From d6c8ddb955707cd73f66fcb662ea4616c5715d39 Mon Sep 17 00:00:00 2001
From: Joey Hess
Date: Sun, 4 Jan 2015 13:13:06 -0400
Subject: resign zone if keys change
---
 src/Propellor/Property/Dns.hs | 1 -
 src/Propellor/Property/DnsSec.hs | 13 ++++++++-----
 src/Propellor/Types/PrivData.hs | 2 +-
 3 files changed, 9 insertions(+), 7 deletions(-)
(limited to 'src')
diff --git a/src/Propellor/Property/Dns.hs b/src/Propellor/Property/Dns.hs
index 89180963..38e98eac 100644
--- a/src/Propellor/Property/Dns.hs
+++ b/src/Propellor/Property/Dns.hs
@@ -136,7 +136,6 @@ signedPrimary recurrance hosts domain soa rs = RevertableProperty setup cleanup
 -- TODO put signed zone file in named.conf.
 -- TODO enable dnssec options.
 -- dnssec-enable yes; dnssec-validation yes; dnssec-lookaside auto;
- -- TODO if keys change, resign zone file.
 -- TODO write to entirely different files than does primary,
 -- so that primary can be reverted and signedPrimary enabled,
 -- or vice-versa, without conflicts.
diff --git a/src/Propellor/Property/DnsSec.hs b/src/Propellor/Property/DnsSec.hs
index 201cc003..ba9c2a1b 100644
--- a/src/Propellor/Property/DnsSec.hs
+++ b/src/Propellor/Property/DnsSec.hs
@@ -53,15 +53,18 @@ zoneSigned domain zonefile = RevertableProperty setup cleanup
 dssetfile = dir "-" ++ domain ++ "."
 dir = takeDirectory zonefile
- -- Need to update the signed zone if the zone file
- -- has a newer timestamp.
+ -- Need to update the signed zone file if the zone file or
+ -- any of the keys have a newer timestamp.
 needupdate = do
 v <- catchMaybeIO $ getModificationTime signedzonefile
 case v of
 Nothing -> return True
- Just t1 -> do
- t2 <- getModificationTime zonefile
- return (t2 >= t1)
+ Just t1 -> anyM (newerthan t1) $ zonefile : map (keyFn domain) [minBound..maxBound]
+
+ newerthan t1 f = do
+ t2 <- getModificationTime f
+ return (t2 >= t1)
 forceZoneSigned :: Domain -> FilePath -> Property
 forceZoneSigned domain zonefile = property ("zone signed for " ++ domain) $ liftIO $ do
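Review bot: In the DnsSec.hs hunk, `newerthan` calls `getModificationTime f` unguarded for every key file produced by `map (keyFn domain) [minBound..maxBound]`, so if any one of the four `DnsSecKey` files is missing or unreadable `needupdate` throws instead of answering, while the same stat on `signedzonefile` two lines above is wrapped in `catchMaybeIO`. I would make the helper tolerant and conservative, `t2 <- catchMaybeIO (getModificationTime f)` followed by `return (maybe True (>= t1) t2)`, so a missing key forces a re-sign and `forceZoneSigned` then reports the real error rather than the stat failing inside a freshness check. Note also that mtime comparison only detects a rotated key whose new file carries a newer timestamp; if keys can be installed with timestamps preserved, the zone would keep the signatures made with the old key, and comparing key contents (or a hash of them) would be the safer trigger, though whether that can happen depends on how the key files are written, which is outside this hunk. The `where` clause of `zoneSigned` begins before the hunk and the body of `forceZoneSigned` continues past it.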
diff --git a/src/Propellor/Types/PrivData.hs b/src/Propellor/Types/PrivData.hs
index 636c9658..d6941a77 100644
--- a/src/Propellor/Types/PrivData.hs
+++ b/src/Propellor/Types/PrivData.hs
@@ -104,4 +104,4 @@ data DnsSecKey
 | PrivZSK -- ^ DNSSEC Zone Signing Key (private)
 | PubKSK -- ^ DNSSEC Key Signing Key (public)
 | PrivKSK -- ^ DNSSEC Key Signing Key (private)
- deriving (Read, Show, Ord, Eq)
+ deriving (Read, Show, Ord, Eq, Bounded, Enum)
-- cgit v1.2.3