propellor spin

Propellor/Attr.hs

@@ -59,7 +59,7 @@ addNamedConf conf d = d { _namedconf = new }
   where
 	m = _namedconf d
 	domain = confDomain conf
-	new = case (confType conf, confType <$> M.lookup domain m) of
+	new = case (confDnsServerType conf, confDnsServerType <$> M.lookup domain m) of
 		(Secondary, Just Master) -> m
 		_  -> M.insert domain conf m
 

Propellor/Property/Dns.hs

@@ -40,6 +40,17 @@ import Data.List
 -- that cannot be configured elsewhere. This often includes NS records,
 -- TXT records and perhaps CNAMEs pointing at hosts that propellor does
 -- not control.
+--
+-- The primary server is configured to only allow zone transfers to
+-- secondary dns servers. These are determined in two ways:
+--
+-- 1. By looking at the properties of other hosts, to find hosts that
+-- are configured as the secondary dns server.
+--
+-- 2. By looking for NS Records in the passed list of records.
+--
+-- In either case, the secondary dns server Host should have an ipv4
+-- property.
 primary :: [Host] -> Domain -> SOA -> [(BindDomain, Record)] -> RevertableProperty
 primary hosts domain soa rs = RevertableProperty setup cleanup
   where
@@ -63,11 +74,17 @@ primary hosts domain soa rs = RevertableProperty setup cleanup
 		satisfy
 	conf = NamedConf
 		{ confDomain = domain
-		, confType = Master
+		, confDnsServerType = Master
 		, confFile = zonefile
 		, confMasters = []
+		, confAllowTransfer = nub $
+			concatMap (\m -> hostAddresses m hosts) $
+				otherServers Secondary hosts domain ++ 
+				mapMaybe (domainHostName <=< getNS) rootRecords
 		, confLines = []
 		}
+	rootRecords = map snd $
+		filter (\(d, _r) -> d == RootDomain || d == AbsDomain domain) rs
 	needupdate = do
 		v <- readZonePropellorFile zonefile
 		return $ case v of
@@ -86,12 +103,7 @@ primary hosts domain soa rs = RevertableProperty setup cleanup
 -- Note that if a host is declared to be a primary and a secondary dns
 -- server for the same domain, the primary server config always wins.
 secondary :: [Host] -> Domain -> RevertableProperty
-secondary hosts domain = secondaryFor masters hosts domain
-  where
-	masters = M.keys $ M.filter ismaster $ hostAttrMap hosts
-	ismaster attr = case M.lookup domain (_namedconf attr) of
-		Nothing -> False
-		Just conf -> confType conf == Master && confDomain conf == domain
+secondary hosts domain = secondaryFor (otherServers Master hosts domain) hosts domain
 
 -- | This variant is useful if the primary server does not have its DNS
 -- configured via propellor.
@@ -105,12 +117,22 @@ secondaryFor masters hosts domain = RevertableProperty setup cleanup
  	desc = "dns secondary for " ++ domain
 	conf = NamedConf
 		{ confDomain = domain
-		, confType = Secondary
+		, confDnsServerType = Secondary
 		, confFile = "db." ++ domain
 		, confMasters = concatMap (\m -> hostAddresses m hosts) masters
-		, confLines = ["allow-transfer { }"]
+		, confAllowTransfer = []
+		, confLines = []
 		}
 
+otherServers :: DnsServerType -> [Host] -> Domain -> [HostName]
+otherServers wantedtype hosts domain =
+	M.keys $ M.filter wanted $ hostAttrMap hosts
+  where
+	wanted attr = case M.lookup domain (_namedconf attr) of
+		Nothing -> False
+		Just conf -> confDnsServerType conf == wantedtype
+			&& confDomain conf == domain
+
 -- | Rewrites the whole named.conf.local file to serve the zones
 -- configured by `primary` and `secondary`, and ensures that bind9 is
 -- running.
@@ -130,20 +152,26 @@ confStanza :: NamedConf -> [Line]
 confStanza c =
 	[ "// automatically generated by propellor"
 	, "zone \"" ++ confDomain c ++ "\" {"
-	, cfgline "type" (if confType c == Master then "master" else "slave")
+	, cfgline "type" (if confDnsServerType c == Master then "master" else "slave")
 	, cfgline "file" ("\"" ++ confFile c ++ "\"")
 	] ++
-	(if null (confMasters c) then [] else mastersblock) ++
+	mastersblock ++
+	allowtransferblock ++
 	(map (\l -> "\t" ++ l ++ ";") (confLines c)) ++
 	[ "};"
 	, ""
 	]
   where
 	cfgline f v = "\t" ++ f ++ " " ++ v ++ ";"
-	mastersblock =
-		[ "\tmasters {" ] ++
-		(map (\ip -> "\t\t" ++ fromIPAddr ip ++ ";") (confMasters c)) ++
+	ipblock name l = 
+		[ "\t" ++ name ++ " {" ] ++
+		(map (\ip -> "\t\t" ++ fromIPAddr ip ++ ";") l) ++
 		[ "\t};" ]
+	mastersblock
+		| null (confMasters c) = []
+		| otherwise = ipblock "masters" (confMasters c)
+	-- an empty block prohibits any transfers
+	allowtransferblock = ipblock "allow-transfer" (confAllowTransfer c)
 
 namedConfFile :: FilePath
 namedConfFile = "/etc/bind/named.conf.local"

