Safe Haskell: None
Language: Haskell98
- module Propellor.Types.Dns
- primary :: [Host] -> Domain -> SOA -> [(BindDomain, Record)] -> RevertableProperty (HasInfo + DebianLike) DebianLike
- signedPrimary :: Recurrance -> [Host] -> Domain -> SOA -> [(BindDomain, Record)] -> RevertableProperty (HasInfo + DebianLike) DebianLike
- secondary :: [Host] -> Domain -> RevertableProperty (HasInfo + DebianLike) DebianLike
- secondaryFor :: [HostName] -> [Host] -> Domain -> RevertableProperty (HasInfo + DebianLike) DebianLike
- mkSOA :: Domain -> SerialNumber -> SOA
- writeZoneFile :: Zone -> FilePath -> IO ()
- nextSerialNumber :: Zone -> SerialNumber -> Zone
- adjustSerialNumber :: Zone -> (SerialNumber -> SerialNumber) -> Zone
- serialNumberOffset :: IO SerialNumber
- type WarningMessage = String
- genZone :: [Host] -> Map HostName Host -> Domain -> SOA -> (Zone, [WarningMessage])
Documentation
module Propellor.Types.Dns
primary :: [Host] -> Domain -> SOA -> [(BindDomain, Record)] -> RevertableProperty (HasInfo + DebianLike) DebianLike
Primary DNS server for a domain, using bind.
Currently, this only configures bind to serve forward DNS, not reverse DNS.
Most of the content of the zone file is configured by setting properties of hosts. For example,
host "foo.example.com" $ props & ipv4 "192.168.1.1" & alias "mail.example.com"
will cause that hostname and its alias to appear in the zone file, with the configured IP address.
Also, if a host has an ssh public key configured, an SSHFP record is automatically generated for it.
The [(BindDomain, Record)] list can be used for additional records that cannot be configured elsewhere. This often includes NS records, TXT records, and perhaps CNAMEs pointing at hosts that propellor does not control.
The primary server is configured to only allow zone transfers to secondary DNS servers. These are determined in two ways:
- By looking at the properties of other hosts, to find hosts that are configured as the secondary DNS server.
- By looking for NS records in the passed list of records.
In either case, the secondary DNS server Host should have an ipv4 and/or ipv6 property defined, since those addresses are what bind's zone-transfer ACL is built from; a secondary with no address configured will not be allowed to transfer the zone.
signedPrimary :: Recurrance -> [Host] -> Domain -> SOA -> [(BindDomain, Record)] -> RevertableProperty (HasInfo + DebianLike) DebianLike
Primary DNS server for a domain, secured with DNSSEC.
This is like primary, except the resulting zone file is signed. The Zone Signing Key (ZSK) and Key Signing Key (KSK) used in signing it are taken from the PrivData.
As a side effect of signing the zone, a /var/cache/bind/dsset-domain. file will be created. This file contains the DS records which need to be communicated to your domain registrar before resolvers will validate the domain with DNSSEC. Doing so is outside the scope of propellor (currently). See for example the tutorial https://www.digitalocean.com/community/tutorials/how-to-setup-dnssec-on-an-authoritative-bind-dns-server--2
The Recurrance controls how frequently the signature should be regenerated, using a new random salt, to prevent zone walking attacks. `Weekly Nothing` is a reasonable choice.
To transition from primary to signedPrimary, revert the primary property and add this property.
Note that DNSSEC zone files use a serial number based on the unix epoch. This is different from the serial number used by primary, so if you later want to disable DNSSEC you will need to adjust the serial number passed to mkSOA to ensure it is larger; otherwise secondaries will see the serial go backwards and not pick up the new zone.
secondary :: [Host] -> Domain -> RevertableProperty (HasInfo + DebianLike) DebianLike
Secondary DNS server for a domain.
The primary server is determined by looking at the properties of other hosts to find which one is configured as the primary.
Note that if a host is declared to be both a primary and a secondary DNS server for the same domain, the primary server config always wins.
secondaryFor :: [HostName] -> [Host] -> Domain -> RevertableProperty (HasInfo + DebianLike) DebianLike
Secondary DNS server for a domain, with the primary server(s) named explicitly by the [HostName] list. This variant is useful if the primary server does not have its DNS configured via propellor.
mkSOA :: Domain -> SerialNumber -> SOA
Generates a SOA with some fairly sane numbers in it.
The Domain is the domain to use in the SOA record. Typically something like ns1.example.com. So, not the domain that this is the SOA record for.
The SerialNumber can be whatever serial number was used by the domain before propellor started managing it. Or 0 if the domain has only ever been managed by propellor.
You do not need to increment the SerialNumber when making changes! Propellor will automatically add the number of commits in the git repository to the SerialNumber.
writeZoneFile :: Zone -> FilePath -> IO ()
Write a Zone out to a file.
The serial number in the Zone automatically has the serialNumberOffset added to it. Also, just in case, the old serial number used in the existing zone file is checked, and if it is somehow larger, its succ is used instead, so the serial never goes backwards.
nextSerialNumber :: Zone -> SerialNumber -> Zone
Adjusts the serial number of the zone to always be larger than the serial number in the Zone record, and always be larger than the passed SerialNumber.
adjustSerialNumber :: Zone -> (SerialNumber -> SerialNumber) -> Zone
serialNumberOffset :: IO SerialNumber
Count the number of git commits made to the current branch.
type WarningMessage = String