| author | Joey Hess <joeyh@joeyh.name> | 2015-01-04 15:22:22 -0400 |
|---|---|---|
| committer | Joey Hess <joeyh@joeyh.name> | 2015-01-04 15:22:22 -0400 |
| commit | 0f41071cb5b2b41b7128b38ff33779c7b9e68cbd (patch) | |
| tree | c55bba920e08d2c7caa0e42dffc26e15b2aad489 /src/Propellor/Property/Dns.hs | |
| parent | ad984e74e4c85f0305d9ce8255ac8909038be82d (diff) | |
transition docs
Diffstat (limited to 'src/Propellor/Property/Dns.hs')
| -rw-r--r-- | src/Propellor/Property/Dns.hs | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/src/Propellor/Property/Dns.hs b/src/Propellor/Property/Dns.hs index b5c97d35..581a9bfe 100644 --- a/src/Propellor/Property/Dns.hs +++ b/src/Propellor/Property/Dns.hs @@ -127,6 +127,14 @@ cleanupPrimary zonefile domain = check (doesFileExist zonefile) $ -- The 'Recurrance' controls how frequently the signature -- should be regenerated, using a new random salt, to prevent -- zone walking attacks. `Weekly Nothing` is a reasonable choice. +-- +-- To transition from 'primary' to 'signedPrimary', you can revert +-- the 'primary' property, and add this property. +-- +-- Note that DNSSEC zone files use a serial number based on the unix epoch. +-- This is different from the serial number used by 'primary', so if you +-- want to later disable DNSSEC you will need to adjust the serial number +-- passed to mkSOA to ensure it is larger. signedPrimary :: Recurrance -> [Host] -> Domain -> SOA -> [(BindDomain, Record)] -> RevertableProperty signedPrimary recurrance hosts domain soa rs = RevertableProperty setup cleanup where |
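Review bot: The serial-number note in the added comment says to adjust the serial passed to mkSOA "to ensure it is larger" but never says larger than what. Suggest stating that it must exceed the unix-epoch-based serial the signed zone last published, because secondaries that have already seen the higher serial will otherwise treat the unsigned zone as older and not transfer it. The transition paragraph also documents only the 'primary' to 'signedPrimary' direction; a matching sentence for going back (revert 'signedPrimary', add 'primary' with the raised serial) would belong right next to this caveat.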
