1YADIFAD-CONF(5) YADIFA YADIFAD-CONF(5)
2
6 yadifad.conf - configuration file for yadifad(8).
7
9 ${SYSCONFDIR}/yadifad.conf
10
12 The configuration of yadifad is consistent in a text file that can op‐
13 tionally include others. The general structure is a sequence of con‐
14 tainers: a sequence of lines of text starting with a <container-name>
15 and ending with a </container-name>. Each line between these delimit‐
16 ters is in the form: variable-name value. The format of the value is
17 determined by the type of the variable.
18 TYPES
20 There are 15 types:
21 ACL
23 A list of ACL descriptors. User-defined ACLs are found in the
24 ACL section. The "any" and "none" descriptors are always de‐
25 fined. Elements of the list are separated by a "," or a ";".
26 DNSSECTYPE
28 A DNSSEC type name. It can be a DNSSEC-enabled value ("nsec",
29 "nsec3" or "nsec3-optout") or a DNSSEC-disabled value ("none",
30 "no", "off" or "0").
31 ENUM
33 A word from a specified set.
34 FLAG
36 A boolean value. It can be true ("1", "enable", "enabled",
37 "on", "true", "yes") or false ("0", "disable", "disabled",
38 "off", "false", "no").
39 FQDN
41 A fully-qualified domain name text string. e.g.: www.eurid.eu.
42 GID
44 Group ID. (Can be a number or a name)
45 HOST(S)
47 A (list of) host(s). A host is defined by an IP (v4 or v6) and
48 can be followed by the word `port' and a port number. Elements
49 of the list are separated by a `,' or a `;'.
50 INTEGER / INT
52 A base-ten integer.
53 NETMOD
55 A word or integer that identifies the network model:
56 single or 0 Each working thread reads a single message, pro‐
57 cesses its answer and replies to it.
58 buffered or 1 Working threads are working by couple. One reads a
59 single message and queues it, one de-queues it, processes its
60 answer and replies to it.
61 multi or 2 Each working thread reads a multiple messages, pro‐
62 cesses their answers and replies to them.
63 PATH / FILE
65 A file or directory path. i.e.: "/var/zones".
66 STRING / STR
68 A text string. Double quotes can be used but are not mandatory.
69 Without quotes the string will be taken from the first non-blank
70 charater to the last non-blank character.
71 HEXSTR
73 A hexadecimal even-length text string.
74 RELDATE
76 A cron-like date to be matched, relative to another. The col‐
77 umns are minutes [0;59], hours [0;23], days [0;31], months
78 [1;12], weekdays [mon,tue,wed,thu,fri,sat,sun] and
79 week-of-the-month [0;4]. Multiple values can be set in a column
80 cell using ',' as a separator. The '*' character can be used to
81 set all possible values of its column cell.
82 RELTIME
84 A time offset relative to another. It's written as +inte‐
85 ger[unit-character] (e.g.: +24h) where the unit character can be
86 seconds, minutes, hours, days or weeks.
87 SECONDS
89 A base-ten integer.
90 HOURS
92 A base-ten integer.
93 DAYS
95 A base-ten integer.
96 UID
98 User ID. (Can be a number or a name)
99 CONTAINERS
101 The configuration of yadifad has several containers:
102 <main>
104 General container
105 <key>
107 TSIG keys
108 <acl>
110 Access lists
111 <nsid>
113 NameServer IDentifier
114 <rrl>
116 Response Rate Limiting directives
117 <zone>
119 Description of the domain name in specific attributes.
120 <channels>
122 Description of the logger outputs.
123 <dnssec-policy>
125 Description of dnssec policies.
126 <key-suite>
128 Description of the key-suites needed if 'dnssec policies' are
129 used.
130 <key-roll>
132 Description of the key-rolls needed if 'dnssec policies' are
133 used.
134 <key-template>
136 Description of the key-templates needed if 'dnssec policies'
137 are used.
138 <denial>
140 Description of 'denial', this can be used in certain 'dnssec
141 policies'.
