version 1.0.0rc1

Signed-off-by: Blackyfff <freifunk@freifunk-herpf.de>

README.md

@@ -1,7 +1,7 @@
 
 # dns-scripts
 Dieses Git enthält eine Sammlung an Scripten zur Aktualisierung der Zonen für fff.community.
-Dabei werden aus der Forward-Zone und optional eigener Subdomain (durch community-Zonefile gesteuert) auch passende Reverse-Zonen für unsere internen RFC 1918 und RFC 4193 Adressen erzeugen.
+Dabei werden aus der Forward-Zone und optional eigener Subdomain (durch community-Zonendatei gesteuert) auch passende Reverse-Zonen für unsere internen RFC 1918 und RFC 4193 Adressen erzeugt.
 
 Es werden bei eigener Subdomain die momentan vergebenen Adressen von dnsmasq und odhcpd (alles unter /tmp/hosts/) inkludiert.
 Das ermöglicht eine Namensauflösung für Freifunk-Teilnehmer ohne manuelle Konfiguration.
@@ -9,7 +9,7 @@ Damit kann jeder Freifunk-Teilnehmer ein gültiges TLS-Zertifikat bekommen, sofe
 
 Unterstützt wird Split-DNS für Freifunk-interne und -externe Anfragen, dabei kann auch eine Subdomain angelegt werden unter welcher nur extern erreichbare IPs herausgegeben werden.
 
-DNSSEC wird für jede Zone unterstützt, allerdings nur für die Hauptzone mit mehreren Servern. Für Subdomainserver darf mit DNSSEC nur jeweils ein Server autoritativ sein.
+DNSSEC wird für jede Zone unterstützt, allerdings nur für die Hauptzone mit mehreren Servern. Für Subdomainserver darf mit DNSSEC nur jeweils ein primärer Server autoritativ sein.
 
 ## Installation
 
@@ -21,7 +21,7 @@ bind9
 
 named-checkzone (z.B. bei bind oder bind-tools enthalten)
 
-für DNSSEC: delv; bind9 >= 9.16.18
+für DNSSEC: delv; bind9 >= 9.16.33/9.18.12; openssl
 
 
 #### dns-scripts klonen
@@ -216,7 +216,7 @@ Sofern noch nicht vorhanden wird dann eine neue Zonendatei für diese Subdomain
 ```
 wie die Rootzonendatei editiert werden.
 
-Sollten spezielle Konfigurationen für die views benötigt werden, können diese im Konfigurationsverzeichnis (/etc/ffdns) als Dateien im Format <View>.<Domain> abgelegt werden. Die dort enthaltenen Zeilen werden in die Konfiguration des Views geschrieben.
+In den durch die Scripte angelegten Zonen des ersten internen View (bei DNSSEC die unsignierte Variante) können mit einer update-policy auch dynamisch Einträge gesetzt werden. Da bei DNSSEC diese Datei nicht über die Scripte von bind geladen wird, sollte diese in einem separaten View für Updates geladen werden.
 
 ### Subsubdomains
 

usr/lib/ffdns/dns-functions.sh

@@ -20,13 +20,17 @@ InsertZoneToViews() {
 	ZoneFilesFolder="$2"
 	Domain="$3"
 	SourceFile="$4"
-	TempFolder="$5"
+	AdditionalZoneConfig="$5"
-	DNSSECPolicy="$6"
-	AdditionalZoneConfig="$7"
 	for View in $Views; do
 		ZoneFile="$ZoneFilesFolder""db.""$View"".""$Domain"
 		[ -f "$ZoneFile" ] || ln -s "$SourceFile" "$ZoneFile"
-		InsertZoneToIncludeFile "$Domain" "$ZoneFile" "$TempFolder""$View"".conf" "$DNSSECPolicy" "$AdditionalZoneConfig""$View""."
+		if [ -n "$DNSSCRIPT_DNSSECPolicy" ]; then
+			if [ ! -f "$ZoneFilesFolder""db.""$View"".""$Domain"".signed" ]; then
+				cp -f "$ZoneFile" "$ZoneFilesFolder""db.""$View"".""$Domain"".signed"
+			fi
+			ZoneFile="$ZoneFilesFolder""db.""$View"".""$Domain"".signed"
+		fi
+		InsertZoneToIncludeFile "$Domain" "$ZoneFile" "$DNSSCRIPT_TEMP_FOLDER""$View"".conf" "$DNSSCRIPT_DNSSECPolicy" "$AdditionalZoneConfig""$View""."
