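#!/bin/bash
#
# klam-autoroll - generate a successor DNSSEC zone-signing key (ZSK) with dnssec-keygen.
#
# Why this script: ISC ships tools to manage and generate DNSSEC keys, and
# dnssec-keygen -S can derive a successor key's activation date from the
# Inactive date of an existing key.  What it does not do automatically is
#   1. select the roll base: the key whose Inactive date is furthest in the future;
#   2. set the Inactive and Delete dates of the new key relative to that base.
#
# This script picks the key with the latest Inactive date in the key directory
# and runs dnssec-keygen -S against it, so that for the new key
#   Inactive = base Inactive + keyLife
#   Delete   = base Inactive + keyLife + keyDeleteInterval
# It is intended to run from cron/anacron every n days, where n equals keyLife.
#
# Only ZSKs are considered as a roll base (key files whose DNSKEY record carries
# flags 257, i.e. KSKs, are skipped): rolling a KSK also needs a DS update at
# the parent, which this script does not perform.
#
# Exit status: 0 when a successor key was generated; dnssec-keygen's own status
# if it fails; 1 when no usable predecessor exists; 2 on invalid arguments.
#=================================================
set -euo pipefail

autoDelete=0                    # -X: remove keysets whose Delete date has passed (default off)
keyLife=90                      # -l: days from Active to Inactive for the new key
keyDeleteInterval=30            # -d: days from Inactive to Delete for the new key
keyDirectory=.                  # -K: where the K<zone>.+<alg>+<id>.key/.private files live
inactiveDate=20010101000000     # latest Inactive date seen so far (YYYYMMDDHHMMSS)
today=$(date -u +%Y%m%d%H%M%S)  # now, in UTC, in the same format as the key-file timestamps
domainName=""                   # zone whose keys are rolled
rollTime=040000                 # -r: time of day (HHMMSS) at which the roll happens
fileName=""                     # basename (without .key) of the chosen predecessor key

function display_help() {
  #===================================================================================================================================
  echo ""
  echo " klam-autoroll [-h] [-X] [-l nnn] [-d nnn] [-r hh[mm[ss]]] [-K /etc/bind/keys] domain-name"
  echo ""
  echo " -h           Display this help information"
  echo ""
  echo " -X           Automatically remove keysets whose Delete date has passed."
  echo ""
  echo " -l           The life of the keyset, the time in days from Active to Inactive."
  echo "              It is added to the new keyset's activation date to set its Inactive date."
  echo ""
  echo " -d           The delete delay, the time in days between a keyset becoming Inactive and being eligible for deletion."
  echo "              It is added to the new keyset's Inactive date to set its Delete date."
  echo ""
  echo " -r           Roll time of day, when during the day you would prefer the rollover to occur (HH, HHMM or HHMMSS)."
  echo "              In most cases not needed, but some people prefer the rollover at a specific time of day."
  echo ""
  echo " -K           Directory where your DNSSEC keys are stored."
  echo ""
  echo " domain-name  The domain used as the basis for key generation."
  echo ""
  #===================================================================================================================================
}

# die MESSAGE [STATUS]: print MESSAGE to stderr and exit with STATUS (default 1).
die() {
  printf 'klam-autoroll: %s\n' "$1" >&2
  exit "${2:-1}"
}

# is_days VALUE: true when VALUE is a plain decimal number of days below 730
# (the bound the -l/-d options have always enforced).
is_days() {
  [[ $1 =~ ^[0-9]+$ ]] && (( 10#$1 < 730 ))
}

# key_date FILE LABEL: print the 14-digit timestamp of the "; LABEL: YYYYMMDDHHMMSS (...)"
# comment dnssec-keygen writes into a .key file, or nothing when that line is absent.
# LABEL is only ever a fixed literal from this script ("Inactive"/"Delete"), so
# interpolating it into the sed expression is safe.
key_date() {
  local stamps
  stamps=$(sed -n -e "s/^; $2: \([0-9]\{14\}\).*/\1/p" "$1")
  printf '%s' "${stamps%%$'\n'*}"
}

if (( $# == 0 )); then
  die "a domain name must be provided (use -h for help)"
fi

while getopts "d:l:r:hK:X" option; do
  case $option in
    d)
      # Silently falling back to the default on a bad value would roll keys with
      # unintended timing, so reject it instead.
      is_days "$OPTARG" || die "-d must be a whole number of days below 730, got '$OPTARG'" 2
      keyDeleteInterval=$((10#$OPTARG))
      echo "The interval between a key becoming inactive and being eligible for removal has been set to $keyDeleteInterval days."
      ;;
    l)
      is_days "$OPTARG" || die "-l must be a whole number of days below 730, got '$OPTARG'" 2
      keyLife=$((10#$OPTARG))
      echo "Key life set to $keyLife days."
      ;;
    r)
      [[ $OPTARG =~ ^[0-9]{2}([0-9]{2}){0,2}$ ]] || die "-r must be HH, HHMM or HHMMSS, got '$OPTARG'" 2
      rollTime=$OPTARG
      # Right-pad to HHMMSS so it can be appended to a YYYYMMDD date verbatim.
      while (( ${#rollTime} < 6 )); do
        rollTime+=0
      done
      # 10# forces decimal: a leading zero (e.g. 080000) would otherwise be read as octal.
      (( 10#${rollTime:0:2} < 24 && 10#${rollTime:2:2} < 60 && 10#${rollTime:4:2} < 60 )) \
        || die "-r '$OPTARG' is not a valid time of day" 2
      echo "Roll TOD set to $rollTime (HHMMSS)."
      ;;
    h)
      display_help
      exit 0
      ;;
    K)
      [[ -d $OPTARG ]] || die "-K '$OPTARG' is not a directory" 2
      keyDirectory=$OPTARG
      ;;
    X)
      autoDelete=1
      echo "Auto Delete enabled"
      ;;
    *)
      echo "An unknown parameter was found. OPERATION TERMINATED" >&2
      exit 2
      ;;
  esac
done
shift $((OPTIND - 1))

(( $# == 1 )) || die "exactly one domain name is required, got $#" 2
# A trailing dot is dropped because the key files are named K<zone>.+<alg>+<id>.
domainName=${1%.}
# The name is used in a find -name glob and in filenames handed to rm, so only
# allow hostname characters (no glob metacharacters, spaces or slashes).
[[ $domainName =~ ^[A-Za-z0-9._-]+$ ]] || die "'$1' does not look like a domain name" 2

command -v dnssec-keygen >/dev/null 2>&1 || die "dnssec-keygen not found in PATH"

inactiveOffset="${keyLife}d"                            # new key: Active -> Inactive
deleteOffset="$((keyLife + keyDeleteInterval))d"        # new key: Active -> Delete

# Walk the zone's key files NUL-delimited so paths with unusual characters survive;
# the loop runs in the current shell (process substitution), so the variables it
# sets are visible afterwards.
while IFS= read -r -d '' file; do
  inactive=$(key_date "$file" Inactive)
  delete=$(key_date "$file" Delete)
  if [[ -n $delete && 10#$delete -lt 10#$today ]]; then
    # Delete date is in the past: the keyset is eligible for removal.
    if (( autoDelete == 1 )); then
      # Keep the directory part: the .key/.private(/.state) files live next to
      # each other under $keyDirectory, not necessarily in the current directory.
      keyBase=${file%.key}
      echo "auto remove $(basename "$keyBase") keyset with Delete date = $delete"
      rm -f -- "${keyBase:?}".*
    fi
  elif [[ -n $inactive && 10#$inactive -ge 10#$inactiveDate ]]; then
    # Candidate roll base: keep the one with the Inactive date furthest in the future.
    if grep -Eq 'DNSKEY[[:space:]]+257[[:space:]]' "$file"; then
      echo "skipping KSK $(basename "$file" .key); only ZSKs are rolled"
      continue
    fi
    inactiveDate=$inactive
    fileName=$(basename "$file" .key)
  fi
done < <(find "$keyDirectory" -maxdepth 1 -type f -name "K$domainName.*.key" -print0)

if [[ -z $fileName ]]; then
  echo "No DNSSEC records available for rollover base" >&2
  exit 1
fi

echo "A search of the Bind key store has resulted in $fileName being considered a suitable candidate as a predecessor for -S keygen"
baseDay=${inactiveDate:0:8}   # date part only; the roll time of day is appended explicitly
# -S derives the new key's Activate date from the predecessor's Inactive date;
# -i14d pre-publishes it 14 days before that.  A failure here is fatal (set -e),
# so cron sees a non-zero exit instead of a silent no-op.
dnssec-keygen -i14d -K "$keyDirectory" -S "$fileName" \
  -I "$baseDay$rollTime+$inactiveOffset" \
  -D "$baseDay$rollTime+$deleteOffset"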