142 The configuration supports included files.
144 example: include /etc/yadifa/conf.d/local.conf
145 The configuration files can be nested.
147 The configuration consists of:
149 * Container, which starts with <container name> and ends with
151 </container name>
152 * Variable name
154 * 1 or 2 arguments
156 * Arguments can contain 1 or more comma separated values.
158 STANDARD SECTIONS
160 <main>
161 General container, contains all the configuration parameters
162 needed to start up yadifad.
163 allow-control ACL
165 default: none
166 Default server-control access control list. Only the
168 sources matching the ACL are accepted.
169 allow-notify ACL
171 default: any
172 Default notify access control list. Only the servers
174 matching the ACL will be handled.
175 allow-query ACL
177 default: any
178 Default query access control list. Only the clients
180 matching the ACL will be replied to.
181 allow-transfer ACL
183 default: none
184 Default transfer access control list. Only the clients
186 matching the ACL will be allowed to transfer a zone
187 (axfr/ixfr).
188 allow-update ACL
190 default: none
191 Default update access control list. Only the clients
193 matching the ACL will be allowed to update a zone.
194 allow-update-forwarding ACL
196 default: none
197 Default update-forwarding access control list. Only the
199 sources matching the ACL are accepted.
200 answer-formerr-packets FLAG
202 default: true
203 If this flag is disabled; the server will not reply to
205 badly formatted packets.
206 axfr-compress-packets FLAG
208 default: true
209 Enables the dns packet compression of each axfr packet.
211 axfr-max-packet-size INT
213 default: 4096 bytes
214 The maximum size of an axfr packet. (MIN: 512; MAX:
216 65535)
217 axfr-max-record-by-packet INT
219 default: 0
220 The maximum number of records in each axfr packet. Older
222 name servers can only handle 1. Set to 0 to disable the
223 limit. (MIN: 0; MAX: 65535)
224 axfr-retry-delay SECONDS
226 default: 600
227 Number of seconds between each retry for the first trans‐
229 fer from the primary name server. (MIN: 60; MAX: 86400)
230 axfr-retry-jitter SECONDS
232 default: 180
233 Jitter applied to axfr-retry-delay. (MIN: 60; MAX:
235 axfr-retry-delay)
236 axfr-retry-failure-delay-multiplier INT
238 default: 5
239 Linear back-off multiplier. The multiplier times the num‐
241 ber of failures is added to the xfr-retry-delay. (MIN: 0;
242 MAX: 86400)
243 axfr-retry-failure-delay-max SECONDS
245 default: 3600
246 Maximum delay added for the back-off. (MIN: 0; MAX:
248 604800)
249 axfr-strict-authority FLAG
251 default: yes (unless --enable-non-aa-axfr-support was
252 used)
253 Tells yadifad to be strict with the AA flag in AXFR an‐
255 swers
256 chroot FLAG
258 default: off
259 Enabling this flag will make the server jail itself in
261 the chroot-path directory.
262 chroot-path; chrootpath PATH
264 default: /
265 The directory used for the jail.
267 cpu-count-override INT
269 default: 0
270 Overrides the detected number of logical cpus. Set to 0
272 for automatic. (MIN: 0; MAX: 256)
273 daemon; daemonize FLAG
275 default: false
276 Enabling this flag will make the server detach from the
278 console and work in background.
279 data-path; datapath PATH
281 default: zones
282 The base path were lies the data (zone file path; jour‐
284 naling data; temporary files; etc.)
285 do-not-listen HOSTS
287 default: -
288 An exclusion list of addresses to never listen to. If
290 set, 0.0.0.0 and ::0 will always be split by interface to
291 isolate the address.
292 edns0-max-size INT
294 default: 4096
295 edns0 packets size. (MIN: 512; MAX: 65535)
297 gid; group GID
299 default: 0 (or root)
300 The group ID that the server will use.
302 hidden-primary; hidden-master FLAG
304 default: no
305 As a hidden primary more CPU will be used for various
307 maintenance tasks.
