stub signedPrimary

Joey Hess 2015-01-03 19:10:28 -04:00
parent 4dd6596919
commit a1f61e09b8
2 changed files with 28 additions and 0 deletions

1
debian/changelog vendored

@ -5,6 +5,7 @@ propellor (1.2.3) UNRELEASED; urgency=medium
* Detect #774376 and refuse to use docker if the system is so broken
that docker exec doesn't enter a chroot.
* Update intermediary propellor in --spin --via
* Added support for DNSSEC.
-- Joey Hess <id@joeyh.name> Thu, 01 Jan 2015 13:27:23 -0400


@ -1,6 +1,7 @@
module Propellor.Property.Dns (
module Propellor.Types.Dns,
primary,
signedPrimary,
secondary,
secondaryFor,
mkSOA,
@ -17,6 +18,8 @@ import Propellor.Types.Dns
import Propellor.Property.File
import qualified Propellor.Property.Apt as Apt
import qualified Propellor.Property.Service as Service
import Propellor.Property.Scheduled
import Propellor.Property.DnsSec
import Utility.Applicative
import qualified Data.Map as M
@ -97,6 +100,30 @@ primary hosts domain soa rs = RevertableProperty setup cleanup
z = zone { zSOA = (zSOA zone) { sSerial = oldserial } }
in z /= oldzone || oldserial < sSerial (zSOA zone)
-- | Primary dns server for a domain, secured with DNSSEC.
--
-- This is like `primary`, except the resulting zone
-- file is signed.
-- The Zone Signing Key (ZSK) and Key Signing Key (KSK)
-- used in signing it are taken from the PrivData.
--
-- As a side effect of signing the zone, a
-- </var/cache/bind/dsset-domain.>
-- file will be created. This file contains the DS records
-- which need to be communicated to your domain registrar
-- to make DNSSEC be used for your domain. Doing so is outside
-- the scope of propellor (currently). See for example the tutorial
-- <https://www.digitalocean.com/community/tutorials/how-to-setup-dnssec-on-an-authoritative-bind-dns-server--2>
--
-- The 'Recurrance' controls how frequently the signature
-- should be regenerated, using a new random salt, to prevent
-- zone walking attacks. `Daily` is a reasonable choice.
signedPrimary :: Recurrance -> [Host] -> Domain -> SOA -> [(BindDomain, Record)] -> RevertableProperty
signedPrimary recurrance hosts domain soa rs = RevertableProperty setup cleanup
where
setup = undefined
cleanup = undefined
-- | Secondary dns server for a domain.
--
-- The primary server is determined by looking at the properties of other
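Review bot: The last paragraph of the `signedPrimary` haddock (hunk `-97,6 +100,30`) says that re-signing with a new random salt will "prevent zone walking attacks", which overstates it: a salted hashed-denial chain (presumably NSEC3 is meant) only makes enumerating the zone more expensive. The comment also omits the operational constraint that the 'Recurrance' has to be shorter than the signature validity period, otherwise validating resolvers will start treating the zone as bogus. I would reword it along the lines of `-- The 'Recurrance' controls how often the zone is re-signed with a fresh salt; this makes zone walking harder, and it must be more frequent than the signature lifetime.` Separately, `setup = undefined` and `cleanup = undefined` sit behind a name that this commit already exports and announces in debian/changelog, so until the body lands `setup = error "signedPrimary: not implemented yet"` (and the same for `cleanup`) would presumably give a clearer failure than a bare `Prelude.undefined` if a host config picks it up.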