Hi
I have a script to resign all DNS zones every two weeks. When I run the script from bash, it works like it should. But when it is executed in cron, it does not. It's starting normally as a cronjob: Feb 1 03:00:01 xxx CROND[20116]: (root) CMD (sh /opt/dnssec/resign_dnssec_zones.sh)
But afterwards I get a mail that everything is finished, but it isn't. 03:04:28 DNSSEC-Signierung abgeschlossen
The script deletes the old signed zones, but doesn't resign them. The mail is also sent. Below the script.
Does anybody have an idea why it doesn't work in cron? I cannot find any error in any log.
Best regards Daniel
#!/bin/bash
KSKDIR="/etc/named/KSK"
ZSKDIR="/etc/named/ZSK"
ZONEDIR="/var/named/chroot/var/named"
LOG="/var/named/chroot/var/log/dnssec_resign.log"
MAILREC="monitor@xx"

#delete old signed files
rm -rf $ZONEDIR/*.signed

#delete the old log
rm -rf $LOG

#read the zonefiles
ZONEFILES=$(ls -p $ZONEDIR | grep -v '/$' | grep -v 'dsset*')

for FILES in $ZONEFILES; do
    #remove the .zone at the end
    ZONE=$(echo "${FILES%.*}")

    #remove the old signed zone
    rm -rf $ZONEDIR/$ZONE.signed

    #Sign the zone
    cd $ZONEDIR
    dnssec-signzone -o $ZONE -k $KSKDIR/K$ZONE.*.key -e +3024000 -f $ZONE.signed $ZONEDIR/$ZONE.zone $ZSKDIR/K$ZONE.*.key >> $LOG

    #Set the correct permissions
    chown named.named $ZONEDIR/*.signed
    chmod 755 $ZONEDIR/*.signed
    sleep 5
done

rm -rf $ZONEDIR/named.zone

echo $(date +"%T")"DNSSEC-Signierung abgeschlossen - Neustart des Servers" >> $LOG
echo "$(cat $LOG)" | mail -s "DNSSEC-Signierung abgeschlossen auf xxx" $MAILREC
In article 86827d81f1944333ae213f2d3f19856a@2sic.com, Daniel Reich Daniel.Reich@2sic.com wrote:
Hi
I have a script to resign all DNS zones every two weeks. When I run the script from bash, it works like it should. But when it is executed in cron, it does not. It's starting normally as a cronjob: Feb 1 03:00:01 xxx CROND[20116]: (root) CMD (sh /opt/dnssec/resign_dnssec_zones.sh)
But afterwards I get a mail that everything is finished, but it isn't. 03:04:28 DNSSEC-Signierung abgeschlossen
The script deletes the old signed zones, but doesn't resign them. The mail is also sent. Below the script.
Does anybody have an idea why it doesn't work in cron? I cannot find any error in any log.
After the first line, add a line saying: set -x
Then set cron to run it and examine the output that gets mailed to you.
The -x tells it to echo each command it is about to execute. That will help you to see how far it is getting.
Further comments below.
Cheers Tony
Best regards Daniel
#!/bin/bash
KSKDIR="/etc/named/KSK"
ZSKDIR="/etc/named/ZSK"
ZONEDIR="/var/named/chroot/var/named"
LOG="/var/named/chroot/var/log/dnssec_resign.log"
MAILREC="monitor@xx"

#delete old signed files
rm -rf $ZONEDIR/*.signed

#delete the old log
rm -rf $LOG

#read the zonefiles
ZONEFILES=$(ls -p $ZONEDIR | grep -v '/$' | grep -v 'dsset*')

for FILES in $ZONEFILES; do
    #remove the .zone at the end
    ZONE=$(echo "${FILES%.*}")
Why not just: ZONE=${FILES%.*}
    #remove the old signed zone
    rm -rf $ZONEDIR/$ZONE.signed
You deleted them all further up.
    #Sign the zone
    cd $ZONEDIR
Why not do this before the loop? Then you also don't need $ZONEDIR/ everywhere.
    dnssec-signzone -o $ZONE -k $KSKDIR/K$ZONE.*.key -e +3024000 -f $ZONE.signed $ZONEDIR/$ZONE.zone $ZSKDIR/K$ZONE.*.key >> $LOG
    #Set the correct permissions
    chown named.named $ZONEDIR/*.signed
    chmod 755 $ZONEDIR/*.signed
    sleep 5
done

rm -rf $ZONEDIR/named.zone

echo $(date +"%T")"DNSSEC-Signierung abgeschlossen - Neustart des Servers" >> $LOG
echo "$(cat $LOG)" | mail -s "DNSSEC-Signierung abgeschlossen auf xxx" $MAILREC
CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos
Do not forget that cron does not use the root environment, such as $PATH. You need to set up the exact environment you need in the beginning of the crontab file. It would be helpful to see your crontab file to know what environment it has set up.
Also the /var/log/cron log file should contain error information that might be helpful.
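The following is an added example, not the poster's script and not code from anyone in the thread. It is the resign job restructured the way Tony's comments above suggest (cd once before the loop, ZONE=${FILES%.zone}, no second rm inside the loop, zone files found with a glob rather than by parsing ls output) with the cron-environment point applied: the PATH is set explicitly and the script aborts with a non-zero exit status when dnssec-signzone cannot be found, so cron mails the failure instead of the script mailing a "finished" log. The directory names are the ones from the thread; the SIGNER variable and the --run flag are assumptions introduced here so that the functions can be exercised with a stub in place of dnssec-signzone. Signed zone files get mode 644 instead of 755, since zone data does not need to be executable.

```shell
#!/bin/bash
# Added example (not the poster's script): the resign job restructured along
# the lines suggested in this thread. Changes versus the posted script:
#   - PATH is set explicitly, because cron does not inherit root's shell PATH
#   - a missing dnssec-signzone aborts the run with a non-zero exit status,
#     so cron mails the failure instead of the script mailing "finished"
#   - cd once before the loop, ZONE=${FILES%.zone}, no rm inside the loop,
#     zone files found with a glob instead of parsing ls output
#   - every failed signing step is counted and reported through the exit code
#   - permissions set once after the loop, mode 644 (zone data is not executable)
# Directory names follow the thread. SIGNER and the --run flag are assumptions
# added so that a test can substitute a stub for dnssec-signzone.
set -u
export PATH=/usr/sbin:/usr/bin:/sbin:/bin

: "${ZONEDIR:=/var/named/chroot/var/named}"
: "${KSKDIR:=/etc/named/KSK}"
: "${ZSKDIR:=/etc/named/ZSK}"
: "${SIGNER:=dnssec-signzone}"

# Fail loudly if a required command is not on the (cron) PATH.
require_cmd() {
    command -v "$1" >/dev/null 2>&1 && return 0
    echo "required command not found in PATH ($PATH): $1" >&2
    return 127
}

# example.com.zone -> example.com
zone_name() {
    printf '%s\n' "${1%.zone}"
}

# Names of the *.zone files in a directory; dsset-* and *.signed never match.
list_zone_files() {
    local f
    for f in "$1"/*.zone; do
        [ -e "$f" ] || continue
        printf '%s\n' "${f##*/}"
    done
}

# Re-sign every zone in ZONEDIR. Exit status: 0 only if every zone was signed.
resign_all() {
    local failed=0 file zone
    require_cmd "$SIGNER" || return 127
    cd "$ZONEDIR" || return 1
    rm -f ./*.signed
    # zone file names contain no whitespace, so word splitting is safe here
    for file in $(list_zone_files "$ZONEDIR"); do
        zone=$(zone_name "$file")
        if ! "$SIGNER" -o "$zone" -k "$KSKDIR"/K"$zone".*.key -e +3024000 \
                -f "$zone.signed" "$file" "$ZSKDIR"/K"$zone".*.key; then
            echo "signing $zone failed" >&2
            failed=1
        fi
    done
    # permissions once, after the loop; only meaningful when run as root
    if [ "$(id -u)" -eq 0 ] && id named >/dev/null 2>&1; then
        chown named:named ./*.signed
        chmod 644 ./*.signed
    fi
    return "$failed"
}

# Run only when invoked as "script --run"; sourcing or testing stays passive.
if [ "${1:-}" = --run ]; then
    resign_all
fi
```

From cron the job would be invoked with the --run argument; a run in which the signer is missing or any zone fails to sign exits non-zero with the reason on stderr, which is what cron mails, so the "finished" notification can no longer be sent for a run that did nothing.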
Thank you for the hints
I modified it like you described. I also moved the permission part out of the loop (once at the end of the script is enough).
Now with the "set -x" the script is also working in cron.
Best regards Daniel
-----Original Message----- From: CentOS [mailto:centos-bounces@centos.org] On Behalf Of Tony Mountifield Sent: Wednesday, February 1, 2017 11:04 AM To: centos@centos.org Subject: Re: [CentOS] Script not running correctly as cronjob
-- Tony Mountifield Work: tony@softins.co.uk - http://www.softins.co.uk Play: tony@mountifield.org - http://tony.mountifield.org
In article 9f43c460b0374ac3951c18dd2d477b14@2sic.com, Daniel Reich Daniel.Reich@2sic.com wrote:
Thank you for the hints
I modified it like you described. I also moved the permission part out of the loop (once at the end of the script is enough).
Now with the "set -x" the script is also working in cron.
The "set -x" would not be what made it work - it is a debugging aid only.
If it now works, then that is due to one of your other changes and you can remove the "set -x" again if you wish.
Cheers Tony
On 02/01/2017 01:02 AM, Daniel Reich wrote:
I have a script to resign all DNS zones every two weeks.
I don't think I can answer the question about why your script is failing per se, but I can say that there are some flaws in the approach that your script is taking. Primarily, if you delete your old key when you create a new one, any external host that has any record from your zone in its cache will consider your zone to be invalid and will be unable to resolve new records (or any records? I'm unclear on that, actually) for the duration of your TTL. Key rotation is not instantaneous.
I'm actually working on a key rotation management job, myself:
https://bitbucket.org/gordonmessmer/update-dns-keys/src
I've been running it for a while, and I'm comfortable with the ZSK rotation segment. I have not yet tested the KSK rotation. If you'd like to help, please send patches.
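As an added illustration of the key-rotation point above (this is example code, not part of the thread and not taken from the update-dns-keys project): a zone-signing key that has stopped signing has to remain in the published key set until no cache can still hold signatures made with it, that is for at least the largest TTL in the zone plus a propagation margin; dropping it the moment the new key appears is exactly the validation outage described. The inventory format, the key states, the key file names and the timestamps are constructed for this example; how a particular signer is told which keys to publish is outside what it shows.

```shell
#!/bin/bash
# Added example (not from the thread or from the update-dns-keys project): a
# retired ZSK must stay in the published key set until since + ttl + margin,
# otherwise resolvers holding cached RRSIGs made with it fail validation.
# The inventory format, key names and timestamps below are constructed.
#
# Inventory line (constructed): <keyfile> <state> <state_since_epoch_seconds>
#   active   signs the zone now; always kept
#   retired  no longer signs; kept until since + ttl + margin has passed
set -u

NL='
'

# Earliest time (epoch seconds) at which a retired key may leave the key set.
safe_removal_time() {
    # $1 = retired_at  $2 = largest zone TTL  $3 = propagation margin
    echo $(( $1 + $2 + $3 ))
}

# keys_to_publish NOW TTL MARGIN < inventory
# Prints the key files that must remain in the key set at time NOW.
# Returns 1 (printing nothing) if no key is active, because a signing run
# without an active ZSK would publish a zone nobody can validate; returns 2
# on an unknown state so a typo in the inventory cannot silently drop a key.
keys_to_publish() {
    local now=$1 ttl=$2 margin=$3 keyfile state since active=0 keep=""
    while read -r keyfile state since; do
        [ -n "$keyfile" ] || continue
        case $state in
            active)
                active=$((active + 1))
                keep="$keep$keyfile$NL"
                ;;
            retired)
                # caches may still hold signatures by this key until then
                if [ "$now" -lt "$(safe_removal_time "$since" "$ttl" "$margin")" ]; then
                    keep="$keep$keyfile$NL"
                fi
                ;;
            *)
                echo "unknown key state '$state' for $keyfile" >&2
                return 2
                ;;
        esac
    done
    [ "$active" -gt 0 ] || return 1
    printf '%s' "$keep"
}

# Constructed inventory: key 11111 active since epoch 1000, key 22222 retired
# at epoch 1500. With TTL 300 s and a 100 s margin, 22222 stays until 1900.
SAMPLE_INVENTORY='Kexample.com.+008+11111.key active 1000
Kexample.com.+008+22222.key retired 1500'

if [ "${1:-}" = --demo ]; then
    printf '%s\n' "$SAMPLE_INVENTORY" | keys_to_publish 1600 300 100
fi
```

Run with --demo to list the keys still required at epoch 1600 for the constructed inventory. The two guards matter more than the arithmetic: a run that would publish no active key, or that meets a state it does not understand, stops instead of writing a zone that resolvers will reject.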