308 hostname-chaos; hostname STR
310 default: the host name
311 The string returned by a hostname-chaos TXT CH query.
313 keys-path; keyspath PATH
315 default: zones/keys
316 The base path of the dnssec keys.
318 listen HOSTS
320 default: 0.0.0.0,::0
321 The list of interfaces to listen to.
323 log-files-disabled FLAG
325 default: no
326 If set, disables checking the log-path directory for ex‐
328 istence and writing rights.
329 log-path; logpath PATH
331 default: log
332 The base path where the log files are written.
334 log-unprocessable FLAG
336 default: off
337 Enabling this flag will make the server log unprocessable
339 queries.
340 max-tcp-queries; max-tcp-connections INT
342 default: 16
343 The maximum number of parallel tcp queries; allowed.
345 (MIN: 1; MAX: 255)
346 network-model NETMOD
348 default: multi
349 Sets the networking model of yadifa.
351 pid-file; pidfile STR
353 default: run/yadifad.pid
354 The pid file name.
356 queries-log-type INT
358 default: 1
359 Query log format. (0: none; 1: yadifa format; 2: BIND
361 format; 3: yadifa and BIND format at once)
362 serverid-chaos; serverid STR
364 default: -
365 The string returned by a id.server. TXT CH query. If not
367 set; REFUSED is answered.
368 server-port; port INT
370 default: 53
371 The default dns port. (MIN: 1; MAX: 65535)
373 sig-validity-interval DAYS
375 default: 30
376 The number of days for which an automatic signature is
378 valid. (MIN: 7 days; MAX: 30 days)
379 sig-validity-jitter; sig-jitter SECONDS
381 default: 3600
382 The signature expiration validity jitter in seconds (1
384 hour). (MIN: 0 sec; MAX: 86400 sec)
385 sig-validity-regeneration HOURS
387 default: automatic
388 Signatures expiring in less than the indicated amount of
390 hours will be recomputed. The default will be chosen by
391 yadifa. (MIN: 24 hours; MAX: 168 hours)
392 statistics FLAG
394 default: true
395 The server will log a report line about some internal
397 statistics.
398 statistics-max-period SECONDS
400 default: 60
401 The period in seconds between two statistics log lines.
403 (MIN: 1 sec; MAX: 31 * 86400 seconds (31 days))
404 tcp-query-min-rate INT
406 default: 512 bytes/second
407 The minimum transfer rate required in a tcp connection
409 (read and write). Slower connections are closed. The
410 units are bytes per second. (MIN: 0; MAX: 4294967295
411 thread-affinity-base INT
413 default: 0
414 Sets the first CPU to set affinity for. Set it to the
416 real CPU of a core. (MIN: 0; MAX: 3)
417 thread-affinity-multiplier INT
419 default: 0
420 Sets the multiplier chosing CPU to set affinity for. Al‐
422 lows avoiding hyperthread cores. Set to 0 for automatic
423 avoiding. (MIN: 0; MAX: 4)
424 thread-count-by-address INT
426 default: -1
427 Number of independent threads used to process each lis‐
429 tening address. Set to -1 for automatic. Set to 0 for
430 single threaded. (MIN: -1; MAX: number of CPU's)
431 uid; user UID
433 default: 0 (or root)
434 The user ID that the server will use.
436 version-chaos; version STR
438 default: yadifa version#
439 The text to include in the version TXT CH query.
441 xfr-connect-timeout SECONDS
443 default: 5
444 Timeout for establishing a connection for axfr and ixfr
446 transfers. Set to 0 to disable. (MIN: 0; MAX: 4294967295)
447 xfr-path; xfrpath PATH
449 default: zones/xfr
450 The base path used for axfr and journal storage.
452 zone-download-thread-count INT
454 default: 4
455 Number of independent threads used to download the zones.
457 (MIN: 0; MAX: 255)
458 zone-load-thread-count INT
460 default: 1
461 Number of independent threads used to process loading of
463 the zones. (MIN: 0; MAX: 255)
464 zone-store-thread-count INT
466 default: 1
467 Sets the number of threads used to store a zone on disk
469 (MIN: 1, MAX: 4).
470 zone-unload-thread-count INT
472 default: 1
473 Sets the number of threads used to delete a zone from
475 memory (MIN: 1, MAX: 4).
