authorJoey Hess2015-01-04 13:13:06 -0400
committerJoey Hess2015-01-04 13:13:06 -0400
commitd6c8ddb955707cd73f66fcb662ea4616c5715d39 (patch)
treeef298b9111dbdfaf53180530f5ecf18ebb7fdf12 /src
parent01d8ab0cfd5e65395afc242f8307a67c48ec8544 (diff)
resign zone if keys change
Diffstat (limited to 'src')
-rw-r--r--src/Propellor/Property/Dns.hs1
-rw-r--r--src/Propellor/Property/DnsSec.hs13
-rw-r--r--src/Propellor/Types/PrivData.hs2
3 files changed, 9 insertions, 7 deletions
diff --git a/src/Propellor/Property/Dns.hs b/src/Propellor/Property/Dns.hs
index 89180963..38e98eac 100644
--- a/src/Propellor/Property/Dns.hs
+++ b/src/Propellor/Property/Dns.hs
@@ -136,7 +136,6 @@ signedPrimary recurrance hosts domain soa rs = RevertableProperty setup cleanup
-- TODO put signed zone file in named.conf.
-- TODO enable dnssec options.
-- dnssec-enable yes; dnssec-validation yes; dnssec-lookaside auto;
- -- TODO if keys change, resign zone file.
-- TODO write to entirely different files than does primary,
-- so that primary can be reverted and signedPrimary enabled,
-- or vice-versa, without conflicts.
diff --git a/src/Propellor/Property/DnsSec.hs b/src/Propellor/Property/DnsSec.hs
index 201cc003..ba9c2a1b 100644
--- a/src/Propellor/Property/DnsSec.hs
+++ b/src/Propellor/Property/DnsSec.hs
@@ -53,15 +53,18 @@ zoneSigned domain zonefile = RevertableProperty setup cleanup
dssetfile = dir </> "-" ++ domain ++ "."
dir = takeDirectory zonefile
- -- Need to update the signed zone if the zone file
- -- has a newer timestamp.
+ -- Need to update the signed zone file if the zone file or
+ -- any of the keys have a newer timestamp.
needupdate = do
v <- catchMaybeIO $ getModificationTime signedzonefile
case v of
Nothing -> return True
- Just t1 -> do
- t2 <- getModificationTime zonefile
- return (t2 >= t1)
+ Just t1 -> anyM (newerthan t1) $
+ zonefile : map (keyFn domain) [minBound..maxBound]
+
+ newerthan t1 f = do
+ t2 <- getModificationTime f
+ return (t2 >= t1)
forceZoneSigned :: Domain -> FilePath -> Property
forceZoneSigned domain zonefile = property ("zone signed for " ++ domain) $ liftIO $ do
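Review bot: The new `newerthan` helper at the end of the hunk calls `getModificationTime` unguarded, so if any of the key files enumerated via `keyFn domain` is not present yet, `needupdate` aborts with an IOException instead of returning an answer, whereas the signed-zone lookup a few lines above is wrapped in `catchMaybeIO`. If a missing key should force a (re)sign attempt, which then fails with the signer's own diagnostic, `newerthan t1 f = maybe True (>= t1) <$> catchMaybeIO (getModificationTime f)` keeps the two lookups consistent; if a missing key is meant to be a hard failure, a one-line comment saying so would make that deliberate. The updated comment ("Need to update the signed zone file if the zone file or any of the keys have a newer timestamp") could also state that this is a timestamp heuristic, not an integrity check: a key replaced with its mtime preserved (e.g. restored from backup) will not trigger a resign. The enclosing zoneSigned definition and keyFn start outside the hunk, and anyM is presumably a monadic any from a project utility module.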
diff --git a/src/Propellor/Types/PrivData.hs b/src/Propellor/Types/PrivData.hs
index 636c9658..d6941a77 100644
--- a/src/Propellor/Types/PrivData.hs
+++ b/src/Propellor/Types/PrivData.hs
@@ -104,4 +104,4 @@ data DnsSecKey
| PrivZSK -- ^ DNSSEC Zone Signing Key (private)
| PubKSK -- ^ DNSSEC Key Signing Key (public)
| PrivKSK -- ^ DNSSEC Key Signing Key (private)
- deriving (Read, Show, Ord, Eq)
+ deriving (Read, Show, Ord, Eq, Bounded, Enum)