| author | Joey Hess <joeyh@joeyh.name> | 2015-01-03 19:10:28 -0400 |
|---|---|---|
| committer | Joey Hess <joeyh@joeyh.name> | 2015-01-03 19:10:28 -0400 |
| commit | a1f61e09b8d72ef4d4ee8490b9b228dafd8b3d1d (patch) | |
| tree | 4b54f48d04dbf04a7eb00afed43694a4b31d1d47 /src/Propellor/Property/Dns.hs | |
| parent | 4dd6596919e8e7c14436fb0cabd113664680faf7 (diff) | |
stub signedPrimary
Diffstat (limited to 'src/Propellor/Property/Dns.hs')
| -rw-r--r-- | src/Propellor/Property/Dns.hs | 27 |
1 files changed, 27 insertions, 0 deletions
diff --git a/src/Propellor/Property/Dns.hs b/src/Propellor/Property/Dns.hs
index f351804c..20530f26 100644
--- a/src/Propellor/Property/Dns.hs
+++ b/src/Propellor/Property/Dns.hs
@@ -1,6 +1,7 @@
 module Propellor.Property.Dns (
 module Propellor.Types.Dns,
 primary,
+ signedPrimary,
 secondary,
 secondaryFor,
 mkSOA,
@@ -17,6 +18,8 @@
 import Propellor.Types.Dns
 import Propellor.Property.File
 import qualified Propellor.Property.Apt as Apt
 import qualified Propellor.Property.Service as Service
+import Propellor.Property.Scheduled
+import Propellor.Property.DnsSec
 import Utility.Applicative
 import qualified Data.Map as M
@@ -97,6 +100,30 @@ primary hosts domain soa rs = RevertableProperty setup cleanup
 z = zone { zSOA = (zSOA zone) { sSerial = oldserial } }
 in z /= oldzone || oldserial < sSerial (zSOA zone)
 
+-- | Primary dns server for a domain, secured with DNSSEC.
+--
+-- This is like `primary`, except the resulting zone
+-- file is signed.
+-- The Zone Signing Key (ZSK) and Key Signing Key (KSK)
+-- used in signing it are taken from the PrivData.
+--
+-- As a side effect of signing the zone, a
+-- </var/cache/bind/dsset-domain.>
+-- file will be created. This file contains the DS records
+-- which need to be communicated to your domain registrar
+-- to make DNSSEC be used for your domain. Doing so is outside
+-- the scope of propellor (currently). See for example the tutorial
+-- <https://www.digitalocean.com/community/tutorials/how-to-setup-dnssec-on-an-authoritative-bind-dns-server--2>
+--
+-- The 'Recurrance' controls how frequently the signature
+-- should be regenerated, using a new random salt, to prevent
+-- zone walking attacks. `Daily` is a reasonable choice.
+signedPrimary :: Recurrance -> [Host] -> Domain -> SOA -> [(BindDomain, Record)] -> RevertableProperty
+signedPrimary recurrance hosts domain soa rs = RevertableProperty setup cleanup
+ where
+ setup = undefined
+ cleanup = undefined
+
 -- | Secondary dns server for a domain.
 --
 -- The primary server is determined by looking at the properties of other |
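Review bot: `setup = undefined` and `cleanup = undefined` in the new signedPrimary body mean any host that declares this property will fail with the generic `Prelude.undefined` exception when the property is ensured, with nothing in the error naming which property blew up, and the first hunk already exports `signedPrimary` so the stub is reachable by callers. Until the implementation lands, prefer `setup = error "signedPrimary: not yet implemented"` and `cleanup = error "signedPrimary: not yet implemented"`, or keep the name out of the export list for now. The five parameters `recurrance hosts domain soa rs` and the two imports added in the second hunk (`Propellor.Property.Scheduled`, `Propellor.Property.DnsSec`) are unused by the stub, so they will presumably trigger unused-binding and unused-import warnings if the build uses -Wall; the file's warning flags are not visible from these hunks. In the Haddock comment, `</var/cache/bind/dsset-domain.>` is URL-link syntax and will render as a link rather than a path; `@/var/cache/bind/dsset-domain.@` gives the intended code formatting.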
