#!/bin/sh # Distributed under the terms of the GNU General Public License (GPL) version 2.0 # based on Yuval Adam's route53.sh found at https://github.com/yuvadm/route53-ddns/blob/master/route53.sh # 2017 Max Berger [ -z "$CURL_SSL" ] && write_log 14 "Amazon AWS Route53 communication require cURL with SSL support. Please install" [ -z "$username" ] && write_log 14 "Service section not configured correctly! Missing key as 'username'" [ -z "$password" ] && write_log 14 "Service section not configured correctly! Missing secret as 'password'" [ -z "$domain" ] && write_log 14 "Service section not configured correctly! Missing zone id as 'domain'" ENDPOINT="route53.amazonaws.com" RECORD_TTL=300 RECORD_NAME="${lookup_host}." [ ${use_ipv6} -eq 0 ] && RECORD_TYPE="A" [ ${use_ipv6} -eq 1 ] && RECORD_TYPE="AAAA" RECORD_VALUE="${LOCAL_IP}" HOSTED_ZONE_ID="${domain}" API_PATH="/2013-04-01/hostedzone/${HOSTED_ZONE_ID}/rrset/" AWS_ACCESS_KEY_ID="$username" AWS_SECRET_ACCESS_KEY="$password" AWS_REGION='us-east-1' AWS_SERVICE='route53' hash() { msg="$1" echo -en "${msg}" | openssl dgst -sha256 | sed 's/^.* //' } sign_plain() { # Sign message using a plaintext key key="$1" msg="$2" echo -en "${msg}" | openssl dgst -hex -sha256 -hmac "${key}" | sed 's/^.* //' } sign() { # Sign message using a hex formatted key key="$1" msg="$2" echo -en "${msg}" | openssl dgst -hex -sha256 -mac HMAC -macopt "hexkey:${key}" | sed 's/^.* //' } request_body=" \ \ \ \ \ UPSERT \ \ ${RECORD_NAME} \ ${RECORD_TYPE} \ ${RECORD_TTL} \ \ \ ${RECORD_VALUE} \ \ \ \ \ \ \ " fulldate="$(date --utc +%Y%m%dT%H%M%SZ)" shortdate="$(date --utc +%Y%m%d)" signed_headers="host;x-amz-date" request_hash="$(hash "${request_body}")" canonical_request="POST\n${API_PATH}\n\nhost:route53.amazonaws.com\nx-amz-date:${fulldate}\n\n${signed_headers}\n${request_hash}" date_key="$(sign_plain "AWS4${AWS_SECRET_ACCESS_KEY}" "${shortdate}")" region_key="$(sign "${date_key}" ${AWS_REGION})" service_key="$(sign "${region_key}" ${AWS_SERVICE})" signing_key="$(sign "${service_key}" aws4_request)" credential="${shortdate}/${AWS_REGION}/${AWS_SERVICE}/aws4_request" sigmsg="AWS4-HMAC-SHA256\n${fulldate}\n${credential}\n$(hash "${canonical_request}")" signature="$(sign "${signing_key}" "${sigmsg}")" authorization="AWS4-HMAC-SHA256 Credential=${AWS_ACCESS_KEY_ID}/${credential}, SignedHeaders=${signed_headers}, Signature=${signature}" ANSWER="$(flock /tmp/$(basename -s .sh "$0").lock curl \ -X "POST" \ -H "Host: route53.amazonaws.com" \ -H "X-Amz-Date: ${fulldate}" \ -H "Authorization: ${authorization}" \ -H "Content-Type: text/xml" \ -d "$request_body" \ "https://${ENDPOINT}${API_PATH}")" write_log 7 "${ANSWER}" echo "${ANSWER}" | grep -F "Error" >/dev/null && return 1 echo "${ANSWER}" | grep -F "ChangeInfo" >/dev/null && return 0 return 2