTempFolder""*" ] || \ + mv "$KeyFile" "$ZoneTempFolder""Old""${KeyFile##*"$ZoneTempFolder"}" + done + for Nameserver in $Nameservers; do + if [ "$Nameserver" = "$DNSSCRIPT_SERVER_NAME" ]; then + DNSKEYS="$( GetOwnKeysForZone "$DNSSECKeyFolder" "$Domain" )" + else + DNSKEYS="$(delv @"$Nameserver" _dnsseckeys."$Domain" TXT 2>/dev/null | \ + sed -ne '/^;/d;s/^.*\sIN\s\+TXT\s\+"\(.*\)"$/'"$Domain"'.\tIN DNSKEY\t\1/p' | \ + NormalizeZoneFileFormatting )" + fi + if [ -n "$DNSKEYS" ] && [ "$DNSKEYS" != "$(cat "$ZoneTempFolder""OldKeys.""$Nameserver" 2>/dev/null)" ]; then + echo "$DNSKEYS" > "$ZoneTempFolder""Keys.""$Nameserver" + UpdateMaster=1 + elif [ -f "$ZoneTempFolder""OldKeys.""$Nameserver" ]; then + mv "$ZoneTempFolder""OldKeys.""$Nameserver" "$ZoneTempFolder""Keys.""$Nameserver" + fi + done + + SEDDomain="$(echo "$Domain" | sed -e 's/\./\\\./g')" + ChildServers="$( sed -ne '/^\s*\(@\|'"$SEDDomain"'\.\)\s/!s/^\s*\(\S\+\)\s\+\([0-9]*\s\)\?\s*[Ii][Nn]\s\+[Nn][Ss]\s\+\(\S\+\);\?.*$/\1#\3/p' "$CachedZoneFile" | \ + sed -e 's/\([^.]\)$/\1\.'"$Domain"'\./g;s/\.$//g;s/\([^.]\)#/\1\.'"$Domain"'\.#/g;s/\.#/#/g' )" + for ChildServer in $ChildServers; do + DNSKEYS="$(delv @"${ChildServer##*\#}" "${ChildServer%%\#*}" CDS 2>/dev/null | \ + sed -ne 
'/^;/d;s/^.*\sIN\s\+CDS\s\+\(.*\)$/'"${ChildServer%%\#*}"'.\tIN DS\t\1/p' | \ + NormalizeZoneFileFormatting )" + + if [ -n "$DNSKEYS" ]; then + DNSKEYS="$(echo "$DNSKEYS" | sed -e '/\sIN\s\+DS\s\+0\s\+0\s\+0\s\+0/d')" + if [ "$DNSKEYS" != "$(cat "$ZoneTempFolder""OldChildKeys.""$ChildServer" 2>/dev/null)" ]; then + [ -z "$DNSKEYS" ] || echo "$DNSKEYS" > "$ZoneTempFolder""ChildKeys.""$ChildServer" + UpdateMaster=1 + elif [ -n "$DNSKEYS" ]; then + mv "$ZoneTempFolder""OldChildKeys.""$ChildServer" "$ZoneTempFolder""ChildKeys.""$ChildServer" + elif [ -f "$ZoneTempFolder""OldKeys.""$Nameserver" ]; then + UpdateMaster=1 + fi + elif [ -f "$ZoneTempFolder""OldChildKeys.""$Nameserver" ]; then + mv "$ZoneTempFolder""OldChildKeys.""$ChildServer" "$ZoneTempFolder""ChildKeys.""$ChildServer" + fi + done + + for KeyFile in "$ZoneTempFolder""Old"*; do + [ "$KeyFile" = "$ZoneTempFolder""Old*" ] || \ + rm -f "$KeyFile" + done + echo "$UpdateMaster" } ReloadZone() { if [ $((DNSSCRIPT_BIND_RELOAD_VER)) -eq 0 ]; then diff --git a/update-dns.sh b/update-dns.sh index 8c67d60..6aec388 100755 --- a/update-dns.sh +++ b/update-dns.sh @@ -5,11 +5,10 @@ set -e # Communityconfig CommunityDomain="fff.community" -CommunityExternDomain="extern.fff.community" +CommunityExternPrefix="extern" CommunitySubnets="10.50.0/16 10.83.0/16 fd43:5602:29bd::/48" RemoteLocation="https://git.freifunk-franken.de/freifunk-franken/dns/raw/branch/master/" -DNSSECPolicy="" -ServeMasterZone=0 +DNSSECPolicy="herpf" # Serverconfig export DNSSCRIPT_CONTACT_EMAIL=info.freifunk-herpf.de. 
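Review bot: UpdateDNSSECEntryCache turns whatever `delv` returns for the `_dnsseckeys.<zone>` TXT lookup and for the children's CDS lookup into DNSKEY and DS records of the zone this server then signs, without checking that the answer was validated. delv reports the validation result on lines beginning with `;`, and both pipelines drop those with `/^;/d` while stderr goes to `/dev/null`, so as far as this hunk shows an unsigned answer is handled exactly like a validated one. I would keep the raw output in a variable and accept it only when delv marked it validated, e.g. `echo "$Answer" | grep -q '^; fully validated' || Answer=""` before the `sed`, or obtain the keys over an authenticated channel. Separately, the `elif` tests in the child loop check `OldKeys.$Nameserver` and `OldChildKeys.$Nameserver`, which still hold the last value from the preceding loop; `$ChildServer` looks intended.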
@@ -18,8 +17,10 @@ export DNSSCRIPT_SERVER_NAME=dns.herpf.fff.community UpdateScriptsFolder="/usr/lib/ffdns/" ZoneFilesFolder="/etc/bind/fff/" BindIncludeFileFolder="/etc/bind/" +DNSSECKeyFolder="/etc/bind/keys/" +TempFolder="/tmp/dnsscripts/" # specify the bird/babel or other routing table[s] -# if RoutingTables is empty, the ICVPN-ACL-List will be fetched remotely (for servers that are no gateways) +# if RoutingTables is empty, the ICVPN-ACL-List will be fetched remotely (for servers that are no gateway) RoutingTables="10" # -1 -> disable bind [restart|reload] @@ -28,7 +29,6 @@ RoutingTables="10" # 2 -> OpenWRT /etc/init.d/named [reload|restart] export DNSSCRIPT_BIND_RELOAD_VER=0 -# only necessary when rndc is used InternalViews="icvpn-internal-view icvpn-internal-dns64-view" ExternalView="external-view" 
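Review bot: The new default `TempFolder="/tmp/dnsscripts/"` is a fixed name inside a world-writable directory, and the script later only runs `mkdir -p "$TempFolder""cache"`, which succeeds when the path already exists no matter who owns it. Everything staged there (the fetched master zone, the cached key records, the generated view includes) is afterwards moved or copied into `$ZoneFilesFolder` and `$BindIncludeFileFolder`, so the staging area must not be writable by other local users. I would default to a directory owned by the account running the script, for example `TempFolder="/var/cache/ffdns/"` (example path), create it with `mkdir -m 700`, and abort if it already exists with a different owner. The `/tmp/dnsscript-forcereconf` check near the end of update-dns.sh is still hard-coded and could follow the same setting.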
@@ -45,24 +45,74 @@ cd "$UpdateScriptsFolder" . ./dns-functions.sh FirstInternal="$( echo "$InternalViews" | sed -ne 's/^\(\S\+\)\s.*$/\1/p')" -MasterFile="$ZoneFilesFolder""db.""$FirstInternal"".""$CommunityDomain" -BindIcvpnAclTmp="/tmp/icvpn-acl.conf" +BindIcvpnAclTmp="$TempFolder""icvpn-acl.conf" BindIcvpnAcl="$BindIncludeFileFolder""icvpn-acl.conf" +[ -z "$CommunityExternPrefix" ] || CommunityExternDomain="$CommunityExternPrefix"".""$CommunityDomain" + +mkdir -p "$TempFolder""cache" for IView in $InternalViews; do - rm -f "/tmp/""$IView"".conf" + rm -f "$TempFolder""$IView"".conf" done -rm -f "/tmp/""$ExternalView"".conf" +rm -f "$TempFolder""$ExternalView"".conf" -PreFetchMasterSerial="$(GetZoneFileSerial "$MasterFile")" -curl -s -S -f "$RemoteLocation""db.""$CommunityDomain" --output "$MasterFile" - -if [ $ServeMasterZone -ne 0 ]; then - PostFetchMasterSerial="$(GetZoneFileSerial "$MasterFile")" - if [ $((PostFetchMasterSerial)) -gt $((PreFetchMasterSerial)) ]; then - ReloadZone "$CommunityDomain" "$InternalViews" +CachedMasterFile="$TempFolder""cache/db.""$CommunityDomain" +PreFetchMasterSerial="$(GetZoneFileSerial "$CachedMasterFile")" +curl -s -S -f "$RemoteLocation""db.""$CommunityDomain" --output "$CachedMasterFile" +PostFetchMasterSerial="$(GetZoneFileSerial "$CachedMasterFile")" +ServeMasterZone="$( GetAllZoneNameservers "$CommunityDomain" "$CachedMasterFile" | awk '{for(i=NF;i>0;--i) if($i=="'"$DNSSCRIPT_SERVER_NAME"'") {printf 1}}')" +if [ -n "$CommunityExternDomain" ]; then + if [ -n "$ServeMasterZone" ]; then + ServeExtZone="1" + else + ServeExtZone="$( GetAllSubNameservers "$CommunityDomain" "$CommunityExternPrefix" "$CachedMasterFile" | awk '{for(i=NF;i>0;--i) if($i=="'"$DNSSCRIPT_SERVER_NAME"'") {printf 1}}')" fi +else + ServeExtZone="" +fi + +if [ -n "$ServeMasterZone" ] || [ -n "$ServeExtZone" ]; then + sed -i -e '/^\s*_dnsseckeys\./d' "$CachedMasterFile" + FileForExternGeneration="$CachedMasterFile" + if [ -n "$ExternalView" ]; then + 
ExternFile="$ZoneFilesFolder""db.""$ExternalView"".""$CommunityDomain" + else + ExternFile="$ZoneFilesFolder""db.""$CommunityExternDomain" + fi + LocalMasterSerial=$((PostFetchMasterSerial)) + if [ -n "$ServeMasterZone" ]; then + MasterFile="$ZoneFilesFolder""db.""$FirstInternal"".""$CommunityDomain" + FileForExternGeneration="$MasterFile" + UpdateMaster=0 + ZoneTempFolder="$TempFolder""cache/""$CommunityDomain""/" + UpdateMaster="$(UpdateDNSSECEntryCache "$CommunityDomain" "$ZoneTempFolder" "$CachedMasterFile" "$DNSSECKeyFolder")" + [ $((PostFetchMasterSerial)) -le $((PreFetchMasterSerial)) ] || UpdateMaster=1 + + if [ $UpdateMaster -ne 0 ]; then + cp -f "$CachedMasterFile" "$CachedMasterFile""I" + for KeyFile in "$ZoneTempFolder"*; do + [ "$KeyFile" = "$ZoneTempFolder""*" ] || \ + cat "$KeyFile" >> "$CachedMasterFile""I" + done + LocalMasterSerial="$(GetZoneFileSerial "$MasterFile")" + + if [ $((PostFetchMasterSerial)) -le $((LocalMasterSerial)) ]; then + LocalMasterSerial=$((LocalMasterSerial+1)) + sed -i -e 's/^\(\s*\)'"$PostFetchMasterSerial"'\(\s*;\s*[Ss]erial.*\)$/\1'"$LocalMasterSerial"'\3/g' "$CachedMasterFile""I" + sed -i -e 's/^\(\s*\S\+\s\+\([0-9]*\s\)\?\s*[Ii][Nn]\s\+[Ss][Oo][Aa]\s\+\S\+\s\+\S\+\s\+\)'"$PostFetchMasterSerial"'\(\s\+.*\)$/\1'"$LocalMasterSerial"'\3/g' "$CachedMasterFile""I" + else + LocalMasterSerial=$((PostFetchMasterSerial)) + fi + mv "$CachedMasterFile""I" "$MasterFile" + ReloadZone "$CommunityDomain" "$InternalViews" + + for IView in $InternalViews; do + InternViewMasterZone="$ZoneFilesFolder""db.""$IView"".""$CommunityDomain" + [ -f "$InternViewMasterZone" ] || ln -s "$MasterFile" "$InternViewMasterZone" + InsertZoneToIncludeFile "$CommunityDomain" "$InternViewMasterZone" "$TempFolder""$IView"".conf" "$DNSSECPolicy" + done + fi for Subnet in $CommunitySubnets; do ReverseDomains="$(GetReverseDomains "$Subnet")" for RDomain in $ReverseDomains; do 
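Review bot: The first serial-rewrite `sed` on `"$CachedMasterFile""I"` ends its replacement with `\3`, but its pattern `^\(\s*\)…\(\s*;\s*[Ss]erial.*\)$` has only two groups. GNU sed rejects this as an invalid reference, and because the script runs under `set -e` the update would stop after the `I` copy is written and before `$MasterFile` is replaced. The replacement should read `/\1'"$LocalMasterSerial"'\2/g`; the SOA-line `sed` directly below is correct with `\3` because its first group contains a nested one. The same expression is repeated in the next hunk for `"$CachedMasterFile""E"` and needs the same change. The enclosing `if [ -n "$ServeMasterZone" ]` block continues past the end of this hunk.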
@@ -72,29 +122,72 @@ if [ $ServeMasterZone -ne 0 ]; then rm -f "$ZoneFilesFolder""static.""$ReverseZoneFile" ./update-rdnszone.sh "$RDomain" "$ForwardZones" "$ZoneFilesFolder""$ReverseZoneFile" "$TTLReReExMi" "$InternalViews" for IView in $InternalViews; do - InsertZoneToIncludeFile "${RDomain%*.}" "$ZoneFilesFolder""$ReverseZoneFile" "/tmp/""$IView"".conf" + InsertZoneToIncludeFile "${RDomain%*.}" "$ZoneFilesFolder""$ReverseZoneFile" "$TempFolder""$IView"".conf" done done done - ExternFile="$ZoneFilesFolder""db.""$ExternalView"".""$CommunityDomain" - ./update-extzone.sh "$MasterFile" "$ExternFile" "$CommunityDomain" "$ExternalView" "$CommunityExternDomain" "$InternalViews" + if [ -n "$ExternalView" ]; then + InsertZoneToIncludeFile "$CommunityDomain" "$ExternFile" "$TempFolder""$ExternalView"".conf" "$DNSSECPolicy" + fi + fi - for IView in $InternalViews; do - InternViewMasterZone="$ZoneFilesFolder""db.""$IView"".""$CommunityDomain" - [ -f "$InternViewMasterZone" ] || ln -s "$MasterFile" "$InternViewMasterZone" - InsertZoneToIncludeFile "$CommunityDomain" "$InternViewMasterZone" "/tmp/""$IView"".conf" "$DNSSECPolicy" + UpdateExternView=0 + if [ -n "$ExternalView" ] || [ -n "$ServeExtZone" ]; then + SerialExtern="$(GetZoneFileSerial "$ExternFile")" + if [ $((LocalMasterSerial)) -gt $((SerialExtern)) ]; then + sed -e '/^[^;]*\s\(10.\|[fF][cdCD][0-9a-fA-F]\{2\}:\)\S*\s*\(;.*\)\?$/d; \ + s/^[^;^@]*\s\+\([^;]*\)\s[Ii][Nn]\s\+[Ss][Oo][Aa]\s/@ \1 IN SOA /g' "$FileForExternGeneration" \ + > "$ExternFile" + UpdateExternView=1 + [ -z "$ExternalView" ] || ReloadZone "$CommunityExternDomain" "$ExternalView" + fi + fi + + UpdateExternDomain=0 + if [ -n "$ServeExtZone" ]; then + MasterExtDomainFile="$ZoneFilesFolder""db.""$FirstInternal"".""$CommunityExternDomain" + ZoneTempFolder="$TempFolder""cache/""$CommunityExternDomain""/" + cp -f "$ExternFile" "$CachedMasterFile""E" + sed -i -e '/^\s*_dnsseckeys\./d' "$CachedMasterFile""E" + [ -n "$(sed -e 
'/^\s*\(@\s\+\([0-9]*\s\)\?\s*[Ii][Nn]\s\+[Nn][Ss]\)\s/!d' "$CachedMasterFile""E")" ] || \ + sed -i -e 's/^\s*\(@\s\+\([0-9]*\s\)\?\s*[Ii][Nn]\s\+[Ss][Oo][Aa]\)\s\+\S\+\s\+\S\+\s/\1 '"$DNSSCRIPT_SERVER_NAME"'. '"$DNSSCRIPT_CONTACT_EMAIL"' /g' "$CachedMasterFile""E" + + sed -i -e 's/^\s*'"$CommunityExternPrefix"'\s/@ /g;/^\s*@\s\+[Ii][Nn]\s\+[Dd][Ss]\s/d' "$CachedMasterFile""E" + + UpdateExternDomain="$(UpdateDNSSECEntryCache "$CommunityExternDomain" "$ZoneTempFolder" "$CachedMasterFile""E" "$DNSSECKeyFolder")" + [ $UpdateExternView -eq 0 ] || UpdateExternDomain=1 + + if [ $UpdateExternDomain -ne 0 ]; then + for KeyFile in "$ZoneTempFolder"*; do + [ "$KeyFile" = "$ZoneTempFolder""*" ] || \ + cat "$KeyFile" >> "$CachedMasterFile""E" done - InsertZoneToIncludeFile "$CommunityDomain" "$ExternFile" "/tmp/""$ExternalView"".conf" "$DNSSECPolicy" - if [ -n "$CommunityExternDomain" ]; then + LocalExtDomainMasterSerial="$(GetZoneFileSerial "$MasterExtDomainFile")" + + if [ $((LocalMasterSerial)) -le $((LocalExtDomainMasterSerial)) ]; then + LocalExtDomainMasterSerial=$((LocalExtDomainMasterSerial+1)) + sed -i -e 's/^\(\s*\)'"$LocalMasterSerial"'\(\s*;\s*[Ss]erial.*\)$/\1'"$LocalExtDomainMasterSerial"'\3/g' "$CachedMasterFile""E" + sed -i -e 's/^\(\s*\S\+\s\+\([0-9]*\s\)\?\s*[Ii][Nn]\s\+[Ss][Oo][Aa]\s\+\S\+\s\+\S\+\s\+\)'"$LocalMasterSerial"'\(\s\+.*\)$/\1'"$LocalExtDomainMasterSerial"'\3/g' "$CachedMasterFile""E" + fi + mv "$CachedMasterFile""E" "$MasterExtDomainFile" + ReloadZone "$CommunityExternDomain" "$InternalViews" + fi for IView in $InternalViews; do InternViewExternZone="$ZoneFilesFolder""db.""$IView"".""$CommunityExternDomain" - [ -f "$InternViewExternZone" ] || ln -s "$ExternFile" "$InternViewExternZone" - InsertZoneToIncludeFile "$CommunityExternDomain" "$InternViewExternZone" "/tmp/""$IView"".conf" "$DNSSECPolicy" + [ -f "$InternViewExternZone" ] || ln -s "$MasterExtDomainFile" "$InternViewExternZone" + InsertZoneToIncludeFile "$CommunityExternDomain" 
"$InternViewExternZone" "$TempFolder""$IView"".conf" "$DNSSECPolicy" done + if [ -n "$ExternalView" ]; then ExternViewExternZone="$ZoneFilesFolder""db.""$ExternalView"".""$CommunityExternDomain" - [ -f "$ExternViewExternZone" ] || ln -s "$ExternFile" "$ExternViewExternZone" - InsertZoneToIncludeFile "$CommunityExternDomain" "$ExternViewExternZone" "/tmp/""$ExternalView"".conf" "$DNSSECPolicy" + [ -f "$ExternViewExternZone" ] || ln -s "$MasterExtDomainFile" "$ExternViewExternZone" + InsertZoneToIncludeFile "$CommunityExternDomain" "$ExternViewExternZone" "$TempFolder""$ExternalView"".conf" "$DNSSECPolicy" fi + fi +fi + +if [ -z "$MasterFile" ]; then + MasterFile="$ZoneFilesFolder""db.""$FirstInternal"".""$CommunityDomain" + cp -f "$CachedMasterFile" "$MasterFile" fi # set shorter TTL for Hoods @@ -130,7 +223,7 @@ for Hood in $Hoods; do ReverseZoneFileFullPath="$ZoneFilesFolder""$(GetReverseZoneFileFromZone "${RDomain%*.}")" ./update-rdnszone.sh "$RDomain" "$HoodForwardZones" "$ReverseZoneFileFullPath" "$TTLReReExMi" "$InternalViews" for IView in $InternalViews; do - InsertZoneToIncludeFile "${RDomain%*.}" "$ReverseZoneFileFullPath" "/tmp/""$IView"".conf" + InsertZoneToIncludeFile "${RDomain%*.}" "$ReverseZoneFileFullPath" "$TempFolder""$IView"".conf" done done done 
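Review bot: In the `sed` that generates `$ExternFile`, the alternative `10.` has an unescaped dot, so the delete pattern also matches lines whose last two fields are `10 <something>` (for example an MX record with preference 10) and addresses such as `100.x` or `104.x`. Those records are then missing from the external zone even though they are not internal addresses. Escaping the dot, `\(10\.\|[fF][cdCD][0-9a-fA-F]\{2\}:\)`, limits the filter to 10.0.0.0/8 and fc00::/7, which is presumably what was meant. A comment above the command stating that it strips RFC 1918 10/8 and ULA records from the external view would help the next reader. The block this hunk edits opens in the previous hunk.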
@@ -145,19 +238,19 @@ for Hood in $Hoods; do for IView in $InternalViews; do InternViewMasterZone="$ZoneFilesFolder""db.""$IView"".""$HoodDomain" [ -f "$InternViewMasterZone" ] || ln -s "$HoodZoneFile" "$InternViewMasterZone" - InsertZoneToIncludeFile "$HoodDomain" "$InternViewMasterZone" "/tmp/""$IView"".conf" "$DNSSECPolicy" + InsertZoneToIncludeFile "$HoodDomain" "$InternViewMasterZone" "$TempFolder""$IView"".conf" "$DNSSECPolicy" done - InsertZoneToIncludeFile "$HoodDomain" "$ExternFile" "/tmp/""$ExternalView"".conf" "$DNSSECPolicy" + InsertZoneToIncludeFile "$HoodDomain" "$ExternFile" "$TempFolder""$ExternalView"".conf" "$DNSSECPolicy" if [ -n "$HoodExternDomain" ]; then for IView in $InternalViews; do - InternViewExternZone="$ZoneFilesFolder""db.""$IView"".""$HoodExternDomain" + InternViewExternZone="$ZoneFilesFolder""db.""$IView"".""${Hood%%\#*}"".""$CommunityExternDomain" [ -f "$InternViewExternZone" ] || ln -s "$ExternFile" "$InternViewExternZone" - InsertZoneToIncludeFile "$HoodExternDomain" "$InternViewExternZone" "/tmp/""$IView"".conf" "$DNSSECPolicy" + InsertZoneToIncludeFile "${Hood%%\#*}"".""$CommunityExternDomain" "$InternViewExternZone" "$TempFolder""$IView"".conf" "$DNSSECPolicy" done - ExternViewExternZone="$ZoneFilesFolder""db.""$ExternalView"".""$HoodExternDomain" + ExternViewExternZone="$ZoneFilesFolder""db.""$ExternalView"".""${Hood%%\#*}"".""$CommunityExternDomain" [ -f "$ExternViewExternZone" ] || ln -s "$ExternFile" "$ExternViewExternZone" - InsertZoneToIncludeFile "$HoodExternDomain" "$ExternViewExternZone" "/tmp/""$ExternalView"".conf" "$DNSSECPolicy" + InsertZoneToIncludeFile "${Hood%%\#*}"".""$CommunityExternDomain" "$ExternViewExternZone" "$TempFolder""$ExternalView"".conf" "$DNSSECPolicy" fi done 
@@ -175,9 +268,9 @@ UpdateBindConfig() { UpdateBindConfig "$BindIcvpnAclTmp" "$BindIcvpnAcl" for IView in $InternalViews; do - UpdateBindConfig "/tmp/""$IView"".conf" "$BindIncludeFileFolder""$IView"".conf" + UpdateBindConfig "$TempFolder""$IView"".conf" "$BindIncludeFileFolder""$IView"".conf" done -UpdateBindConfig "/tmp/""$ExternalView"".conf" "$BindIncludeFileFolder""$ExternalView"".conf" +UpdateBindConfig "$TempFolder""$ExternalView"".conf" "$BindIncludeFileFolder""$ExternalView"".conf" if [ $ReConfigBind -ne 0 ] || [ -f "/tmp/dnsscript-forcereconf" ]; then if [ $((DNSSCRIPT_BIND_RELOAD_VER)) -eq 0 ]; then