authorJoey Hess2015-01-04 14:05:42 -0400
committerJoey Hess2015-01-04 14:05:42 -0400
commitf36443755e9c151d7d93b172fb2260b007ec483f (patch)
tree0e0427fef1c6f5edacf6366f5de74f09c32e62c1 /src/Propellor/Property/DnsSec.hs
parent8c1006c6542082691fce24c701d0a1ffd6ec0452 (diff)
propellor spin
Diffstat (limited to 'src/Propellor/Property/DnsSec.hs')
-rw-r--r--src/Propellor/Property/DnsSec.hs14
1 files changed, 12 insertions, 2 deletions
diff --git a/src/Propellor/Property/DnsSec.hs b/src/Propellor/Property/DnsSec.hs
index e4a8cad9..f39fcb25 100644
--- a/src/Propellor/Property/DnsSec.hs
+++ b/src/Propellor/Property/DnsSec.hs
@@ -41,6 +41,7 @@ zoneSigned :: Domain -> FilePath -> RevertableProperty
zoneSigned domain zonefile = RevertableProperty setup cleanup
where
setup = check needupdate (forceZoneSigned domain zonefile)
+ `requires` includePubKeys domain zonefile
`requires` toProp (keysInstalled domain)
cleanup = combineProperties ("removed signed zone for " ++ domain)
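Review bot: The new `includePubKeys` requirement on the setup side has no counterpart on the revert side: `cleanup`'s `combineProperties` list continues outside the hunk, and the diffstat (12 insertions, all visible) shows it was not touched, so reverting presumably removes the signed zone and key files while the `$INCLUDE` lines stay in the zone file pointing at paths that no longer exist, which is likely to make named refuse to load the zone. Add the inverse to the cleanup list, e.g. `File.lacksLine zonefile ("$INCLUDE " ++ keyFn domain k)` for each of `PubKSK` and `PubZSK`, or a small helper mirroring `includePubKeys`, so the RevertableProperty actually round-trips. The body of `zoneSigned` continues outside the hunk.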
@@ -65,6 +66,12 @@ zoneSigned domain zonefile = RevertableProperty setup cleanup
t2 <- getModificationTime f
return (t2 >= t1)
+includePubKeys :: Domain -> FilePath -> Property
+includePubKeys domain zonefile = File.containsLines zonefile $
+ map mkinclude [PubKSK, PubZSK]
+ where
+ mkinclude k = "$INCLUDE " ++ keyFn domain k
+
forceZoneSigned :: Domain -> FilePath -> Property
forceZoneSigned domain zonefile = property ("zone signed for " ++ domain) $ liftIO $ do
salt <- take 16 <$> saltSha1
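Review bot: `includePubKeys` has no Haddock comment while the neighbouring definitions (`keyFn`, `keyExt`) do; suggest `-- | Adds $INCLUDE directives for the public KSK and ZSK to the zone file, so the DNSKEY records are published with the zone and picked up by the signer.` Two things about the directive are worth stating in that comment: `File.containsLines` appends the lines at the end of the file, so the included records are read under whatever `$ORIGIN` is in effect there (presumably fine if the key files carry fully qualified owner names, but worth confirming), and the path from `keyFn domain k` is inserted unquoted, so a `domain` containing whitespace would produce a malformed directive. Only the public key files are referenced, which is the right choice; the private key material in the same directory must never be included from the zone file. The body of `forceZoneSigned` continues outside the hunk.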
@@ -95,8 +102,11 @@ saltSha1 = readProcess "sh"
-- | The file used for a given key.
keyFn :: Domain -> DnsSecKey -> FilePath
-keyFn domain k = "/etc/bind/propellor/dnssec" </>
- "K" ++ domain ++ "." ++ show k ++ keyExt k
+keyFn domain k = "/etc/bind/propellor/dnssec" </> concat
+ [ "K" ++ domain ++ "."
+ , if isZoneSigningKey k then "ZSK" else "KSK"
+ , keyExt k
+ ]
-- | These are the extensions that dnssec-keygen looks for.
keyExt :: DnsSecKey -> String