 	done
 }
 InsertZoneToIncludeFile() {
@@ -39,9 +43,13 @@ InsertZoneToIncludeFile() {
 		{
 			echo "zone \"""$1""\" {"
 			echo "	type master;"
-			[ -n "$4" ] && echo "	dnssec-policy $4"";"
+			if [ -n "$4" ]; then
-			[ -n "$4" ] && echo "	inline-signing yes;"
+				echo "	dnssec-policy $4"";"
-			[ -n "$Additional" ] && echo "$Additional"
+				echo "	update-policy {"
+				echo "		grant local subdomain ""$1"". any;"
+				[ -n "$Additional" ] && echo "$Additional"
+				echo "	};"
+			fi
 			echo "	file \"""$2""\";"
 			echo "};"
 		} > "$3"
@@ -49,9 +57,13 @@ InsertZoneToIncludeFile() {
 		{
 			echo "zone \"""$1""\" {"
 			echo "	type master;"
-			[ -n "$4" ] && echo "	dnssec-policy $4"";"
+			if [ -n "$4" ]; then
-			[ -n "$4" ] && echo "	inline-signing yes;"
+				echo "	dnssec-policy $4"";"
-			[ -n "$Additional" ] && echo "$Additional"
+				echo "	update-policy {"
+				echo "		grant local subdomain ""$1"". any;"
+				[ -n "$Additional" ] && echo "$Additional"
+				echo "	};"
+			fi
 			echo "	file \"""$2""\";"
 			echo "};"
 		} >> "$3"
@@ -215,17 +227,19 @@ GetOwnKeysForZone () {
 	if [ -n "$DNSSECKeyFolder" ];then
 		for OwnKeyFile in "$DNSSECKeyFolder""K""$Domain"".+"*".key"; do
 			if ! [ "$OwnKeyFile" = "$DNSSECKeyFolder""K""$Domain"".+*.key" ]; then
-				Removed="$(sed -ne 's/^; Delete: \(\S\{12\}\).*/\1/p' "$OwnKeyFile")"
+				Removed="$(sed -ne 's/^; Inactive: \(\S\{12\}\).*/\1/p' "$OwnKeyFile")"
-				RemovedSeconds="$(date -u -d "$Removed" '+%s' 2>/dev/null)"
+				if [ -n "$Removed" ]; then
-				if [ -z "$RemovedSeconds" ]; then
+					RemovedISO="$( echo "$Removed" | sed -ne 's/\(.\{4\}\)\(.\{2\}\)\(.\{2\}\)\(.\{2\}\)\(.\{2\}\).*/\1-\2-\3T\4:\5/p')"
-					RemovedSeconds="$( echo "$Removed" | sed -ne 's/\(.\{4\}\)\(.\{2\}\)\(.\{2\}\)\(.\{2\}\)\(.\{2\}\).*/\1-\2-\3T\4:\5/p')"
+					RemovedSeconds="$(date -d "$RemovedISO" '+%s' 2>/dev/null)"
-					RemovedSeconds="$(date -u -d "$RemovedSeconds" '+%s' 2>/dev/null)"
+					[ -n "$RemovedSeconds" ] || RemovedSeconds="$(date -u -d "$Removed" '+%s' 2>/dev/null)"
-				fi
+					if [ -n "$RemovedSeconds" ]; then
-				if [ -n "$RemovedSeconds" ]; then
+						CurDate="$(date '+%s')"
-					CurDate="$(date -u '+%s')"
+						if [ $((RemovedSeconds)) -ge $((CurDate)) ]; then
-					if [ $((CurDate - RemovedSeconds)) -le 72000 ]; then
+							RemovedSeconds=""
-						RemovedSeconds=""
+						fi
 					fi
+				else
+					RemovedSeconds=""
 				fi
 				if [ -z "$RemovedSeconds" ]; then
 					sed -ne '/^;/d;s/^'"$Domain"'\.\s\+\([0-9]*\s\)\?\s*[Ii][Nn]\s\+[Dd][Nn][Ss][Kk][Ee][Yy]\s\+\(.*\)$/_dnsseckeys\.'"$Domain"'\.\tIN TXT\t\"\2\"/p' "$OwnKeyFile" | \
@@ -241,7 +255,6 @@ UpdateDNSSECEntryCache () {
 	CachedZoneFile="$3"
 	DNSSECKeyFolder="$4"
 	UpstreamIP="$5"
-	TempFolder="$6"
 	
 	[ -z "$UpstreamIP" ] || UpstreamIP="-b""$UpstreamIP"
 	
