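#!/bin/ksh
#
# Re-sign one DNSSEC zone served by NSD and reload it.
#
# Usage: <this script> ZONE
#
# Expects under $confdir:
#   ZONE.db                     unsigned zone file whose SOA serial sits on a line
#                               ending in "; serial number"
#   dnssec/KZONE.+ALG+ID.key    exactly one KSK (flags 257) and one ZSK (flags 256),
#                               each with its .private companion
#   nsd.conf
#
# Steps: check config and zone, bump the SOA serial (epoch seconds, kept strictly
# increasing), back up the old file, sign with NSEC3 and a fresh random salt,
# check the signed zone, reload nsd, and query the zone once.
#
# Written for ksh; uses only syntax that bash accepts as well.
set -e
set -u

# Site settings.
chroot=0            # 1 when nsd runs chrooted under /var/chroot/nsd
remotecontrol=1     # 1: reload via nsd-control; 0: SIGHUP the nsd parent process
nsec3_iterations=10 # extra NSEC3 hash iterations. RFC 9276 recommends 0 and no
                    # salt; validators may treat large iteration counts as insecure.

if (( chroot == 1 )); then
  confdir=/var/chroot/nsd/etc
else
  confdir=/etc/nsd
fi

# Print a message to stderr and exit 1.
function die {
  printf '%s\n' "$*" >&2
  exit 1
}

# Run one step: print a label, run the command, print "done" or abort.
# "cmd && echo done" does NOT abort under set -e when cmd fails, so failures
# of nsd-checkconf, sed and ldns-signzone used to be silently ignored.
function step {
  typeset label=$1
  shift
  printf '%s... ' "$label"
  "$@" || die "FAIL: $label"
  printf 'done\n'
}

# Select exactly one key file by DNSKEY flags ($1: 257 = KSK, 256 = ZSK) and
# print its basename without ".key" (the form ldns-signzone takes).
# Returns 1 when no key or more than one key matches. grep -l always prints the
# file name, unlike "grep | cut -d:", which returned the DNSKEY line itself when
# the glob matched a single file.
function find_key {
  typeset flags=$1 found
  found=$(grep -lE "DNSKEY[[:space:]]+${flags}[[:space:]]" "$keydir"/K"$zone".*.key 2>/dev/null) || return 1
  case $found in
    *$'\n'*) return 1 ;;   # several candidates: refuse to pick one silently
  esac
  found=${found##*/}
  printf '%s\n' "${found%.key}"
}

(( $# >= 1 )) || die "usage: ${0##*/} zone"
[[ -n $1 ]] || die "what zone?"
zone=$1
zonefile=$zone.db
keydir=$confdir/dnssec
unsigned=$confdir/$zonefile
signed=$unsigned.signed
backupdir=$confdir/backup

[[ -f $unsigned ]] || die "could not find $unsigned"

KSK=$(find_key 257) || die "KSK not defined (need exactly one key with flags 257 in $keydir)"
ZSK=$(find_key 256) || die "ZSK not defined (need exactly one key with flags 256 in $keydir)"
[[ -f $keydir/$KSK.private ]] || die "could not read $keydir/$KSK.private"
[[ -f $keydir/$ZSK.private ]] || die "could not read $keydir/$ZSK.private"

step "checking conf" nsd-checkconf "$confdir/nsd.conf"
# nsd-checkzone reports problems itself; set -e stops here on failure, before
# anything is modified.
nsd-checkzone "$zone" "$unsigned"

# Serial: epoch seconds fits a 32-bit serial (a full YYYYMMDDHHMMSS does not).
# Keep it strictly greater than the serial already in the file, so a re-run
# within the same second, or a file that used a larger scheme, still increments.
old_serial=$(sed -nE 's/^(.*[^[:digit:]])?([[:digit:]]+)[[:space:]]*; serial number$/\2/p' "$unsigned" | head -1)
old_serial=${old_serial#"${old_serial%%[!0]*}"}   # drop leading zeros (no octal in arithmetic)
serial=$(date +%s)
if [[ -n $old_serial ]] && (( serial <= old_serial )); then
  serial=$(( old_serial + 1 ))
fi
(( serial < 4294967296 )) || die "serial $serial does not fit in 32 bits"

printf 'serial %s... ' "$serial"
tmpzone=$(mktemp "${TMPDIR:-/tmp}/$zonefile.XXXXXX") || die "mktemp failed"
trap 'rm -f -- "$tmpzone"' EXIT
# Rewrite into a temporary file first so a failure leaves the live zone untouched.
sed -E "s/[[:space:]]*[[:digit:]]+[[:space:]]*; serial number\$/ $serial ; serial number/" "$unsigned" > "$tmpzone" \
  || die "FAIL: serial update"
# A zone without the marker line would be re-signed with an unchanged serial and
# never picked up by secondaries; refuse instead.
grep -qE "[[:space:]]${serial}[[:space:]]; serial number\$" "$tmpzone" \
  || die "no '; serial number' line found in $unsigned"
mkdir -p "$backupdir"
cp -p "$unsigned" "$backupdir/$zonefile.$serial" || die "FAIL: backup"
# Truncate in place rather than mv, so owner and mode of the zone file survive
# (mktemp creates the temporary file 0600).
cat "$tmpzone" > "$unsigned" || die "FAIL: writing $unsigned"
printf 'done\n'
nsd-checkzone "$zone" "$unsigned"

# 8 random bytes as 16 hex digits. od is POSIX, so no per-OS digest tool and no
# empty salt on an OS the old uname switch did not know (an empty, unquoted $SALT
# used to shift the remaining ldns-signzone arguments).
printf 'salt... '
SALT=$(od -An -N8 -tx1 /dev/urandom | tr -d ' \n')
(( ${#SALT} == 16 )) || die "could not generate salt"
printf 'done\n'

step "signing $zone" ldns-signzone -n -t "$nsec3_iterations" -s "$SALT" "$unsigned" "$keydir/$KSK" "$keydir/$ZSK"
nsd-checkzone "$zone" "$signed"

printf 'reloading %s... ' "$zone"
if (( remotecontrol == 0 )); then
  # The oldest process named exactly "nsd" is the parent; SIGHUP makes it reload.
  parent=$(pgrep -o -x nsd) || die "IS NSD RUNNING?"
  kill -HUP "$parent" || die "FAIL: kill -HUP $parent"
  printf 'done\n'
else
  # nsd-control prints "ok" itself.
  nsd-control reload "$zone" || die "FAIL: nsd-control reload $zone"
fi

dig "$zone" @127.0.0.1 +short
#host $zone 127.0.0.1
#host -t txt _dmarc.$zone 127.0.0.1
#host -t txt _acme-challenge.$zone 127.0.0.1
#host -t wildcard-noexist.$zone 127.0.0.1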