From bf9b770255f1766ac49b2cd17847f3274879e350 Mon Sep 17 00:00:00 2001
From: Joshua Tauberer
Date: Tue, 7 Oct 2014 15:15:22 +0000
Subject: [PATCH] sort SSHFP records so that DNS updates don't trigger spurrious zone changes
---
 management/dns_update.py | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/management/dns_update.py b/management/dns_update.py
index c96618d3..94bd8196 100755
--- a/management/dns_update.py
+++ b/management/dns_update.py
@@ -332,9 +332,11 @@ def build_sshfp_records():
 }
 # Get our local fingerprints by running ssh-keyscan. The output looks
- # like the known_hosts file: hostname, keytype, fingerprint.
+ # like the known_hosts file: hostname, keytype, fingerprint. The order
+ # of the output is arbitrary, so sort it to prevent spurrious updates
+ # to the zone file (that trigger bumping the serial number).
 keys = shell("check_output", ["ssh-keyscan", "localhost"])
- for key in keys.split("\n"):
+ for key in sorted(keys.split("\n")):
 if key.strip() == "" or key[0] == "#": continue
 try:
 host, keytype, pubkey = key.split(" ")
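Review bot: Sorting the raw lines in `for key in sorted(keys.split("\n")):` makes the record order stable, but the set of records still depends on what a single `ssh-keyscan localhost` run returns, so a partial or empty scan would still rewrite the SSHFP set and bump the serial. SSHFP records are what clients doing DNS-based host key verification rely on, so it may be worth keeping the previously published records when the scan yields no keys; how `shell` reports a failed scan is not visible in this hunk, so treat that as an assumption to confirm. At minimum the new comment could state the limit, e.g. `# Sorting only fixes ordering; a partial scan still changes the record set.` The body of build_sshfp_records starts before and continues past this hunk, so the `try:` handling of malformed lines could not be reviewed here.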