@@ -257,7 +270,7 @@ UpdateDNSSECEntryCache () {
 			if [ "$Nameserver" = "$DNSSCRIPT_SERVER_NAME" ]; then
 				{
 					GetOwnKeysForZone "$DNSSECKeyFolder" "$Domain" | sort
-					GetDSForZone "$DNSSECKeyFolder" "$Domain" "$TempFolder" | NormalizeZoneFileFormatting
+					GetDSForZone "$DNSSECKeyFolder" "$Domain" "$DNSSCRIPT_TEMP_FOLDER" | NormalizeZoneFileFormatting
 				} > "$ZoneTempFolder""Keys.""$Nameserver"
 			else
 				{
@@ -305,20 +318,38 @@ UpdateDNSSECEntryCache () {
 		rm -f "$KeyFile"
 	done
 }
+
 ReloadZone() {
 	if [ -n "$2" ]; then
 		if [ $((DNSSCRIPT_BIND_RELOAD_VER)) -eq 0 ]; then
 			systemctl reload bind9 >/dev/null
 		elif [ $((DNSSCRIPT_BIND_RELOAD_VER)) -eq 1 ]; then
+			ZoneFilesFolder="$3"
 			for Zone in $2; do
-				if ! rndc reload "$1" IN "$Zone" 2>"/tmp/dnsscript_rndcerr" >/dev/null; then
+				if [ -z "$ZoneFilesFolder" ] || [ -f "$ZoneFilesFolder""db.""$Zone"".""$1" ]; then
-					if [ -n "$3" ] && grep -q "failed: out of range" "/tmp/dnsscript_rndcerr"; then
+					if [ -n "$DNSSCRIPT_DNSSECPolicy" ] && [ -n "$ZoneFilesFolder" ]; then
-						rndc sync -clean "$1" IN "$Zone" >/dev/null || touch "/tmp/dnsscript-forcereconf"
+						! rndc freeze "$1" IN "$Zone" >/dev/null
-					else
+						UnsignedZonefile="$ZoneFilesFolder""db.""$Zone"".""$1"
-						touch "/tmp/dnsscript-forcereconf"
+						SignedZonefile="$ZoneFilesFolder""db.""$Zone"".""$1"".signed"
+						NewSerial="$(GetZoneFileSerial "$UnsignedZonefile")"
+						named-checkzone -q -i none -o "$TmpFolder""tmp.zone" "$1" "$UnsignedZonefile"
+						OldSerial="$(GetZoneFileSerial "$SignedZonefile")"
+						if [ $((NewSerial)) -le $((OldSerial)) ]; then
+							OldSerial=$((OldSerial+1))
+							sed -i -e 's/^\(\s*\S\+\s\+\([0-9]*\s\)\?\s*[Ii][Nn]\s\+[Ss][Oo][Aa]\s\+\S\+\s\+\S\+\s\+\)'"$NewSerial"'\(\s\+.*\)$/\1'"$OldSerial"'\3/g' "$TmpFolder""tmp.zone"	
+						fi
+						cp -f "$TmpFolder""tmp.zone" "$SignedZonefile"
+						! rndc reload "$1" IN "$Zone" >/dev/null
+						! rndc thaw "$1" IN "$Zone" >/dev/null
+					elif ! rndc reload "$1" IN "$Zone" 2>"/tmp/dnsscript_rndcerr" >/dev/null; then
+						if [ -n "$3" ] && grep -q "failed: out of range" "/tmp/dnsscript_rndcerr"; then
+							rndc sync -clean "$1" IN "$Zone" >/dev/null || touch "/tmp/dnsscript-forcereconf"
+						else
+							touch "/tmp/dnsscript-forcereconf"
+						fi
 					fi
+					rm -f "/tmp/dnsscript_rndcerr"
 				fi
-				rm -f "/tmp/dnsscript_rndcerr"
 			done
 		elif [ $((DNSSCRIPT_BIND_RELOAD_VER)) -eq 2 ]; then
 			/etc/init.d/named reload >/dev/null
@@ -389,7 +420,7 @@ GetDSForZone () {
 			Protocol="$(echo "$KSK" | sed -e 's/^[^ ]* [^ ]* //g;s/ .*//g')"
 			Algo="$(echo "$KSK" | sed -e 's/^[^ ]* [^ ]* [^ ]* //g;s/ .*//g')"
 			KSK="$(echo "$KSK" | sed -e 's/^[^ ]* [^ ]* [^ ]* [^ ]* //g;s/ //g')"