476 worker-backlog-queue-size INT
478 default: 16384
479 For network-model 1, sets the size of the backlog queue
481 (MIN: 4096, MAX: 1048576).
482 <key>
484 TSIG keys
485 algorithm ENUM
487 default: -
488 Mandatory. Sets the algorithm of the key.
490 Supported values are:
493 hmac-md5
495 hmac-sha1
497 hmac-sha224
499 hmac-sha256
501 hmac-sha384
503 hmac-sha512
505 (the algorithm names are case insensitive)}
507 name FQDN
509 default: -
510 Mandatory. Sets the name of the key.
512 secret TEXT
514 default: -
515 Mandatory. Sets the value of the key. BASE64 encoded.
517 <acl>
519 Access lists
520 Each entry of the acl section defines a rule of access. Each rule is a
522 name (a single user-defined word) followed by a rule in the form of a
523 list of statements. The separator can be "," or ";". The "any" and
524 "none" names are reserved. A statement tells if a source is accepted
525 or rejected. Reject statements are prefixed with "!". Statements are
526 evaluated in the following order: first from more specific to less spe‐
527 cific, then from reject to accept. If a statement matches, the evalua‐
528 tion will stop and accordingly accept or reject the source. If no
529 statement matches, then the source is rejected.
530 A statement can be either:
532 * An IPv4 or an IPv6 address followed (or not) by a mask.
534 [!]ipv4 |ipv6 [/mask]
535 For example:
537 * internal-network 192.0.2.128/26;2001:DB8::/32
539 * The word `key' followed by the name of a TSIG key.
541 key key-name
542 For example:
544 * slaves key public-slave;key hidden-slave
546 * An ACL statement name from the acl section. Note that
548 negation and recursion are forbidden and duly rejected.
549 acl-name
550 For example:
552 * who-can-ask-for-an-ixfr primary;secon‐
554 daries;127.0.0.1
555 <nsid>
557 NameServer IDentifier
558 ascii STR
560 default: ""
561 The string can be 512 characters long.
563 hex
565 default: ""
566 <rrl>
568 Response Rate Limiting directives
569 responses-per-second INT
571 default: 5
572 Allowed response rate.
574 errors-per-second INT
576 default: 5
577 Allowed error rate.
579 slip INT
581 default: 2
582 Random slip parameter.
584 log-only FLAG
586 default: false
587 If set to true, logs what it should do without doing it.
589 ipv4-prefix-length INT
591 default: 24
592 Mask applied to group the IPv4 clients.
594 ipv6-prefix-length INT
596 default: 56
597 Mask applied to group the IPv6 clients.
599 exempt-clients ACL
601 default: none
602 Clients maching this rule are not subject to the RRL.
604 enabled FLAG
606 default: false
607 Enables the RRL
609 min-table-size INT
611 default: 1024
612 RRL buffer minimum size
614 max-table-size INT
616 default: 16384
617 RRL buffer maximum size
619 window INT
621 default: 15
622 RRL sliding window size in seconds
624 <zone>
626 Description of the domain name in specific attributes.
627 allow-control ACL
629 default: as main
630 Control commands control list. Only the matching sources
632 are allowed.
633 allow-notify ACL
635 default: as main
636 Notify access control list. Only the servers matching the
638 ACL will be handled.
639 allow-query ACL
641 default: as main
642 Query access control list. Only the clients matching the
644 ACL will be replied to.
645 allow-transfer ACL
647 default: as main
648 Tansfer access control list. Only the clients matching
650 the ACL will be allowed to transfer a zone (axfr/ixfr
651 allow-update ACL
653 default: as main
654 Update access control list. Only the clients matching the
656 ACL will be allowed to update a zone.
657 allow-update-forwarding ACL
659 default: as main
660 Update forwarding control list. Only the matching sources
662 are allowed.
663 dnssec-mode; dnssec DNSSEC-TYPE
665 default: off
666 Type of dnssec used for the zone. As primary name sever;
668 yadifa will try to maintain that state.
