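#!/bin/bash
# Paul Matthews paul.matthews@cathedral.qld.edu.au
#
# Generate a 512-bit HMAC-MD5 TSIG key for DDNS updates and write it, in
# named.conf "key { ... };" syntax, to a key file readable only by root and
# the named group.
#
# Usage:       see usage() below (-f/--key-file, -n/--key-name, -r/--random,
#              --force, --help)
# Environment: ROOT (optional) - install root prefixed to the key file path
#              for the existence check and the working directory
# Exit status: 0 on success, 1 on a usage error or when any step fails

progname=$(basename -- "$0")
keyfile_default=/etc/named.keys
keyname_default=DHCP_UPDATER
random_dev_default=/dev/random
force=false

#######################################
# Print usage information to stderr and exit with status 1.
# Globals: progname, keyfile_default, keyname_default, random_dev_default
#######################################
usage() {
  cat 1>&2 <<EOF
Usage: $progname
Options:
  -f|--key-file   key is written to this file (default: $keyfile_default)
  -n|--key-name   name of the key (default: $keyname_default)
  -r|--random     random device to use (default: $random_dev_default)
  --force         overwrite an existing key file
  --help          print usage info

See /usr/share/doc/packages/dhcp-server/DDNS-howto.txt (in dhcp-server
package) about configuration of a DHCP server to do DDNS updates.
EOF
  exit 1
}

#######################################
# Print a message to stderr and exit with status 1.
# Arguments: the message words
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

while [ $# -ge 1 ]; do
  case "$1" in
    "") ;;
    -f|--key-file)
      shift
      KEYFILE=${1:?option requires an argument}
      ;;
    -n|--key-name)
      shift
      KEYNAME=${1:?option requires an argument}
      ;;
    -r|--random)
      shift
      RANDOM_DEV=${1:?option requires an argument}
      ;;
    --force)
      force=true
      ;;
    -h|--help|*)
      usage
      ;;
  esac
  shift
done

KEYFILE=${KEYFILE:-$keyfile_default}
KEYNAME=${KEYNAME:-$keyname_default}
RANDOM_DEV=${RANDOM_DEV:-$random_dev_default}
ROOT=${ROOT:-}

if [ "$force" != true ] && [ -e "$ROOT/$KEYFILE" ]; then
  die "$KEYFILE exists, use --force to overwrite"
fi

# This is where the keys are created.
# NOTE(review): the existence check above honours $ROOT, but the final write
# below goes to "$KEYFILE" relative to this directory, so an absolute KEYFILE
# lands outside $ROOT. Confirm that is intended before relying on ROOT.
keydir=$ROOT/$(dirname -- "$KEYFILE")
cd "$keydir" || die "cannot cd to $keydir"

# determine the BIND version
if [ -f /usr/sbin/rndc ]; then
  bind9=true
elif [ -f /usr/sbin/ndc ]; then
  bind9=false
else
  die "could not determine the BIND version. Exiting."
fi

# Everything created from here on (the keygen output files and $KEYFILE before
# its chmod) must be owner-only. The previous "umask 600" did the opposite: it
# cleared the owner's rw bits and left group/other rw set (new files got 066).
umask 077

# generate a 512 bit HMAC-MD5 Zone (DNS validation) key
# NOTE(review): HMAC-MD5 is kept because the consumers of this file expect it;
# where the BIND in use supports an HMAC-SHA family TSIG algorithm, prefer it.
if [ "$bind9" = true ]; then
  keyfile=$(/usr/sbin/dnssec-keygen -a hmac-md5 -b 512 -r "$RANDOM_DEV" -n user "$KEYNAME") \
    || die "dnssec-keygen failed"
else
  keyfile=$(/usr/sbin/dnskeygen -H 512 -z -c -n "$KEYNAME") \
    || die "dnskeygen failed"
  # dnskeygen has (had) a weakness, it puts one key into a world readable file
  # (see http://xforce.iss.net/alerts/advise78.php)
  chmod 600 "$keyfile"*
fi
[ -n "$keyfile" ] || die "key generator printed no key name"

# now we've got files like these:
# -rw------- 1 root root 77 Sep 11 01:03 K${KEYNAME}+157+00000.private
# -rw-r--r-- 1 root root 58 Sep 11 01:03 K${KEYNAME}+157+00000.key
#                                        ---------- -----
#                                        name       key id
#                                                   ---
#                                                   157 is short for hmac-md5
#
# NOTE(review): these K* files stay behind in this directory after the secret
# has been copied into $KEYFILE; they are owner-only under umask 077, but
# consider removing them if nothing else consumes them.
printf '%s\n' "$keyfile"

[ -r "$keyfile.private" ] || die "$keyfile.private not found or not readable"

# read the secret: the .private file carries a "Key: <base64>" line
secret=
while IFS= read -r line; do
  case $line in
    Key:*) secret=${line#* } ;;
  esac
done < "$keyfile.private"
[ -n "$secret" ] || die "no Key: line found in $keyfile.private"

if [ "$bind9" = true ]; then
  algorithm="algorithm hmac-md5;"
else
  algorithm="algorithm HMAC-MD5.SIG-ALG.REG.INT;"
fi

# The file is created 0600 (umask 077) and only widened to root:named 0640
# once it is fully written.
cat >"$KEYFILE" <<EOF
# generated by $progname on $(date)
key ${KEYNAME} {
$algorithm
secret "$secret";
};
EOF

# set permissions
chown root:named "$KEYFILE" || die "chown root:named $KEYFILE failed"
chmod 640 "$KEYFILE" || die "chmod 640 $KEYFILE failed"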