YADIFAD-CONF(5)                      YADIFA                      YADIFAD-CONF(5)

NAME
       yadifad.conf - configuration file for yadifad(8).

SYNOPSIS
       ${SYSCONFDIR}/yadifad.conf

DESCRIPTION
       The configuration of yadifad consists of a text file that can
       optionally include others.  The general structure is a sequence of
       containers: a sequence of lines of text starting with a
       <container-name> and ending with a </container-name>.  Each line
       between these delimiters is in the form: variable-name value.  The
       format of the value is determined by the type of the variable.

TYPES
       There are 15 types:

       ACL
              A list of ACL descriptors.  User-defined ACLs are found in the
              ACL section.  The "any" and "none" descriptors are always
              defined.  Elements of the list are separated by a "," or a ";".

       DNSSECTYPE
              A DNSSEC type name.  It can be a DNSSEC-enabled value ("nsec",
              "nsec3" or "nsec3-optout") or a DNSSEC-disabled value ("none",
              "no", "off" or "0").

       ENUM
              A word from a specified set.

       FLAG
              A boolean value.  It can be true ("1", "enable", "enabled",
              "on", "true", "yes") or false ("0", "disable", "disabled",
              "off", "false", "no").

       FQDN
              A fully-qualified domain name text string, e.g.: www.eurid.eu.

       GID
              Group ID (can be a number or a name).

       HOST(S)
              A (list of) host(s).  A host is defined by an IP (v4 or v6) and
              can be followed by the word `port' and a port number.  Elements
              of the list are separated by a `,' or a `;'.

       INTEGER / INT
              A base-ten integer.

       NETMOD
              A word or integer that identifies the network model:

              single or 0
                     Each working thread reads a single message, processes
                     its answer and replies to it.

              buffered or 1
                     Working threads work in pairs.  One reads a single
                     message and queues it; the other de-queues it,
                     processes its answer and replies to it.

              multi or 2
                     Each working thread reads multiple messages, processes
                     their answers and replies to them.

       PATH / FILE
              A file or directory path, e.g.: "/var/zones".

       STRING / STR
              A text string.  Double quotes can be used but are not
              mandatory.  Without quotes the string will be taken from the
              first non-blank character to the last non-blank character.

       HEXSTR
              A hexadecimal even-length text string.

       RELDATE
              A cron-like date to be matched, relative to another.  The
              columns are minutes [0;59], hours [0;23], days [0;31], months
              [1;12], weekdays [mon,tue,wed,thu,fri,sat,sun] and
              week-of-the-month [0;4].  Multiple values can be set in a
              column cell using ',' as a separator.  The '*' character can be
              used to set all possible values of its column cell.

       RELTIME
              A time offset relative to another.  It's written as
              +integer[unit-character] (e.g.: +24h) where the unit character
              can be seconds, minutes, hours, days or weeks.

       SECONDS
              A base-ten integer.

       HOURS
              A base-ten integer.

       DAYS
              A base-ten integer.

       UID
              User ID (can be a number or a name).

CONTAINERS
       The configuration of yadifad has several containers:

       <main>
              General container

       <key>
              TSIG keys

       <acl>
              Access lists

       <nsid>
              NameServer IDentifier

       <rrl>
              Response Rate Limiting directives

       <zone>
              Description of the domain name in specific attributes.

       <channels>
              Description of the logger outputs.

       <dnssec-policy>
              Description of dnssec policies.

       <key-suite>
              Description of the key-suites needed if 'dnssec policies' are
              used.

       <key-roll>
              Description of the key-rolls needed if 'dnssec policies' are
              used.

       <key-template>
              Description of the key-templates needed if 'dnssec policies'
              are used.

       <denial>
              Description of 'denial', which can be used in certain 'dnssec
              policies'.

       The configuration supports included files.
       Example: include /etc/yadifa/conf.d/local.conf

       The configuration files can be nested.

       The configuration consists of:

       *  Containers, which start with <container name> and end with
          </container name>

       *  Variable name

       *  1 or 2 arguments

       *  Arguments can contain 1 or more comma separated values.
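       As an added illustration (not code from the YADIFA project), a small
       Python parser for the container syntax just described, including
       nested include directives resolved through a caller-supplied reader so
       it runs offline on constructed text.  The comment character, the
       optional double quotes and the nesting bound are assumptions.

```python
"""Parser for the yadifad.conf container syntax described above.

Added illustration, not code from the YADIFA project.  Assumptions: '#'
starts a comment (as in the EXAMPLES section), a double-quoted STRING value
loses its quotes, and 'include' is only honoured outside a container.
"""
import re

_OPEN = re.compile(r"^<([A-Za-z0-9_-]+)>$")
_CLOSE = re.compile(r"^</([A-Za-z0-9_-]+)>$")


def parse_config(text, read_include=None, _depth=0, max_depth=8):
    """Return a list of (container-name, [(variable, value), ...]).

    read_include(path) -> str supplies the text of an included file; files
    may be nested (the page allows it), bounded by max_depth so that a file
    including itself cannot recurse forever.
    """
    if _depth > max_depth:
        raise ValueError("include nesting deeper than %d" % max_depth)
    containers = []
    current = None  # (name, entries) while inside a container
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding blanks
        if not line:
            continue
        m = _OPEN.match(line)
        if m:
            if current is not None:
                raise ValueError("line %d: <%s> opened inside <%s>" % (lineno, m.group(1), current[0]))
            current = (m.group(1), [])
            continue
        m = _CLOSE.match(line)
        if m:
            if current is None or current[0] != m.group(1):
                raise ValueError("line %d: unexpected </%s>" % (lineno, m.group(1)))
            containers.append(current)
            current = None
            continue
        parts = line.split(None, 1)  # "variable-name value": split on the first blank
        variable = parts[0]
        value = parts[1].strip() if len(parts) > 1 else ""
        if current is None:
            if variable == "include":
                if read_include is None:
                    raise ValueError("line %d: include is not supported here" % lineno)
                containers.extend(parse_config(read_include(value), read_include, _depth + 1, max_depth))
                continue
            raise ValueError("line %d: '%s' outside of any container" % (lineno, variable))
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]  # STRING: double quotes are optional, strip them when present
        current[1].append((variable, value))
    if current is not None:
        raise ValueError("unterminated container <%s>" % current[0])
    return containers


# Constructed sample modelled on the EXAMPLES section of this page; the
# included file is served from a dict so nothing touches the filesystem.
SAMPLE_MAIN = """\
<main>
    daemon off
    logpath "/var/log/yadifa"
    listen 127.0.0.1, 192.0.2.2 port 8053
    allow-query !192.0.2.251,any   # reject one client, accept everybody else
</main>
include conf.d/local.conf
"""
SAMPLE_INCLUDES = {
    "conf.d/local.conf": "<acl>\n    admins 192.0.2.0/24, 2001:db8::74\n</acl>\n",
}


def parse_sample():
    return parse_config(SAMPLE_MAIN, read_include=SAMPLE_INCLUDES.__getitem__)


if __name__ == "__main__":
    for name, entries in parse_sample():
        print("<%s>" % name)
        for variable, value in entries:
            print("    %s = %r" % (variable, value))
```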

STANDARD SECTIONS
   <main>
       General container, contains all the configuration parameters needed
       to start up yadifad.

       allow-control ACL
              default: none

              Default server-control access control list.  Only the sources
              matching the ACL are accepted.

       allow-notify ACL
              default: any

              Default notify access control list.  Only the servers matching
              the ACL will be handled.

       allow-query ACL
              default: any

              Default query access control list.  Only the clients matching
              the ACL will be replied to.

       allow-transfer ACL
              default: none

              Default transfer access control list.  Only the clients
              matching the ACL will be allowed to transfer a zone
              (axfr/ixfr).

       allow-update ACL
              default: none

              Default update access control list.  Only the clients matching
              the ACL will be allowed to update a zone.

       allow-update-forwarding ACL
              default: none

              Default update-forwarding access control list.  Only the
              sources matching the ACL are accepted.

       answer-formerr-packets FLAG
              default: true

              If this flag is disabled, the server will not reply to badly
              formatted packets.

       axfr-compress-packets FLAG
              default: true

              Enables the DNS packet compression of each axfr packet.

       axfr-max-packet-size INT
              default: 4096 bytes

              The maximum size of an axfr packet.  (MIN: 512; MAX: 65535)

       axfr-max-record-by-packet INT
              default: 0

              The maximum number of records in each axfr packet.  Older name
              servers can only handle 1.  Set to 0 to disable the limit.
              (MIN: 0; MAX: 65535)

       axfr-retry-delay SECONDS
              default: 600

              Number of seconds between each retry for the first transfer
              from the primary name server.  (MIN: 60; MAX: 86400)

       axfr-retry-jitter SECONDS
              default: 180

              Jitter applied to axfr-retry-delay.  (MIN: 60; MAX:
              axfr-retry-delay)

       axfr-retry-failure-delay-multiplier INT
              default: 5

              Linear back-off multiplier.  The multiplier times the number
              of failures is added to the axfr-retry-delay.  (MIN: 0; MAX:
              86400)

       axfr-retry-failure-delay-max SECONDS
              default: 3600

              Maximum delay added for the back-off.  (MIN: 0; MAX: 604800)

       axfr-strict-authority FLAG
              default: yes (unless --enable-non-aa-axfr-support was used)

              Tells yadifad to be strict with the AA flag in AXFR answers.

       chroot FLAG
              default: off

              Enabling this flag will make the server jail itself in the
              chroot-path directory.

       chroot-path; chrootpath PATH
              default: /

              The directory used for the jail.

       cpu-count-override INT
              default: 0

              Overrides the detected number of logical CPUs.  Set to 0 for
              automatic.  (MIN: 0; MAX: 256)

       daemon; daemonize FLAG
              default: false

              Enabling this flag will make the server detach from the
              console and work in the background.

       data-path; datapath PATH
              default: zones

              The base path where the data lies (zone files, journaling
              data, temporary files, etc.).

       do-not-listen HOSTS
              default: -

              An exclusion list of addresses to never listen to.  If set,
              0.0.0.0 and ::0 will always be split by interface to isolate
              the address.

       edns0-max-size INT
              default: 4096

              EDNS0 packet size.  (MIN: 512; MAX: 65535)

       gid; group GID
              default: 0 (or root)

              The group ID that the server will use.

       hidden-primary; hidden-master FLAG
              default: no

              As a hidden primary, more CPU will be used for various
              maintenance tasks.

       hostname-chaos; hostname STR
              default: the host name

              The string returned by a hostname-chaos TXT CH query.

       keys-path; keyspath PATH
              default: zones/keys

              The base path of the DNSSEC keys.

       listen HOSTS
              default: 0.0.0.0,::0

              The list of interfaces to listen to.

       log-files-disabled FLAG
              default: no

              If set, disables checking the log-path directory for
              existence and writing rights.

       log-path; logpath PATH
              default: log

              The base path where the log files are written.

       log-unprocessable FLAG
              default: off

              Enabling this flag will make the server log unprocessable
              queries.

       max-tcp-queries; max-tcp-connections INT
              default: 16

              The maximum number of parallel TCP queries allowed.  (MIN: 1;
              MAX: 255)

       network-model NETMOD
              default: multi

              Sets the networking model of yadifa.

       pid-file; pidfile STR
              default: run/yadifad.pid

              The pid file name.

       queries-log-type INT
              default: 1

              Query log format.  (0: none; 1: yadifa format; 2: BIND
              format; 3: yadifa and BIND format at once)

       serverid-chaos; serverid STR
              default: -

              The string returned by an id.server. TXT CH query.  If not
              set, REFUSED is answered.

       server-port; port INT
              default: 53

              The default DNS port.  (MIN: 1; MAX: 65535)

       sig-validity-interval DAYS
              default: 30

              The number of days for which an automatic signature is valid.
              (MIN: 7 days; MAX: 30 days)

       sig-validity-jitter; sig-jitter SECONDS
              default: 3600

              The signature expiration validity jitter in seconds (1 hour).
              (MIN: 0 sec; MAX: 86400 sec)

       sig-validity-regeneration HOURS
              default: automatic

              Signatures expiring in less than the indicated amount of hours
              will be recomputed.  The default will be chosen by yadifa.
              (MIN: 24 hours; MAX: 168 hours)

       statistics FLAG
              default: true

              The server will log a report line about some internal
              statistics.

       statistics-max-period SECONDS
              default: 60

              The period in seconds between two statistics log lines.
              (MIN: 1 sec; MAX: 31 * 86400 seconds (31 days))

       tcp-query-min-rate INT
              default: 512 bytes/second

              The minimum transfer rate required in a TCP connection (read
              and write).  Slower connections are closed.  The units are
              bytes per second.  (MIN: 0; MAX: 4294967295)

       thread-affinity-base INT
              default: 0

              Sets the first CPU to set affinity for.  Set it to the real
              CPU of a core.  (MIN: 0; MAX: 3)

       thread-affinity-multiplier INT
              default: 0

              Sets the multiplier choosing the CPUs to set affinity for.
              Allows avoiding hyperthread cores.  Set to 0 for automatic
              avoiding.  (MIN: 0; MAX: 4)

       thread-count-by-address INT
              default: -1

              Number of independent threads used to process each listening
              address.  Set to -1 for automatic.  Set to 0 for single
              threaded.  (MIN: -1; MAX: number of CPUs)

       uid; user UID
              default: 0 (or root)

              The user ID that the server will use.

       version-chaos; version STR
              default: yadifa version#

              The text to include in the version TXT CH query.

       xfr-connect-timeout SECONDS
              default: 5

              Timeout for establishing a connection for axfr and ixfr
              transfers.  Set to 0 to disable.  (MIN: 0; MAX: 4294967295)

       xfr-path; xfrpath PATH
              default: zones/xfr

              The base path used for axfr and journal storage.

       zone-download-thread-count INT
              default: 4

              Number of independent threads used to download the zones.
              (MIN: 0; MAX: 255)

       zone-load-thread-count INT
              default: 1

              Number of independent threads used to process loading of the
              zones.  (MIN: 0; MAX: 255)

       zone-store-thread-count INT
              default: 1

              Sets the number of threads used to store a zone on disk.
              (MIN: 1; MAX: 4)

       zone-unload-thread-count INT
              default: 1

              Sets the number of threads used to delete a zone from memory.
              (MIN: 1; MAX: 4)

       worker-backlog-queue-size INT
              default: 16384

              For network-model 1, sets the size of the backlog queue.
              (MIN: 4096; MAX: 1048576)

   <key>
       TSIG keys

       algorithm ENUM
              default: -

              Mandatory.  Sets the algorithm of the key.

              Supported values are:

              hmac-md5

              hmac-sha1

              hmac-sha224

              hmac-sha256

              hmac-sha384

              hmac-sha512

              (the algorithm names are case insensitive)

       name FQDN
              default: -

              Mandatory.  Sets the name of the key.

       secret TEXT
              default: -

              Mandatory.  Sets the value of the key.  BASE64 encoded.

   <acl>
       Access lists

       Each entry of the acl section defines a rule of access.  Each rule is
       a name (a single user-defined word) followed by a rule in the form of
       a list of statements.  The separator can be "," or ";".  The "any" and
       "none" names are reserved.  A statement tells if a source is accepted
       or rejected.  Reject statements are prefixed with "!".  Statements are
       evaluated in the following order: first from more specific to less
       specific, then from reject to accept.  If a statement matches, the
       evaluation will stop and accordingly accept or reject the source.  If
       no statement matches, then the source is rejected.

       A statement can be either:

       *  An IPv4 or an IPv6 address followed (or not) by a mask:
          [!]ipv4|ipv6[/mask]

          For example:

          *  internal-network 192.0.2.128/26;2001:DB8::/32

       *  The word `key' followed by the name of a TSIG key:
          key key-name

          For example:

          *  slaves key public-slave;key hidden-slave

       *  An ACL statement name from the acl section.  Note that negation
          and recursion are forbidden and duly rejected:
          acl-name

          For example:

          *  who-can-ask-for-an-ixfr primary;secondaries;127.0.0.1
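       The evaluation order described above (most specific statement first,
       reject before accept, no match means reject), as an added Python
       illustration that is not YADIFA's own implementation.  It is run over
       ACL names taken from the examples section of this page; the relative
       rank of a `key' statement against address prefixes and the one-level
       expansion of ACL references are assumptions the page does not spell
       out.

```python
"""Evaluator for the <acl> statement semantics described above.

Added illustration, not YADIFA's own implementation.  Assumptions that the
page does not spell out: a 'key' statement is treated as more specific than
any address prefix, and a referenced ACL is expanded one level only.
"""
import ipaddress

_KEY_SPECIFICITY = 129  # outranks every IPv4 (/32) and IPv6 (/128) prefix


def _split_statements(rule):
    # the separator can be "," or ";"
    return [s.strip() for s in rule.replace(";", ",").split(",") if s.strip()]


def _primitive_statements(stmt, definitions, owner, depth=0):
    """Expand 'any', 'none' and ACL references into address/key statements."""
    reject = stmt.startswith("!")
    body = stmt[1:].strip() if reject else stmt
    prefix = "!" if reject else ""
    if body == "any":
        return [prefix + "0.0.0.0/0", prefix + "::/0"]
    if body == "none":
        return []
    if body in definitions:
        if reject:
            raise ValueError("%s: negated ACL reference '%s' is forbidden" % (owner, stmt))
        if depth > 0:
            raise ValueError("%s: recursive ACL reference via '%s' is forbidden" % (owner, body))
        out = []
        for inner in _split_statements(definitions[body]):
            out.extend(_primitive_statements(inner, definitions, owner, depth + 1))
        return out
    return [stmt]


def _compile_statement(stmt):
    """Return (specificity, reject, kind, value) for one primitive statement."""
    reject = stmt.startswith("!")
    body = stmt[1:].strip() if reject else stmt
    if body.startswith("key "):
        return (_KEY_SPECIFICITY, reject, "key", body[4:].strip())
    net = ipaddress.ip_network(body, strict=False)  # "192.0.2.53" becomes /32, "2001:DB8::/32" stays
    return (net.prefixlen, reject, "net", net)


def compile_acls(definitions):
    """definitions: {acl-name: rule text} exactly as written in the <acl> section.

    Each ACL becomes a list of compiled statements sorted in evaluation
    order: most specific first, then reject before accept.
    """
    compiled = {}
    for name, rule in definitions.items():
        stmts = [_compile_statement(p)
                 for s in _split_statements(rule)
                 for p in _primitive_statements(s, definitions, name)]
        stmts.sort(key=lambda s: (-s[0], 0 if s[1] else 1))
        compiled[name] = stmts
    return compiled


def acl_allows(compiled, acl_name, address, key_name=None):
    """First matching statement decides; a source matching nothing is rejected."""
    addr = ipaddress.ip_address(address)
    for _specificity, reject, kind, value in compiled[acl_name]:
        if kind == "key":
            matched = key_name is not None and key_name == value
        else:
            matched = addr in value  # False when the IP version differs
        if matched:
            return not reject
    return False


# Constructed from the <acl> and <main> examples of this page.  'secondaries'
# is not defined on the page, so the ixfr rule references 'admins' instead.
SAMPLE_ACLS = {
    "transferer": "key primary-secondary",
    "admins": "192.0.2.0/24, 2001:db8::74",
    "primary": "192.0.2.53",
    "localhost": "127.0.0.0/8, ::1",
    "query-clients": "!192.0.2.251,any",  # the main example's allow-query value
    "who-can-ask-for-an-ixfr": "primary;admins;127.0.0.1",
}

if __name__ == "__main__":
    acls = compile_acls(SAMPLE_ACLS)
    for source in ("192.0.2.251", "192.0.2.1", "2001:db8::1"):
        print("allow-query from %s: %s" % (source, acl_allows(acls, "query-clients", source)))
```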

   <nsid>
       NameServer IDentifier

       ascii STR
              default: ""

              The string can be 512 characters long.

       hex
              default: ""

   <rrl>
       Response Rate Limiting directives

       responses-per-second INT
              default: 5

              Allowed response rate.

       errors-per-second INT
              default: 5

              Allowed error rate.

       slip INT
              default: 2

              Random slip parameter.

       log-only FLAG
              default: false

              If set to true, logs what it should do without doing it.

       ipv4-prefix-length INT
              default: 24

              Mask applied to group the IPv4 clients.

       ipv6-prefix-length INT
              default: 56

              Mask applied to group the IPv6 clients.

       exempt-clients ACL
              default: none

              Clients matching this rule are not subject to the RRL.

       enabled FLAG
              default: false

              Enables the RRL.

       min-table-size INT
              default: 1024

              RRL buffer minimum size.

       max-table-size INT
              default: 16384

              RRL buffer maximum size.

       window INT
              default: 15

              RRL sliding window size in seconds.

   <zone>
       Description of the domain name in specific attributes.

       allow-control ACL
              default: as main

              Control commands control list.  Only the matching sources are
              allowed.

       allow-notify ACL
              default: as main

              Notify access control list.  Only the servers matching the ACL
              will be handled.

       allow-query ACL
              default: as main

              Query access control list.  Only the clients matching the ACL
              will be replied to.

       allow-transfer ACL
              default: as main

              Transfer access control list.  Only the clients matching the
              ACL will be allowed to transfer a zone (axfr/ixfr).

       allow-update ACL
              default: as main

              Update access control list.  Only the clients matching the ACL
              will be allowed to update a zone.

       allow-update-forwarding ACL
              default: as main

              Update forwarding control list.  Only the matching sources are
              allowed.

       dnssec-mode; dnssec DNSSEC-TYPE
              default: off

              Type of DNSSEC used for the zone.  As primary name server,
              yadifa will try to maintain that state.

       dnssec-policy STR
              default: -

              Sets the dnssec-policy id to be used.

       domain FQDN
              default: -

              Mandatory.  Sets the domain of the zone (e.g.: eurid.eu).

       drop-before-load FLAG
              default: off

              Enabling this flag will make the server drop the zone before
              loading the updated zone from disk.  Use this on systems
              constrained for RAM.

       file-name; file FILE
              default: -

              Sets the zone file name.  Only mandatory for a primary zone.

       journal-size-kb INT
              default: 0

              Puts a soft limit on the size of the journal, expressed in KB.
              (MIN: 0; MAX: 3698688 (3GB))

       keys-path; keyspath PATH
              default: as main

              The base path of the DNSSEC keys.

       maintain-dnssec FLAG
              default: true

              Enabling this flag will cause the server to try and maintain
              RRSIG records.

       primaries; primary; masters; master HOSTS
              default: -

              Mandatory for a slave.  Sets the primary server(s).  Multiple
              primaries are supported.

       multiprimary-retries; multimaster-retries INT
              default: 0

              The number of times the primary is unreachable before
              switching to a different primary.  (MIN: 0; MAX: 255)

       no-primary-updates; no-master-updates FLAG
              default: false

              Enabling this flag will prevent the server from probing or
              downloading changes from the primary.

       notifies; also-notify; notify HOSTS
              default: -

              The list of servers to notify in the event of a change.
              Currently only used by primaries when a dynamic update occurs.

       notify-auto FLAG
              default: true

              Enabling this flag will cause notify messages to be sent to
              all name servers in the APEX.  Disabling this flag causes the
              content of the APEX (NS records) to be ignored.

       notify-retry-count INT
              default: 5

              Number of times yadifa tries to send a notify.  (MIN: 0; MAX:
              10)

       notify-retry-period INT
              default: 1

              Time period in minutes between two notify attempts.  (MIN: 1;
              MAX: 600)

       notify-retry-period-increase INT
              default: 0

              Increase of the time period in minutes between two notify
              attempts.  (MIN: 0; MAX: 600)

       rrsig-nsupdate-allowed FLAG
              default: false

              If this flag is set, the server allows RRSIG records to be
              edited using dynamic updates.

       sig-validity-interval DAYS
              default: as main

              The number of days for which an automatic signature is valid.
              (MIN: 7 days; MAX: 30 days)

       sig-validity-regeneration HOURS
              default: as main

              The signatures expiring in less than the indicated amount of
              hours will be recomputed.  (MIN: 24 hours; MAX: 168 hours)

       sig-validity-jitter SECONDS
              default: as main

              The signature expiration validity jitter in seconds.  (MIN: 0
              sec; MAX: 86400 sec)

       true-multiprimary; true-multimaster FLAG
              default: off

              Enabling this flag will make the server use axfr when
              switching to a new primary.

       type ENUM
              default: -

              Mandatory.  Sets the type of zone: either primary/master or
              secondary/slave.

   <channels>
       Description of the logger outputs.

       It contains a list of descriptions of user-defined outputs for the
       logger.  Depending on the kind of output, the format is different.

       The "name" is arbitrary and is used for identification in the
       <loggers>.
       The "stream-name" defines the output type (i.e. a file name, a program
       output or syslog).
       The "arguments" are specific to the output type (i.e. unix file access
       rights or syslog options and facilities).

       *  file output stream:
          channel-name file-name access-rights (octal)

       *  pipe to a program:
          channel-name "| shell command"
          channel-name "| path-to-program program arguments >> append-redirect"

       *  STDOUT, STDERR output stream:
          channel-name stdout
          channel-name stderr

       *  syslog:
          channel-name syslog syslog-facility

   <loggers>
       Description of the logger output sources.

       Sets the output of a pre-defined logger from yadifad.

       The format of the line is:
       logger-name output-filter comma-separated-channel-names

       Filters are:
       DEBUG7, DEBUG6, DEBUG5, DEBUG4, DEBUG3, DEBUG2, DEBUG1, DEBUG, INFO,
       NOTICE, WARNING, ERR, CRIT, ALERT, EMERG

       Additionally, there are:

       *  ALL (or '*') meaning all the filters.

       *  PROD meaning all but the DEBUG filters.

       The defined loggers are:

       system
              contains low level messages about the system such as memory
              allocation, threading, IOs, timers and cryptography, ...

       database
              contains messages about most lower-level operations in the DNS
              database (i.e. journal, updates, zone loading and
              sanitization, DNS message query resolution, ...)

       dnssec
              contains messages about lower-level DNSSEC operations in the
              DNS database (i.e. status, maintenance, verification, ...)

       server
              contains messages about operations in the DNS server (i.e.
              start up, shutdown, configuration, transfers, various services
              status (database management, network management, DNS
              notification management, dynamic update management, resource
              rate limiting, ...))

       zone
              contains messages about the loading of a zone from a source
              (file parsing, transferred binary zone reading, ...)

       stats
              contains the statistics of the server.

       queries
              contains the queries on the server.  Queries can be logged
              with the BIND and/or with the YADIFA format.

              BIND format:
                     client sender-ip#port: query: fqdn class type +SETDC
                     (listen-ip)

              YADIFA format:
                     query [ id ] {+SETDC} fqdn class type (sender-ip#port)

              where:

              id     is the query message id

              +      means the message has the Recursion Desired flag set

              S      means the message is signed with a TSIG

              E      means the message is EDNS

              T      means the message was sent using TCP instead of UDP

              D      means the message has the DNSSEC OK flag set

              C      means the message has the Checking Disabled flag set

              fqdn   is the queried FQDN

              class  is the queried class

              type   is the queried type

              sender-ip
                     is the IP of the client that sent the query

              port   is the port of the client that sent the query

              listen-ip
                     is the listen network interface that received the
                     message

              Note that in the YADIFA format any unset flag is replaced by a
              '-'; in the BIND format only the '+' follows that rule.
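              An added Python parser for the two query-log formats above
              (not YADIFA code), run over constructed sample lines.  It
              decodes the flag letters under both conventions, then counts,
              per sender, the AXFR/IXFR queries that carried no TSIG
              signature, which an allow-transfer ACL built on `key'
              statements will refuse.  Literal braces around the flags, a
              hexadecimal id and the absence of a log prefix are assumptions
              about the sample lines.

```python
"""Parser for the 'queries' logger line formats documented above.

Added illustration, not YADIFA code.  Assumptions about the constructed
sample lines: the braces around the YADIFA flags are literal, the query id
is hexadecimal, and any logger timestamp prefix has been stripped (the
patterns search rather than anchor, so a prefix would be tolerated).
"""
import re
from collections import Counter

_YADIFA = re.compile(
    r"query \[\s*(?P<id>[0-9A-Fa-f]+)\s*\] \{(?P<flags>[+-][S-][E-][T-][D-][C-])\} "
    r"(?P<fqdn>\S+) (?P<class>\S+) (?P<type>\S+) \((?P<ip>[0-9A-Fa-f.:]+)#(?P<port>\d+)\)"
)
_BIND = re.compile(
    r"client (?P<ip>[0-9A-Fa-f.:]+)#(?P<port>\d+): query: (?P<fqdn>\S+) (?P<class>\S+) "
    r"(?P<type>\S+) (?P<rd>[+-])(?P<flags>[SETDC]*)(?: \((?P<listen>[0-9A-Fa-f.:]+)\))?"
)
_FLAG_NAMES = {"S": "tsig", "E": "edns", "T": "tcp", "D": "dnssec_ok", "C": "checking_disabled"}


def parse_query_log_line(line):
    """Return a dict describing the query, or None for a non-query line."""
    m = _YADIFA.search(line)
    if m:
        flags = m.group("flags")
        rec = {"format": "yadifa", "id": m.group("id"), "listen_ip": None, "rd": flags[0] == "+"}
        # YADIFA prints every flag position, an unset one as '-'
        for letter, name in _FLAG_NAMES.items():
            rec[name] = letter in flags[1:]
    else:
        m = _BIND.search(line)
        if not m:
            return None
        rec = {"format": "bind", "id": None, "listen_ip": m.group("listen"), "rd": m.group("rd") == "+"}
        # BIND style prints only the letters of the flags that are set
        for letter, name in _FLAG_NAMES.items():
            rec[name] = letter in m.group("flags")
    rec.update(fqdn=m.group("fqdn"), qclass=m.group("class"), qtype=m.group("type"),
               sender_ip=m.group("ip"), port=int(m.group("port")))
    return rec


def unsigned_transfer_requests(lines):
    """Count, per sender, AXFR/IXFR queries that carried no TSIG signature.

    With allow-transfer built from 'key' ACL statements these are refused,
    so a burst of them from one source is worth a look.
    """
    hits = Counter()
    for line in lines:
        rec = parse_query_log_line(line)
        if rec and rec["qtype"] in ("AXFR", "IXFR") and not rec["tsig"]:
            hits[rec["sender_ip"]] += 1
    return hits


# Constructed sample lines, one per documented format plus a non-query line.
SAMPLE_LINES = [
    "query [ 1a2b ] {+-E---} www.example.eu IN A (192.0.2.10#53211)",
    "query [ 00ff ] {-SET--} example.eu IN AXFR (192.0.2.53#41000)",
    "query [ 0c01 ] {--ET--} example.eu IN AXFR (198.51.100.7#2049)",
    "query [ 0c02 ] {--ET--} example.eu IN IXFR (198.51.100.7#2050)",
    "client 2001:db8::2#4242: query: example.eu IN AXFR -ET (2001:db8::53)",
    "client 2001:db8::9#5353: query: ns1.example.eu IN AAAA +ED (2001:db8::53)",
    "server: shutting down",
]

if __name__ == "__main__":
    for sender, count in unsigned_transfer_requests(SAMPLE_LINES).most_common():
        print("%s: %d unsigned transfer request(s)" % (sender, count))
```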
916
917 System operators will mostly be interested in the info and above
918 messages of queries and stats, as well as the error and above
919 messages of the other loggers.
920
921 DNSSEC-POLICY
922 There are 5 sections:
923
924 <dnssec-policy>
925 The dnssec-policy section binds up to four key suites and a de‐
926 nial mode. It is meant to be used as a dnssec-policy parameter
927 in a zone section. Usually two key-suite will be given: one for
928 a KSK and one for a ZSK. The denial mode can be either 'nsec'
929 either the name of a denial section.
930
931 id STR
932 default: -
933
934 id of the dnssec-policy section.
935
936 description STR
937 default: -
938
939 Description for the dnssec-policy section.
940
941 key-suite STR
942 default: -
943
944 id of the key-suite to be used. Usually both a KSK and a
945 ZSK suites are given.
946
947 denial STR
948 default: nsec
949
950 id of the denial to be used for nsec3 or the argument
951 'nsec' to use nsec.
952
953 <key-suite>
954 The key-suite section is used by dnssec policies and is meant
955 to be referenced by a dnssec-policy section. A key-suite links
956 a key definition (key-template) with a deployment calendar
957 (key-roll).
958
959 id STR
960 default: -
961
962 id of the key-suite section.
963
964 key-template STR
965 default: -
966
967 id of the key-template to be used.
968
969 key-roll STR
970 default: -
971
972 id of the key-roll to be used.
973
974 <key-roll>
975 The key-roll section is used by dnssec policies and is meant to
976 be referenced by a key-suite section. It's essentially a de‐
977 ployment calendar. Each event is computed relatively to an‐
978 other. Dates are chosen so that there is always a key in an ac‐
979 tive state. Please look at the examples as a misconfiguration
980 could easily span the life of a key over several years. (e.g.:
981 by too restrictive on the matching conditions) If the RELDATE
982 format is being used, the first valid date matching the line is
983 used. Usage of the RELDATE format is recommended over the REL‐
984 TIME one.
985
986 id RELDATE|RELTIME
987 default: -
988
989 id of the key-roll section.
990
991 generate RELDATE|RELTIME
992 default: -
993
994 Time when the key must be generated. Pre-dated before so
995 it's active right now if it's the first one. Always com‐
996 puted so that the next activation happens before the last
997 deactivation.
998
999 publish RELDATE|RELTIME
1000 default: -
1001
1002 Time when the key must be published in the zone. Relative
1003 to the generation.
1004
1005 activate RELDATE|RELTIME
1006 default: -
1007
1008 Time when the key will be used for signing the zone or
1009 apex of the zone. Relative to the publication.
1010
1011 inactive RELDATE|RELTIME
1012 default: -
1013
1014 Time when the key will not be used anymore for signing.
1015 Relative to the activation.
1016
1017 delete RELDATE|RELTIME
1018 default: -
1019
1020 Time when the key will be removed out of the zone. Rela‐
1021 tive to the deactivation.
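       The relative calendar above, worked through with RELTIME offsets in
       an added Python illustration (not YADIFA's scheduler): each event is
       chained to the previous one as the descriptions state, a successor's
       generation time is back-computed so it activates before its
       predecessor goes inactive, and a checker shows the gap a badly spaced
       calendar leaves.  The size of the activation overlap and the RELTIME
       unit letters s/m/h/d/w (from "+24h") are assumptions.

```python
"""Deployment-calendar arithmetic for a <key-roll> written with RELTIME offsets.

Added illustration, not YADIFA's scheduler.  The page states the chain
(publish relative to generation, activate to publication, inactive to
activation, delete to deactivation) and that a successor's generation is
back-computed so it activates before its predecessor goes inactive; the
size of that overlap is not given, so it is a parameter here.  RELTIME unit
letters s/m/h/d/w are assumed from the "+24h" example.
"""
import re
from datetime import datetime, timedelta, timezone

_RELTIME = re.compile(r"^\+(\d+)([smhdw])$")
_UNITS = {"s": "seconds", "m": "minutes", "h": "hours", "d": "days", "w": "weeks"}


def parse_reltime(text):
    """'+24h' -> timedelta(hours=24); anything else is rejected."""
    m = _RELTIME.match(text.strip())
    if not m:
        raise ValueError("not a RELTIME value: %r" % text)
    return timedelta(**{_UNITS[m.group(2)]: int(m.group(1))})


def key_timeline(roll, generate_at):
    """Absolute event times of one key generated at generate_at.

    roll holds the RELTIME strings of a <key-roll>; each event is relative
    to the previous one, as the section above describes.
    """
    t = {"generate": generate_at}
    t["publish"] = t["generate"] + parse_reltime(roll["publish"])
    t["activate"] = t["publish"] + parse_reltime(roll["activate"])
    t["inactive"] = t["activate"] + parse_reltime(roll["inactive"])
    t["delete"] = t["inactive"] + parse_reltime(roll["delete"])
    return t


def plan_key_rolls(roll, now, count, overlap):
    """Schedule `count` successive keys under one <key-roll>.

    The first key is pre-dated so that it is active at `now`; each
    successor's generation is back-computed so that it activates `overlap`
    (a RELTIME) before its predecessor becomes inactive.
    """
    lead = parse_reltime(roll["publish"]) + parse_reltime(roll["activate"])
    keys = [key_timeline(roll, now - lead)]
    for _ in range(count - 1):
        next_activate = keys[-1]["inactive"] - parse_reltime(overlap)
        keys.append(key_timeline(roll, next_activate - lead))
    return keys


def always_one_active(keys):
    """True when no gap exists: every successor activates no later than its
    predecessor goes inactive (the property the page says dates are chosen for)."""
    return all(nxt["activate"] <= prev["inactive"] for prev, nxt in zip(keys, keys[1:]))


# Constructed ZSK-style calendar: published a day after generation, active a
# day later, signing for 30 days, removed a week after deactivation.
SAMPLE_ROLL = {"publish": "+1d", "activate": "+1d", "inactive": "+30d", "delete": "+7d"}
_NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)  # fixed "now" so results are reproducible


def schedule_in_days(roll, count, overlap):
    """The planned schedule expressed as whole days relative to _NOW."""
    return [{event: (when - _NOW).days for event, when in key.items()}
            for key in plan_key_rolls(roll, _NOW, count, overlap)]


def planned_schedule_is_gapless():
    return always_one_active(plan_key_rolls(SAMPLE_ROLL, _NOW, 3, "+2d"))


def misconfigured_schedule_is_gapless():
    """Two keys generated 40 days apart under SAMPLE_ROLL: the second only
    activates on day 42 while the first stopped signing on day 32."""
    keys = [key_timeline(SAMPLE_ROLL, _NOW + timedelta(days=40 * i)) for i in range(2)]
    return always_one_active(keys)


if __name__ == "__main__":
    for i, key in enumerate(schedule_in_days(SAMPLE_ROLL, 3, "+2d")):
        print("key %d: %s" % (i, ", ".join("%s=day %d" % item for item in key.items())))
    print("planned calendar gapless:", planned_schedule_is_gapless())
    print("40-day spacing gapless:", misconfigured_schedule_is_gapless())
```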
1022
1023 <key-template>
1024 The key-template section is used by dnssec policies and is
1025 meant to be referenced by a key-suite section. It contains the
1026 various parameters of a key for its generation.
1027
1028 id STR
1029 default: -
1030
1031 id of the key-template section.
1032
1033 ksk FLAG
1034 default: false
1035
1036 When this flag is enabled a ksk will be generated. When
1037 disabled a zsk will be generated.
1038
1039 algorithm ENUM
1040 default: 7
1041
1042 Sets the algorithm of the key. Supported values are:
1043 ’DSA’; 3; ’RSASHA1’; 5; ’NSEC3DSA’; 6; ’NSEC3RSASHA1’; 7;
1044 ’RSASHA256’; 8; ’RSASHA512’; 10; ’ECDSAP256SHA256’; 13;
1045 ’ECDSAP384SHA384’; 14.
1046
1047 size INT
1048 default: 0
1049
1050 The length of the key in bits (incompatible sizes will be
1051 rejected). (MIN: 0; MAX: 4096)
1052
1053 <denial>
1054 The denial section is used by dnssec policies and is meant to
1055 be referenced by a dnssec-policy section. It is used to define
1056 the NSEC3 denial parameters of a dnssec policy. Policies using a
1057 NSEC denial don't need to use this section.
1058
1059 id STR
1060 default: -
1061
1062 id of the denial section.
1063
1064 salt HEXSTR
1065 default: empty
1066
1067 A base16 encoded sequence of bytes used as the salt pa‐
1068 rameter of the NSEC3 chain.
1069
1070 salt-length INT
1071 default: 0
1072
1073 If the salt parameter isn't set, generates a random salt
1074 parameter of that length. (MIN: 0; MAX: 255)
1075
1076 iterations INT
1077 default: 1
1078
1079 Iteration parameter of the NSEC3 chain. (MIN: 0; MAX:
1080 65535)
1081
1082 optout FLAG
1083 default: false
1084
1085 Enables opt-out coverage in the NSEC3 chain. When this
1086 flag is enabled, delegations which do not have a DS
1087 record will not be covered by an NSEC3 record.
1088
1090 Examples of containers defined for a configuration file.
1091
1092 * Main
1093
1094 1. Main section example
1095
1096 <main>
1097 # Detach from the console (alias: daemonize)
1098 daemon off
1099
1100 # Jail the application
1101 chroot off
1102
1103 # The path of the log files (alias: chroot-path)
1104 chrootpath "/chroot/yadifad"
1105
1106 # The path of the log files (alias: log-path)
1107 logpath "/var/log/yadifa"
1108
1109 # The location of the pid file (alias: pid-file)
1110 pidfile "/var/run/yadifa/yadifad.pid"
1111
1112 # The path of the zone files (alias: data-path)
1113 datapath "/var/lib/yadifa"
1114
1115 # The path of the DNSSEC keys (alias: keys-path)
1116 keyspath "/var/lib/yadifa/keys"
1117
1118 # The path of the transfer and journaling files (AXFR & IXFR) (alias: xfr-path)
1119 xfrpath "/var/lib/yadifa/xfr"
1120
1121 # A string returned by a query of hostname. CH TXT
1122 # note: if you leave this out, the real hostname will be given back (alias: hostname-chaos)
1123 hostname "server-yadifad"
1124
1125 # An ID returned by a query to id.server. CH TXT (alias: serverid-chaos)
1126 serverid "yadifad-01"
1127
1128 # The version returned by a query to version.yadifa. CH TXT (alias: version-chaos)
1129 version 2.5.0
1130
1131 # Set the maximum UDP packet size.
1132 # note: the packetsize cannot be less than 512 or more than 65535.
1133 # Typical choice is 4096.
1134 edns0-max-size 4096
1135
1136 # The maximum number of parallel TCP queries (max-tcp-connections)
1137 max-tcp-queries 100
1138
1139 # The minimum data rate for a TCP query (in bytes per second)
1140 tcp-query-min-rate 512
1141
1142 # The user id to use (alias: user)
1143 uid yadifa
1144
1145 # The group id to use (alias: group)
1146 gid yadifa
1147
1148 # The DNS port - any DNS query will use that port unless a specific value is used (alias: server-port)
1149 port 53
1150
1151 # The interfaces to listen to.
1152 listen 127.0.0.1, 192.0.2.2, 192.0.2.130 port 8053, 2001:db8::2
1153
1154 # Type of querylog to use
1155 # 0: none
1156 # 1: yadifa
1157 # 2: bind
1158 # 3: both yadifa and bind
1159 queries-log-type 1
1160
1161 # Enable the collection and logging of statistics
1162 statistics on
1163
1164 # Maximum number of seconds between two statistics lines
1165 statistics-max-period 60
1166
1167 # Drop queries with erroneous content
1168 #
# answer-formerr-packets on
answer-formerr-packets off

# Maximum number of records in an AXFR packet. Set to 1 for compatibility
# with very old name servers (alias: axfr-max-record-by-packet)
axfr-maxrecordbypacket 0

# Global Access Control rules
#
# Rules can be defined on network ranges, TSIG signatures, and ACL rules

# simple queries:
#
# allow-query any
allow-query !192.0.2.251,any

# dynamic update of a zone
#
# allow-update none
allow-update admins

# dynamic update of a slave (forwarded to the primary)
#
# allow-update-forwarding none
allow-update-forwarding admins,key abroad-admin-key

# transfer of a zone (AXFR or IXFR)
#
# allow-transfer any
allow-transfer transferer

# notify of a change in the primary
#
# allow-notify any
allow-notify primary,admins

# If YADIFA has the controller enabled, allow control only for these
# clients (none by default)
allow-control controller

# override the number of CPUs detected by yadifad
cpu-count-override 3

# set the number of threads to serve queries
thread-count-by-address 2

</main>


* Key
TSIG-key configuration

1. Admin-key key definition (the name is arbitrary)

<key>
name abroad-admin-key
algorithm hmac-md5
secret WorthlessKeyForExample==
</key>


2. primary-secondary key definition (the name is arbitrary)

<key>
name primary-secondary
algorithm hmac-md5
secret PrimaryAndSecondaryKey==
</key>


* ACL
Access Control List definitions

1. primary-secondary key use

<acl>
transferer key primary-secondary
admins 192.0.2.0/24, 2001:db8::74
primary 192.0.2.53
localhost 127.0.0.0/8, ::1
controller key controller # the ACL for the controller MUST use a key
</acl>

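The following script is an added example, not part of yadifad or of this manual page. It parses the container format described at the top of this page (a `<name>` ... `</name>` block of `variable value` lines, `#` comments, ACL lists split on `,` or `;`) and checks the access-control wiring of the `<main>`, `<zone>`, `<acl>` and `<key>` sections: every element of an allow-* rule must be `any`, `none`, an address or prefix, a `key NAME` matching the `name` of a `<key>` section, or the name of an `<acl>` entry, and the ACL used by `allow-control` must be key-based, as the comment in the `<acl>` example above requires. Treating an unrecognised bare word as a reference to another ACL is an assumption about the syntax, and the sample configuration embedded at the bottom is constructed for the demonstration (it contains two deliberate mistakes).

```python
"""Lint the access-control wiring of a yadifad.conf-style file (added example)."""
import ipaddress
import re

ALLOW_RULES = ("allow-query", "allow-update", "allow-update-forwarding",
               "allow-transfer", "allow-notify", "allow-control")


def parse_containers(text):
    """Return [(container_name, [(variable, value), ...]), ...] in file order."""
    blocks, current = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and indentation
        if not line:
            continue
        tag = re.fullmatch(r"<(/?)([\w-]+)>", line)
        if tag:
            closing, name = tag.groups()
            if closing:
                if current is None or current[0] != name:
                    raise ValueError(f"unexpected {line}")
                current = None
            else:
                if current is not None:
                    raise ValueError(f"nested container {line} inside <{current[0]}>")
                current = (name, [])
                blocks.append(current)
            continue
        if current is None:
            raise ValueError(f"statement outside any container: {line}")
        parts = line.split(None, 1)                  # "variable value"
        current[1].append((parts[0], parts[1].strip() if len(parts) > 1 else ""))
    if current is not None:
        raise ValueError(f"unclosed container <{current[0]}>")
    return blocks


def split_acl_list(value):
    """Elements are separated by ',' or ';'; a leading '!' negates an element."""
    return [e.strip() for e in re.split(r"[,;]", value) if e.strip()]


def is_address(token):
    try:
        ipaddress.ip_network(token, strict=False)
        return True
    except ValueError:
        return False


def uses_key(element, acls):
    """True if the element is a TSIG reference itself or an ACL built on one."""
    return element.startswith("key ") or any(
        e.lstrip("!").startswith("key ") for e in acls.get(element, []))


def lint(text):
    blocks = parse_containers(text)
    keys = {v for n, body in blocks if n == "key" for var, v in body if var == "name"}
    acls = {var: split_acl_list(val) for n, body in blocks if n == "acl" for var, val in body}
    findings = []

    def check(where, element):
        element = element.lstrip("!")
        if element.startswith("key "):
            if element[4:].strip() not in keys:
                findings.append(f"{where}: TSIG key '{element[4:].strip()}' has no <key> section")
        elif element not in ("any", "none") and not is_address(element) and element not in acls:
            findings.append(f"{where}: ACL '{element}' is not defined in <acl>")

    for acl_name, elements in acls.items():          # assumption: ACLs may reference ACLs
        for e in elements:
            check(f"<acl> {acl_name}", e)
    for name, body in blocks:
        for var, val in body:
            if var not in ALLOW_RULES:
                continue
            for e in split_acl_list(val):
                check(f"<{name}> {var}", e)
                if var == "allow-control" and e.lstrip("!") != "none" \
                        and not uses_key(e.lstrip("!"), acls):
                    findings.append(f"<{name}> allow-control: '{e}' is not key-based; "
                                    "the controller ACL must use a TSIG key")
    return findings


# Constructed sample modelled on the page's examples, with two deliberate mistakes.
SAMPLE_CONF = """\
<main>
allow-query !192.0.2.251,any
allow-update admins
allow-update-forwarding admins,key abroad-admin-key
allow-transfer transferer
allow-control controller
</main>

<key>
name abroad-admin-key
</key>

<key>
name primary-secondary
</key>

<acl>
transferer key primary-secondary
admins 192.0.2.0/24, 2001:db8::74
controller 192.0.2.10          # mistake: an address, not a key
</acl>

<zone>
type primary
domain mydomain.eu
allow-transfer mirrors         # mistake: this ACL is never defined
</zone>
"""
```

Running `lint(SAMPLE_CONF)` reports the address-based controller ACL and the undefined `mirrors` ACL. Applied to the examples on this page it would also flag the `controller` ACL, because the key named `controller` does not appear among the `<key>` sections shown above.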

* NSID
DNS NameServer IDentifier

1. Example with ASCII

<nsid>
ascii belgium-brussels-01
</nsid>


2. Example with hex

<nsid>
hex 00320201
</nsid>


* RRL
Response Rate Limiting

1. Example

<rrl>
# Number of identical responses per second before responses are limited
responses-per-second 5

# Number of errors per second before responses are limited
errors-per-second 5

# Random slip parameter
slip 10

# If enabled, the rate limits are only logged and not enforced
log-only off

# Mask applied to group the IPv4 clients
ipv4-prefix-length 24

# Mask applied to group the IPv6 clients
ipv6-prefix-length 56

# The following clients are not subject to rate limits (aka whitelist)
exempt-clients none

# Enable or disable the rate limit capabilities
enabled yes
</rrl>


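To make the `<rrl>` parameters concrete, here is an added simulation of response rate limiting; it is an illustration written for this page, not yadifad's implementation. It models the common RRL scheme: one token bucket per (client prefix, response identity) refilled every second, a separate per-prefix bucket for error responses, exempt clients bypassing the limiter, and `log-only` recording hits without enforcing them. The precise meaning of `slip` in yadifad is not spelled out above, so the code assumes the usual behaviour: once a bucket is exhausted, roughly one in `slip` limited responses is sent truncated (TC=1) so a genuine client falls back to TCP, and the rest are dropped. The traffic in `simulate()` is constructed.

```python
"""Response Rate Limiting decisions driven by <rrl>-style settings (added example)."""
import ipaddress
import random


class ResponseRateLimiter:
    def __init__(self, responses_per_second=5, errors_per_second=5, slip=10,
                 log_only=False, ipv4_prefix_length=24, ipv6_prefix_length=56,
                 exempt_clients=(), enabled=True, rng=None):
        self.rps, self.eps, self.slip = responses_per_second, errors_per_second, slip
        self.log_only, self.enabled = log_only, enabled
        self.v4len, self.v6len = ipv4_prefix_length, ipv6_prefix_length
        self.exempt = [ipaddress.ip_network(n, strict=False) for n in exempt_clients]
        self.rng = rng or random.Random(0)     # seeded so runs are reproducible
        self.buckets = {}                       # key -> (second, tokens left)
        self.log = []                           # what a log-only deployment would record

    def client_group(self, client_ip):
        """Clients are aggregated per /24 (IPv4) or /56 (IPv6) prefix."""
        addr = ipaddress.ip_address(client_ip)
        length = self.v4len if addr.version == 4 else self.v6len
        return ipaddress.ip_network(f"{addr}/{length}", strict=False)

    def decide(self, client_ip, response_key, now, is_error=False):
        """Return 'answer', 'truncate' or 'drop' for one candidate response."""
        if not self.enabled:
            return "answer"
        addr = ipaddress.ip_address(client_ip)
        if any(addr in net for net in self.exempt):
            return "answer"
        group = self.client_group(client_ip)
        # Error responses (NXDOMAIN, REFUSED, ...) share one bucket per prefix;
        # positive answers get a bucket per (prefix, response identity).
        key = (group, "error") if is_error else (group, response_key)
        limit = self.eps if is_error else self.rps
        second = int(now)
        bucket_second, tokens = self.buckets.get(key, (second, limit))
        if bucket_second != second:
            tokens = limit                      # a new second refills the bucket
        if tokens > 0:
            self.buckets[key] = (second, tokens - 1)
            return "answer"
        self.buckets[key] = (second, 0)
        self.log.append(f"t={second} limit reached for {group} ({key[1]})")
        if self.log_only:
            return "answer"
        # assumed slip semantics: about 1 in `slip` limited responses is truncated
        if self.slip > 0 and self.rng.randrange(self.slip) == 0:
            return "truncate"
        return "drop"


def simulate():
    """Constructed traffic: one /24 repeats the same answer 8 times within a
    second, an unrelated /24 asks once, an exempt monitor asks 20 times, and
    the flooding /24 comes back in the next second."""
    rrl = ResponseRateLimiter(exempt_clients=["192.0.2.53/32"])
    q = ("www.mydomain.eu.", "A")
    flood = [rrl.decide("203.0.113.7", q, now=1000.0 + i * 0.05) for i in range(8)]
    other = rrl.decide("198.51.100.9", q, now=1000.3)
    monitor = [rrl.decide("192.0.2.53", q, now=1000.4) for _ in range(20)]
    next_second = rrl.decide("203.0.113.200", q, now=1001.0)
    return {"flood": flood, "other": other, "monitor": monitor, "next_second": next_second}
```

With the page's values, the first five identical answers within a second go out and the remaining three are dropped or truncated, while the unrelated /24 and the exempt monitoring host are unaffected; the same /24 is answered again as soon as the next second begins. Running the same traffic with `log_only=True` answers everything and leaves the hits in `rrl.log`, which is the sensible way to tune `responses-per-second` before enforcing it.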
* Zone

1. Primary domain zone config

<zone>
# This server is primary for the zone (mandatory)
type primary

# The domain name (mandatory)
domain mydomain.eu

# The zone file, relative to 'datapath' (mandatory for a primary) (alias: file-name)
file primaries/mydomain.eu

# List of servers also notified of a change (besides the ones in the zone file) (alias: notifies, notify)
also-notify 192.0.2.84, 192.0.2.149

# Set the size of the journal file in KB (alias: journal-size-kb)
journal-size 8192

# Allow dynupdate for these ACL entries
allow-update admins

# Allow AXFR/IXFR for these ACL entries
allow-transfer transferer

# Use DNSSEC policy "1"; otherwise remove or comment out the line below
dnssec-policy 1
</zone>


2. Slave domain zone config

<zone>
# This server is slave for that zone (mandatory)
type slave

# The domain name (mandatory)
domain myotherdomain.eu

# The address of the primary (mandatory for a slave, forbidden for a primary) (alias: primary)
primaries 191.0.2.53 port 4053 key primary-secondary

# The zone file, relative to 'datapath'.
file slaves/myotherdomain.eu

# Accept notifies from these ACL entries
allow-notify primary
</zone>


* DNSSEC-Policy

DNSSEC-Policy needs some extra sections: key-suite, key-roll, key-template
(and denial if NSEC3 is configured)

1. dnssec-policy example with all the needed sections

Example with NSEC3:
<dnssec-policy>
id "1"

description "Example of ZSK and KSK"
denial "nsec3-with-salt-on"
key-suite "zsk-1024"
key-suite "ksk-2048"
</dnssec-policy>

Example with NSEC:
<dnssec-policy>
id "2"

description "Example of ZSK and KSK"
denial nsec
key-suite "zsk-1024"
key-suite "ksk-2048"
</dnssec-policy>


2. key-suite
<key-suite>
id "ksk-2048"

key-template "ksk-2048"
key-roll "yearly-schedule"
</key-suite>

<key-suite>
id "zsk-1024"

key-template "zsk-1024"
key-roll "monthly-schedule"
</key-suite>


3. key-roll
<key-roll>
id "yearly-schedule"

generate 5 0 15 6 * *    # this year (2018) 15/06 at 00:05
publish 10 0 15 6 * *    # 00:10
activate 15 0 16 6 * *   # 16/06 at 00:15
inactive 15 0 17 6 * *   # (2019) 17/06 at 00:15
remove 15 11 18 6 * *    # (2019) 18/06 at 11:15
</key-roll>

<key-roll>
id "monthly-schedule"

generate 5 0 * * tue 0   # 1st tuesday of the month at 00:05
publish 10 0 * * tue 0   # 00:10
activate 15 0 * * wed 0  # 1st wednesday of the month at 00:15
inactive 15 0 * * thu 0  # 1st thursday of the month at 00:15
remove 15 11 * * fri 0   # 1st friday of the month at 11:15
</key-roll>


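The schedule lines in a `<key-roll>` are compact, and a mistake there (an activation that never fires, or one that fires before publication) is only noticed when validators start failing. As an added example, not yadifad code, the following matcher interprets the six fields so the instants a rule denotes can be listed and sanity-checked before the policy goes live. The field order and meaning are inferred from the comments in the examples above and are an assumption: `minute hour day-of-month month day-of-week week-of-month`, with `*` as wildcard, weekdays `mon`..`sun`, and week-of-month counted from 0 (so `tue 0` is the first Tuesday of a month).

```python
"""Interpret six-field key-roll schedule lines (added example, field semantics assumed)."""
from datetime import datetime, timedelta

WEEKDAYS = {"mon": 0, "tue": 1, "wed": 2, "thu": 3, "fri": 4, "sat": 5, "sun": 6}
FIELDS = ("minute", "hour", "day", "month", "weekday", "week")


def parse_rule(line):
    """'generate 5 0 * * tue 0' -> ('generate', {field: value}); None means wildcard."""
    fields = line.split("#", 1)[0].split()          # ignore a trailing comment
    if len(fields) != 7:
        raise ValueError(f"expected an event name and six fields: {line!r}")
    event, *values = fields
    spec = {}
    for name, value in zip(FIELDS, values):
        if value == "*":
            spec[name] = None
        elif name == "weekday" and value.lower() in WEEKDAYS:
            spec[name] = WEEKDAYS[value.lower()]
        else:
            spec[name] = int(value)
    return event, spec


def day_matches(spec, day):
    """Date-level fields only; week-of-month 0 is the first occurrence (assumed)."""
    return (spec["day"] in (None, day.day) and spec["month"] in (None, day.month)
            and spec["weekday"] in (None, day.weekday())
            and spec["week"] in (None, (day.day - 1) // 7))


def matches(spec, when):
    """True if the minute `when` satisfies every non-wildcard field."""
    return (day_matches(spec, when) and spec["hour"] in (None, when.hour)
            and spec["minute"] in (None, when.minute))


def next_match(spec, start, horizon_days=2 * 366):
    """First minute at or after `start` matching `spec`, or None within the horizon."""
    day = start.replace(hour=0, minute=0, second=0, microsecond=0)
    for _ in range(horizon_days):
        if day_matches(spec, day):                  # only expand minutes on matching days
            hours = range(24) if spec["hour"] is None else [spec["hour"]]
            minutes = range(60) if spec["minute"] is None else [spec["minute"]]
            for h in hours:
                for m in minutes:
                    candidate = day.replace(hour=h, minute=m)
                    if candidate >= start:
                        return candidate
        day += timedelta(days=1)
    return None


def rule_matches(line, when_iso):
    """String front end: rule_matches('generate 5 0 15 6 * *', '2018-06-15T00:05')."""
    return matches(parse_rule(line)[1], datetime.fromisoformat(when_iso))


def next_match_iso(line, start_iso):
    """Next instant for a rule line from an ISO-8601 start, as 'YYYY-MM-DDTHH:MM'."""
    when = next_match(parse_rule(line)[1], datetime.fromisoformat(start_iso))
    return None if when is None else when.isoformat(timespec="minutes")
```

Read from 2018-01-01, the yearly `generate` rule resolves to 2018-06-15 00:05 as the comment above states, and the monthly `generate` rule resolves to Tuesday 2018-06-05 00:05 when read from the start of June 2018 (the second Tuesday, 2018-06-12, does not match because its week-of-month is 1).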

4. key-template
<key-template>
id "ksk-2048"

ksk true
algorithm 8
size 2048
</key-template>

<key-template>
id "zsk-1024"

ksk false
algorithm 8
size 1024
</key-template>


5. denial
<denial>
id "nsec3-with-salt-on"

salt "ABCD"
algorithm 1
iterations 5
optout off
</denial>


<denial>
id "nsec3-with-salt-length-on"

salt-length 4
algorithm 1
iterations 5
optout off
</denial>


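The `<denial>` section chooses the NSEC3 hash algorithm, salt and iteration count that every hashed owner name in the zone is derived from. As an added example (not yadifad code) the function below computes those hashed names exactly as RFC 5155 section 5 defines them: IH(salt, x, 0) = H(x || salt) and IH(salt, x, k) = H(IH(salt, x, k-1) || salt), with H = SHA-1 for hash algorithm 1, x the owner name in canonical lowercase wire format, and the result written in Base32 with the extended hex alphabet and no padding. Salts are passed as bytes; the page does not say how yadifad parses the quoted `salt` value, so no interpretation of `"ABCD"` is assumed here. The RFC 5155 Appendix A vector (zone `example.`, salt `aabbccdd`, 12 iterations) is used to check the implementation.

```python
"""NSEC3 hashed owner names per RFC 5155 section 5 (added example)."""
import base64
import hashlib

# Base32 (RFC 4648 section 6) -> Base32 with extended hex alphabet (section 7)
_B32_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                               "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def name_to_wire(name):
    """Canonical wire format: lowercase labels, each length-prefixed, then the root label."""
    name = name.lower().rstrip(".")
    out = bytearray()
    for label in (name.split(".") if name else []):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"invalid label {label!r}")
        out.append(len(raw))
        out += raw
    out.append(0)
    return bytes(out)


def sha1_round(data, salt):
    """One NSEC3 round: H(data || salt) with H = SHA-1."""
    return hashlib.sha1(data + salt).digest()


def nsec3_digest(name, salt, iterations, algorithm=1):
    """Raw 20-byte digest; `iterations` extra rounds follow the initial hash,
    so a zone signed with iterations 5 costs six SHA-1 computations per name."""
    if algorithm != 1:
        raise ValueError("NSEC3 defines only hash algorithm 1 (SHA-1)")
    digest = sha1_round(name_to_wire(name), salt)
    for _ in range(iterations):
        digest = sha1_round(digest, salt)
    return digest


def nsec3_hash(name, salt, iterations, algorithm=1):
    """Hashed owner label as it appears in the zone (base32hex, lowercase, no padding)."""
    b32 = base64.b32encode(nsec3_digest(name, salt, iterations, algorithm)).decode("ascii")
    return b32.translate(_B32_TO_B32HEX).rstrip("=").lower()


if __name__ == "__main__":
    # RFC 5155 Appendix A: example. with salt aabbccdd and 12 iterations
    print(nsec3_hash("example.", bytes.fromhex("aabbccdd"), 12))
```

Two properties worth keeping in mind when choosing the values: the same name hashes identically regardless of the case it is queried in, and every additional iteration is one more SHA-1 per name for the signer and for every validator that must disprove a name. RFC 9276 accordingly recommends an iteration count of 0 and an empty salt; the `iterations 5` in the example above is therefore a legacy-style setting rather than a recommendation.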
* Channels

Logging output-channel configurations:

It contains a list of user-defined outputs for the logger.

The "name" is arbitrary and is used for identification in the <loggers>.
The "stream-name" defines the output type (i.e. a file name, a program
output or syslog).
The "arguments" are specific to the output type (i.e. unix file access
rights or syslog options and facilities).

1. Example: YADIFA running as daemon channel definition.

<channels>
# name        stream-name       arguments
database      database.log      0644
dnssec        dnssec.log        0644
server        server.log        0644
statistics    statistics.log    0644
system        system.log        0644
queries       queries.log       0644
zone          zone.log          0644
all           all.log           0644

gziplog       "|/usr/bin/gzip - >> /var/log/yadifa.log.gz"

syslog        syslog            user
</channels>


2. Example: YADIFA running in debug mode.
This example shows the "stderr" and "stdout" channels, which can
also be used in the first example but will output to the
console.

<channels>
# name        stream-name       arguments
syslog        syslog            user

stderr        STDERR
stdout        STDOUT
</channels>


* Loggers

Logging input configurations:

The "bundle" is the name of the section of YADIFA being logged; sources
are: database, dnssec, queries, server, stats, system, zone.
The "debuglevel" uses the same names as syslog.
Additionally, "*" or "all" means all the levels; "prod" means all but
the debug levels.

The "channels" are a comma-separated list of channels.

1. Example without syslog

<loggers>
# bundle      debuglevel                              channels
database      ALL                                     database,all
dnssec        warning                                 dnssec,all
server        INFO,WARNING,ERR,CRIT,ALERT,EMERG       server,all
stats         prod                                    statistics
system        *                                       system,all
queries       *                                       queries
zone          *                                       zone,all
</loggers>


2. Example with syslog

<loggers>
# bundle      debuglevel                              channels
database      ALL                                     database,syslog
dnssec        warning                                 dnssec,syslog
server        INFO,WARNING,ERR,CRIT,ALERT,EMERG       server,syslog
stats         prod                                    statistics, syslog
system        *                                       system,syslog
queries       *                                       queries,syslog
zone          *                                       zone,syslog
</loggers>


yadifad(8)

Since unquoted leading whitespace is generally ignored in yadifad.conf,
you can indent everything to taste.

Please check the file README from the sources.

Version: 2.5.3 of 2021-10-25.

There exists a mailing list for questions relating to any program in the
yadifa package:

* yadifa-users@mailinglists.yadifa.eu
for submitting questions/answers.

* http://www.yadifa.eu/mailing-list-users
for subscription requests.

If you would like to stay informed about new versions and official
patches, send a subscription request via:

* http://www.yadifa.eu/mailing-list-announcements

(this is a read-only list).

Copyright
(C)2011-2021, EURid
B-1831 Diegem, Belgium
info@yadifa.eu

Gery Van Emelen
Email: Gery.VanEmelen@EURid.eu
Eric Diaz Fernandez
Email: Eric.DiazFernandez@EURid.eu

WWW: http://www.EURid.eu

YADIFA 2021-10-25 YADIFAD-CONF(5)