669 dnssec-policy STR
671 default: -
672 Sets the dnssec-policy id to be used.
674 domain FQDN
676 default: -
677 Mandatory. Sets the domain of the zone (i.e.: eurid.eu).
679 drop-before-load FLAG
681 default: off
682 Enabling this flag will make the server drop the zone be‐
684 fore loading the updated zone from disk. Use this on sys‐
685 tems constrained for RAM.
686 file-name; file FILE
688 default: -
689 Sets the zone file name. Only mandatory for a primary
691 zone.
692 journal-size-kb INT
694 default: 0
695 Puts a soft limit on the size of the journal; expressed
697 in KB. (MIN: 0; MAX: 3698688 (3GB))
698 keys-path; keyspath PATH
700 default: as main
701 The base path of the dnssec keys.
703 maintain-dnssec FLAG
705 default: true
706 Enabling this flag will cause the server to try and main‐
708 tain rrsig records
709 primaries; primary; masters; master HOSTS
711 default: -
712 Mandatory for a slave. Sets the primary server(s). Multi‐
714 ple primaries are supported.
715 multiprimary-retries; multimaster-retries INT
717 default: 0
718 The number of times the primary is unreachable before
720 switching to a different primary (MIN: 0; MAX: 255)
721 no-primary-updates; no-master-updates FLAG
723 default: false
724 Enabling this flag will prevent the server from probing
726 or downloading changes from the primary
727 notifies; also-notify; notify HOSTS
729 default: -
730 The list of servers to notify in the event of a change.
732 Currently only used by primaries when a dynamic update
733 occurs.
734 notify-auto FLAG
736 default: true
737 Enabling this flag will cause notify messages to be sent
739 to all name servers in the APEX. Disabling this flags
740 causes the content of APEX to be ignored (ns Records).
741 notify-retry-count INT
743 default: 5
744 Number of times yadifa tries to send a notify. (MIN: 0;
746 MAX: 10)
747 notify-retry-period INT
749 default: 1
750 Time period in minutes between two notify attempts. (MIN:
752 1; MAX: 600)
753 notify-retry-period-increase INT
755 default: 0
756 Increase of the time period in minutes between two notify
758 attempts. (MIN: 0; MAX: 600)
759 rrsig-nsupdate-allowed FLAG
761 default: false
762 If this flag is set the server allows to edit RRSIG
764 records using dynamic updates.
765 sig-validity-interval DAYS
767 default: as main
768 The number of days for which an automatic signature is
770 valid. (MIN: 7 days; MAX: 30 days)
771 sig-validity-regeneration HOURS
773 default: as main
774 The signatures expiring in less than the indicated amount
776 of hours will be recomputed. (MIN: 24 hours; MAX: 168
777 hours)
778 sig-validity-jitter SECONDS
780 default: as main
781 The signature expiration validity jitter in seconds.
783 (MIN: 0 sec; MAX: 86400 sec)
784 true-multiprimary; true-multimaster FLAG
786 default: off
787 Enabling this flag will make the server use axfr when
789 switching to a new primary
790 type ENUM
792 default: -
793 Mandatory. Sets the type of zone : either primary/master
795 or secondary/slave.
796 <channels>
798 Description of the logger outputs.
799 It contains a list descriptions of user-defined outputs for the logger.
801 Depending on the kind of output, the format is different.
802 The "name" is arbitrary and is used for identification in the <log‐
804 gers>.
805 The "stream-name" defines the output type (ie: a file name, a program
806 output or syslog).
807 The "arguments" are specific to the output type (ie: unix file access
808 rights or syslog options and facilities).
809 * file output stream channel-name file-name access-rights
811 (octal).
812 * pipe to a program channel-name "| shell command" chan‐
814 nel-name "| path-to-program program arguments >> ap‐
815 pend-redirect"
816 * STDOUT, STDERR output stream channel-name stdout chan‐
818 nel-name stderr
819 * syslog channel-name syslog syslog-facility
821 <loggers>
823 Description of the logger outputs sources.
824 Sets the output of a pre-defined logger from yadifad.
826 The format of the line is: logger-name output-filter comma-sepa‐
828 rated-channel-names
829 Filters are:
831 DEBUG7, DEBUG6, DEBUG5, DEBUG4, DEBUG3, DEBUG2, DEBUG1, DEBUG, INFO,
832 NOTICE, WARNING, ERR, CRIT, ALERT, EMERG
833 Additionally, there are:
835 * ALL (or '*') meaning all the filters.