-			echo -e "_cdskey.""$Domain"".\tIN TXT\t\"""$KeyID"" ""$Algo"" 2 ""$(GetDS "$Domain" "$KeyTag" "$Protocol" "$Algo" "$KSK" "$TmpFolder")""\""
+			echo "_cdskey.""$Domain"".	IN TXT	\"""$KeyID"" ""$Algo"" 2 ""$(GetDS "$Domain" "$KeyTag" "$Protocol" "$Algo" "$KSK" "$TmpFolder")""\""
 		fi
 	fi
 }

usr/lib/ffdns/update-dns-functions.sh

@@ -1,15 +1,15 @@
 #!/bin/sh
 # SPDX-License-Identifier: GPL-3.0
 #
-# freifunk-franken dns-scipts (c) 2021-2022 Blackyfff
+# freifunk-franken dns-scipts (c) 2021-2023 Blackyfff
 
 SetupCache() {
-	mkdir -p "$TempFolder""cache"
+	mkdir -p "$DNSSCRIPT_TEMP_FOLDER""cache"
 
 	for IView in $InternalViews; do
-		rm -f "$TempFolder""$IView"".conf"
+		rm -f "$DNSSCRIPT_TEMP_FOLDER""$IView"".conf"
 	done
-	rm -f "$TempFolder""$ExternalView"".conf"
+	rm -f "$DNSSCRIPT_TEMP_FOLDER""$ExternalView"".conf"
 }
 GetMasterFile() {
 	curl -s -S -f "$RemoteLocation""db.""$MasterDomain" --output "$CachedMasterFile" && \
@@ -19,7 +19,7 @@ GetMasterFile() {
 			echo "_dnsscript_version	IN TXT	""$DNSSCRIPT_VERSION" | NormalizeZoneFileFormatting
 		} >> "$CachedMasterFile" || :
 	if [ ! -f "$CachedMasterFile" ]; then
-		cp "$ZoneFilesFolder""db.""$FirstInternalView"".""$MasterDomain" "$CachedMasterFile"
+		cp -f "$ZoneFilesFolder""db.""$FirstInternalView"".""$MasterDomain" "$CachedMasterFile"
 		sed -i -e '/^_dnsscript_version.*/,$d' "$CachedMasterFile"
 		echo "_dnsscript_version	IN TXT	""$DNSSCRIPT_VERSION" | NormalizeZoneFileFormatting >> "$CachedMasterFile"
 	fi
@@ -37,13 +37,14 @@ DoServeOnlyExternZone() {
 }
 RemoveDNSSECKeysFromCacheFile() {
 	sed -i -e '/^\s*_dnsseckeys\./d' "$CachedMasterFile"
+	sed -i -e '/^\s*_cdskey\./d' "$CachedMasterFile"
 }
 UpdateMasterZone() {
 	LocalMasterSerial=$((PostFetchMasterSerial))
 	if [ -n "$ServeMasterZone" ]; then
-		ZoneTempFolder="$TempFolder""cache/""$MasterDomain""/"
+		ZoneTempFolder="$DNSSCRIPT_TEMP_FOLDER""cache/""$MasterDomain""/"
 	
-		UpdateMaster="$(UpdateDNSSECEntryCache "$MasterDomain" "$ZoneTempFolder" "$CachedMasterFile" "$DNSSECKeyFolder" "$InternalUpstreamIP" "$TempFolder")"
+		UpdateMaster="$(UpdateDNSSECEntryCache "$MasterDomain" "$ZoneTempFolder" "$CachedMasterFile" "$DNSSECKeyFolder" "$InternalUpstreamIP" )"
 		
 		if [ $((PostFetchMasterSerial)) -gt $((PreFetchMasterSerial)) ] || [ -n "$UpdateMaster" ] || [ ! -f "$MasterFile" ]; then
 			cp -f "$CachedMasterFile" "$CachedMasterFile""I"
@@ -64,16 +65,14 @@ UpdateMasterZone() {
 			ReloadZone "$MasterDomain" "$InternalViews" "$ZoneFilesFolder"
 			
 		fi
-		InsertZoneToViews "$InternalViews" "$ZoneFilesFolder" "$MasterDomain" "$MasterFile" "$TempFolder" "$DNSSECPolicy"
+		
-		if [ -n "$ExternalView" ]; then
+		InsertZoneToViews "$InternalViews" "$ZoneFilesFolder" "$MasterDomain" "$MasterFile"
-			InsertZoneToIncludeFile "$MasterDomain" "$ExternFile" "$TempFolder""$ExternalView"".conf" "$DNSSECPolicy"
-		fi
 	fi
 
