From 64fe300e426acbf85ae3d1a746ef060e261ae4b7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marc-Andr=C3=A9=20Kolly?=
Date: Sun, 28 Jul 2019 16:28:29 +0200
Subject: [PATCH] Implement general CAA DNS records for all issuers

---
 install/froxlor.sql | 2 +-
 .../updates/froxlor/0.10/update_0.10.inc.php | 2 +-
 lib/Froxlor/Dns/Dns.php | 19 +++++++++++++++++--
 .../admin/domains/formfield.domains_add.php | 15 ++++++---------
 .../admin/domains/formfield.domains_edit.php | 17 ++++++-----------
 .../domains/formfield.domains_add.php | 15 ++++++---------
 .../domains/formfield.domains_edit.php | 17 ++++++-----------
 lng/english.lng.php | 8 ++++----
 lng/german.lng.php | 8 ++++----
 9 files changed, 51 insertions(+), 52 deletions(-)

diff --git a/install/froxlor.sql b/install/froxlor.sql
index 76fe4d6d..f50c5c1f 100644
--- a/install/froxlor.sql
+++ b/install/froxlor.sql
@@ -256,7 +256,7 @@ CREATE TABLE `panel_domains` (
 `mod_fcgid_maxrequests` int(4) default '-1',
 `ismainbutsubto` int(11) unsigned NOT NULL default '0',
 `letsencrypt` tinyint(1) NOT NULL default '0',
- `caa` tinyint(1) NOT NULL default '0',
+ `caa` text default NULL,
 `hsts` varchar(10) NOT NULL default '0',
 `hsts_sub` tinyint(1) NOT NULL default '0',
 `hsts_preload` tinyint(1) NOT NULL default '0',
diff --git a/install/updates/froxlor/0.10/update_0.10.inc.php b/install/updates/froxlor/0.10/update_0.10.inc.php
index 41dfb662..fae59b55 100644
--- a/install/updates/froxlor/0.10/update_0.10.inc.php
+++ b/install/updates/froxlor/0.10/update_0.10.inc.php
@@ -266,6 +266,6 @@ if (\Froxlor\Froxlor::isFroxlorVersion('0.10.0-rc1')) {
 if (\Froxlor\Froxlor::isDatabaseVersion('201904250')) {
- Database::query("ALTER TABLE `" . TABLE_PANEL_DOMAINS . "` ADD `caa` TINYINT(1) NOT NULL DEFAULT '0' AFTER `letsencrypt`;");
+ Database::query("ALTER TABLE `" . TABLE_PANEL_DOMAINS . "` ADD `caa` text default NULL AFTER `letsencrypt`;");
 \Froxlor\Froxlor::updateToDbVersion('201907270');
 }
\ No newline at end of file
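Review bot: Rewriting the existing `ADD `caa` TINYINT(1)` step in place leaves every installation that already ran it stranded: they sit at database version 201907270, skip this branch, and keep a tinyint(1) `caa` column while the new Dns.php code expects free text — their stored '0'/'1' is not NULL and would be emitted as the body of a CAA record, and a multi-line textarea saved into tinyint(1) is truncated or rejected. Keep the old step unchanged and add a follow-up block such as `if (\Froxlor\Froxlor::isDatabaseVersion('201907270')) { Database::query("ALTER TABLE `" . TABLE_PANEL_DOMAINS . "` MODIFY `caa` text default NULL;"); \Froxlor\Froxlor::updateToDbVersion('<new-db-version>'); }` so fresh installs (froxlor.sql) and already-upgraded ones converge on the same column type. Whether the tinyint step was ever shipped to users is not visible from the diff; if it was only ever in an unreleased branch the in-place edit is fine, but that should be stated in the commit.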
diff --git a/lib/Froxlor/Dns/Dns.php b/lib/Froxlor/Dns/Dns.php
index c34a5543..0d754f21 100644
--- a/lib/Froxlor/Dns/Dns.php
+++ b/lib/Froxlor/Dns/Dns.php
@@ -131,9 +131,15 @@ class Dns
 }
 // additional required records for CAA if activated
- if ($domain['caa'] == '1') {
+ if (!is_null($domain['caa'])) {
 // check for CAA content later
 self::addRequiredEntry('@', 'CAA', $required_entries);
+ // additional required records by subdomain setting
+ if ($domain['iswildcarddomain'] == '1') {
+ self::addRequiredEntry('*', 'CAA', $required_entries);
+ } elseif ($domain['wwwserveralias'] == '1') {
+ self::addRequiredEntry('www', 'CAA', $required_entries);
+ }
 }
 // additional required records for SPF and DKIM if activated
@@ -287,7 +293,16 @@ class Dns
 // CAA
 if (array_key_exists("CAA", $required_entries)) {
- $zonerecords[] = new DnsEntry('@', 'CAA', '0 issue "letsencrypt.org"');
+ foreach ($required_entries as $type => $records) {
+ if ($type == 'CAA') {
+ foreach ($records as $record) {
+ $caa_entries = explode(PHP_EOL, $domain['caa']);
+ foreach ($caa_entries as $entry) {
+ $zonerecords[] = new DnsEntry($record, 'CAA', self::encloseTXTContent($entry));
+ }
+ }
+ }
+ }
 }
 }
diff --git a/lib/formfields/admin/domains/formfield.domains_add.php b/lib/formfields/admin/domains/formfield.domains_add.php
index b3460fae..b2dde16b 100644
--- a/lib/formfields/admin/domains/formfield.domains_add.php
+++ b/lib/formfields/admin/domains/formfield.domains_add.php
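Review bot: `if (!is_null($domain['caa']))` in the first hunk treats an empty string as "CAA configured": the add forms in this same commit default the textarea to '' whenever Let's Encrypt or SSL ports are unavailable, and a field the user clears is presumably stored as '' rather than NULL (the save path is outside this diff), so CAA entries get marked required and the second hunk then emits a record with empty content. Test the content instead: `if (trim((string) $domain['caa']) !== '') {`. The enclosing method starts before and ends after this hunk.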
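Review bot: In the second hunk the customer-editable textarea is split on PHP_EOL and every piece is written into the zone with no syntax check, as the new language strings admit ("won't be checked for any errors"). Browsers submit textarea line breaks as CRLF, so on a Linux host each line keeps a trailing "\r" and blank lines become empty records; either can make the zone fail to load, and for a field customers control that is a self-inflicted outage of their zone and of whatever shares the reload. I would normalise line endings, drop blank lines and accept only lines of the RFC 6844 form `flags tag "value"` with tag in issue/issuewild/iodef, dropping anything else (ideally the same check at form-validation time, which this diff does not touch); `encloseTXTContent` is not visible here, but if it applies TXT-style quoting to the whole line the result (`"0 issue "letsencrypt.org"…`) is not valid CAA syntax, since only the value part of a CAA record is quoted — please confirm before keeping that call. The loop over every `$required_entries` type is also redundant under the `array_key_exists("CAA", ...)` guard; `$required_entries['CAA']` can be iterated directly, with the explode hoisted out of the loop.
```php
        // CAA
        if (array_key_exists("CAA", $required_entries)) {
            // one record per non-empty, syntactically valid line; CRLF from the textarea is normalised first
            $caa_entries = array();
            foreach (preg_split('/\R/', (string) $domain['caa']) as $entry) {
                $entry = trim($entry);
                if ($entry === '') {
                    continue;
                }
                // flags (0-255), tag, quoted value — anything else is not written into the zone
                if (!preg_match('/^\d{1,3}\s+(issue|issuewild|iodef)\s+"[^"]*"$/', $entry)) {
                    continue;
                }
                $caa_entries[] = $entry;
            }
            foreach ($required_entries['CAA'] as $record) {
                foreach ($caa_entries as $entry) {
                    // TODO confirm: encloseTXTContent() must not re-quote a line that is already CAA-formatted
                    $zonerecords[] = new DnsEntry($record, 'CAA', self::encloseTXTContent($entry));
                }
            }
        }
        // … unchanged: closing brace of the surrounding block …
```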
@@ -215,17 +215,14 @@ return array(
 'value' => array()
 ),
 'caa' => array(
- 'visible' => (\Froxlor\Settings::Get('system.leenabled') == '1' ? ($ssl_ipsandports != '' ? true : false) : false),
+ 'visible' => $ssl_ipsandports != '' ? true : false,
+ 'style' => 'align-top',
 'label' => $lng['admin']['caa']['title'],
 'desc' => $lng['admin']['caa']['description'],
- 'type' => 'checkbox',
- 'values' => array(
- array(
- 'label' => $lng['panel']['yes'],
- 'value' => '1'
- )
- ),
- 'value' => array()
+ 'type' => 'textarea',
+ 'value' => (\Froxlor\Settings::Get('system.leenabled') == '1' ? ($ssl_ipsandports != '' ? '0 issue "letsencrypt.org"' : '') : ''),
+ 'cols' => 60,
+ 'rows' => 5
 ),
 'http2' => array(
 'visible' => ($ssl_ipsandports != '' ? true : false) && \Froxlor\Settings::Get('system.webserver') != 'lighttpd' && \Froxlor\Settings::Get('system.http2_support') == '1',
diff --git a/lib/formfields/admin/domains/formfield.domains_edit.php b/lib/formfields/admin/domains/formfield.domains_edit.php
index 7fe2fe54..5585a193 100644
--- a/lib/formfields/admin/domains/formfield.domains_edit.php
+++ b/lib/formfields/admin/domains/formfield.domains_edit.php
@@ -251,19 +251,14 @@ return array(
 )
 ),
 'caa' => array(
- 'visible' => (\Froxlor\Settings::Get('system.leenabled') == '1' ? ($ssl_ipsandports != '' ? true : false) : false),
+ 'visible' => $ssl_ipsandports != '' ? true : false,
+ 'style' => 'align-top',
 'label' => $lng['admin']['caa']['title'],
 'desc' => $lng['admin']['caa']['description'],
- 'type' => 'checkbox',
- 'values' => array(
- array(
- 'label' => $lng['panel']['yes'],
- 'value' => '1'
- )
- ),
- 'value' => array(
- $result['caa']
- )
+ 'type' => 'textarea',
+ 'value' => $result['caa'],
+ 'cols' => 60,
+ 'rows' => 5
 ),
 'http2' => array(
 'visible' => ($ssl_ipsandports != '' ? true : false) && \Froxlor\Settings::Get('system.webserver') != 'lighttpd' && \Froxlor\Settings::Get('system.http2_support') == '1',
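Review bot: `'visible' => $ssl_ipsandports != '' ? true : false` wraps a boolean in a ternary, and the new `'value'` default nests two ternaries for what is a single condition; both read more clearly as `'visible' => $ssl_ipsandports != '',` and `'value' => (\Froxlor\Settings::Get('system.leenabled') == '1' && $ssl_ipsandports != '') ? '0 issue "letsencrypt.org"' : '',`. The same shape is repeated in the admin edit hunk below and in both customer formfield hunks. Note also that the old checkbox could only ever put the fixed letsencrypt.org line into the zone, whereas the textarea accepts arbitrary text that Dns.php writes out verbatim, so the form layer now needs a server-side validation rule for this field that this diff does not add. The enclosing `return array(` literal begins before the hunk.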
diff --git a/lib/formfields/customer/domains/formfield.domains_add.php b/lib/formfields/customer/domains/formfield.domains_add.php
index b620dba1..15f352d2 100644
--- a/lib/formfields/customer/domains/formfield.domains_add.php
+++ b/lib/formfields/customer/domains/formfield.domains_add.php
@@ -109,17 +109,14 @@ return array(
 'value' => array()
 ),
 'caa' => array(
- 'visible' => \Froxlor\Settings::Get('system.leenabled') == '1' ? true : false,
+ 'visible' => $ssl_ipsandports != '' ? true : false,
+ 'style' => 'align-top',
 'label' => $lng['customer']['caa']['title'],
 'desc' => $lng['customer']['caa']['description'],
- 'type' => 'checkbox',
- 'values' => array(
- array(
- 'label' => $lng['panel']['yes'],
- 'value' => '1'
- )
- ),
- 'value' => array()
+ 'type' => 'textarea',
+ 'value' => (\Froxlor\Settings::Get('system.leenabled') == '1' ? ($ssl_ipsandports != '' ? '0 issue "letsencrypt.org"' : '') : ''),
+ 'cols' => 60,
+ 'rows' => 5
 ),
 'hsts_maxage' => array(
 'label' => $lng['admin']['domain_hsts_maxage']['title'],
diff --git a/lib/formfields/customer/domains/formfield.domains_edit.php b/lib/formfields/customer/domains/formfield.domains_edit.php
index c5315487..9a21d3e6 100644
--- a/lib/formfields/customer/domains/formfield.domains_edit.php
+++ b/lib/formfields/customer/domains/formfield.domains_edit.php
@@ -129,19 +129,14 @@ return array(
 )
 ),
 'caa' => array(
- 'visible' => \Froxlor\Settings::Get('system.leenabled') == '1' ? true : false,
+ 'visible' => $ssl_ipsandports != '' ? true : false,
+ 'style' => 'align-top',
 'label' => $lng['customer']['caa']['title'],
 'desc' => $lng['customer']['caa']['description'],
- 'type' => 'checkbox',
- 'values' => array(
- array(
- 'label' => $lng['panel']['yes'],
- 'value' => '1'
- )
- ),
- 'value' => array(
- $result['caa']
- )
+ 'type' => 'textarea',
+ 'value' => $result['caa'],
+ 'cols' => 60,
+ 'rows' => 5
 ),
 'hsts_maxage' => array(
 'label' => $lng['admin']['domain_hsts_maxage']['title'],
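Review bot: The customer add and edit forms now gate visibility on `$ssl_ipsandports`, a variable the removed lines never used and which, unlike in the admin files, is not referenced anywhere else in these two hunks; whether this customer-side formfield file defines it is not visible here. If it is undefined, `null != ''` is false, so the field is silently hidden for every customer (with an undefined-variable notice in the log) and the feature simply never appears. Please confirm the variable is computed before `return array(` in both customer files the way the admin files do, or derive it there in this commit. The enclosing `return array(` literal begins before each hunk.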
diff --git a/lng/english.lng.php b/lng/english.lng.php
index 3ee60eeb..e88c4d13 100644
--- a/lng/english.lng.php
+++ b/lng/english.lng.php
@@ -1849,10 +1849,10 @@ $lng['serversettings']['leenabled']['description'] = "If activated, customers ar
 $lng['domains']['ssl_redirect_temporarilydisabled'] = "
The SSL redirect is temporarily deactivated while a new Let's Encrypt certificate is generated. It will be activated again after the certificate was generated."; // Added for CAA record support -$lng['admin']['caa']['title'] = 'Use CAA DNS record'; -$lng['admin']['caa']['description'] = 'DNS Certification Authority Authorization (CAA) is an Internet security policy mechanism which allows domain name holders to indicate to certificate authorities whether they are authorized to issue digital certificates for a particular domain name. It does this by means of a new "CAA" Domain Name System (DNS) resource record. Currently it only supports Let\'s Encrypt. This feature is still in beta.'; -$lng['customer']['caa']['title'] = 'Use CAA DNS record'; -$lng['customer']['caa']['description'] = 'DNS Certification Authority Authorization (CAA) is an Internet security policy mechanism which allows domain name holders to indicate to certificate authorities whether they are authorized to issue digital certificates for a particular domain name. It does this by means of a new "CAA" Domain Name System (DNS) resource record. Currently it only supports Let\'s Encrypt. This feature is still in beta.'; +$lng['admin']['caa']['title'] = 'Use CAA DNS records'; +$lng['admin']['caa']['description'] = 'DNS Certification Authority Authorization (CAA) is an Internet security policy mechanism which allows domain name holders to indicate to certificate authorities whether they are authorized to issue digital certificates for a particular domain name. It does this by means of a new "CAA" Domain Name System (DNS) resource record.
The content of this field will be included into the DNS zone directly (each line results in a CAA record). An example for the use with Let\'s Encrypt would be:
0 issue "letsencrypt.org"
To enable Incident Reporting, you would need to add an iodef record. An example for sending such report to me@example.com would be:
0 iodef "mailto:me@example.com"
Attention: The code won\'t be checked for any errors. If it contains errors, DNS server might not start again!'; +$lng['customer']['caa']['title'] = 'Use CAA DNS records'; +$lng['customer']['caa']['description'] = 'DNS Certification Authority Authorization (CAA) is an Internet security policy mechanism which allows domain name holders to indicate to certificate authorities whether they are authorized to issue digital certificates for a particular domain name. It does this by means of a new "CAA" Domain Name System (DNS) resource record.
The content of this field will be included into the DNS zone directly (each line results in a CAA record). An example for the use with Let\'s Encrypt would be:
0 issue "letsencrypt.org"
To enable Incident Reporting, you would need to add an iodef record. An example for sending such report to me@example.com would be:
0 iodef "mailto:me@example.com"
Attention: The code won\'t be checked for any errors. If it contains errors, DNS server might not start again!';
 // Autoupdate
 $lng['admin']['autoupdate'] = 'Auto-Update';
diff --git a/lng/german.lng.php b/lng/german.lng.php
index 37c3f08f..a838ce0a 100644
--- a/lng/german.lng.php
+++ b/lng/german.lng.php
@@ -1501,10 +1501,10 @@ $lng['serversettings']['leenabled']['description'] = "Wenn dies aktiviert ist, k
 $lng['domains']['ssl_redirect_temporarilydisabled'] = "
Die SSL-Umleitung ist, während ein neues Let's Encrypt - Zertifikat erstellt wird, temporär deaktiviert. Die Umleitung wird nach der Zertifikatserstellung wieder aktiviert."; // Added for CAA record support -$lng['admin']['caa']['title'] = 'CAA DNS Eintrag erstellen'; -$lng['admin']['caa']['description'] = 'DNS Certification Authority Authorization (CAA) verwendet das Domain Name System, um dem Besitzer einer Domain die Möglichkeit zu bieten, gewisse Zertifizierungsstellen (CAs) dazu zu berechtigen, ein Zertifikat für die betroffene Domain auszustellen. CAA Records sollen verhindern, dass Zertifikate fälschlicherweise für eine Domain ausgestellt werden. Im Moment wird nur Let\'s Encrypt unterstützt. Dieses Feature befindet sich noch im Test.'; -$lng['customer']['caa']['title'] = 'CAA DNS Eintrag erstellen'; -$lng['customer']['caa']['description'] = 'DNS Certification Authority Authorization (CAA) verwendet das Domain Name System, um dem Besitzer einer Domain die Möglichkeit zu bieten, gewisse Zertifizierungsstellen (CAs) dazu zu berechtigen, ein Zertifikat für die betroffene Domain auszustellen. CAA Records sollen verhindern, dass Zertifikate fälschlicherweise für eine Domain ausgestellt werden. Im Moment wird nur Let\'s Encrypt unterstützt. Dieses Feature befindet sich noch im Test.'; +$lng['admin']['caa']['title'] = 'CAA DNS Einträge erstellen'; +$lng['admin']['caa']['description'] = 'DNS Certification Authority Authorization (CAA) verwendet das Domain Name System, um dem Besitzer einer Domain die Möglichkeit zu bieten, gewisse Zertifizierungsstellen (CAs) dazu zu berechtigen, ein Zertifikat für die betroffene Domain auszustellen. CAA Records sollen verhindern, dass Zertifikate fälschlicherweise für eine Domain ausgestellt werden.
Der Inhalt dieses Feldes wird direkt in die DNS Zone übernommen (eine Zeile pro CAA Record). Ein Beispiel für Let\'s Encrypt wäre:
0 issue "letsencrypt.org"
Um Incident Reporting per Mail zu aktivieren, muss eine iodef Zeile angefügt werden. Ein Beispiel für einen Report an me@example.com wäre:
0 iodef "mailto:me@example.com"
ACHTUNG: Der Code wird nicht auf Fehler geprüft. Etwaige Fehler werden also auch übernommen. Der DNS-Server könnte nicht mehr starten!'; +$lng['customer']['caa']['title'] = 'CAA DNS Einträge erstellen'; +$lng['customer']['caa']['description'] = 'DNS Certification Authority Authorization (CAA) verwendet das Domain Name System, um dem Besitzer einer Domain die Möglichkeit zu bieten, gewisse Zertifizierungsstellen (CAs) dazu zu berechtigen, ein Zertifikat für die betroffene Domain auszustellen. CAA Records sollen verhindern, dass Zertifikate fälschlicherweise für eine Domain ausgestellt werden.
Der Inhalt dieses Feldes wird direkt in die DNS Zone übernommen (eine Zeile pro CAA Record). Ein Beispiel für Let\'s Encrypt wäre:
0 issue "letsencrypt.org"
Um Incident Reporting per Mail zu aktivieren, muss eine iodef Zeile angefügt werden. Ein Beispiel für einen Report an me@example.com wäre:
0 iodef "mailto:me@example.com"
ACHTUNG: Der Code wird nicht auf Fehler geprüft. Etwaige Fehler werden also auch übernommen. Der DNS-Server könnte nicht mehr starten!';
 // Autoupdate
 $lng['admin']['autoupdate'] = 'Auto-Update';