837 * PROD means all but the DEBUG filters.
839 The defined loggers are:
841 system
843 contains low level messages about the system such as
844 memory allocation, threading, IOs, timers and cryptogra‐
845 phy, ...
846 database
848 It contains messages about most lower-level operations
849 in the DNS database. ie: journal, updates, zone loading
850 and sanitization, DNS message query resolution, ...)
851 dnssec
853 contains messages about lower-level dnssec operations in
854 the DNS database. ie: status, maintenance, verification,
855 ...
856 server
858 contains messages about operations in the DNS server.
859 ie: start up, shutdown, configuration, transfers, various
860 services status (database management, network management,
861 DNS notification management, dynamic update management,
862 resource rate limiting, ...)
863 zone
865 contains messages about the loading of a zone from a
866 source (file parsing, transferred binary zone reading,
867 ...)
868 stats
870 contains the statistics of the server.
871 queries
873 contains the queries on the server. Queries can be
874 logged with the BIND and/or with the YADIFA format.
875 BIND format:
876 client sender-ip#port: query: fqdn class type +SETDC
877 (listen-ip)
878 YADIFA format:
879 query [ id ] {+SETDC} fqdn class type (sender-ip#port)
880 where:
881 id is the query message id
883 + means the message has the Recursion Desired flag
885 set
886 S means the message is signed with a TSIG
888 E means the message is EDNS
890 T means the message was sent using TCP instead of
892 UDP
893 D means the message has the DNSSEC OK flag set
895 C means the message has the Checking Disabled flag
897 set
898 fqdn is the queried FQDN
900 class is the queried class
902 type is the queried type
904 sender-ip
906 is the IP of the client that sent the query
907 port is the port of the client that sent the query
909 listen-ip
911 is the listen network interface that received the
912 message
913 Note that on YADIFA any unset flag is replaced by a '-',
915 on BIND only the '+' follows that rule.
916 System operators will mostly be interested in the info and above
918 messages of queries and stats, as well as the error and above
919 messages of the other loggers.
920 DNSSEC-POLICY
922 There are 5 sections:
923 <dnssec-policy>
925 The dnssec-policy section binds up to four key suites and a de‐
926 nial mode. It is meant to be used as a dnssec-policy parameter
927 in a zone section. Usually two key-suite will be given: one for
928 a KSK and one for a ZSK. The denial mode can be either 'nsec'
929 either the name of a denial section.
930 id STR
932 default: -
933 id of the dnssec-policy section.
935 description STR
937 default: -
938 Description for the dnssec-policy section.
940 key-suite STR
942 default: -
943 id of the key-suite to be used. Usually both a KSK and a
945 ZSK suites are given.
946 denial STR
948 default: nsec
949 id of the denial to be used for nsec3 or the argument
951 'nsec' to use nsec.
952 <key-suite>
954 The key-suite section is used by dnssec policies and is meant
955 to be referenced by a dnssec-policy section. A key-suite links
956 a key definition (key-template) with a deployment calendar
957 (key-roll).
958 id STR
960 default: -
961 id of the key-suite section.
963 key-template STR
965 default: -
966 id of the key-template to be used.
968 key-roll STR
970 default: -
971 id of the key-roll to be used.
973 <key-roll>
975 The key-roll section is used by dnssec policies and is meant to
976 be referenced by a key-suite section. It's essentially a de‐
977 ployment calendar. Each event is computed relatively to an‐
978 other. Dates are chosen so that there is always a key in an ac‐
979 tive state. Please look at the examples as a misconfiguration
980 could easily span the life of a key over several years. (e.g.:
981 by too restrictive on the matching conditions) If the RELDATE
982 format is being used, the first valid date matching the line is
983 used. Usage of the RELDATE format is recommended over the REL‐
984 TIME one.
985 id RELDATE|RELTIME
987 default: -
988 id of the key-roll section.
