YAKEYROLLD-CONF(5)                  YADIFA                  YAKEYROLLD-CONF(5)

NAME
       yakeyrolld.conf - configuration file for yakeyrolld(8).

SYNOPSIS
       ${SYSCONFDIR}/yakeyrolld.conf

DESCRIPTION
       The configuration of yakeyrolld consists of a text file that can
       optionally include others. The general structure is a sequence of
       containers: a sequence of lines of text starting with a
       <container-name> and ending with a </container-name>. Each line
       between these delimiters is in the form: variable-name value. The
       format of the value is determined by the type of the variable.

       There are 7 types:

       FQDN
              A fully-qualified domain name text string, e.g.: www.eurid.eu.

       GID
              Group ID (can be a number or a name).

       HOST(S)
              A (list of) host(s). A host is defined by an IP address (v4 or
              v6) and can be followed by the word `port' and a port number.
              Elements of the list are separated by a `,' or a `;'.

       INTEGER / INT
              A base-ten integer.

       PATH / FILE
              A file or directory path, e.g.: "/var/plans".

       STRING / STR
              A text string. Double quotes can be used but are not mandatory.
              Without quotes the string will be taken from the first
              non-blank character to the last non-blank character.

       UID
              User ID (can be a number or a name).

STANDARD SECTIONS
       There are 9 sections:

       <yakeyrolld>
              General container, contains all the configuration parameters
              needed to start up yakeyrolld.

              domain FQDN
                     default: .

                     Names one domain to manage; can be used up to 200
                     times. In yadifad.conf, each of these domains must
                     have rrsig-nsupdate-allowed enabled in its respective
                     <zone> section.

              log-path PATH
                     default: ${localstatedir}/log/yakeyrolld

                     The directory that will contain the log files.

              keys-path PATH
                     default: ${localstatedir}/zones/keys

                     The directory the name server uses to read the zone
                     key files.

              plan-path PATH
                     default: ${localstatedir}/plans

                     The directory of the step files.

              pid-path PATH
                     default: ${localstatedir}/run

                     The directory of the pid file.

              pid-file STRING
                     default: yakeyrolld.pid

                     The name of the pid file.

              generate-from STRING
                     default: "now"

                     For plan generation, when to start the plan; can be
                     overridden by the command line.

              generate-until STRING
                     default: "+1y"

                     For plan generation, when to stop the plan; can be
                     overridden by the command line.

              server HOST
                     default: 127.0.0.1

                     The address of the name server for queries and dynamic
                     updates.

              timeout INT
                     default: 3

                     The number of seconds spent trying to communicate with
                     the primary until it is considered a time-out.

              ttl INT
                     default: 600

                     The default ttl value to use when generating records.

              update-apply-verify-retries INT
                     default: 60

                     If an update cannot be verified, retries that many
                     times.

              update-apply-verify-retries-delay INT
                     default: 1

                     Waits that many seconds between two update apply
                     tries.

              match-verify-retries INT
                     default: 60

                     If a match test fails, retries that many times.

              match-verify-retries-delay INT
                     default: 1

                     Waits that many seconds between two match test tries.

              policy STRING
                     default: undefined

                     The name of the policy to use when generating the
                     plan.

              uid UID
                     default: 0

                     The uid to switch to. This should match the name
                     server's.

              gid GID
                     default: 0

                     The gid to switch to. This should match the name
                     server's.

       <dnssec-policy>
              Description of DNSSEC policies.

              id STR
                     default: -

                     id of the dnssec-policy section.

              description STR
                     default: -

                     Description of the dnssec-policy section.

              key-suite STR
                     default: -

                     id of the key-suite to be used.

       <key-suite>
              Description of the key-suites needed if 'dnssec policies' are
              used.

              id STR
                     default: -

                     id of the key-suite section.

              key-template STR
                     default: -

                     id of the key-template to be used.

              key-roll STR
                     default: -

                     id of the key-roll to be used.

       <key>
              TSIG keys

              algorithm ENUM
                     default: -

                     Mandatory. Sets the algorithm of the key.

                     Supported values are:

                     hmac-md5
                     hmac-sha1
                     hmac-sha224
                     hmac-sha256
                     hmac-sha384
                     hmac-sha512

                     (the algorithm names are case insensitive)

              name FQDN
                     default: -

                     Mandatory. Sets the name of the key.

              secret TEXT
                     default: -

                     Mandatory. Sets the value of the key, BASE64 encoded.

       <key-roll>
              Description of the key-rolls needed if 'dnssec policies' are
              used.

              id STR
                     default: -

                     id of the key-roll section.

              generate STR
                     default: -

                     Time when the key must be generated.

              publish STR
                     default: -

                     Time when the key must be published in the zone.

              activate STR
                     default: -

                     Time when the key will be used for signing the zone or
                     the apex of the zone.

              inactive STR
                     default: -

                     Time when the key will no longer be used for signing.

              delete STR
                     default: -

                     Time when the key will be removed from the zone.

       <key-template>
              Description of the key-templates needed if 'dnssec policies'
              are used.

              id STR
                     default: -

                     id of the key-template section.

              generate STR
                     default: -

                     Time when the key must be generated.

              publish STR
                     default: -

                     Time when the key must be published in the zone.

              activate STR
                     default: -

                     Time when the key will be used for signing the zone or
                     the apex of the zone.

              inactive STR
                     default: -

                     Time when the key will no longer be used for signing.

              delete STR
                     default: -

                     Time when the key will be removed from the zone.

       <channels>
              Description of the logger outputs.

              It contains a list of descriptions of user-defined outputs for
              the logger. Depending on the kind of output, the format is
              different.

              The "name" is arbitrary and is used for identification in the
              <loggers>.
              The "stream-name" defines the output type (e.g.: a file name,
              a program output or syslog).
              The "arguments" are specific to the output type (e.g.: unix
              file access rights or syslog options and facilities).

              * file output stream
                     channel-name file-name access-rights (octal)

              * pipe to a program
                     channel-name "| shell command"
                     channel-name "| path-to-program program arguments >> append-redirect"

              * STDOUT, STDERR output stream
                     channel-name stdout
                     channel-name stderr

              * syslog
                     channel-name syslog syslog-facility

       <loggers>
              Description of the logger output sources.

              Sets the output of a pre-defined logger for yakeyrolld.

              The format of the line is:
                     logger-name output-filter comma-separated-channel-names

              Filters are:
                     DEBUG7, DEBUG6, DEBUG5, DEBUG4, DEBUG3, DEBUG2, DEBUG1,
                     DEBUG, INFO, NOTICE, WARNING, ERR, CRIT, ALERT, EMERG

              Additionally, there are:

              * ALL (or '*') meaning all the filters.

              * PROD means all but the DEBUG filters.

              The defined loggers are:

              keyroll
                     contains general messages about the keyroll

              dnssec
                     contains messages about DNSSEC-related computations
                     during the generation.

              system
                     contains low level messages about the system such as
                     memory allocation, threading, IOs, timers and
                     cryptography, ...

              System operators will mostly be interested in the info and
              above messages of the keyroll and dnssec loggers.

EXAMPLES
       Examples of containers defined for a configuration file.

       * Main

       1. Config with includes

              # start yakeyrolld.conf <yakeyrolld> container
              include /etc/yakeyrolld/conf.d/local.conf
              # end yakeyrolld.conf <yakeyrolld> container

       2. Main without includes

              <yakeyrolld>
                  # Detach from the console (alias: daemonize)
                  daemon off

                  # The directory to use for the log files
                  log-path "/var/log/yakeyrolld"

                  # The directory that yadifad uses to load private keys
                  keys-path "/var/lib/yadifa/keys"

                  # The directory to use to store the plans
                  plan-path "/var/lib/yadifa/plans"

                  generate-from "now"

                  generate-until "+1y"

                  server 127.0.0.1

                  policy "keyroll-policy"
              </yakeyrolld>

       * Key
              TSIG-key configuration

       1. Admin-key key definition (the name is arbitrary)

              <key>
                  name abroad-admin-key
                  algorithm hmac-md5
                  secret WorthlessKeyForExample==
              </key>

       2. primary-secondary key definition

              <key>
                  name primary-secondary
                  algorithm hmac-md5
                  secret PrimaryAndSecondaryKey==
              </key>

       * DNSSEC-Policy

       DNSSEC-Policy needs some extra sections: key-suite, key-roll,
       key-template

       1. dnssec-policy example with all the needed sections

              <dnssec-policy>
                  id "keyroll-policy"

                  description "Example of ZSK and KSK"
                  key-suite "zsk-1024"
                  key-suite "ksk-2048"
              </dnssec-policy>

       2. key-suite

              <key-suite>
                  id "ksk-2048"

                  key-template "ksk-2048"
                  key-roll "yearly-calendar"
              </key-suite>

              <key-suite>
                  id "zsk-1024"

                  key-template "zsk-1024"
                  key-roll "monthly-calendar"
              </key-suite>

       3. key-roll

              <key-roll>
                  id "yearly-calendar"

                  generate 11 10 * 1 mon 1 # January, Monday of the second week at 10:11
                  publish  11 10 * 1 tue * # following Tuesday at 10:11
                  activate 11 10 * 1 wed * # following Wednesday at 10:11
                  inactive 11 10 * 1 mon * # following Monday, a year after, at 10:11
                  remove   11 10 * 1 wed * # following Wednesday at 10:11
              </key-roll>

              <key-roll>
                  id "monthly-calendar"

                  generate 17 10 * * mon 0 # 1st Monday of the month at 10:17
                  publish  17 10 * * tue * # following Tuesday at 10:17
                  activate 17 10 * * wed * # following Wednesday at 10:17
                  inactive 17 10 * * wed * # following Wednesday at 10:17 (one week after the activation)
                  remove   17 10 * * thu * # following Thursday at 10:17
              </key-roll>

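       The key-roll lines above use a cron-like layout that the page explains
       only through its comments. The following added example, which is not
       part of yakeyrolld or YADIFA, resolves the monthly-calendar into concrete
       timestamps under an interpretation inferred from those comments (minute,
       hour, day-of-month, month, weekday, 0-based week-of-month, with `*`
       standing for the next match after the previous step), then runs the
       checks an operator would want before deploying a plan: every step
       present, steps strictly ordered in time, and a publish-to-activate gap of
       at least one TTL (the 600 second default of the ttl variable). The
       function names, the MONTHLY_CALENDAR string and the ISO start date are
       constructed for this example; yakeyrolld's own scheduler may resolve the
       fields differently.

```python
"""Resolve a <key-roll> calendar into timestamps and sanity-check the resulting plan.
Added example, not yakeyrolld's own scheduler. The field interpretation is an
assumption inferred from the comments on the man page's examples:
    step minute hour day-of-month month weekday week
'week' is the 0-based occurrence of that weekday in the month (mon 0 = first Monday),
'*' matches anything, and every step is the first match after the previous step.
'delete' (the documented name) and 'remove' (the example's name) are both accepted."""
from datetime import datetime, timedelta

WEEKDAYS = {"mon": 0, "tue": 1, "wed": 2, "thu": 3, "fri": 4, "sat": 5, "sun": 6}
STEP_ORDER = ["generate", "publish", "activate", "inactive", "remove"]

# Constructed sample in the shape of the man page's monthly-calendar example.
MONTHLY_CALENDAR = """
generate 17 10 * * mon 0   # 1st Monday of the month at 10:17
publish  17 10 * * tue *   # following Tuesday at 10:17
activate 17 10 * * wed *   # following Wednesday at 10:17
inactive 17 10 * * wed *   # following Wednesday, one week after activation
remove   17 10 * * thu *   # following Thursday at 10:17
"""

def parse_step(line):
    """'generate 17 10 * * mon 0' -> ('generate', spec); a '*' field becomes None."""
    step, minute, hour, dom, month, dow, week = line.split("#", 1)[0].split()

    def field(text, convert=int):
        return None if text == "*" else convert(text)

    return "remove" if step == "delete" else step, {
        "minute": int(minute), "hour": int(hour), "dom": field(dom), "month": field(month),
        "dow": field(dow, lambda d: WEEKDAYS[d.lower()]), "week": field(week)}

def matches(ts, spec):
    """True when timestamp ts satisfies every non-'*' field of spec."""
    return (ts.minute == spec["minute"] and ts.hour == spec["hour"]
            and spec["dom"] in (None, ts.day) and spec["month"] in (None, ts.month)
            and spec["dow"] in (None, ts.weekday())
            and spec["week"] in (None, (ts.day - 1) // 7))

def next_match(after, spec, horizon_days=800):
    """Earliest timestamp strictly after 'after' matching spec (one candidate per day)."""
    candidate = after.replace(hour=spec["hour"], minute=spec["minute"], second=0, microsecond=0)
    for _ in range(horizon_days):
        if candidate > after and matches(candidate, spec):
            return candidate
        candidate += timedelta(days=1)
    raise ValueError("no match within %d days" % horizon_days)

def resolve(calendar, start):
    """Chain the steps from 'start' (a datetime or ISO-8601 string) and return
    {step: datetime}; each step is the first match after the previous one."""
    previous = datetime.fromisoformat(start) if isinstance(start, str) else start
    timeline = {}
    for line in calendar.strip().splitlines():
        step, spec = parse_step(line)
        timeline[step] = previous = next_match(previous, spec)
    return timeline

def check_timeline(timeline, ttl_seconds=600):
    """Operator's sanity checks on a resolved plan: every step present, strictly
    increasing in time, and the DNSKEY published at least one TTL before it signs
    (pre-publication, RFC 6781). ttl_seconds mirrors the <yakeyrolld> 'ttl'
    variable, whose documented default is 600."""
    problems = ["missing step: " + s for s in STEP_ORDER if s not in timeline]
    times = [timeline[s] for s in STEP_ORDER if s in timeline]
    if times != sorted(times) or len(set(times)) != len(times):
        problems.append("steps are not strictly increasing in time")
    if "publish" in timeline and "activate" in timeline and \
            timeline["activate"] - timeline["publish"] < timedelta(seconds=ttl_seconds):
        problems.append("activate follows publish by less than one TTL")
    return problems
```

       Starting the monthly calendar from 2023-09-06 (the version date on this
       page) yields generate on Monday 2023-10-02 10:17, publish the next day,
       activate on the Wednesday, inactive one week later and remove on the
       following Thursday, and check_timeline() returns no problems for it; a
       calendar whose steps are minutes apart is reported as too tight for the
       TTL.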

       4. key-template

              <key-template>
                  id "ksk-2048"

                  ksk true
                  algorithm RSASHA512
                  size 2048
              </key-template>

              <key-template>
                  id "zsk-1024"

                  ksk false
                  algorithm RSASHA512
                  size 1024
              </key-template>

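       Added example (not yakeyrolld's or YADIFA's own code): a small parser
       for the container format described at the top of this page, followed by
       a cross-reference lint over the sections it produces. It reads files
       from a dict standing in for ${SYSCONFDIR}, follows include lines, and
       then checks that every policy, key-suite, key-template and key-roll
       reference resolves to a defined id, and that each <key> carries a
       supported algorithm and a base64 secret. The paths, ids and the key
       secret are constructed for the example; `#` comments are assumed from
       the page's own examples. In the sample, one key-suite is referenced
       but never defined, and the defined key-suite points at a key-template
       and key-roll that do not exist, so the lint reports three findings.

```python
"""Parser and cross-reference linter for the yakeyrolld.conf container format.
Added example, not yakeyrolld's or YADIFA's own code: it applies the rules the man
page states (<name>...</name> containers, one 'variable value' per line, optional
double quotes, 'include' lines) and assumes '#' comments as in the page's examples."""
import re

OPEN_RE, CLOSE_RE = re.compile(r"^<([\w-]+)>$"), re.compile(r"^</([\w-]+)>$")
BASE64_RE = re.compile(r"[A-Za-z0-9+/]+={0,2}")
TSIG_ALGORITHMS = {"hmac-md5", "hmac-sha1", "hmac-sha224", "hmac-sha256", "hmac-sha384", "hmac-sha512"}
# (container, variable) -> container type whose id the value must name
REFERENCES = {("yakeyrolld", "policy"): "dnssec-policy",
              ("dnssec-policy", "key-suite"): "key-suite",
              ("key-suite", "key-template"): "key-template",
              ("key-suite", "key-roll"): "key-roll"}

# Constructed sample files (ids, paths and the secret are made up for this example).
SAMPLE_FILES = {
    "/etc/yakeyrolld/yakeyrolld.conf": """
<yakeyrolld>
    policy "keyroll-policy"
</yakeyrolld>
include /etc/yakeyrolld/conf.d/local.conf
""",
    "/etc/yakeyrolld/conf.d/local.conf": """
<key>
    name primary-secondary
    algorithm HMAC-SHA256        # algorithm names are case-insensitive
    secret c2FtcGxlLXNlY3JldC1mb3ItZXhhbXBsZQ==
</key>
<dnssec-policy>
    id "keyroll-policy"
    key-suite "zsk-1024"
    key-suite "ksk-2048"
</dnssec-policy>
<key-suite>
    id "zsk-1024"
    key-template "zsk-1024"
    key-roll "monthly-calendar"
</key-suite>
""",
}

def parse_config(path, files):
    """Return [(container, [(variable, value), ...]), ...] for path, following includes."""
    containers, current = [], None
    for raw in files[path].splitlines():
        line = re.sub(r"#.*", "", raw).strip()   # '#' comments; none expected inside quotes
        if not line:
            continue
        opened, closed = OPEN_RE.match(line), CLOSE_RE.match(line)
        if opened and current is None:
            current = (opened.group(1), [])
        elif closed and current is not None and current[0] == closed.group(1):
            containers.append(current)
            current = None
        elif opened or closed:
            raise ValueError("misplaced %s in %s" % (line, path))
        else:
            name, value = (line.split(None, 1) + [""])[:2]
            value = value.strip().strip('"')      # quotes are optional, blanks trimmed
            if name == "include" and current is None:
                containers.extend(parse_config(value, files))
            elif current is None:
                raise ValueError("'%s' outside any container in %s" % (name, path))
            else:
                current[1].append((name, value))
    if current is not None:
        raise ValueError("unterminated <%s> in %s" % (current[0], path))
    return containers

def check_tsig_key(pairs):
    """<key>: name, algorithm and secret are mandatory, the algorithm must be a supported
    HMAC and the secret must be base64 (checked here by alphabet and length only)."""
    v, out = dict(pairs), []
    label = "<key> " + v.get("name", "?")
    out += [label + ": missing " + f for f in ("name", "algorithm", "secret") if f not in v]
    if "algorithm" in v and v["algorithm"].lower() not in TSIG_ALGORITHMS:
        out.append("%s: unsupported algorithm %s" % (label, v["algorithm"]))
    if "secret" in v and not (BASE64_RE.fullmatch(v["secret"]) and len(v["secret"]) % 4 == 0):
        out.append(label + ": secret is not valid base64")
    return out

def lint(containers):
    """Cross-reference checks over the parsed containers; returns a list of findings."""
    findings, defined = [], set()
    for cname, pairs in containers:
        if cname in ("dnssec-policy", "key-suite", "key-template", "key-roll"):
            defined.update((cname, v) for k, v in pairs if k == "id")
        elif cname == "key":
            findings += check_tsig_key(pairs)
    for cname, pairs in containers:
        ids = [v for k, v in pairs if k == "id"]
        label = "<%s>%s" % (cname, " " + ids[0] if ids else "")
        for k, v in pairs:
            target = REFERENCES.get((cname, k))
            if target and (target, v) not in defined:
                findings.append('%s: %s "%s" is not defined' % (label, k, v))
    return findings
```

       Running lint(parse_config("/etc/yakeyrolld/yakeyrolld.conf",
       SAMPLE_FILES)) lists the undefined key-suite "ksk-2048" and the missing
       key-template and key-roll behind "zsk-1024"; the policy reference from
       <yakeyrolld> and the TSIG key pass. The base64 test is deliberately a
       format check (alphabet and length), which is enough to catch a pasted
       secret that was never encoded.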
       * Channels

       Logging output-channel configurations:

       It contains a list of user-defined outputs for the logger.

       The "name" is arbitrary and is used for identification in the
       <loggers>.
       The "stream-name" defines the output type (e.g.: a file name, a
       program output or syslog).
       The "arguments" are specific to the output type (e.g.: unix file
       access rights or syslog options and facilities).

       1. Example: logging channels definition.

              <channels>
                  # name    stream-name   arguments
                  keyroll   keyroll.log   0644
                  dnssec    dnssec.log    0644
                  system    system.log    0644
                  all       all.log       0644
              </channels>

       * Loggers

       Logging input configurations:

       The "bundle" is the name of the section of yakeyrolld being logged;
       sources are: database, dnssec, queries, server, stats, system, zone.
       The "debuglevel" uses the same names as syslog.
       Additionally, "*" or "all" means all the levels; "prod" means all but
       the debug levels.

       The "channels" are a comma-separated list of channels.

       1. Example logger configuration

              <loggers>
                  # bundle   debuglevel   channels
                  keyroll    prod         keyroll,all
                  dnssec     prod         dnssec,all
                  system     prod         system,all
              </loggers>

SEE ALSO
       yakeyrolld(8)

       Since unquoted leading whitespace is generally ignored in the
       yadifad.conf you can indent everything to taste.

       Please check the file README from the sources.

       Version: 2.6.5 of 2023-09-06.

       There exists a mailing list for questions relating to any program in
       the yadifa package:

       * yadifa-users@mailinglists.yadifa.eu
              for submitting questions/answers.

       * http://www.yadifa.eu/mailing-list-users
              for subscription requests.

       If you would like to stay informed about new versions and official
       patches send a subscription request via:

       * http://www.yadifa.eu/mailing-list-announcements

       (this is a read-only list).

       Copyright
              (C)2011-2023, EURid
              B-1831 Diegem, Belgium
              info@yadifa.eu

       Gery Van Emelen
       Email: Gery.VanEmelen@EURid.eu
       Eric Diaz Fernandez
       Email: Eric.DiazFernandez@EURid.eu

       WWW: http://www.EURid.eu

YAKEYROLLD                        2023-09-06                YAKEYROLLD-CONF(5)