 	echo "$LocalMasterSerial"
 }
 UpdateExternal() {
-	CachedZoneFile="$TempFolder""cache/db.""$InternalDomain""E"
+	CachedZoneFile="$DNSSCRIPT_TEMP_FOLDER""cache/db.""$InternalDomain""E"
 
 	UpdateExternView=0
 	if [ -n "$ExternalView" ] || [ -n "$ExternDomain" ]; then
@@ -84,23 +83,40 @@ UpdateExternal() {
 			UpdateExternView=1
 			ReloadZone "$InternalDomain" "$ExternalView" "$ZoneFilesFolder"
 		fi
+		
+		if [ -n "$ExternalView" ]; then
+			InsertZoneToViews "$ExternalView" "$ZoneFilesFolder" "$InternalDomain" "$InternalZoneFile"
+		fi
 	fi
 
 	if [ -n "$ExternDomain" ]; then
 		ExtDomainFile="$ZoneFilesFolder""db.""$FirstInternalView"".""$ExternDomain"
-		ZoneTempFolder="$TempFolder""cache/""$ExternDomain""/"
+		ZoneTempFolder="$DNSSCRIPT_TEMP_FOLDER""cache/""$ExternDomain""/"
-		cp -f "$ExternalZoneFile" "$CachedZoneFile"
+		named-checkzone -q -i none -o "$CachedZoneFile" "$InternalDomain" "$ExternalZoneFile"
+		InternalDomainSed="$(SEDifyHostname "$InternalDomain")"
+		ExternDomainSed="$(SEDifyHostname "$ExternDomain")"
+		
+		if [ -n "$(sed -e '/^'"$ExternDomainSed"'\.\s\+\([0-9]*\s\)\?\s*[Ii][Nn]\s\+[Nn][Ss]\s/!d' "$CachedZoneFile")" ]; then
+			sed -i -e '/^'"$InternalDomainSed"'\.\s\+\([0-9]*\s\)\?\s*[Ii][Nn]\s\+[Nn][Ss]\s/d' "$CachedZoneFile"
+			sed -i -e 's/^'"$ExternDomainSed"'\.\(\s\)/@\1/g' "$CachedZoneFile"
+		fi
 		if [ -n "$DNSSECKeyFolder" ]; then
-			sed -i -e '/^\s*_dnsseckeys\./d' "$CachedZoneFile"
+			sed -i -e '/^_cdskey\./d' "$CachedZoneFile"
-			sed -i -e '/^\s*\S\+\s\+\([0-9]*\s\)\?\s*[Ii][Nn]\s\+[Dd][Nn][Ss][Kk][Ee][Yy]/d' "$CachedZoneFile"
+			sed -i -e '/^\S\+\s\+\([0-9]*\s\)\?\s*[Ii][Nn]\s\+[Dd][Nn][Ss][Kk][Ee][Yy]/d' "$CachedZoneFile"
 		fi
 		
 		[ -n "$(sed -e '/^\s*\(@\s\+\([0-9]*\s\)\?\s*[Ii][Nn]\s\+[Nn][Ss]\)\s/!d' "$CachedZoneFile")" ] || \
 			sed -i -e 's/^\s*\(@\s\+\([0-9]*\s\)\?\s*[Ii][Nn]\s\+[Ss][Oo][Aa]\)\s\+\S\+\s\+\S\+\s/\1 '"$DNSSCRIPT_SERVER_NAME"'. '"$DNSSCRIPT_CONTACT_EMAIL"' /g' "$CachedZoneFile"
 		
-		sed -i -e 's/^\s*'"$CommunityExternPrefix"'\s/@ /g;/^\s*\(@\|\S\+\.\)\s\+\([0-9]*\s\)\?\s*[Ii][Nn]\s\+[Dd][Ss]\s/d' "$CachedZoneFile"
+		sed -i -e '/^\S\+\s\+\([0-9]*\s\)\?\s*[Ii][Nn]\s\+[Dd][Ss]\s/d' "$CachedZoneFile"
+		sed -i -e '/^_dnsseckeys\./d' "$CachedZoneFile"
+		sed -i -e 's/^'"$InternalDomainSed"'\.\(\s\)/@\1/g' "$CachedZoneFile"
+		sed -i -e 's/^\(\S\+\)\.'"$InternalDomainSed"'\.\(\s\)/\1\2/g' "$CachedZoneFile"
+		
+		echo "\$TTL ${TTLReReExMi%% *}" >> "$CachedZoneFile"
+		
+		UpdateExternDomain="$(UpdateDNSSECEntryCache "$ExternDomain" "$ZoneTempFolder" "$CachedZoneFile" "$DNSSECKeyFolder" "$InternalUpstreamIP" )"
 	
-		UpdateExternDomain="$(UpdateDNSSECEntryCache "$ExternDomain" "$ZoneTempFolder" "$CachedZoneFile" "$DNSSECKeyFolder" "$InternalUpstreamIP" "$TempFolder")"
 		if [ $UpdateExternView -ne 0 ] || [ -n "$UpdateExternDomain" ]; then
