cadey
/
propellor
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

add $INCLUDE of pubkeys before zone file is written, to avoid pogoing

This commit is contained in:
Joey Hess 2015-01-04 14:20:22 -04:00
parent 43e15c8add
commit bb7b8e7891
4 changed files with 18 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
src/Propellor/Info.hs
View File

@ -64,6 +64,7 @@ addDNS r = pureInfoProperty (rdesc r) $ mempty { _dns = S.singleton r }
rdesc (NS d) = unwords ["NS", ddesc d] rdesc (NS d) = unwords ["NS", ddesc d]
rdesc (TXT s) = unwords ["TXT", s] rdesc (TXT s) = unwords ["TXT", s]
rdesc (SRV x y z d) = unwords ["SRV", show x, show y, show z, ddesc d] rdesc (SRV x y z d) = unwords ["SRV", show x, show y, show z, ddesc d]
rdesc (INCLUDE f) = unwords ["$INCLUDE", f]
ddesc (AbsDomain domain) = domain ddesc (AbsDomain domain) = domain
ddesc (RelDomain domain) = domain ddesc (RelDomain domain) = domain

22
src/Propellor/Property/Dns.hs
View File

@ -133,7 +133,7 @@ signedPrimary recurrance hosts domain soa rs = RevertableProperty setup cleanup
-- TODO enable dnssec options. -- TODO enable dnssec options.
-- dnssec-enable yes; dnssec-validation yes; dnssec-lookaside auto; -- dnssec-enable yes; dnssec-validation yes; dnssec-lookaside auto;
setup = combineProperties ("dns primary for " ++ domain ++ " (signed)") setup = combineProperties ("dns primary for " ++ domain ++ " (signed)")
[ setupPrimary zonefile signedZoneFile hosts domain soa rs [ setupPrimary zonefile signedZoneFile hosts domain soa rs'
, toProp (zoneSigned domain zonefile) , toProp (zoneSigned domain zonefile)
] ]
`onChange` Service.reloaded "bind9" `onChange` Service.reloaded "bind9"
@ -142,6 +142,10 @@ signedPrimary recurrance hosts domain soa rs = RevertableProperty setup cleanup
`onChange` toProp (revert (zoneSigned domain zonefile)) `onChange` toProp (revert (zoneSigned domain zonefile))
`onChange` Service.reloaded "bind9" `onChange` Service.reloaded "bind9"
-- Include the public keys into the zone file.
rs' = include PubKSK : include PubZSK : rs
include k = (RootDomain, INCLUDE (keyFn domain k))
-- Put DNSSEC zone files in a different directory than is used for -- Put DNSSEC zone files in a different directory than is used for
-- the regular ones. This allows 'primary' to be reverted and -- the regular ones. This allows 'primary' to be reverted and
-- 'signedPrimary' enabled, without the reverted property stomping -- 'signedPrimary' enabled, without the reverted property stomping
@ -267,6 +271,7 @@ rField (MX _ _) = "MX"
rField (NS _) = "NS" rField (NS _) = "NS"
rField (TXT _) = "TXT" rField (TXT _) = "TXT"
rField (SRV _ _ _ _) = "SRV" rField (SRV _ _ _ _) = "SRV"
rField (INCLUDE _) = "$INCLUDE"
rValue :: Record -> String rValue :: Record -> String
rValue (Address (IPv4 addr)) = addr rValue (Address (IPv4 addr)) = addr
@ -280,6 +285,7 @@ rValue (SRV priority weight port target) = unwords
, show port , show port
, dValue target , dValue target
] ]
rValue (INCLUDE f) = f
rValue (TXT s) = [q] ++ filter (/= q) s ++ [q] rValue (TXT s) = [q] ++ filter (/= q) s ++ [q]
where where
q = '"' q = '"'
@ -345,12 +351,16 @@ genZoneFile (Zone zdomain soa rs) = unlines $
header = com $ "BIND zone file for " ++ zdomain ++ ". Generated by propellor, do not edit." header = com $ "BIND zone file for " ++ zdomain ++ ". Generated by propellor, do not edit."
genRecord :: Domain -> (BindDomain, Record) -> String genRecord :: Domain -> (BindDomain, Record) -> String
genRecord _ (_, record@(INCLUDE _)) = intercalate "\t"
[ rField record
, rValue record
]
genRecord zdomain (domain, record) = intercalate "\t" genRecord zdomain (domain, record) = intercalate "\t"
[ domainHost zdomain domain [ domainHost zdomain domain
, "IN" , "IN"
, rField record , rField record
, rValue record , rValue record
] ]
genSOA :: SOA -> [String] genSOA :: SOA -> [String]
genSOA soa = genSOA soa =

7
src/Propellor/Property/DnsSec.hs
View File

@ -41,7 +41,6 @@ zoneSigned :: Domain -> FilePath -> RevertableProperty
zoneSigned domain zonefile = RevertableProperty setup cleanup zoneSigned domain zonefile = RevertableProperty setup cleanup
where where
setup = check needupdate (forceZoneSigned domain zonefile) setup = check needupdate (forceZoneSigned domain zonefile)
`requires` includePubKeys domain zonefile
`requires` toProp (keysInstalled domain) `requires` toProp (keysInstalled domain)
cleanup = combineProperties ("removed signed zone for " ++ domain) cleanup = combineProperties ("removed signed zone for " ++ domain)
@ -66,12 +65,6 @@ zoneSigned domain zonefile = RevertableProperty setup cleanup
t2 <- getModificationTime f t2 <- getModificationTime f
return (t2 >= t1) return (t2 >= t1)
includePubKeys :: Domain -> FilePath -> Property
includePubKeys domain zonefile = File.containsLines zonefile $
map mkinclude [PubKSK, PubZSK]
where
mkinclude k = "$INCLUDE " ++ keyFn domain k
forceZoneSigned :: Domain -> FilePath -> Property forceZoneSigned :: Domain -> FilePath -> Property
forceZoneSigned domain zonefile = property ("zone signed for " ++ domain) $ liftIO $ do forceZoneSigned domain zonefile = property ("zone signed for " ++ domain) $ liftIO $ do
salt <- take 16 <$> saltSha1 salt <- take 16 <$> saltSha1

1
src/Propellor/Types/Dns.hs
View File

@ -62,6 +62,7 @@ data Record
| NS BindDomain | NS BindDomain
| TXT String | TXT String
| SRV Word16 Word16 Word16 BindDomain | SRV Word16 Word16 Word16 BindDomain
| INCLUDE FilePath
deriving (Read, Show, Eq, Ord) deriving (Read, Show, Eq, Ord)
getIPAddr :: Record -> Maybe IPAddr getIPAddr :: Record -> Maybe IPAddr