| author | Joey Hess <joeyh@joeyh.name> | 2015-01-04 13:13:06 -0400 |
|---|---|---|
| committer | Joey Hess <joeyh@joeyh.name> | 2015-01-04 13:13:06 -0400 |
| commit | d6c8ddb955707cd73f66fcb662ea4616c5715d39 (patch) | |
| tree | ef298b9111dbdfaf53180530f5ecf18ebb7fdf12 /src/Propellor | |
| parent | 01d8ab0cfd5e65395afc242f8307a67c48ec8544 (diff) | |
resign zone if keys change
Diffstat (limited to 'src/Propellor')
| -rw-r--r-- | src/Propellor/Property/Dns.hs | 1 | ||||
| -rw-r--r-- | src/Propellor/Property/DnsSec.hs | 13 | ||||
| -rw-r--r-- | src/Propellor/Types/PrivData.hs | 2 |
3 files changed, 9 insertions, 7 deletions
diff --git a/src/Propellor/Property/Dns.hs b/src/Propellor/Property/Dns.hs
index 89180963..38e98eac 100644
--- a/src/Propellor/Property/Dns.hs
+++ b/src/Propellor/Property/Dns.hs
@@ -136,7 +136,6 @@ signedPrimary recurrance hosts domain soa rs = RevertableProperty setup cleanup
 -- TODO put signed zone file in named.conf.
 -- TODO enable dnssec options.
 -- dnssec-enable yes; dnssec-validation yes; dnssec-lookaside auto;
- -- TODO if keys change, resign zone file.
 -- TODO write to entirely different files than does primary,
 -- so that primary can be reverted and signedPrimary enabled,
 -- or vice-versa, without conflicts.
diff --git a/src/Propellor/Property/DnsSec.hs b/src/Propellor/Property/DnsSec.hs
index 201cc003..ba9c2a1b 100644
--- a/src/Propellor/Property/DnsSec.hs
+++ b/src/Propellor/Property/DnsSec.hs
@@ -53,15 +53,18 @@ zoneSigned domain zonefile = RevertableProperty setup cleanup
 dssetfile = dir </> "-" ++ domain ++ "."
 dir = takeDirectory zonefile
- -- Need to update the signed zone if the zone file
- -- has a newer timestamp.
+ -- Need to update the signed zone file if the zone file or
+ -- any of the keys have a newer timestamp.
 needupdate = do
 v <- catchMaybeIO $ getModificationTime signedzonefile
 case v of
 Nothing -> return True
- Just t1 -> do
- t2 <- getModificationTime zonefile
- return (t2 >= t1)
+ Just t1 -> anyM (newerthan t1) $ zonefile : map (keyFn domain) [minBound..maxBound]
+
+ newerthan t1 f = do
+ t2 <- getModificationTime f
+ return (t2 >= t1)
 forceZoneSigned :: Domain -> FilePath -> Property
 forceZoneSigned domain zonefile = property ("zone signed for " ++ domain) $ liftIO $ do
diff --git a/src/Propellor/Types/PrivData.hs b/src/Propellor/Types/PrivData.hs
index 636c9658..d6941a77 100644
--- a/src/Propellor/Types/PrivData.hs
+++ b/src/Propellor/Types/PrivData.hs
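Review bot: `newerthan t1 f` calls `getModificationTime` with no exception handling, so if any of the four key files named by `keyFn domain` is absent when `needupdate` runs, the property throws instead of deciding; only the `signedzonefile` lookup is wrapped in `catchMaybeIO`. Unless the enclosing `zoneSigned` setup (which begins before this hunk) guarantees the keys are written first, the helper should fall back to forcing a re-sign attempt, e.g. `newerthan t1 f = maybe True (>= t1) <$> catchMaybeIO (getModificationTime f)`, so a missing key surfaces as a signing failure rather than a timestamp error. Note also that mtime comparison is only a heuristic for "keys changed": a key replaced with its timestamp preserved (e.g. restored from backup with `cp -p`) will not trigger re-signing, and an unchanged zone is never re-signed here regardless of RRSIG expiry — presumably the `recurrance` passed to `signedPrimary` covers the latter, but a comment such as `-- Only detects changes by mtime; periodic re-signing before RRSIG expiry must be driven by the caller's recurrance` would make that dependency explicit.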
@@ -104,4 +104,4 @@ data DnsSecKey
 | PrivZSK -- ^ DNSSEC Zone Signing Key (private)
 | PubKSK -- ^ DNSSEC Key Signing Key (public)
 | PrivKSK -- ^ DNSSEC Key Signing Key (private)
- deriving (Read, Show, Ord, Eq)
+ deriving (Read, Show, Ord, Eq, Bounded, Enum) |