Propellor/Types/Dns.hs

@@ -1,5 +1,7 @@
 module Propellor.Types.Dns where
 
+import Propellor.Types.OS (HostName)
+
 import Data.Word
 
 type Domain = String
@@ -14,14 +16,15 @@ fromIPAddr (IPv6 addr) = addr
 -- | Represents a bind 9 named.conf file.
 data NamedConf = NamedConf
 	{ confDomain :: Domain
-	, confType :: Type
+	, confDnsServerType :: DnsServerType
 	, confFile :: FilePath
 	, confMasters :: [IPAddr]
+	, confAllowTransfer :: [IPAddr]
 	, confLines :: [String]
 	}
 	deriving (Show, Eq, Ord)
 
-data Type = Master | Secondary
+data DnsServerType = Master | Secondary
 	deriving (Show, Eq, Ord)
 
 -- | Represents a bind 9 zone file.
@@ -66,6 +69,10 @@ getCNAME :: Record -> Maybe BindDomain
 getCNAME (CNAME d) = Just d
 getCNAME _ = Nothing
 
+getNS :: Record -> Maybe BindDomain
+getNS (NS d) = Just d
+getNS _ = Nothing
+
 -- | Bind serial numbers are unsigned, 32 bit integers.
 type SerialNumber = Word32
 
@@ -78,3 +85,8 @@ type SerialNumber = Word32
 -- to add nameservers, MX's, etc to a domain.
 data BindDomain = RelDomain Domain | AbsDomain Domain | RootDomain
 	deriving (Read, Show, Eq, Ord)
+
+domainHostName :: BindDomain -> Maybe HostName
+domainHostName (RelDomain d) = Just d
+domainHostName (AbsDomain d) = Just d
+domainHostName RootDomain = Nothing

config-joey.hs

@@ -299,6 +299,8 @@ monsters =	      -- but do want to track their public keys etc.
 		& sshPubKey "ssh-dss AAAAB3NzaC1kc3MAAAEBAI6ZsoW8a+Zl6NqUf9a4xXSMcV1akJHDEKKBzlI2YZo9gb9YoCf5p9oby8THUSgfh4kse7LJeY7Nb64NR6Y/X7I2/QzbE1HGGl5mMwB6LeUcJ74T3TQAlNEZkGt/MOIVLolJHk049hC09zLpkUDtX8K0t1yaCirC9SxDGLTCLEhvU9+vVdVrdQlKZ9wpLUNbdAzvbra+O/IVvExxDZ9WCHrnfNA8ddVZIGEWMqsoNgiuCxiXpi8qL+noghsSQNFTXwo7W2Vp9zj1JkCt3GtSz5IzEpARQaXEAWNEM0n1nJ686YUOhou64iRM8bPC1lp3QXvvZNgj3m+QHhIempx+de8AAAAVAKB5vUDaZOg14gRn7Bp81ja/ik+RAAABACPH/bPbW912x1NxNiikzGR6clLh+bLpIp8Qie3J7DwOr8oC1QOKjNDK+UgQ7mDQEgr4nGjNKSvpDi4c1QCw4sbLqQgx1y2VhT0SmUPHf5NQFldRQyR/jcevSSwOBxszz3aq9AwHiv9OWaO3XY18suXPouiuPTpIcZwc2BLDNHFnDURQeGEtmgqj6gZLIkTY0iw7q9Tj5FOyl4AkvEJC5B4CSzaWgey93Wqn1Imt7KI8+H9lApMKziVL1q+K7xAuNkGmx5YOSNlE6rKAPtsIPHZGxR7dch0GURv2jhh0NQYvBRn3ukCjuIO5gx56HLgilq59/o50zZ4NcT7iASF76TcAAAEAC6YxX7rrs8pp13W4YGiJHwFvIO1yXLGOdqu66JM0plO4J1ItV1AQcazOXLiliny3p2/W+wXZZKd5HIRt52YafCA8YNyMk/sF7JcTR4d4z9CfKaAxh0UpzKiAk+0j/Wu3iPoTOsyt7N0j1+dIyrFodY2sKKuBMT4TQ0yqQpbC+IDQv2i1IlZAPneYGfd5MIGygs2QMfaMQ1jWAKJvEO0vstZ7GB6nDAcg4in3ZiBHtomx3PL5w+zg48S4Ed69BiFXLZ1f6MnjpUOP75pD4MP6toS0rgK9b93xCrEQLgm4oD/7TCHHBo2xR7wwcsN2OddtwWsEM2QgOkt/jdCAoVCqwQ=="
 	, host "github.com" 
 		& sshPubKey "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ=="
+	, host "ns6.gandi.net"
+		& ipv4 "217.70.177.40"
 	, host "turtle.kitenet.net"
 		& ipv4 "67.223.19.96"
 		& ipv6 "2001:4978:f:2d9::2"

debian/changelog

@@ -1,6 +1,10 @@
 propellor (0.5.1) UNRELEASED; urgency=medium
 
   * Add missing build deps and deps. Closes: #745459
+  * Primary DNS servers now have allow-transfer automatically populated
+    with the IP addresses of secondary dns servers. So, it's important
+    that all secondary DNS servers have an ipv4 (and/or ipv6) property
+    configured.
 
  -- Joey Hess <joeyh@debian.org>  Tue, 22 Apr 2014 19:07:59 -0400