From 4dd6596919e8e7c14436fb0cabd113664680faf7 Mon Sep 17 00:00:00 2001
From: Joey Hess
Date: Sat, 3 Jan 2015 19:09:02 -0400
Subject: add DnsSec module
---
 src/Propellor/Property/DnsSec.hs | 48 ++++++++++++++++++++++++++++++++++++++++
 1 file changed, 48 insertions(+)
 create mode 100644 src/Propellor/Property/DnsSec.hs
(limited to 'src/Propellor/Property')
diff --git a/src/Propellor/Property/DnsSec.hs b/src/Propellor/Property/DnsSec.hs
new file mode 100644
index 00000000..55a447a1
--- /dev/null
+++ b/src/Propellor/Property/DnsSec.hs
@@ -0,0 +1,48 @@
+module Propellor.Property.DnsSec where
+
+import Propellor
+import Propellor.Property.File
+
+-- | Puts the DNSSEC key files in place from PrivData.
+--
+-- signedPrimary uses this, so this property does not normally need to be
+-- used directly.
+keysInstalled :: Domain -> RevertableProperty
+keysInstalled domain = RevertableProperty setup cleanup
+  where
+	setup = propertyList "DNSSEC keys installed" $
+		map installkey keys
+
+	cleanup = propertyList "DNSSEC keys removed" $
+		map (notPresent . keyFn domain) keys
+
+	installkey k = (if isPublic k then hasPrivContentExposedFrom else hasPrivContentFrom)
+		(keysrc k) (keyFn domain k) (Context domain)
+
+	keys = [ PubZSK, PrivZSK, PubKSK, PrivKSK ]
+
+	keysrc k = PrivDataSource (DnsSec k) $ unwords
+		[ "The file with extension"
+		, keyExt k
+		, " created by running:"
+		, if isZoneSigningKey k
+			then "dnssec-keygen -a RSASHA256 -b 2048 -n ZONE " ++ domain
+			else "dnssec-keygen -f KSK -a RSASHA256 -b 4096 -n ZONE " ++ domain
+		]
+
+-- | The file used for a given key.
+keyFn :: Domain -> DnsSecKey -> FilePath
+keyFn domain k = "/etc/bind/propellor" "K" ++ domain ++ "." ++ show k ++ keyExt k
+
+-- | These are the extensions that dnssec-keygen looks for.
+keyExt :: DnsSecKey -> String
+keyExt k
+	| isPublic k = ".key"
+	| otherwise = ".private"
+
+isPublic :: DnsSecKey -> Bool
+isPublic k = k `elem` [PubZSK, PubKSK]
+
+isZoneSigningKey :: DnsSecKey -> Bool
+isZoneSigningKey k = k `elem` [PubZSK, PrivZSK]
-- cgit v1.2.3
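Review bot: The `keysrc` description hard-codes `dnssec-keygen -a RSASHA256 -b 2048` and `-f KSK -a RSASHA256 -b 4096`, so every operator who follows it generates RSA keys; RFC 8624 now recommends ECDSAP256SHA256 (algorithm 13) as the default, which also avoids the oversized DNSKEY responses a 4096-bit RSA KSK produces, so I would at least say so in the comment above `keysrc`, e.g. `-- The suggested dnssec-keygen arguments are a starting point; ECDSAP256SHA256 (alg 13) is the current recommended default and needs no -b.` The public/private split in `installkey` (exposed vs. non-exposed PrivData) is the security-relevant part of this module and deserves a comment next to it, e.g. `-- Private halves go through hasPrivContentFrom so only root can read them; public halves may be world-readable.` — assuming hasPrivContentFrom restricts the file mode as its name suggests, which is not visible here. `keyFn` also embeds `domain` unvalidated in a path under /etc/bind/propellor; that is fine only if Domain always comes from the host's own trusted config, and a one-line comment stating that assumption would help the next maintainer. Separately, the `keyFn` line as captured reads `"/etc/bind/propellor" "K" ++ ...` with no operator between the two literals, which looks like the path-join operator was lost in extraction rather than a defect in the commit.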