 			for KeyFile in "$ZoneTempFolder"*; do
 				[ "$KeyFile" = "$ZoneTempFolder""*" ] || \
@@ -117,9 +133,8 @@ UpdateExternal() {
 			ReloadZone "$ExternDomain" "$InternalViews" "$ZoneFilesFolder"
 			ReloadZone "$ExternDomain" "$ExternalView" "$ZoneFilesFolder"
 		fi
-		
+		InsertZoneToViews "$InternalViews" "$ZoneFilesFolder" "$ExternDomain" "$ExtDomainFile"
-		InsertZoneToViews "$InternalViews" "$ZoneFilesFolder" "$ExternDomain" "$ExtDomainFile" "$TempFolder" "$DNSSECPolicy"
+		InsertZoneToViews "$ExternalView" "$ZoneFilesFolder" "$ExternDomain" "$ExtDomainFile"
-		InsertZoneToViews "$ExternalView" "$ZoneFilesFolder" "$ExternDomain" "$ExtDomainFile" "$TempFolder" "$DNSSECPolicy"
 	fi
 }
 UpdateReverseZones() {
@@ -134,7 +149,7 @@ UpdateReverseZones() {
 			fi
 			./update-rdnszone.sh "$RDomain" "$2" "$ZoneFilesFolder""$ReverseZoneFile" "$TTLReReExMi" "$InternalViews"
 			for IView in $InternalViews; do
-					InsertZoneToIncludeFile "${RDomain%*.}" "$ZoneFilesFolder""$ReverseZoneFile" "$TempFolder""$IView"".conf"
+					InsertZoneToIncludeFile "${RDomain%*.}" "$ZoneFilesFolder""$ReverseZoneFile" "$DNSSCRIPT_TEMP_FOLDER""$IView"".conf"
 			done
 		done
 	done

usr/lib/ffdns/update-dns.sh

@@ -8,7 +8,7 @@
 # exit script when command fails
 set -e
 
-export DNSSCRIPT_VERSION="0.9.5"
+export DNSSCRIPT_VERSION="1.0.0rc1"
 
 . /etc/ffdns/community.conf
 . /etc/ffdns/local.conf
@@ -16,6 +16,10 @@ export DNSSCRIPT_VERSION="0.9.5"
 export DNSSCRIPT_CONTACT_EMAIL
 export DNSSCRIPT_SERVER_NAME
 export DNSSCRIPT_BIND_RELOAD_VER
+DNSSCRIPT_DNSSECPolicy="$DNSSECPolicy"
+export DNSSCRIPT_DNSSECPolicy
+DNSSCRIPT_TEMP_FOLDER="$TempFolder"
+export DNSSCRIPT_TEMP_FOLDER
 
 cd /usr/lib/ffdns/
 . ./dns-functions.sh
@@ -31,13 +35,11 @@ fi
 FirstInternalView="$( echo "$InternalViews" | sed -e 's/\s.*//')"
 # ForwardZones: "<Zone>/<Zonendatei>" ; optionaly multiple " ""<ZoneX>/<ZonendateiX>" no spaces in full filename
 ForwardZones="$MasterDomain""/""$ZoneFilesFolder""db.""$FirstInternalView"".""$MasterDomain"
-BindIcvpnAclTmp="$TempFolder""icvpn-acl.conf"
+[ -n "$DNSSCRIPT_DNSSECPolicy" ] || DNSSECKeyFolder=""
-BindIcvpnAcl="$GeneratedIncludeFileFolder""icvpn-acl.conf"
-[ -n "$DNSSECPolicy" ] || DNSSECKeyFolder=""
 
 SetupCache
 
-CachedMasterFile="$TempFolder""cache/db.""$MasterDomain"
+CachedMasterFile="$DNSSCRIPT_TEMP_FOLDER""cache/db.""$MasterDomain"
 PreFetchMasterSerial="$(GetZoneFileSerial "$CachedMasterFile")"
 GetMasterFile
 PostFetchMasterSerial="$(GetZoneFileSerial "$CachedMasterFile")"
@@ -100,10 +102,10 @@ for Hood in $Hoods; do
 			echo ";"
 		} > "$HoodZoneFile"
 	fi
-	ZoneTempFolder="$TempFolder""cache/"
+	ZoneTempFolder="$DNSSCRIPT_TEMP_FOLDER""cache/"
 	./update-hoodzone.sh "$HoodZoneFile" "$HoodDomain" "$Subnets" "$InternalViews" "$ZoneTempFolder" "$ZoneFilesFolder"
 	
