resign zone if keys change

src/Propellor/Property/Dns.hs

@@ -136,7 +136,6 @@ signedPrimary recurrance hosts domain soa rs = RevertableProperty setup cleanup
 	-- TODO put signed zone file in named.conf.
 	-- TODO enable dnssec options.
 	-- 	dnssec-enable yes; dnssec-validation yes; dnssec-lookaside auto;
-	-- TODO if keys change, resign zone file.
 	-- TODO write to entirely different files than does primary,
 	-- so that primary can be reverted and signedPrimary enabled,
 	-- or vice-versa, without conflicts.

src/Propellor/Property/DnsSec.hs

@@ -53,15 +53,18 @@ zoneSigned domain zonefile = RevertableProperty setup cleanup
 	dssetfile = dir </> "-" ++ domain ++ "."
 	dir = takeDirectory zonefile
 
-	-- Need to update the signed zone if the zone file
-	-- has a newer timestamp.
+	-- Need to update the signed zone file if the zone file or
+	-- any of the keys have a newer timestamp.
 	needupdate = do
 		v <- catchMaybeIO $ getModificationTime signedzonefile
 		case v of
 			Nothing -> return True
-			Just t1 -> do
-				t2 <- getModificationTime zonefile
-				return (t2 >= t1)
+			Just t1 -> anyM (newerthan t1) $
+				zonefile : map (keyFn domain) [minBound..maxBound]
+
+	newerthan t1 f = do
+		t2 <- getModificationTime f
+		return (t2 >= t1)
 
 forceZoneSigned :: Domain -> FilePath -> Property
 forceZoneSigned domain zonefile = property ("zone signed for " ++ domain) $ liftIO $ do

src/Propellor/Types/PrivData.hs

@@ -104,4 +104,4 @@ data DnsSecKey
 	| PrivZSK -- ^ DNSSEC Zone Signing Key (private)
 	| PubKSK -- ^ DNSSEC Key Signing Key (public)
 	| PrivKSK -- ^ DNSSEC Key Signing Key (private)
-	deriving (Read, Show, Ord, Eq)
+	deriving (Read, Show, Ord, Eq, Bounded, Enum)