propellor-2.7.0: property-based host configuration management in haskell

Safe Haskell: None
Language: Haskell98

Propellor.Property.Dns

Documentation

primary :: [Host] -> Domain -> SOA -> [(BindDomain, Record)] -> RevertableProperty

Primary dns server for a domain.

Most of the content of the zone file is configured by setting properties of hosts. For example,

host "foo.example.com"
  & ipv4 "192.168.1.1"
  & alias "mail.example.com"

will cause that hostname and its alias to appear in the zone file, with the configured IP address.

Also, if a host has an ssh public key configured, an SSHFP record will be automatically generated for it.

The [(BindDomain, Record)] list can be used for additional records that cannot be configured elsewhere. This often includes NS records, TXT records and perhaps CNAMEs pointing at hosts that propellor does not control.

The primary server is configured to only allow zone transfers to secondary dns servers. These are determined in two ways:

  1. By looking at the properties of other hosts, to find hosts that are configured as the secondary dns server.
  2. By looking for NS records in the passed list of records.

In either case, the secondary dns server Host should have an ipv4 and/or ipv6 property defined.

signedPrimary :: Recurrance -> [Host] -> Domain -> SOA -> [(BindDomain, Record)] -> RevertableProperty

Primary dns server for a domain, secured with DNSSEC.

This is like primary, except the resulting zone file is signed. The Zone Signing Key (ZSK) and Key Signing Key (KSK) used in signing it are taken from the PrivData.

As a side effect of signing the zone, a /var/cache/bind/dsset-domain. file (where domain is the zone's name) will be created. This file contains the DS records which need to be communicated to your domain registrar to enable DNSSEC for your domain. Doing so is outside the scope of propellor (currently). See for example the tutorial https://www.digitalocean.com/community/tutorials/how-to-setup-dnssec-on-an-authoritative-bind-dns-server--2

The Recurrance controls how frequently the signature should be regenerated, using a new random salt, to prevent zone walking attacks. `Weekly Nothing` is a reasonable choice.

To transition from primary to signedPrimary, you can revert the primary property, and add this property.

Note that DNSSEC zone files use a serial number based on the unix epoch. This is different from the serial number used by primary, so if you want to later disable DNSSEC you will need to adjust the serial number passed to mkSOA to ensure it is larger.

secondary :: [Host] -> Domain -> RevertableProperty

Secondary dns server for a domain.

The primary server is determined by looking at the properties of other hosts to find which one is configured as the primary.

Note that if a host is declared to be a primary and a secondary dns server for the same domain, the primary server config always wins.

secondaryFor :: [HostName] -> [Host] -> Domain -> RevertableProperty

This variant is useful if the primary server does not have its DNS configured via propellor.

mkSOA :: Domain -> SerialNumber -> SOA

Generates a SOA with some fairly sane numbers in it.

The Domain is the domain to use in the SOA record. Typically something like ns1.example.com. So, not the domain that this is the SOA record for.

The SerialNumber can be whatever serial number was used by the domain before propellor started managing it. Or 0 if the domain has only ever been managed by propellor.

You do not need to increment the SerialNumber when making changes! Propellor will automatically add the number of commits in the git repository to the SerialNumber.
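The following config.hs ties together primary, secondary and mkSOA as described above. It is an added example, not code from propellor's documentation; every host name and address in it is made up, and it assumes the Propellor.Types.Dns constructors (RootDomain, RelDomain, AbsDomain, NS, MX, TXT, CNAME) and defaultMain from Propellor.CmdLine.

```haskell
-- config.hs: ns1 is the primary for example.com, ns2 a secondary, and a
-- plain web host contributes records through its ipv4/alias properties.
import Propellor
import Propellor.CmdLine
import qualified Propellor.Property.Dns as Dns

main :: IO ()
main = defaultMain hosts

hosts :: [Host]
hosts = [ns1, ns2, ns3, web]

-- Primary: the body of the zone is derived from the ipv4/alias properties
-- of every host in `hosts` that lies within example.com; the record list
-- passed here only adds what propellor cannot derive on its own.
-- Zone transfers are allowed to ns2 (found via its secondary property)
-- and to ns3 (found via its NS record); both must carry an ipv4 property
-- so the primary can resolve them to an allow-transfer address.
ns1 :: Host
ns1 = host "ns1.example.com"
    & ipv4 "203.0.113.10"
    & Dns.primary hosts "example.com"
        (Dns.mkSOA "ns1.example.com" 100)  -- 100: serial in use before propellor
        [ (RootDomain, NS (AbsDomain "ns1.example.com"))
        , (RootDomain, NS (AbsDomain "ns2.example.com"))
        , (RootDomain, NS (AbsDomain "ns.example.net"))
        , (RootDomain, MX 10 (AbsDomain "mail.example.com"))
        , (RootDomain, TXT "v=spf1 mx -all")
        , (RelDomain "www", CNAME (AbsDomain "web.example.com"))
        ]

-- Secondary: locates ns1 as the primary by scanning `hosts`.
ns2 :: Host
ns2 = host "ns2.example.com"
    & ipv4 "198.51.100.20"
    & Dns.secondary hosts "example.com"

-- A secondary outside propellor's control: it is only known through the
-- NS record above, so a Host with an address must still exist for it.
ns3 :: Host
ns3 = host "ns.example.net"
    & ipv4 "192.0.2.53"

-- Not a nameserver, yet its A record and the mail.example.com alias end
-- up in the example.com zone; an ssh pubKey property would add an SSHFP.
web :: Host
web = host "web.example.com"
    & ipv4 "203.0.113.80"
    & alias "mail.example.com"
```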

writeZoneFile :: Zone -> FilePath -> IO ()

Write a Zone out to a file.

The serial number in the Zone automatically has the serialNumberOffset added to it. Also, just in case, the old serial number used in the zone file is checked, and if it is somehow larger, its succ is used.

nextSerialNumber :: Zone -> SerialNumber -> Zone

Adjusts the serial number of the zone to always be larger than the serial number in the Zone record, and always be larger than the passed SerialNumber.

serialNumberOffset :: IO SerialNumber

Count the number of git commits made to the current branch.

genZone :: [Host] -> Map HostName Host -> Domain -> SOA -> (Zone, [WarningMessage])

Generates a Zone for a particular Domain from the DNS properties of all hosts that propellor knows about that are in that Domain.

Does not include SSHFP records.