-	InsertZoneToViews "$InternalViews" "$ZoneFilesFolder" "$HoodDomain" "$HoodZoneFile" "$TempFolder" "$DNSSECPolicy" "/etc/ffdns/"
+	InsertZoneToViews "$InternalViews" "$ZoneFilesFolder" "$HoodDomain" "$HoodZoneFile" "/etc/ffdns/"
 	
 	HoodForwardZones="$ForwardZones $HoodDomain""/""$HoodZoneFile"
 	UpdateReverseZones "$Subnets" "$HoodForwardZones"
@@ -123,9 +125,6 @@ for Hood in $Hoods; do
 	fi
 	
 	if [ -n "$ExternFile" ]; then
-		if [ -n "$ExternalView" ]; then
-			InsertZoneToIncludeFile "$HoodDomain" "$ExternFile" "$TempFolder""$ExternalView"".conf" "$DNSSECPolicy"
-		fi
 		InternalZoneFile="$HoodZoneFile"
 		ExternalZoneFile="$ExternFile"
 		InternalDomain="$HoodDomain"
@@ -135,8 +134,6 @@ for Hood in $Hoods; do
 	fi
 done
 
-./update-public-acl.sh "$BindIcvpnAclTmp" "$RemoteLocation" "$RoutingTables"
-
 ReConfigBind=0
 UpdateBindConfig() {
 	if [ -f "$1" ] && ! cmp -s "$1" "$2"; then
@@ -147,12 +144,11 @@ UpdateBindConfig() {
 	fi
 }
 
-UpdateBindConfig "$BindIcvpnAclTmp" "$BindIcvpnAcl"
 for IView in $InternalViews; do
-	UpdateBindConfig "$TempFolder""$IView"".conf" "$GeneratedIncludeFileFolder""$IView"".conf"
+	UpdateBindConfig "$DNSSCRIPT_TEMP_FOLDER""$IView"".conf" "$GeneratedIncludeFileFolder""$IView"".conf"
 done
 if [ -n "$ExternalView" ]; then
-	UpdateBindConfig "$TempFolder""$ExternalView"".conf" "$GeneratedIncludeFileFolder""$ExternalView"".conf"
+	UpdateBindConfig "$DNSSCRIPT_TEMP_FOLDER""$ExternalView"".conf" "$GeneratedIncludeFileFolder""$ExternalView"".conf"
 fi
 
 if [ $ReConfigBind -ne 0 ] || [ -f "/tmp/dnsscript-forcereconf" ]; then

usr/lib/ffdns/update-hoodzone.sh

@@ -24,12 +24,13 @@ GetLeaseEntriesInSubnet() {
 	done
 }
 
+ZoneTempFolder="$ZoneTempFolder""$Domain""/"
+
 OldSerial="$(GetZoneFileSerial "$ZoneTempFolder""db.""$Domain"".bkp")"
 NewSerial="$(GetZoneFileSerial "$HoodZoneFile")"
+ForceUpdate=""
 [ $((OldSerial)) -gt 0 ] && [ $((OldSerial)) -lt $((NewSerial)) ] && ForceUpdate="1"
 
-ZoneTempFolder="$ZoneTempFolder""$Domain""/"
-
 OldLeases="$(sed -e '/^;### Leases ###/,$!d;/^\s*\S\+\.\s\+\([0-9]*\s\)\?\s*[Ii][Nn]\s\+[Dd][Ss]\s/d' "$HoodZoneFile" | sed 1d)"
 
 if [ -f "/tmp/dhcp.leases" ]; then

usr/lib/ffdns/update-public-acl.sh

@@ -1,87 +0,0 @@
-#!/bin/sh
-# SPDX-License-Identifier: GPL-3.0
-#
-# freifunk-franken dns-scipts (c) 2021      Blackyfff
-
-
-. ./dns-functions.sh
-
-IncludeFile="$1"
-RemoteLocation="$2"
-Tables="$3"
-
-rm -f "$IncludeFile"
-
-if [ -z "$Tables" ]; then
-	# this is only a rude fallback and not recommended
-	# create your own file on a gateway with the community routing tables and use this one
-	RemoteFile="$(curl -s -S -f "$RemoteACL")"
-	if [ -n "$RemoteFile" ]; then
-		echo "$RemoteFile" > "$IncludeFile"
-	fi
-else
-	Installed4Routes=""
-	Installed6Routes=""
-	for Table in $Tables; do
