YADIFAD-CONF(5)                     YADIFA                     YADIFAD-CONF(5)



NAME

       yadifad.conf - configuration file for yadifad(8).

SYNOPSIS

       ${PREFIX}/etc/yadifad.conf

DESCRIPTION

       The configuration of yadifad has several containers:

       <main>
               General container

       <key>  TSIG keys

       <acl>  Access lists

       <nsid> NameServer IDentifier

       <rrl>  Response Rate Limiting directives

       <zone> Description of the domain name in specific attributes.

       <channels>
              Description of the logger outputs.

       <dnssec-policy>
              Description of DNSSEC policies.

       <key-suite>
              Description of the key-suites needed if 'dnssec policies' are
              used.

       <key-roll>
              Description of the key-rolls needed if 'dnssec policies' are
              used.

       <key-template>
              Description of the key-templates needed if 'dnssec policies' are
              used.

       <denial>
              Description of 'denial', which can be used in certain 'dnssec
              policies'.

       The configuration supports included files.
       example: include /etc/yadifa/conf.d/local.conf

       The configuration files can be nested.

       The configuration consists of:

       *      Container, which starts with <container name> and ends with
              </container name>

       *      Variable name

       *      1 or 2 arguments

       *      Arguments can contain 1 or more comma separated values.

       e.g.

       <container>
           # variable  argument
           variable    value1
           # variable  argument1       argument2
           variable    value1          value2
           # variable  argument1
           variable    value1,value2
       </container>


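       The container syntax described above, as an added example that is not
       part of the man page or of the YADIFA sources: a small parser for the
       container / variable / argument structure, with 'include' resolved
       through a caller-supplied loader, plus a helper that turns the <main>
       'listen' values into (address, port) pairs using the 'port' default.
       The page does not state how two arguments are told apart from one
       comma-separated argument, so the rule in split_arguments and the
       treatment of an included file as a complete document are assumptions;
       the sample configuration and the "included" file are constructed.

```python
import shlex
from typing import Callable, Dict, List, Optional, Tuple

# (variable, arguments): each argument is its list of comma-separated values.
Entry = Tuple[str, List[List[str]]]
Container = List[Entry]

def split_arguments(rest: str) -> List[List[str]]:
    # Assumed rule (the page shows both shapes, states none): a comma means one
    # argument of comma-separated values, which may contain spaces ("x port 8053");
    # otherwise split on whitespace (quotes honoured), >2 tokens kept as one value.
    if "," in rest:
        return [[v.strip() for v in rest.split(",") if v.strip()]]
    tokens = shlex.split(rest)
    return [[t] for t in tokens] if len(tokens) <= 2 else [[rest]]

def parse_conf(text: str, loader: Optional[Callable[[str], str]] = None,
               depth: int = 0) -> Dict[str, List[Container]]:
    """Parse into {container name: [instances]}; repeated <zone>s stay separate."""
    if depth > 8:  # includes may nest (the page says so); bound the recursion
        raise ValueError("include nesting too deep")
    containers: Dict[str, List[Container]] = {}
    current: Optional[Container] = None
    name = ""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank or comment line
        parts = line.split(None, 1)
        variable, rest = parts[0], parts[1].strip() if len(parts) > 1 else ""
        if variable == "include":  # assumption: the included text is a complete
            if loader is None:     # document whose containers are merged in here
                raise ValueError(f"line {lineno}: include without a loader")
            for other, found in parse_conf(loader(rest), loader, depth + 1).items():
                containers.setdefault(other, []).extend(found)
        elif line.startswith("</") and line.endswith(">"):
            if current is None or line[2:-1].strip() != name:
                raise ValueError(f"line {lineno}: unexpected {line}")
            current = None
        elif line.startswith("<") and line.endswith(">"):
            if current is not None:
                raise ValueError(f"line {lineno}: nested container {line}")
            name, current = line[1:-1].strip(), []
            containers.setdefault(name, []).append(current)
        elif current is None:
            raise ValueError(f"line {lineno}: {variable!r} outside a container")
        else:
            current.append((variable, split_arguments(rest)))
    if current is not None:
        raise ValueError(f"unterminated <{name}>")
    return containers

def listen_endpoints(conf: Dict[str, List[Container]]) -> List[Tuple[str, int]]:
    """<main> 'listen' as (address, port); entries lacking 'port N' take <main> 'port'."""
    main = dict(conf["main"][0])  # the last definition of a variable wins
    default_port = int(main.get("port", [["53"]])[0][0])
    endpoints = []
    for value in main.get("listen", [[]])[0]:
        address, _, port = value.partition(" port ")
        endpoints.append((address.strip(), int(port) if port else default_port))
    return endpoints

# Constructed sample modelled on the EXAMPLES section (not a real deployment);
# the loader serves the "included" file from a dict instead of the filesystem.
SAMPLE_CONF = """\
include /etc/yadifa/conf.d/local.conf
<main>
    port        53
    listen      127.0.0.1, 192.0.2.2, 192.0.2.130 port 8053, 2001:db8::2
</main>
"""
INCLUDED = {"/etc/yadifa/conf.d/local.conf": "<zone>\n    type master\n</zone>\n"}

def load_sample() -> Dict[str, List[Container]]:
    return parse_conf(SAMPLE_CONF, loader=lambda path: INCLUDED[path])
```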

EXAMPLES

       Examples of containers defined for a configuration file.

       *      Main

              1.     Config with includes

                     # start yadifad.conf <main> container
                     include /etc/yadifa/conf.d/local.conf
                     # end yadifad.conf <main> container


              2.     Main without includes

                     <main>
                         # Detach from the console (alias: daemonize)
                         daemon                  off

                         # Jail the application
                         chroot                  off

                         # The path of the chroot jail (alias: chroot-path)
                         chrootpath              "/chroot/yadifad"

                         # The path of the log files (alias: log-path)
                         logpath                 "/var/log/yadifa"

                         # The location of the pid file (alias: pid-file)
                         pidfile                 "/var/run/yadifa/yadifad.pid"

                         # The path of the zone files (alias: data-path)
                         datapath                "/var/lib/yadifa"

                         # The path of the DNSSEC keys (alias: keys-path)
                         keyspath                "/var/lib/yadifa/keys"

                         # The path of the transfer and journaling files (AXFR & IXFR) (alias: xfr-path)
                         xfrpath                 "/var/lib/yadifa/xfr"

                         # A string returned by a query of hostname. CH TXT
                         # note: if you leave this out, the real hostname will be given back (alias: hostname-chaos)
                         hostname                "server-yadifad"

                         # An ID returned by a query to id.server. CH TXT (alias: serverid-chaos)
                         serverid                "yadifad-01"

                         # The version returned by a query to version.yadifa. CH TXT (alias: version-chaos)
                         version                 "2.3.9"

                         # Set the maximum UDP packet size.
                         # note: the packet size cannot be less than 512 or more than 65535.
                         #       Typical choice is 4096.
                         edns0-max-size          4096

                         # The maximum number of parallel TCP queries (alias: max-tcp-connections)
                         max-tcp-queries         100

                         # The minimum data rate for a TCP query (in bytes per second)
                         tcp-query-min-rate      512

                         # The user id to use (alias: user)
                         uid                     yadifa

                         # The group id to use (alias: group)
                         gid                     yadifa

                         # The DNS port - any DNS query will use that port unless a specific value is used (alias: server-port)
                         port                    53

                         # The interfaces to listen to.
                         # listen        0.0.0.0
                         listen                  127.0.0.1, 192.0.2.2, 192.0.2.130 port 8053, 2001:db8::2

                         # Type of query log to use
                         #   0: none
                         #   1: yadifa
                         #   2: bind
                         #   3: both yadifa and bind
                         queries-log-type        1

                         # Enable the collection and logging of statistics
                         statistics              on

                         # Maximum number of seconds between two statistics lines
                         statistics-max-period   60

                         # Answer queries with erroneous content with FORMERR (off: drop them)
                         #
                         # answer-formerr-packets on
                         answer-formerr-packets  off

                         # Maximum number of records in an AXFR packet. Set to 1 for compatibility
                         # with very old name servers (alias: axfr-max-record-by-packet)
                         axfr-maxrecordbypacket  0

                         # Global Access Control rules
                         #
                         # Rules can be defined on network ranges, TSIG signatures, and ACL rules

                         # simple queries:
                         #
                         # allow-query any
                         allow-query             !192.0.2.251,any

                         # dynamic update of a zone
                         #
                         # allow-update none
                         allow-update            admins

                         # dynamic update of a slave (forwarded to the master)
                         #
                         # allow-update-forwarding   none
                         allow-update-forwarding admins,key abroad-admin-key

                         # transfer of a zone (AXFR or IXFR)
                         #
                         # allow-transfer any
                         allow-transfer          transferer

                         # notify of a change in the master
                         #
                         # allow-notify any
                         allow-notify            master,admins

                         # If YADIFA has the controller enabled, allow control only for these
                         # clients (none by default)
                         allow-control           localhost

                         # Override the number of CPUs detected by yadifad
                         cpu-count-override      3

                         # Set the number of threads to serve queries
                         thread-count-by-address 2

                     </main>


       *      Key
              TSIG-key configuration

              1.     Admin-key key definition (the name is arbitrary)

                     <key>
                         name        abroad-admin-key
                         algorithm   hmac-md5
                         secret      WorthlessKeyForExample==
                     </key>


              2.     Master-slave key definition

                     <key>
                         name        master-slave
                         algorithm   hmac-md5
                         secret      MasterAndSlavesTSIGKey==
                     </key>


       *      ACL
              Access Control List definitions

              1.     Master-slave key use

                     <acl>
                         transferer  key master-slave
                         admins      192.0.2.0/24, 2001:db8::74
                         master      192.0.2.53
                         localhost   127.0.0.0/8, ::1
                     </acl>


       *      NSID
              DNS NameServer IDentifier

              1.     Example with ascii

                     <nsid>
                         ascii belgium-brussels-01
                     </nsid>


              2.     Example with hex

                     <nsid>
                         hex 00320201
                     </nsid>


       *      RRL
              Response Rate Limiting

                     <rrl>
                         # Number of identical responses per second before responses are being limited
                         responses-per-second    5

                         # Number of errors per second before responses are being limited
                         errors-per-second       5

                         # Random slip parameter
                         slip                    10

                         # If enabled, the rate limits are only logged and not enforced
                         log-only                off

                         # Mask applied to group the IPv4 clients
                         ipv4-prefix-length      24

                         # Mask applied to group the IPv6 clients
                         ipv6-prefix-length      56

                         # The following clients are not subject to rate limits (aka whitelist)
                         exempt-clients          none

                         # Enable or disable the rate limit capabilities
                         enabled                 yes
                     </rrl>


       *      Zone

              1.     Master domain zone config

                     <zone>
                         # This server is master for the zone (mandatory)
                         type            master

                         # The domain name (mandatory)
                         domain          mydomain.eu

                         # The zone file, relative to 'datapath' (mandatory for a master) (alias: file-name)
                         file            master/mydomain.eu

                         # List of servers also notified of a change (beside the ones in the zone file) (alias: notifies, notify)
                         also-notify     192.0.2.84, 192.0.2.149

                         # Set the size of the journal file in KB (alias: journal-size-kb)
                         journal-size    8192

                         # Allow dynupdate for these ACL entries
                         allow-update    admins

                         # Allow AXFR/IXFR for these ACL entries
                         allow-transfer  transferer

                         # Use DNSSEC policy "1"; otherwise remove or comment out the line below
                         dnssec-policy   1
                     </zone>


              2.     Slave domain zone config

                     <zone>
                         # This server is slave for that zone (mandatory)
                         type            slave

                         # The domain name (mandatory)
                         domain          myotherdomain.eu

                         # The address of the master (mandatory for a slave, forbidden for a master) (alias: master)
                         masters         192.0.2.53 port 4053 key master-slave

                         # The zone file, relative to 'datapath'.
                         file            slaves/myotherdomain.eu

                         # Accept notifies from these ACL entries
                         allow-notify    master
                     </zone>


       *      DNSSEC-Policy

       DNSSEC-Policy needs some extra sections: key-suite, key-roll, key-template
       (and denial if NSEC3 is configured)

              1.     dnssec-policy example with all the needed sections

                     example with NSEC3
                     <dnssec-policy>
                         id              "1"

                         description     "Example of ZSK and KSK"
                         denial          "nsec3-with-salt-on"
                         key-suite       "zsk-1024"
                         key-suite       "ksk-2048"
                     </dnssec-policy>

                     example with NSEC
                     <dnssec-policy>
                         id              "2"

                         description     "Example of ZSK and KSK"
                         denial          nsec
                         key-suite       "zsk-1024"
                         key-suite       "ksk-2048"
                     </dnssec-policy>


              2.     key-suite
                     <key-suite>
                         id              "ksk-2048"

                         key-template    "ksk-2048"
                         key-roll        "key-roll-ksk-2048-short-times"
                     </key-suite>

                     <key-suite>
                         id              "zsk-1024"

                         key-template    "zsk-1024"
                         key-roll        "key-roll-zsk-1024-short-times"
                     </key-suite>


              3.     key-roll
                     <key-roll>
                         id              "key-roll-ksk-2048-short-times"

                     #   command         minutes    hours      day        month      day-week   week
                         generate        5,35       *          *          *          *          *
                         publish         6,36       *          *          *          *          *
                         activate        7,37       *          *          *          *          *
                         inactive        8,38       *          *          *          *          *
                         remove          12,42      *          *          *          *          *
                     </key-roll>

                     <key-roll>
                         id              "key-roll-zsk-1024-short-times"

                     #   command         minutes    hours      day        month      day-week   week
                         generate        5,35       *          *          *          *          *
                         publish         6,36       *          *          *          *          *
                         activate        7,37       *          *          *          *          *
                         inactive        8,38       *          *          *          *          *
                         remove          12,42      *          *          *          *          *
                     </key-roll>


              4.     key-template
                     <key-template>
                         id              "ksk-2048"

                         ksk             true
                         algorithm       8
                         size            2048
                     </key-template>

                     <key-template>
                         id              "zsk-1024"

                         ksk             false
                         algorithm       8
                         size            1024
                     </key-template>


              5.     denial
                     <denial>
                         id              "nsec3-with-salt-on"

                         salt            "ABCD"
                         algorithm       1
                         iterations      5
                         optout          off
                     </denial>


                     <denial>
                         id              "nsec3-with-salt-length-on"

                         salt-length     4
                         algorithm       1
                         iterations      5
                         optout          off
                     </denial>


       *      Channels

       Logging output-channel configurations:

       The "name" is arbitrary and is used in the <loggers>.
       The "stream-name" defines the output type (i.e. a file name or syslog).
       The "arguments" are specific to the output type (i.e. unix file access
       rights or syslog options and facilities).

              1.     Example: YADIFA running as daemon channel definition.

                     <channels>
                     #   name        stream-name     arguments
                         database    database.log    0644
                         dnssec      dnssec.log      0644
                         server      server.log      0644
                         statistics  statistics.log  0644
                         system      system.log      0644
                         queries     queries.log     0644
                         zone        zone.log        0644
                         all         all.log         0644

                         syslog      syslog          user
                     </channels>


              2.     Example: YADIFA running in debug mode.
                     This example shows the "stderr" and "stdout" channels, which
                     can also be used in the first example, but output to the
                     console.

                     <channels>
                     #   name        stream-name     arguments
                         syslog      syslog          user

                         stderr      STDERR
                         stdout      STDOUT
                     </channels>


       *      Loggers

       Logging input configurations:

       The "bundle" is the name of the section of YADIFA being logged; sources
       are: database, dnssec, queries, server, stats, system, zone.
       The "debuglevel" uses the same names as syslog, or "*" or "all", to
       filter the input.

       The "channels" are a comma-separated list of channels.

              1.     Example without syslog

                     <loggers>
                     #   bundle          debuglevel                          channels
                         database        ALL                                 database,all
                         dnssec          warning                             dnssec,all
                         server          INFO,WARNING,ERR,CRIT,ALERT,EMERG   server,all
                         stats           prod                                statistics
                         system          *                                   system,all
                         queries         *                                   queries
                         zone            *                                   zone,all
                     </loggers>


              2.     Example with syslog

                     <loggers>
                     #   bundle          debuglevel                          channels
                         database        ALL                                 database,syslog
                         dnssec          warning                             dnssec,syslog
                         server          INFO,WARNING,ERR,CRIT,ALERT,EMERG   server,syslog
                         stats           prod                                statistics,syslog
                         system          *                                   system,syslog
                         queries         *                                   queries,syslog
                         zone            *                                   zone,syslog
                     </loggers>


       The defined loggers are:

       system contains low level messages about the system such as memory
              allocation, threading, IOs, timers and cryptography, ...

       database
              contains messages about most lower-level operations in the DNS
              database, i.e. journal, updates, zone loading and sanitization,
              DNS message query resolution, ...

       dnssec contains messages about lower-level DNSSEC operations in the DNS
              database, i.e. status, maintenance, verification, ...

       server contains messages about operations in the DNS server, i.e. start
              up, shutdown, configuration, transfers, various services status
              (database management, network management, DNS notification
              management, dynamic update management, resource rate limiting, ...)

       zone   contains messages about the loading of a zone from a source
              (file parsing, transferred binary zone reading, ...)

       stats  contains the statistics of the server.

       queries
              contains the queries on the server. Queries can be logged with
              the BIND and/or with the YADIFA format.
              BIND format:
              client sender-ip#port: query: fqdn class type +SETDC (listen-ip)
              YADIFA format:
              query [ id ] {+SETDC} fqdn class type (sender-ip#port)
              where:

              id     is the query message id

              +      means the message has the Recursion Desired flag set

              S      means the message is signed with a TSIG

              E      means the message is EDNS

              T      means the message was sent using TCP instead of UDP

              D      means the message has the DNSSEC OK flag set

              C      means the message has the Checking Disabled flag set

              fqdn   is the queried FQDN

              class  is the queried class

              type   is the queried type

              sender-ip
                     is the IP of the client that sent the query

              port   is the port of the client that sent the query

              listen-ip
                     is the listen network interface that received the message

              Note that on YADIFA any unset flag is replaced by a '-', on BIND
              only the '+' follows that rule.
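
              The two query-log shapes above, as an added example that is not
              part of the man page or of the YADIFA sources: a parser for the
              BIND and YADIFA query lines that decodes the +SETDC field under
              each format's rule for unset flags ('-' in every position for
              YADIFA, only the set letters after the '+' or '-' for BIND), and a
              small flag tally of the kind an operator would run over queries.log
              to see how much traffic is TSIG-signed, EDNS, DNSSEC-aware or TCP.
              The sample lines are constructed to the documented shapes, not real
              yadifad output; the exact spacing of '[ id ]' in real output is an
              assumption covered by the optional spaces in the regex.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

FLAG_NAMES = ("rd", "tsig", "edns", "tcp", "do", "cd")  # the +SETDC positions
FLAG_LETTERS = "+SETDC"

# BIND format:   client sender-ip#port: query: fqdn class type +SETDC (listen-ip)
BIND_RE = re.compile(
    r"^client (?P<ip>\S+)#(?P<port>\d+): query: (?P<fqdn>\S+) (?P<cls>\S+) "
    r"(?P<type>\S+) (?P<flags>\S+) \((?P<listen>\S+)\)$")
# YADIFA format: query [ id ] {+SETDC} fqdn class type (sender-ip#port)
YADIFA_RE = re.compile(
    r"^query \[ ?(?P<id>\S+) ?\] \{(?P<flags>[^}]*)\} (?P<fqdn>\S+) (?P<cls>\S+) "
    r"(?P<type>\S+) \((?P<ip>\S+)#(?P<port>\d+)\)$")

@dataclass
class QueryRecord:
    fmt: str
    fqdn: str
    qclass: str
    qtype: str
    sender_ip: str
    port: int
    flags: Dict[str, bool]
    msg_id: Optional[str] = None     # YADIFA format only
    listen_ip: Optional[str] = None  # BIND format only

def parse_flags(token: str, yadifa: bool) -> Dict[str, bool]:
    """Decode +SETDC: YADIFA prints all six positions with '-' for an unset flag;
    BIND prints '+' or '-' for RD and then only the letters that are set."""
    if yadifa:
        if len(token) != 6 or any(c not in (w, "-") for c, w in zip(token, FLAG_LETTERS)):
            raise ValueError(f"bad YADIFA flags {token!r}")
        return {name: c != "-" for name, c in zip(FLAG_NAMES, token)}
    if not token or token[0] not in "+-" or any(c not in "SETDC" for c in token[1:]):
        raise ValueError(f"bad BIND flags {token!r}")
    flags = {"rd": token[0] == "+"}
    flags.update((name, c in token[1:]) for name, c in zip(FLAG_NAMES[1:], "SETDC"))
    return flags

def parse_query_line(line: str) -> Optional[QueryRecord]:
    """Parse one query log line in either format; None if it is neither."""
    m = BIND_RE.match(line)
    if m:
        return QueryRecord("bind", m["fqdn"], m["cls"], m["type"], m["ip"], int(m["port"]),
                           parse_flags(m["flags"], yadifa=False), listen_ip=m["listen"])
    m = YADIFA_RE.match(line)
    if m:
        return QueryRecord("yadifa", m["fqdn"], m["cls"], m["type"], m["ip"], int(m["port"]),
                           parse_flags(m["flags"], yadifa=True), msg_id=m["id"])
    return None

def parse_query_log(lines: Iterable[str]) -> List[QueryRecord]:
    """Parse every recognised line, skipping anything else (e.g. other loggers)."""
    return [r for r in (parse_query_line(l.strip()) for l in lines) if r is not None]

def flag_counts(records: Iterable[QueryRecord]) -> Counter:
    """Queries per set flag: how much traffic is signed, EDNS, DNSSEC-aware or TCP."""
    counts: Counter = Counter()
    for rec in records:
        counts.update(name for name, on in rec.flags.items() if on)
    return counts

# Constructed sample lines in the two documented shapes (not real yadifad output).
SAMPLE_LOG = """\
client 192.0.2.10#51234: query: www.example.com IN A +ED (192.0.2.2)
client 192.0.2.11#40000: query: example.com IN AXFR -ST (192.0.2.2)
query [ 4660 ] {+-E-D-} www.example.com IN A (192.0.2.10#51234)
query [ 4661 ] {-S-T--} example.com IN AXFR (192.0.2.11#40000)
a line from another logger that must be skipped
""".splitlines()
```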

       System operators will mostly be interested in the info and above
       messages of queries and stats, as well as the error and above messages
       of the other loggers.


SEE ALSO

       yadifad(8)

NOTES

       Since unquoted leading whitespace is generally ignored in yadifad.conf,
       you can indent everything to taste.

CHANGES

       Please check the file ChangeLog from the sources.

VERSION

       Version: 2.3.9 of 2019-02-11.

MAILING LISTS

       There exists a mailing list for questions relating to any program in the
       yadifa package:

       *      yadifa-users@mailinglists.yadifa.eu
              for submitting questions/answers.

       *      http://www.yadifa.eu/mailing-list-users
              for subscription requests.

       If you would like to stay informed about new versions and official
       patches, send a subscription request via:

       *      http://www.yadifa.eu/mailing-list-announcements

       (this is a read-only list).

       Copyright
              (C)2011-2018, EURid
              B-1831 Diegem, Belgium
              info@yadifa.eu

AUTHORS

       Gery Van Emelen
       Email: Gery.VanEmelen@EURid.eu
       Eric Diaz Fernandez
       Email: Eric.DiazFernandez@EURid.eu

       WWW: http://www.EURid.eu

YADIFA                            P018-02-12                   YADIFAD-CONF(5)