990 generate RELDATE|RELTIME
992 default: -
993 Time when the key must be generated. Pre-dated before so
995 it's active right now if it's the first one. Always com‐
996 puted so that the next activation happens before the last
997 deactivation.
998 publish RELDATE|RELTIME
1000 default: -
1001 Time when the key must be published in the zone. Relative
1003 to the generation.
1004 activate RELDATE|RELTIME
1006 default: -
1007 Time when the key will be used for signing the zone or
1009 apex of the zone. Relative to the publication.
1010 inactive RELDATE|RELTIME
1012 default: -
1013 Time when the key will not be used anymore for signing.
1015 Relative to the activation.
1016 delete RELDATE|RELTIME
1018 default: -
1019 Time when the key will be removed out of the zone. Rela‐
1021 tive to the deactivation.
1022 <key-template>
1024 The key-template section is used by dnssec policies and is
1025 meant to be referenced by a key-suite section. It contains the
1026 various parameters of a key for its generation.
1027 id STR
1029 default: -
1030 id of the key-template section.
1032 ksk FLAG
1034 default: false
1035 When this flag is enabled a ksk will be generated. When
1037 disabled a zsk will be generated.
1038 algorithm ENUM
1040 default: 7
1041 Sets the algorithm of the key. Supported values are:
1043 ’DSA’; 3; ’RSASHA1’; 5; ’NSEC3DSA’; 6; ’NSEC3RSASHA1’; 7;
1044 ’RSASHA256’; 8; ’RSASHA512’; 10; ’ECDSAP256SHA256’; 13;
1045 ’ECDSAP384SHA384’; 14.
1046 size INT
1048 default: 0
1049 The length of the key in bits (incompatible sizes will be
1051 rejected). (MIN: 0; MAX: 4096)
1052 <denial>
1054 The denial section is used by dnssec policies and is meant to
1055 be referenced by a dnssec-policy section. It is used to define
1056 the NSEC3 denial parameters of a dnssec policy. Policies using a
1057 NSEC denial don't need to use this section.
1058 id STR
1060 default: -
1061 id of the denial section.
1063 salt HEXSTR
1065 default: empty
1066 A base16 encoded sequence of bytes used as the salt pa‐
1068 rameter of the NSEC3 chain.
1069 salt-length INT
1071 default: 0
1072 If the salt parameter isn't set, generates a random salt
1074 parameter of that length. (MIN: 0; MAX: 255)
1075 iterations INT
1077 default: 1
1078 Iteration parameter of the NSEC3 chain. (MIN: 0; MAX:
1080 65535)
1081 optout FLAG
1083 default: false
1084 Enables opt-out coverage in the NSEC3 chain. When this
1086 flag is enabled, delegations which do not have a DS
1087 record will not be covered by an NSEC3 record.
1088
1090 Examples of containers defined for a configuration file.
1091 * Main
1093 1. Main section example
1095 <main>
1097 # Detach from the console (alias: daemonize)
1098 daemon off
1099 # Jail the application
1101 chroot off
1102 # The path of the log files (alias: chroot-path)
1104 chrootpath "/chroot/yadifad"
1105 # The path of the log files (alias: log-path)
1107 logpath "/var/log/yadifa"
1108 # The location of the pid file (alias: pid-file)
1110 pidfile "/var/run/yadifa/yadifad.pid"
1111 # The path of the zone files (alias: data-path)
1113 datapath "/var/lib/yadifa"
1114 # The path of the DNSSEC keys (alias: keys-path)
1116 keyspath "/var/lib/yadifa/keys"
1117 # The path of the transfer and journaling files (AXFR & IXFR) (alias: xfr-path)
1119 xfrpath "/var/lib/yadifa/xfr"
1120 # A string returned by a query of hostname. CH TXT
1122 # note: if you leave this out, the real hostname will be given back (alias: hostname-chaos)
1123 hostname "server-yadifad"
1124 # An ID returned by a query to id.server. CH TXT (alias: serverid-chaos)
1126 serverid "yadifad-01"
1127 # The version returned by a query to version.yadifa. CH TXT (alias: version-chaos)
1129 version 2.5.0
1130 # Set the maximum UDP packet size.
