diff --git a/src/Propellor/Info.hs b/src/Propellor/Info.hs
index 3af3fc1..0437f8e 100644
--- a/src/Propellor/Info.hs
+++ b/src/Propellor/Info.hs
@@ -64,7 +64,6 @@ addDNS r = pureInfoProperty (rdesc r) $ mempty { _dns = S.singleton r }
 rdesc (NS d) = unwords ["NS", ddesc d]
 rdesc (TXT s) = unwords ["TXT", s]
 rdesc (SRV x y z d) = unwords ["SRV", show x, show y, show z, ddesc d]
- rdesc (INCLUDE f) = unwords ["$INCLUDE", f]
 ddesc (AbsDomain domain) = domain
 ddesc (RelDomain domain) = domain
diff --git a/src/Propellor/Property/Dns.hs b/src/Propellor/Property/Dns.hs
index 27f81f6..c5a4efa 100644
--- a/src/Propellor/Property/Dns.hs
+++ b/src/Propellor/Property/Dns.hs
@@ -133,7 +133,7 @@ signedPrimary recurrance hosts domain soa rs = RevertableProperty setup cleanup
 -- TODO enable dnssec options.
 -- dnssec-enable yes; dnssec-validation yes; dnssec-lookaside auto;
 setup = combineProperties ("dns primary for " ++ domain ++ " (signed)")
- [ setupPrimary zonefile signedZoneFile hosts domain soa rs'
+ [ setupPrimary zonefile signedZoneFile hosts domain soa rs
 , toProp (zoneSigned domain zonefile)
 ]
 `onChange` Service.reloaded "bind9"
@@ -142,10 +142,6 @@ signedPrimary recurrance hosts domain soa rs = RevertableProperty setup cleanup
 `onChange` toProp (revert (zoneSigned domain zonefile))
 `onChange` Service.reloaded "bind9"
 
- -- Include the public keys into the zone file.
- rs' = include PubKSK : include PubZSK : rs
- include k = (RootDomain, INCLUDE (keyFn domain k))
-
 -- Put DNSSEC zone files in a different directory than is used for
 -- the regular ones. This allows 'primary' to be reverted and
 -- 'signedPrimary' enabled, without the reverted property stomping
@@ -271,7 +267,6 @@ rField (MX _ _) = "MX"
 rField (NS _) = "NS"
 rField (TXT _) = "TXT"
 rField (SRV _ _ _ _) = "SRV"
-rField (INCLUDE _) = "$INCLUDE"
 
 rValue :: Record -> String
 rValue (Address (IPv4 addr)) = addr
@@ -285,7 +280,6 @@ rValue (SRV priority weight port target) = unwords
 , show port
 , dValue target
 ]
-rValue (INCLUDE f) = f
 rValue (TXT s) = [q] ++ filter (/= q) s ++ [q]
 where
 q = '"'
diff --git a/src/Propellor/Property/DnsSec.hs b/src/Propellor/Property/DnsSec.hs
index e4a8cad..f39fcb2 100644
--- a/src/Propellor/Property/DnsSec.hs
+++ b/src/Propellor/Property/DnsSec.hs
@@ -41,6 +41,7 @@ zoneSigned :: Domain -> FilePath -> RevertableProperty
 zoneSigned domain zonefile = RevertableProperty setup cleanup
 where
 setup = check needupdate (forceZoneSigned domain zonefile)
+ `requires` includePubKeys domain zonefile
 `requires` toProp (keysInstalled domain)
 cleanup = combineProperties ("removed signed zone for " ++ domain)
@@ -65,6 +66,12 @@ zoneSigned domain zonefile = RevertableProperty setup cleanup
 t2 <- getModificationTime f
 return (t2 >= t1)
 
+includePubKeys :: Domain -> FilePath -> Property
+includePubKeys domain zonefile = File.containsLines zonefile $
+ map mkinclude [PubKSK, PubZSK]
+ where
+ mkinclude k = "$INCLUDE " ++ keyFn domain k
+
 forceZoneSigned :: Domain -> FilePath -> Property
 forceZoneSigned domain zonefile = property ("zone signed for " ++ domain) $ liftIO $ do
 salt <- take 16 <$> saltSha1
@@ -95,8 +102,11 @@ saltSha1 = readProcess "sh"
 
 -- | The file used for a given key.
 keyFn :: Domain -> DnsSecKey -> FilePath
-keyFn domain k = "/etc/bind/propellor/dnssec"
- "K" ++ domain ++ "." ++ show k ++ keyExt k
+keyFn domain k = "/etc/bind/propellor/dnssec" concat
+ [ "K" ++ domain ++ "."
+ , if isZoneSigningKey k then "ZSK" else "KSK"
+ , keyExt k
+ ]
 
 -- | These are the extensions that dnssec-keygen looks for.
 keyExt :: DnsSecKey -> String
diff --git a/src/Propellor/Types/Dns.hs b/src/Propellor/Types/Dns.hs
index 2fbf51e..5e9666d 100644
--- a/src/Propellor/Types/Dns.hs
+++ b/src/Propellor/Types/Dns.hs
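Review bot: includePubKeys appends the two `$INCLUDE` directives to zonefile with File.containsLines, while the same zonefile is written from the record list by setupPrimary (Dns.hs hunk at -133, which now passes the plain `rs` with no INCLUDE records), so any regeneration of the zone file by setupPrimary presumably drops the directives and includePubKeys re-appends them on the next ensure — two writes per change and, if setupPrimary writes unconditionally, a zone file that changes on every run, which the mtime-based needupdate visible above would likely treat as a reason to re-sign each time. Confirm when setupPrimary writes; if it rewrites on every run, the directives belong in the generated zone text rather than in a post-hoc append. The new function has no Haddock comment; suggested: `-- | Adds $INCLUDE directives for the public KSK and ZSK to the zone file, so the keys become part of what zoneSigned signs.` keyFn yields absolute paths under /etc/bind/propellor/dnssec, so the directives reference files outside the zone file's own directory; whether the name server is permitted to read that location is not visible here and should be checked on the target.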
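Review bot: keyFn's new name component is chosen by `isZoneSigningKey k` ("ZSK"/"KSK") where the removed lines used `show k`; unless `show` already yielded exactly those two strings, every key file on an already-deployed host now has a different expected path, keysInstalled will presumably find nothing and generate fresh keys, and a regenerated KSK invalidates any DS record published at the parent until it is replaced. If the rename is intended, a one-off migration that renames existing files (or an explicit note in the commit message) is needed. The path is built by plain concatenation from `domain`; if Domain is a bare String alias, a value containing '/' or whitespace would leave the intended directory or break the `$INCLUDE` line written by includePubKeys, so a comment stating what callers guarantee would help, e.g. `-- Assumes domain has been validated to contain no path separators or whitespace.` The operator between the directory literal and `concat` is not visible in this rendering, presumably `</>`.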
@@ -62,7 +62,6 @@ data Record
 | NS BindDomain
 | TXT String
 | SRV Word16 Word16 Word16 BindDomain
- | INCLUDE FilePath
 deriving (Read, Show, Eq, Ord)
 
 getIPAddr :: Record -> Maybe IPAddr