YADIFAD-CONF(5)                     YADIFA                     YADIFAD-CONF(5)


NAME
       yadifad.conf - configuration file for yadifad(8).
7
FILES
       ${PREFIX}/etc/yadifad.conf
10
DESCRIPTION
       The configuration of yadifad has several containers:

       <main> General container

       <key>  TSIG keys

       <acl>  Access lists

       <nsid> NameServer IDentifier

       <rrl>  Response Rate Limiting directives

       <zone> Description of a domain name and its specific attributes.

       <channels>
              Description of the logger outputs.

       <dnssec-policy>
              Description of DNSSEC policies.

       <key-suite>
              Description of the key-suites needed if 'dnssec policies' are
              used.

       <key-roll>
              Description of the key-rolls needed if 'dnssec policies' are
              used.

       <key-template>
              Description of the key-templates needed if 'dnssec policies' are
              used.

       <denial>
              Description of 'denial', which can be used in certain 'dnssec
              policies'.

       The configuration supports included files.
       Example: include /etc/yadifa/conf.d/local.conf

       Configuration files can be nested: an included file may itself include
       other files.

       The configuration consists of:

       * Container, which starts with <container name> and ends with
         </container name>

       * Variable name

       * 1 or 2 arguments

       * Arguments can contain 1 or more comma separated values.

       e.g.:

       <container>
           # variable argument
           variable value1
           # variable argument1 argument2
           variable value1 value2
           # variable argument1
           variable value1,value2
       </container>

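       As an added example (not part of the yadifad sources), a small Python
       parser for the container / variable / argument syntax described above,
       including nested include files. The file contents and the include
       target are constructed in memory so it runs offline; treating '#' as a
       comment marker and stripping double quotes from values are assumptions.

```python
import re

# Constructed sample files in the yadifad.conf syntax described above.
# Includes are resolved from this in-memory dict so the example runs offline.
FILES = {
    "/etc/yadifa/yadifad.conf": (
        "<main>\n"
        "    daemon off\n"
        "    include /etc/yadifa/conf.d/local.conf\n"
        "    allow-query !192.0.2.251,any   # one argument, two values\n"
        "</main>\n"
        "<acl>\n"
        "    admins 192.0.2.0/24,2001:db8::74\n"
        "</acl>\n"
    ),
    "/etc/yadifa/conf.d/local.conf": 'port 53\nchrootpath "/chroot/yadifad"\n',
}

def parse_conf(path, files=FILES, result=None, current=None, depth=0):
    """Return {container: {variable: [arguments]}}, where every argument is
    the list of its comma-separated values. Lines of an included file land in
    the container that was open at the 'include' line; nesting is capped so a
    file that includes itself cannot recurse forever."""
    if depth > 8:
        raise ValueError("include nesting too deep at %s" % path)
    result = {} if result is None else result
    for raw in files[path].splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and indentation
        if not line:
            continue
        if line.startswith("</"):                # </container> closes it
            current = None
            continue
        m = re.fullmatch(r"<([^/>\s]+)>", line)  # <container> opens it
        if m:
            current = m.group(1)
            result.setdefault(current, {})
            continue
        name, rest = (line.split(None, 1) + [""])[:2]
        if name == "include":
            parse_conf(rest.strip(), files, result, current, depth + 1)
            continue
        # whitespace separates arguments, commas separate values inside one
        args = [[v.strip('"') for v in tok.split(",")] for tok in rest.split()]
        result.setdefault(current, {})[name] = args
    return result
```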
76
EXAMPLES
       Examples of containers defined for a configuration file.

       * Main

       1. Config with includes

       # start yadifad.conf <main> container
       include /etc/yadifa/conf.d/local.conf
       # end yadifad.conf <main> container


       2. Main without includes

       <main>
           # Detach from the console (alias: daemonize)
           daemon off

           # Jail the application
           chroot off

           # The directory to chroot into (alias: chroot-path)
           chrootpath "/chroot/yadifad"

           # The path of the log files (alias: log-path)
           logpath "/var/log/yadifa"

           # The location of the pid file (alias: pid-file)
           pidfile "/var/run/yadifa/yadifad.pid"

           # The path of the zone files (alias: data-path)
           datapath "/var/lib/yadifa"

           # The path of the DNSSEC keys (alias: keys-path)
           keyspath "/var/lib/yadifa/keys"

           # The path of the transfer and journaling files (AXFR & IXFR) (alias: xfr-path)
           xfrpath "/var/lib/yadifa/xfr"

           # A string returned by a query of hostname. CH TXT
           # note: if you leave this out, the real hostname will be given back (alias: hostname-chaos)
           hostname "server-yadifad"

           # An ID returned by a query to id.server. CH TXT (alias: serverid-chaos)
           serverid "yadifad-01"

           # The version returned by a query to version.yadifa. CH TXT (alias: version-chaos)
           version "2.3.9"

           # Set the maximum UDP packet size.
           # note: the packetsize cannot be less than 512 or more than 65535.
           # Typical choice is 4096.
           edns0-max-size 4096

           # The maximum number of parallel TCP queries (alias: max-tcp-connections)
           max-tcp-queries 100

           # The minimum data rate for a TCP query (in bytes per second)
           tcp-query-min-rate 512

           # The user id to use (alias: user)
           uid yadifa

           # The group id to use (alias: group)
           gid yadifa

           # The DNS port - any DNS query will use that port unless a specific value is used (alias: server-port)
           port 53

           # The interfaces to listen to.
           # listen 0.0.0.0
           listen 127.0.0.1, 192.0.2.2, 192.0.2.130 port 8053, 2001:db8::2

           # Type of querylog to use
           # 0: none
           # 1: yadifa
           # 2: bind
           # 3: both yadifa and bind
           queries-log-type 1

           # Enable the collection and logging of statistics
           statistics on

           # Maximum number of seconds between two statistics lines
           statistics-max-period 60

           # Drop queries with erroneous content
           #
           # answer-formerr-packets on
           answer-formerr-packets off

           # Maximum number of records in an AXFR packet. Set to 1 for compatibility
           # with very old name servers (alias: axfr-max-record-by-packet)
           axfr-maxrecordbypacket 0

           # Global Access Control rules
           #
           # Rules can be defined on network ranges, TSIG signatures, and ACL rules

           # simple queries:
           #
           # allow-query any
           allow-query !192.0.2.251,any

           # dynamic update of a zone
           #
           # allow-update none
           allow-update admins

           # dynamic update of a slave (forwarded to the master)
           #
           # allow-update-forwarding none
           allow-update-forwarding admins,key abroad-admin-key

           # transfer of a zone (AXFR or IXFR)
           #
           # allow-transfer any
           allow-transfer transferer

           # notify of a change in the master
           #
           # allow-notify any
           allow-notify master,admins

           # If YADIFA has the controller enabled, allow control only for these
           # clients (none by default)
           allow-control localhost

           # override the number of CPUs detected by yadifad
           cpu-count-override 3

           # set the number of threads to serve queries
           thread-count-by-address 2

       </main>
212
213
       * Key
         TSIG-key configuration

       1. Admin-key key definition (the name is arbitrary)

       <key>
           name abroad-admin-key
           algorithm hmac-md5
           secret WorthlessKeyForExample==
       </key>


       2. Master-slave key definition

       <key>
           name master-slave
           algorithm hmac-md5
           secret MasterAndSlavesTSIGKey==
       </key>


       * ACL
         Access Control List definitions

       1. Master-slave key use

       <acl>
           transferer key master-slave
           admins 192.0.2.0/24, 2001:db8::74
           master 192.0.2.53
           localhost 127.0.0.0/8, ::1
       </acl>


       * NSID
         DNS NameServer IDentifier

       1. Example with ASCII

       <nsid>
           ascii belgium-brussels-01
       </nsid>


       2. Example with hex

       <nsid>
           hex 00320201
       </nsid>


       * RRL
         Response Rate Limiting

       <rrl>
           # Number of identical responses per second before responses are limited
           responses-per-second 5

           # Number of errors per second before responses are limited
           errors-per-second 5

           # Random slip parameter
           slip 10

           # If enabled, the rate limits are only logged and not enforced
           log-only off

           # Mask applied to group the IPv4 clients
           ipv4-prefix-length 24

           # Mask applied to group the IPv6 clients
           ipv6-prefix-length 56

           # Rate limits are not applied to the following clients (aka whitelist)
           exempt-clients none

           # Enable or disable the rate limit capabilities
           enabled yes
       </rrl>
293
294
       * Zone

       1. Master domain zone config

       <zone>
           # This server is master for the zone (mandatory)
           type master

           # The domain name (mandatory)
           domain mydomain.eu

           # The zone file, relative to 'datapath' (mandatory for a master) (alias: file-name)
           file master/mydomain.eu

           # List of servers also notified of a change (besides the ones in the zone file) (alias: notifies, notify)
           also-notify 192.0.2.84, 192.0.2.149

           # Set the size of the journal file in KB (alias: journal-size-kb)
           journal-size 8192

           # Allow dynupdate for these ACL entries
           allow-update admins

           # Allow AXFR/IXFR for these ACL entries
           allow-transfer transferer

           # Use a DNSSEC policy; otherwise remove or comment out the line below
           dnssec-policy 1
       </zone>


       2. Slave domain zone config

       <zone>
           # This server is slave for that zone (mandatory)
           type slave

           # The domain name (mandatory)
           domain myotherdomain.eu

           # The address of the master (mandatory for a slave, forbidden for a master) (alias: master)
           masters 192.0.2.53 port 4053 key master-slave

           # The zone file, relative to 'datapath'.
           file slaves/myotherdomain.eu

           # Accept notifies from these ACL entries
           allow-notify master
       </zone>
344
345
       * DNSSEC-Policy

       DNSSEC-Policy needs some extra sections: key-suite, key-roll,
       key-template (and denial if NSEC3 is configured)

       1. dnssec-policy example with all the needed sections

       example with NSEC3
       <dnssec-policy>
           id "1"

           description "Example of ZSK and KSK"
           denial "nsec3-with-salt-on"
           key-suite "zsk-1024"
           key-suite "ksk-2048"
       </dnssec-policy>

       example with NSEC
       <dnssec-policy>
           id "2"

           description "Example of ZSK and KSK"
           denial nsec
           key-suite "zsk-1024"
           key-suite "ksk-2048"
       </dnssec-policy>


       2. key-suite
       <key-suite>
           id "ksk-2048"

           key-template "ksk-2048"
           key-roll "key-roll-ksk-2048-short-times"
       </key-suite>

       <key-suite>
           id "zsk-1024"

           key-template "zsk-1024"
           key-roll "key-roll-zsk-1024-short-times"
       </key-suite>


       3. key-roll
       <key-roll>
           id "key-roll-ksk-2048-short-times"

           # command  minutes  hours  day  month  day-week  week
           generate   5,35     *      *    *      *         *
           publish    6,36     *      *    *      *         *
           activate   7,37     *      *    *      *         *
           inactive   8,38     *      *    *      *         *
           remove     12,42    *      *    *      *         *
       </key-roll>

       <key-roll>
           id "key-roll-zsk-1024-short-times"

           # command  minutes  hours  day  month  day-week  week
           generate   5,35     *      *    *      *         *
           publish    6,36     *      *    *      *         *
           activate   7,37     *      *    *      *         *
           inactive   8,38     *      *    *      *         *
           remove     12,42    *      *    *      *         *
       </key-roll>


       4. key-template
       <key-template>
           id "ksk-2048"

           ksk true
           algorithm 8
           size 2048
       </key-template>

       <key-template>
           id "zsk-1024"

           ksk false
           algorithm 8
           size 1024
       </key-template>


       5. denial
       <denial>
           id "nsec3-with-salt-on"

           salt "ABCD"
           algorithm 1
           iterations 5
           optout off
       </denial>


       <denial>
           id "nsec3-with-salt-length-on"

           salt-length 4
           algorithm 1
           iterations 5
           optout off
       </denial>
451
452
       * Channels

       Logging output-channel configurations:

       The "name" is arbitrary and is used in the <loggers>.
       The "stream-name" defines the output type (i.e. a file name or syslog).
       The "arguments" are specific to the output type (i.e. unix file access
       rights or syslog options and facilities).

       1. Example: channel definition for YADIFA running as a daemon.

       <channels>
           # name        stream-name      arguments
           database      database.log     0644
           dnssec        dnssec.log       0644
           server        server.log       0644
           statistics    statistics.log   0644
           system        system.log       0644
           queries       queries.log      0644
           zone          zone.log         0644
           all           all.log          0644

           syslog        syslog           user
       </channels>


       2. Example: YADIFA running in debug mode.
          This example shows the "stderr" and "stdout" channels, which can
          also be used in the first example but output to the console.

       <channels>
           # name        stream-name      arguments
           syslog        syslog           user

           stderr        STDERR
           stdout        STDOUT
       </channels>
491
492
       * Loggers

       Logging input configurations:

       The "bundle" is the name of the section of YADIFA being logged; sources
       are: database, dnssec, queries, server, stats, system, zone.
       The "debuglevel" uses the same names as syslog, or "*" or "all", to
       filter the input.

       The "channels" are a comma-separated list of channels.

       1. Example without syslog

       <loggers>
           # bundle   debuglevel                               channels
           database   ALL                                      database,all
           dnssec     warning                                  dnssec,all
           server     INFO,WARNING,ERR,CRIT,ALERT,EMERG        server,all
           stats      prod                                     statistics
           system     *                                        system,all
           queries    *                                        queries
           zone       *                                        zone,all
       </loggers>


       2. Example with syslog

       <loggers>
           # bundle   debuglevel                               channels
           database   ALL                                      database,syslog
           dnssec     warning                                  dnssec,syslog
           server     INFO,WARNING,ERR,CRIT,ALERT,EMERG        server,syslog
           stats      prod                                     statistics,syslog
           system     *                                        system,syslog
           queries    *                                        queries,syslog
           zone       *                                        zone,syslog
       </loggers>
530
531
       The defined loggers are:

       system contains low level messages about the system such as memory
              allocation, threading, IOs, timers and cryptography, ...

       database
              contains messages about most lower-level operations in the DNS
              database, i.e. journal, updates, zone loading and sanitization,
              DNS message query resolution, ...

       dnssec contains messages about lower-level DNSSEC operations in the DNS
              database, i.e. status, maintenance, verification, ...

       server contains messages about operations in the DNS server, i.e. start
              up, shutdown, configuration, transfers, various services status
              (database management, network management, DNS notification
              management, dynamic update management, resource rate limiting, ...)

       zone   contains messages about the loading of a zone from a source
              (file parsing, transferred binary zone reading, ...)

       stats  contains the statistics of the server.

       queries
              contains the queries on the server. Queries can be logged in the
              BIND and/or in the YADIFA format.
              BIND format:
              client sender-ip#port: query: fqdn class type +SETDC (listen-ip)
              YADIFA format:
              query [ id ] {+SETDC} fqdn class type (sender-ip#port)
              where:

              id     is the query message id

              +      means the message has the Recursion Desired flag set

              S      means the message is signed with a TSIG

              E      means the message is EDNS

              T      means the message was sent using TCP instead of UDP

              D      means the message has the DNSSEC OK flag set

              C      means the message has the Checking Disabled flag set

              fqdn   is the queried FQDN

              class  is the queried class

              type   is the queried type

              sender-ip
                     is the IP of the client that sent the query

              port   is the port of the client that sent the query

              listen-ip
                     is the listen network interface that received the message

              Note that on YADIFA any unset flag is replaced by a '-'; on BIND
              only the '+' follows that rule.
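              As an added example (not part of the yadifad sources), a Python
              parser for both query-log formats described above, with a small
              check a defender might run over the result: zone-transfer
              queries that carry no TSIG signature. The log lines are
              constructed; the exact spacing inside "[ id ]" and "{flags}" and
              the form of the id are assumptions.

```python
import re

# Constructed query log lines, two in the YADIFA format and two in the
# BIND format; flag order follows the "+SETDC" pattern described above.
SAMPLE_LINES = [
    "query [ 1a2b ] {+-E-D-} www.example.com IN A (192.0.2.10#53012)",
    "query [ 1a2c ] {-S-T--} example.com IN AXFR (192.0.2.53#4053)",
    "query [ 1a2d ] {---T--} example.com IN AXFR (198.51.100.7#40001)",
    "client 192.0.2.10#53012: query: www.example.com IN A +ED (192.0.2.2)",
    "client 198.51.100.7#6000: query: example.com IN ANY -E (192.0.2.2)",
]

# flag letter -> name; on YADIFA an unset flag is '-', on BIND it is omitted
# (except '+', which becomes '-'), so "letter present" is the only test needed
FLAG_NAMES = {"+": "rd", "S": "tsig", "E": "edns", "T": "tcp", "D": "do", "C": "cd"}

YADIFA_RE = re.compile(
    r"^query \[ (?P<id>\S+) \] \{(?P<flags>[-+SETDC]+)\} "
    r"(?P<fqdn>\S+) (?P<class>\S+) (?P<type>\S+) \((?P<ip>[^#]+)#(?P<port>\d+)\)$")
BIND_RE = re.compile(
    r"^client (?P<ip>[^#]+)#(?P<port>\d+): query: "
    r"(?P<fqdn>\S+) (?P<class>\S+) (?P<type>\S+) (?P<flags>[-+SETDC]+) \((?P<listen>\S+)\)$")

def parse_query_line(line):
    """Return a dict with the query fields and a flags dict, or None if the
    line is in neither format."""
    fmt, m = "yadifa", YADIFA_RE.match(line)
    if not m:
        fmt, m = "bind", BIND_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    present = set(fields.pop("flags")) - {"-"}
    rec = dict(fields, format=fmt, port=int(fields["port"]))
    rec["flags"] = {name: ch in present for ch, name in FLAG_NAMES.items()}
    return rec

def unsigned_transfer_requests(lines):
    """(sender-ip, fqdn) of AXFR/IXFR queries without a TSIG signature: worth
    alerting on when allow-transfer is meant to be restricted to a key."""
    hits = []
    for line in lines:
        rec = parse_query_line(line)
        if rec and rec["type"] in ("AXFR", "IXFR") and not rec["flags"]["tsig"]:
            hits.append((rec["ip"], rec["fqdn"]))
    return hits
```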
594
       System operators will mostly be interested in the info and above
       messages of queries and stats, as well as the error and above messages
       of the other loggers.
598
SEE ALSO
       yadifad(8)
601
NOTES
       Since unquoted leading whitespace is generally ignored in the
       yadifad.conf you can indent everything to taste.
605
CHANGELOG
       Please check the file ChangeLog from the sources.
608
VERSION
       Version: 2.3.9 of 2019-02-11.
611
MAILINGLIST
       There exists a mailinglist for questions relating to any program in the
       yadifa package:

       * yadifa-users@mailinglists.yadifa.eu
         for submitting questions/answers.

       * http://www.yadifa.eu/mailing-list-users
         for subscription requests.

       If you would like to stay informed about new versions and official
       patches send a subscription request via:

       * http://www.yadifa.eu/mailing-list-announcements

       (this is a read-only list).
628
COPYRIGHT
       Copyright
       (C)2011-2018, EURid
       B-1831 Diegem, Belgium
       info@yadifa.eu
634
AUTHORS
       Gery Van Emelen
       Email: Gery.VanEmelen@EURid.eu
       Eric Diaz Fernandez
       Email: Eric.DiazFernandez@EURid.eu

       WWW: http://www.EURid.eu
642
YADIFA                            P018-02-12                   YADIFAD-CONF(5)