diff --git a/install_dehydrated.sh b/install_dehydrated.sh
index 9084bd4..4b989bb 100755
--- a/install_dehydrated.sh
+++ b/install_dehydrated.sh
@@ -1305,6 +1305,7 @@ get_domain_by_hostname=bind_get_domain_by_hostname.sh
 # - TTL for Records "IN TLSA 3 1 1" and "IN TLSA 2 1 1"
 # -
 ttl_311=3600
+ttl_201=3600
 ttl_211=3600
@@ -1426,6 +1427,7 @@ get_domain_by_hostname=bind_get_domain_by_hostname.sh
 # - TTL for Records "IN TLSA 3 1 1" and "IN TLSA 2 1 1"
 # -
 ttl_311=360
+ttl_201=360
 ttl_211=360
@@ -1998,15 +2000,14 @@ if [[ -n "\$_successfully_created_hosts" ]] ; then
 esac
- # - Generate TLSA 2 1 1 record
+ # - Generate TLSA 2 0 1 record
 # -
- \$verbose && echononl " Generate \\"TLSA 2 1 1\\" record from root certificate (root.ca).."
- tlsa_record_211=\$(
- printf "_%s._tcp.%s. \$ttl_211 IN TLSA 2 1 1 %s\\n" \\
+ \$verbose && echononl " Generate \\"TLSA 2 0 1\\" record from root certificate (root.ca).."
+ tlsa_record_201=\$(
+ printf "_%s._tcp.%s. \$ttl_201 IN TLSA 2 0 1 %s\\n" \\
 \${_tmp_arr[1]} \\
 \${_tmp_arr[0]} \\
- \$(openssl x509 -in /var/lib/dehydrated/certs/\${_tmp_arr[0]}/chain.pem -noout -pubkey |
- openssl pkey -pubin -outform DER |
+ \$(openssl x509 -in /var/lib/dehydrated/certs/\${_tmp_arr[0]}/chain.pem -outform DER |
 openssl dgst -sha256 -binary |
 hexdump -ve '/1 "%02x"')
 )
@@ -2015,9 +2016,9 @@ if [[ -n "\$_successfully_created_hosts" ]] ; then
 else
 \$verbose && echo_failed
 if \$verbose ; then
- error "Generating \\"TLSA 2 1 1\\" record failed! "
+ error "Generating \\"TLSA 2 0 1\\" record failed! "
 else
- echo -e "\\n [ Error ]: Generating \\"TLSA 2 1 1\\" record failed! \\n"
+ echo -e "\\n [ Error ]: Generating \\"TLSA 2 0 1\\" record failed! \\n"
 fi
 continue
 fi
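Review bot: The header comment `# - TTL for Records "IN TLSA 3 1 1" and "IN TLSA 2 1 1"` directly above the new `ttl_201=3600` is now incomplete, and the same holds for the second settings block at `@@ -1426` where `ttl_201=360` is added. Suggest `# - TTL for Records "IN TLSA 3 1 1", "IN TLSA 2 0 1" and "IN TLSA 2 1 1"` in both places. Since the generation code below switches from `\$ttl_211` to `\$ttl_201`, `ttl_211` may no longer be read on that path; worth checking before leaving both settings in the operator-facing config.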
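Review bot: Switching the chain.pem record from `2 1 1` to `2 0 1` changes what is pinned: selector 0 hashes the whole DER certificate (serial, validity and signature included), so an intermediate re-issued under the same key — which the SPKI selector would still match — now makes every record produced here stale until the next run, and as I read RFC 7671 §5.2.2 a Cert(0) DANE-TA record also requires the trust-anchor certificate to be sent in the server's chain, which nothing here verifies. Please state that trade-off in the `# - Generate TLSA 2 0 1 record` comment, or keep publishing a `2 1 1` record alongside the new one; the `tlsa_record_211`/`ttl_211` code being removed looks like it could simply stay. The new `echononl` message still says `from root certificate (root.ca)` while the command reads `chain.pem` (and `openssl x509` only parses the first certificate in that file), so it should read `from intermediate certificate (chain.pem)` if that is the intent. The enclosing loop and the check that feeds the `else` branch at `@@ -2015` lie outside the hunk.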
@@ -2026,31 +2027,31 @@ if [[ -n "\$_successfully_created_hosts" ]] ; then
 # -
 \$verbose && echononl " Add/Renew Record in concerning zone file.."
 ssh -q -p \$dane_ssh_port -i \$dane_ssh_key \${dane_ssh_user}@\${dane_nameserver} \\
- "sudo \$renew_tlsa_record \$tlsa_record_211 > /dev/null 2>&1"
+ "sudo \$renew_tlsa_record \$tlsa_record_201 > /dev/null 2>&1"
 ret_val=\$?
 case \$ret_val in
 0)
 \$verbose && echo_skipped
 if \$verbose ; then
- info "TLSA 2 1 1 record for \\"\$hostname\\" is up to date."
+ info "TLSA 2 0 1 record for \\"\$hostname\\" is up to date."
 else
- echo -e "\\n [ Info ]: TLSA 2 1 1 record for \\"\$hostname\\" is up to date.\\n"
+ echo -e "\\n [ Info ]: TLSA 2 0 1 record for \\"\$hostname\\" is up to date.\\n"
 fi
 ;;
 1)
 \$verbose && echo_ok
 if \$verbose ; then
- info "TLSA 2 1 1 record for \\"\$hostname\\" replaced."
+ info "TLSA 2 0 1 record for \\"\$hostname\\" replaced."
 else
- echo -e "\\n [ Info ]: TLSA 2 1 1 record for \\"\$hostname\\" replaced.\\n"
+ echo -e "\\n [ Info ]: TLSA 2 0 1 record for \\"\$hostname\\" replaced.\\n"
 fi
 ;;
 2)
 \$verbose && echo_ok
 if \$verbose ; then
- info "New TLSA 2 1 1 record for \\"\$hostname\\" added."
+ info "New TLSA 2 0 1 record for \\"\$hostname\\" added."
 else
- echo -e "\\n [ Info ]: New TLSA 2 1 1 record for \\"\$hostname\\" added.\\n"
+ echo -e "\\n [ Info ]: New TLSA 2 0 1 record for \\"\$hostname\\" added.\\n"
 fi
 ;;
 10)
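Review bot: The rewritten remote command still ends in `> /dev/null 2>&1`, so whatever `\$renew_tlsa_record` prints on the nameserver when it fails is thrown away and the `20`/`21` branches (this hunk and `@@ -2074`) can only say "failed" with no reason. Consider keeping the remote stderr, e.g. `_err=\$(ssh -q -p \$dane_ssh_port -i \$dane_ssh_key \${dane_ssh_user}@\${dane_nameserver} "sudo \$renew_tlsa_record \$tlsa_record_201 2>&1 >/dev/null")`, and append `\$_err` to the error messages; `ret_val=\$?` on the next line then still carries the ssh exit status, since an assignment from a command substitution returns the substitution's status. The `case` statement continues past the end of the hunk.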
@@ -2074,18 +2075,18 @@ if [[ -n "\$_successfully_created_hosts" ]] ; then
 20)
 \$verbose && echo_failed
 if \$verbose ; then
- error "Replacing TLSA 2 1 1 record for host \\"\$hostname\\" failed!"
+ error "Replacing TLSA 2 0 1 record for host \\"\$hostname\\" failed!"
 else
- echo -e "\\n [ Error ]: Replacing TLSA 2 1 1 record for host \\"\$hostname\\" failed! \\n"
+ echo -e "\\n [ Error ]: Replacing TLSA 2 0 1 record for host \\"\$hostname\\" failed! \\n"
 fi
 continue
 ;;
 21)
 \$verbose && echo_failed
 if \$verbose ; then
- error "Adding TLSA 2 1 1 record for host \\"\$hostname\\" failed!"
+ error "Adding TLSA 2 0 1 record for host \\"\$hostname\\" failed!"
 else
- echo -e "\\n [ Error ]: Adding TLSA 2 1 1 record for host \\"\$hostname\\" failed! \\n"
+ echo -e "\\n [ Error ]: Adding TLSA 2 0 1 record for host \\"\$hostname\\" failed! \\n"
 fi
 continue
 ;;
@@ -3468,7 +3469,7 @@ hostname=\${_tmp_arr[0]}
 cert=/var/lib/dehydrated/certs/\${hostname}/cert.pem
 tlsa_record_311=\$(
- printf '_%s._tcp.%s. IN TLSA 3 1 1 %s\n' \\
+ printf '_%s._tcp.%s. 360 IN TLSA 3 1 1 %s\n' \\
 \$port \\
 \$hostname \\
 "\$(openssl x509 -in \$cert -noout -pubkey |
@@ -3479,7 +3480,7 @@ tlsa_record_311=\$(
 cert=/var/lib/dehydrated/certs/\${hostname}/cert.pem
 tlsa_record_301=\$(
- printf '_%s._tcp.%s. IN TLSA 3 0 1 %s\n' \\
+ printf '_%s._tcp.%s. 360 IN TLSA 3 0 1 %s\n' \\
 \$port \\
 \$hostname \\
 "\$(openssl x509 -in \$cert -outform DER |
@@ -3490,7 +3491,7 @@ tlsa_record_301=\$(
 cert=/var/lib/dehydrated/certs/\${hostname}/chain.pem
 tlsa_record_211_chain=\$(
- printf '_%s._tcp.%s. IN TLSA 2 1 1 %s\n' \\
+ printf '_%s._tcp.%s. 360 IN TLSA 2 1 1 %s\n' \\
 \$port \\
 \$hostname \\
 "\$(openssl x509 -in \$cert -noout -pubkey |
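Review bot: The TTL `360` is hard-coded into the printf template at `@@ -3468`, and the same literal is repeated at `@@ -3479`, `@@ -3490`, `@@ -3501` and `@@ -3513`, while the settings blocks earlier in this file expose `ttl_311`/`ttl_201`/`ttl_211` for exactly this value. Define it once next to those settings (e.g. `tlsa_ttl=360`) and pass it as a printf argument: `printf '_%s._tcp.%s. %s IN TLSA 3 1 1 %s\n' \\` with a `\$tlsa_ttl \\` line inserted after `\$hostname \\`, likewise for the other four records. This section may be building a different generated script from the one configured at `@@ -1305`; if so, one variable here still keeps the five records in step with each other. Each `tlsa_record_*=\$(` assignment continues beyond its hunk.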
@@ -3501,7 +3502,7 @@ tlsa_record_211_chain=\$(
 cert=/var/lib/dehydrated/certs/\${hostname}/chain.pem
 tlsa_record_201_chain=\$(
- printf '_%s._tcp.%s. IN TLSA 2 0 1 %s\n' \\
+ printf '_%s._tcp.%s. 360 IN TLSA 2 0 1 %s\n' \\
 \$port \\
 \$hostname \\
 "\$(openssl x509 -in \$cert -outform DER |
@@ -3513,7 +3514,7 @@ tlsa_record_211_root=""
 cert=/var/lib/dehydrated/certs/\${hostname}/root.ca
 if [[ -f "\$cert" ]]; then
 tlsa_record_211_root=\$(
- printf '_%s._tcp.%s. IN TLSA 2 1 1 %s\n' \\
+ printf '_%s._tcp.%s. 360 IN TLSA 2 1 1 %s\n' \\
 \$port \\
 \$hostname \\
 "\$(openssl x509 -in \$cert -noout -pubkey |