stub signedPrimary

Joey Hess 2015-01-03 19:10:28 -04:00
parent 4dd6596919
commit a1f61e09b8
2 changed files with 28 additions and 0 deletions

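--- a/debian/changelog
+++ b/debian/changelog
@@ -5,6 +5,7 @@ propellor (1.2.3) UNRELEASED; urgency=medium
 * Detect #774376 and refuse to use docker if the system is so broken
 that docker exec doesn't enter a chroot.
 * Update intermediary propellor in --spin --via
+* Added support for DNSSEC.
 -- Joey Hess <id@joeyh.name> Thu, 01 Jan 2015 13:27:23 -0400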


@ -1,6 +1,7 @@
module Propellor.Property.Dns ( module Propellor.Property.Dns (
module Propellor.Types.Dns, module Propellor.Types.Dns,
primary, primary,
signedPrimary,
secondary, secondary,
secondaryFor, secondaryFor,
mkSOA, mkSOA,
@ -17,6 +18,8 @@ import Propellor.Types.Dns
import Propellor.Property.File import Propellor.Property.File
import qualified Propellor.Property.Apt as Apt import qualified Propellor.Property.Apt as Apt
import qualified Propellor.Property.Service as Service import qualified Propellor.Property.Service as Service
import Propellor.Property.Scheduled
import Propellor.Property.DnsSec
import Utility.Applicative import Utility.Applicative
import qualified Data.Map as M import qualified Data.Map as M
@ -97,6 +100,30 @@ primary hosts domain soa rs = RevertableProperty setup cleanup
z = zone { zSOA = (zSOA zone) { sSerial = oldserial } } z = zone { zSOA = (zSOA zone) { sSerial = oldserial } }
in z /= oldzone || oldserial < sSerial (zSOA zone) in z /= oldzone || oldserial < sSerial (zSOA zone)
-- | Primary dns server for a domain, secured with DNSSEC.
--
-- This is like `primary`, except the resulting zone
-- file is signed.
-- The Zone Signing Key (ZSK) and Key Signing Key (KSK)
-- used in signing it are taken from the PrivData.
--
-- As a side effect of signing the zone, a
-- </var/cache/bind/dsset-domain.>
-- file will be created. This file contains the DS records
-- which need to be communicated to your domain registrar
-- to make DNSSEC be used for your domain. Doing so is outside
-- the scope of propellor (currently). See for example the tutorial
-- <https://www.digitalocean.com/community/tutorials/how-to-setup-dnssec-on-an-authoritative-bind-dns-server--2>
--
-- The 'Recurrance' controls how frequently the signature
-- should be regenerated, using a new random salt, to prevent
-- zone walking attacks. `Daily` is a reasonable choice.
signedPrimary :: Recurrance -> [Host] -> Domain -> SOA -> [(BindDomain, Record)] -> RevertableProperty
signedPrimary recurrance hosts domain soa rs = RevertableProperty setup cleanup
where
setup = undefined
cleanup = undefined
-- | Secondary dns server for a domain. -- | Secondary dns server for a domain.
-- --
-- The primary server is determined by looking at the properties of other -- The primary server is determined by looking at the properties of other
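Review bot: The newly exported signedPrimary (the `signedPrimary recurrance hosts domain soa rs = RevertableProperty setup cleanup` equation and its where clause) fills both halves of the property with bare `undefined`, so any host that ever runs or reverts it will presumably die with an uninformative Prelude.undefined, while its Haddock already promises zone signing with ZSK/KSK keys from PrivData that the code does not perform. Until the implementation lands the stub should fail descriptively and the doc should say so, e.g. `setup = error "signedPrimary: not yet implemented"` and `cleanup = error "signedPrimary: not yet implemented"`, with a leading Haddock sentence such as "Placeholder: signing is not implemented yet." The five parameters (`recurrance hosts domain soa rs`) are unused and will warn under -Wall; binding them as `_recurrance` etc. until they are used keeps the build clean. Likewise the `import Propellor.Property.Scheduled` and `import Propellor.Property.DnsSec` lines added in the earlier hunk are unreferenced in this commit.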