diff options
| author | Joey Hess <joeyh@joeyh.name> | 2015-01-04 14:20:22 -0400 |
|---|---|---|
| committer | Joey Hess <joeyh@joeyh.name> | 2015-01-04 14:22:44 -0400 |
| commit | bb7b8e789104a77b12030df5fe508afbe0eac2a5 (patch) | |
| tree | e0fa55fe5ebed586b9397b7635d1875534fc28a4 | |
| parent | 43e15c8addef95d300fbf1a84b06def9fd099c4d (diff) | |
add $INCLUDE of pubkeys before zone file is written, to avoid pogoing
| -rw-r--r-- | src/Propellor/Info.hs | 1 | ||||
| -rw-r--r-- | src/Propellor/Property/Dns.hs | 22 | ||||
| -rw-r--r-- | src/Propellor/Property/DnsSec.hs | 7 | ||||
| -rw-r--r-- | src/Propellor/Types/Dns.hs | 1 |
4 files changed, 18 insertions, 13 deletions
diff --git a/src/Propellor/Info.hs b/src/Propellor/Info.hs index 0437f8ec..3af3fc15 100644 --- a/src/Propellor/Info.hs +++ b/src/Propellor/Info.hs @@ -64,6 +64,7 @@ addDNS r = pureInfoProperty (rdesc r) $ mempty { _dns = S.singleton r } rdesc (NS d) = unwords ["NS", ddesc d] rdesc (TXT s) = unwords ["TXT", s] rdesc (SRV x y z d) = unwords ["SRV", show x, show y, show z, ddesc d] + rdesc (INCLUDE f) = unwords ["$INCLUDE", f] ddesc (AbsDomain domain) = domain ddesc (RelDomain domain) = domain diff --git a/src/Propellor/Property/Dns.hs b/src/Propellor/Property/Dns.hs index c5a4efa9..e9c7c769 100644 --- a/src/Propellor/Property/Dns.hs +++ b/src/Propellor/Property/Dns.hs @@ -133,7 +133,7 @@ signedPrimary recurrance hosts domain soa rs = RevertableProperty setup cleanup -- TODO enable dnssec options. -- dnssec-enable yes; dnssec-validation yes; dnssec-lookaside auto; setup = combineProperties ("dns primary for " ++ domain ++ " (signed)") - [ setupPrimary zonefile signedZoneFile hosts domain soa rs + [ setupPrimary zonefile signedZoneFile hosts domain soa rs' , toProp (zoneSigned domain zonefile) ] `onChange` Service.reloaded "bind9" @@ -142,6 +142,10 @@ signedPrimary recurrance hosts domain soa rs = RevertableProperty setup cleanup `onChange` toProp (revert (zoneSigned domain zonefile)) `onChange` Service.reloaded "bind9" + -- Include the public keys into the zone file. + rs' = include PubKSK : include PubZSK : rs + include k = (RootDomain, INCLUDE (keyFn domain k)) + -- Put DNSSEC zone files in a different directory than is used for -- the regular ones. This allows 'primary' to be reverted and -- 'signedPrimary' enabled, without the reverted property stomping @@ -267,6 +271,7 @@ rField (MX _ _) = "MX" rField (NS _) = "NS" rField (TXT _) = "TXT" rField (SRV _ _ _ _) = "SRV" +rField (INCLUDE _) = "$INCLUDE" rValue :: Record -> String rValue (Address (IPv4 addr)) = addr @@ -280,6 +285,7 @@ rValue (SRV priority weight port target) = unwords , show port , dValue target ] +rValue (INCLUDE f) = f rValue (TXT s) = [q] ++ filter (/= q) s ++ [q] where q = '"' @@ -345,12 +351,16 @@ genZoneFile (Zone zdomain soa rs) = unlines $ header = com $ "BIND zone file for " ++ zdomain ++ ". Generated by propellor, do not edit." genRecord :: Domain -> (BindDomain, Record) -> String +genRecord _ (_, record@(INCLUDE _)) = intercalate "\t" + [ rField record + , rValue record + ] genRecord zdomain (domain, record) = intercalate "\t" - [ domainHost zdomain domain - , "IN" - , rField record - , rValue record - ] + [ domainHost zdomain domain + , "IN" + , rField record + , rValue record + ] genSOA :: SOA -> [String] genSOA soa = diff --git a/src/Propellor/Property/DnsSec.hs b/src/Propellor/Property/DnsSec.hs index 37eea09c..b7557006 100644 --- a/src/Propellor/Property/DnsSec.hs +++ b/src/Propellor/Property/DnsSec.hs @@ -41,7 +41,6 @@ zoneSigned :: Domain -> FilePath -> RevertableProperty zoneSigned domain zonefile = RevertableProperty setup cleanup where setup = check needupdate (forceZoneSigned domain zonefile) - `requires` includePubKeys domain zonefile `requires` toProp (keysInstalled domain) cleanup = combineProperties ("removed signed zone for " ++ domain) @@ -66,12 +65,6 @@ zoneSigned domain zonefile = RevertableProperty setup cleanup t2 <- getModificationTime f return (t2 >= t1) -includePubKeys :: Domain -> FilePath -> Property -includePubKeys domain zonefile = File.containsLines zonefile $ - map mkinclude [PubKSK, PubZSK] - where - mkinclude k = "$INCLUDE " ++ keyFn domain k - forceZoneSigned :: Domain -> FilePath -> Property forceZoneSigned domain zonefile = property ("zone signed for " ++ domain) $ liftIO $ do salt <- take 16 <$> saltSha1 diff --git a/src/Propellor/Types/Dns.hs b/src/Propellor/Types/Dns.hs index 5e9666d8..2fbf51e5 100644 --- a/src/Propellor/Types/Dns.hs +++ b/src/Propellor/Types/Dns.hs @@ -62,6 +62,7 @@ data Record | NS BindDomain | TXT String | SRV Word16 Word16 Word16 BindDomain + | INCLUDE FilePath deriving (Read, Show, Eq, Ord) getIPAddr :: Record -> Maybe IPAddr |