-rw-r--r--config-joey.hs22
-rw-r--r--src/Propellor/Property/Dns.hs5
2 files changed, 8 insertions, 19 deletions
diff --git a/config-joey.hs b/config-joey.hs
index 73674ea6..8cfb9250 100644
--- a/config-joey.hs
+++ b/config-joey.hs
@@ -253,10 +253,10 @@ diatom = standardSystem "diatom.kitenet.net" (Stable "wheezy") "amd64"
& JoeySites.oldUseNetServer hosts
& alias "ns2.kitenet.net"
- & myDnsPrimary "kitenet.net" []
- & myDnsPrimary' "joeyh.name" []
- & myDnsPrimary "ikiwiki.info" []
- & myDnsPrimary "olduse.net"
+ & myDnsPrimary False "kitenet.net" []
+ & myDnsPrimary True "joeyh.name" []
+ & myDnsPrimary False "ikiwiki.info" []
+ & myDnsPrimary False "olduse.net"
[ (RelDomain "article",
CNAME $ AbsDomain "virgil.koldfront.dk") ]
@@ -433,18 +433,8 @@ branchableSecondary = Dns.secondaryFor ["branchable.com"] hosts "branchable.com"
-- Currently using diatom (ns2) as primary with secondaries
-- elephant (ns3) and gandi.
-- kite handles all mail.
-myDnsPrimary :: Domain -> [(BindDomain, Record)] -> RevertableProperty
-myDnsPrimary domain extras = Dns.primary hosts domain
- (Dns.mkSOA "ns2.kitenet.net" 100) $
- [ (RootDomain, NS $ AbsDomain "ns2.kitenet.net")
- , (RootDomain, NS $ AbsDomain "ns3.kitenet.net")
- , (RootDomain, NS $ AbsDomain "ns6.gandi.net")
- , (RootDomain, MX 0 $ AbsDomain "kitenet.net")
- -- SPF only allows IP address of kitenet.net to send mail.
- , (RootDomain, TXT "v=spf1 a:kitenet.net -all")
- ] ++ extras
-myDnsPrimary' :: Domain -> [(BindDomain, Record)] -> RevertableProperty
-myDnsPrimary' domain extras = Dns.signedPrimary Daily hosts domain
+myDnsPrimary :: Bool -> Domain -> [(BindDomain, Record)] -> RevertableProperty
+myDnsPrimary dnssec domain extras = (if dnssec then Dns.signedPrimary (Weekly Nothing) else Dns.primary) hosts domain
(Dns.mkSOA "ns2.kitenet.net" 100) $
[ (RootDomain, NS $ AbsDomain "ns2.kitenet.net")
, (RootDomain, NS $ AbsDomain "ns3.kitenet.net")
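Review bot: The new `Bool` parameter in `myDnsPrimary`'s signature is boolean-blind: at the call sites this commit updates, `myDnsPrimary False "kitenet.net" []` gives no hint that `False` means "leave this zone unsigned", and a reader has to find the definition to learn which zones get DNSSEC. A two-constructor type makes the signing decision legible in config-joey.hs and leaves room for a further mode (say, a different re-sign schedule) without another positional flag. The rewrite below adds `data DnsSigning = Signed | Unsigned` and picks the property in a `where` clause so the record list is untouched; the call sites would then read `myDnsPrimary Signed "joeyh.name" []`. Separately, the hunk changes the NSEC3 re-salt interval for every signed zone from `Daily` to `Weekly Nothing`; that is presumably deliberate, but re-salting only raises the cost of hashing candidate names offline and should not be relied on to prevent zone enumeration. The record list and the `++ extras` concatenation continue past the end of the hunk.
```haskell
data DnsSigning = Signed | Unsigned

myDnsPrimary :: DnsSigning -> Domain -> [(BindDomain, Record)] -> RevertableProperty
myDnsPrimary signing domain extras = mkPrimary hosts domain
	(Dns.mkSOA "ns2.kitenet.net" 100) $
	-- … unchanged: NS, MX and SPF records ++ extras …
  where
	mkPrimary = case signing of
		Signed -> Dns.signedPrimary (Weekly Nothing)
		Unsigned -> Dns.primary
```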
diff --git a/src/Propellor/Property/Dns.hs b/src/Propellor/Property/Dns.hs
index e9c7c769..b5c97d35 100644
--- a/src/Propellor/Property/Dns.hs
+++ b/src/Propellor/Property/Dns.hs
@@ -126,15 +126,14 @@ cleanupPrimary zonefile domain = check (doesFileExist zonefile) $
--
-- The 'Recurrance' controls how frequently the signature
-- should be regenerated, using a new random salt, to prevent
--- zone walking attacks. `Daily` is a reasonable choice.
+-- zone walking attacks. `Weekly Nothing` is a reasonable choice.
signedPrimary :: Recurrance -> [Host] -> Domain -> SOA -> [(BindDomain, Record)] -> RevertableProperty
signedPrimary recurrance hosts domain soa rs = RevertableProperty setup cleanup
where
- -- TODO enable dnssec options.
- -- dnssec-enable yes; dnssec-validation yes; dnssec-lookaside auto;
setup = combineProperties ("dns primary for " ++ domain ++ " (signed)")
[ setupPrimary zonefile signedZoneFile hosts domain soa rs'
, toProp (zoneSigned domain zonefile)
+ , forceZoneSigned domain zonefile `period` recurrance
]
`onChange` Service.reloaded "bind9"