-		Installed4Routes="$(echo "$Installed4Routes" && ip -d -4 ro sh ta "$Table")"
-		Installed6Routes="$(echo "$Installed6Routes" && ip -d -6 ro sh ta "$Table")"
-	done
-	PublicSubs="$(echo "$Installed6Routes" | \
-		sed -e '/^unicast default from/!d;s/.* from \(\S\+\).*/\1/g')"
-	Privatev4Prefix="\(192\.168\.\|172\.\(1[6-9]\|2[0-9]\|3[01]\)\.\|10\.\)"
-	Privatev6Prefix="\([fF][cCdD][0-9a-fA-F]\{2\}:\)"
-	Publicv4Singles="$(echo "$Installed4Routes" | \
-		sed -e 's/^\S\+\s\+\(\S\+\)\s.*/\t\1;/g;/^\t'"$Privatev4Prefix"'\|^\t\(unreachable\|default\|0\.\)\|^$/d')"
-	Publicv6Singles="$(echo "$Installed6Routes" | \
-		sed -e 's/^\S\+\s\+\(\S\+\)\s.*/\1/g;/^'"$Privatev6Prefix"'\|^\(unreachable\|default\|::\|64:ff9b::\)\|^$/d')"
-	
-	# the following code is not well optimized yet and may take a bit to process
-	# therefore it is not recommended to activate it on hardware-routers
-	# even in other environments it did not speed up bind9 measurable, its just for a smaller acl-file, e.g. for redistribution
-
-	#for Subnet in $PublicSubs; do
-	#	SubnetIPFilled="$(FillIPv6Zeroes "$(echo "${Subnet%/*}" | awk '{print tolower($0)}')")"
-	#	Mask="${Subnet##*/}"
-	#	Statics=$((Mask / 4))
-	#	BlockMask=$((Mask % 4))
-	#	if [ $BlockMask -ne 0 ]; then
-	#		BlockMask=$((4 - BlockMask))
-	#		BlockMask=$((-1 << $BlockMask))
-	#		SubnetBlock="$(printf %d 0x"$(echo "$SubnetIPFilled" | awk 'BEGIN{FS=""}{printf $'"$((Statics+1))"'}')")"
-	#		SubnetBlock=$((SubnetBlock & BlockMask))
-	#	fi
-	#	
-	#	SubnetStaticPart="$(echo "$SubnetIPFilled" | awk 'BEGIN{FS=""}{for(i='"$Statics"';i>0;i--) printf $i;}')"
-	#	
-	#	for Single in $Publicv6Singles; do
-	#		IPFilled="$(FillIPv6Zeroes "$(echo "${Single%/*}" | awk '{print tolower($0)}')")"
-	#		MaskIP="$( echo "$Single" | sed -e 's/^[^/]*\(\/\)\?//g')"
-	#		MaskIP="${MaskIP:-128}"
-	#		IsInSub="$([ $((Mask)) -le $((MaskIP)) ]; echo "$?")"
-	#		if [ $IsInSub -eq 0 ]; then
-	#			IPStaticPart="$(echo "$IPFilled" | awk 'BEGIN{FS=""}{for(i='"$Statics"';i>0;i--) printf $i;}')"
-	#			IsInSub="$([ "$IPStaticPart" = "$SubnetStaticPart" ]; echo "$?")"
-	#		fi
-	#		if [ $IsInSub -eq 0 ] && [ $BlockMask -ne 0 ]; then
-	#			IPBlock="$(printf %d 0x"$(echo "$IPFilled" | awk 'BEGIN{FS=""}{printf $'"$((Statics+1))"'}')")"
-	#			IPBlock=$((IPBlock & BlockMask))
-	#			IsInSub="$([ $IPBlock -eq $SubnetBlock ]; echo "$?")"
-	#		fi
-	#		
-	#		! [ $IsInSub -eq 0 ] \
-	#			&& NewSingles="$( [ -n "$NewSingles" ] && echo "$NewSingles"; echo "$Single")"
-	#	done
-	#	Publicv6Singles="$NewSingles"
-	#	NewSingles=""
-	#done	
-	
-	{
-		echo "acl icvpnrange {" 
-		echo "	icvpnlocal;"
-		echo "$PublicSubs" | sed -e 's/\(.*\)/\t\1;/g'
-		echo "$(curl -s -S -f "$RemoteLocation""external.dnsserverips" | sed -e 's/^/\t/g;s/$/;/g')"
-		echo "$Publicv4Singles"
-		echo "$Publicv6Singles" | sed -e 's/\(.*\)/\t\1;/g'
-		echo "};"
-	} > "$IncludeFile"
-fi