X-Git-Url: https://git.adam-barratt.org.uk/?a=blobdiff_plain;f=modules%2Fnamed%2Fmanifests%2Fprimary.pp;h=f256814156252b5c43e813a3c1daa6daa99fd14f;hb=f54c4f0e27d1ff4c0805a8b6902f0b7e1b772b19;hp=75d50d296ebb29a93bc9dbad7afb07348b783c12;hpb=1deaf341016c4b7f741c1a3f6e36673852f93824;p=mirror%2Fdsa-puppet.git
diff --git a/modules/named/manifests/primary.pp b/modules/named/manifests/primary.pp
index 75d50d296..f25681415 100644
--- a/modules/named/manifests/primary.pp
+++ b/modules/named/manifests/primary.pp
@@ -1,7 +1,7 @@
 class named::primary inherits named::authoritative {
 include dnsextras::entries
- @ferm::rule { '01-dsa-bind-4':
+ ferm::rule { '01-dsa-bind-4':
 domain => '(ip ip6)',
 description => 'Allow nameserver access',
 rule => '&TCP_UDP_SERVICE_RANGE(53, ( $HOST_DNS_GEO $HOST_NAGIOS $HOST_RCODE0 $HOST_EASYDNS $HOST_NETNOD ) )',
@@ -40,6 +40,9 @@ class named::primary inherits named::authoritative {
 dnsnodeapi-ACL;
 };
 also-notify {
+ rcode0-masters;
+ dnsnode-masters;
+ dnsnodeapi-masters;
 };
 key-directory "/srv/dns.debian.org/var/keys/_openpgpkey.debian.org";
@@ -49,4 +52,16 @@ class named::primary inherits named::authoritative {
 };
 | EOF
 }
+
+ concat::fragment { 'dsa-puppet-stuff--nsec3':
+ target => '/etc/cron.d/dsa-puppet-stuff',
+ content => @(EOF)
+ 13 19 4 * * root chronic /usr/sbin/rndc signing -nsec3param 1 0 16 $(head -c 20 /dev/urandom | sha512sum | cut -b 1-10) debian.net
+ 29 12 7 * * root chronic /usr/sbin/rndc signing -nsec3param 1 0 16 $(head -c 20 /dev/urandom | sha512sum | cut -b 1-10) debian.org
+ 32 12 7 * * root chronic /usr/sbin/rndc signing -nsec3param 1 0 16 $(head -c 20 /dev/urandom | sha512sum | cut -b 1-10) debconf.org
+ 36 12 7 * * root chronic /usr/sbin/rndc signing -nsec3param 1 0 16 $(head -c 20 /dev/urandom | sha512sum | cut -b 1-10) _openpgpkey.debian.org
+
+ | EOF
+ }
+
 }
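Review bot: The three names added inside `also-notify` (`rcode0-masters`, `dnsnode-masters`, `dnsnodeapi-masters`) have no definition in the visible lines, so the zone only loads if matching `masters` lists exist elsewhere in the generated configuration. The enclosing zone statement starts and ends outside the hunk, so it is not possible to tell from here whether these NOTIFY targets line up with the ACL list that ends at `dnsnodeapi-ACL;` just above. I would add a one-line comment inside the block, e.g. `// NOTIFY targets: keep in step with the *-ACL entries listed above`, so the two lists are not edited independently. Running `named-checkconf` on the rendered file before deployment would catch a missing list definition.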
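Review bot: The four cron entries in the `dsa-puppet-stuff--nsec3` fragment pin NSEC3 to 16 additional iterations and a monthly re-salt, and nothing in the heredoc records why. RFC 9276 recommends zero iterations and an empty salt, because both add cost for the signer and for resolvers while doing little to slow zone enumeration. If the rotation is kept, the `head -c 20 /dev/urandom | sha512sum | cut -b 1-10` pipeline can be replaced by rndc's own salt keyword, e.g. `rndc signing -nsec3param 1 0 16 auto debian.net`, assuming the deployed BIND version accepts `auto`. A leading comment such as `# monthly NSEC3 salt rotation, one line per signed zone` would also help, since the four lines differ only in schedule and zone name.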