1132 # note: the packetsize cannot be less than 512 or more than 65535.
1133 # Typical choice is 4096.
1134 edns0-max-size 4096
1135 # The maximum number of parallel TCP queries (max-tcp-connections)
1137 max-tcp-queries 100
1138 # The minimum data rate for a TCP query (in bytes per second)
1140 tcp-query-min-rate 512
1141 # The user id to use (alias: user)
1143 uid yadifa
1144 # The group id to use (alias: group)
1146 gid yadifa
1147 # The DNS port - any DNS query will use that port unless a specific value is used (alias: server-port)
1149 port 53
1150 # The interfaces to listen to.
1152 listen 127.0.0.1, 192.0.2.2, 192.0.2.130 port 8053, 2001:db8::2
1153 # Type of querylog to use
1155 # 0: none
1156 # 1: yadifa
1157 # 2: bind
1158 # 3: both yadifa and bind
1159 queries-log-type 1
1160 # Enable the collection and logging of statistics
1162 statistics on
1163 # Maximum number of seconds between two statistics lines
1165 statistics-max-period 60
1166 # Drop queries with erroneous content
1168 #
1169 # answer-formerr-packets on
1170 answer-formerr-packets off
1171 # Maximum number of records in an AXFR packet. Set to 1 for compatibility
1173 # with very old name servers (alias: axfr-max-record-by-packet)
1174 axfr-maxrecordbypacket 0
1175 # Global Access Control rules
1177 #
1178 # Rules can be defined on network ranges, TSIG signatures, and ACL rules
1179 # simple queries:
1181 #
1182 # allow-query any
1183 allow-query !192.0.2.251,any
1184 # dynamic update of a zone
1186 #
1187 # allow-update none
1188 allow-update admins
1189 # dynamic update of a slave (forwarded to the primary)
1191 #
1192 # allow-update-forwarding none
1193 allow-update-forwarding admins,key abroad-admin-key
1194 # transfer of a zone (AXFR or IXFR)
1196 #
1197 # allow-transfer any
1198 allow-transfer transferer
1199 # notify of a change in the primary
1201 #
1202 # allow-notify any
1203 allow-notify primary,admins
1204 # If YADIFA has the controller enabled, allow control only for these
1206 # clients (none by default)
1207 allow-control controller
1208 # overwrite the amount of CPUs detected by yadifad
1210 cpu-count-override 3
1211 # set the number of threads to serve queries
1213 thread-count-by-address 2
1214 </main>
1216 * Key
1219 TSIG-key configuration
1220 1. Admin-key key definition (the name is arbitrary)
1222 <key>
1224 name abroad-admin-key
1225 algorithm hmac-md5
1226 secret WorthlessKeyForExample==
1227 </key>
1228 2. primary-secondary key definition (the name is arbitrary)
1231 <key>
1233 name primary-secondary
1234 algorithm hmac-md5
1235 secret PrimaryAndSecondaryKey==
1236 </key>
1237 * ACL
1240 Access Control List definitions
1241 1. primary-secondary key use
1243 <acl>
1245 transferer key primary-secondary
1246 admins 192.0.2.0/24, 2001:db8::74
1247 primary 192.0.2.53
1248 localhost 127.0.0.0/8, ::1
1249 controller key controller # the ACL for the controller MUST use a key
1250 </acl>
1251 * NSID
1254 DNS NameServer IDentifier
1255 1. Example with ascii
1257 <nsid>
1259 ascii belgium-brussels-01
1260 </nsid>
1261 2. Example with hex
1264 <nsid>
1266 hex 00320201
1267 </nsid>
1268 * RRL
1271 Response Rate Limiting
1272 1. Example
1274 <rrl>
1276 # Number of identical responses per second before responses are being limited
1277 responses-per-second 5
1278 # Number of errors per second before responses are being limited
1280 errors-per-second 5
1281 # Random slip parameter
1283 slip 10
1284 # If enabled, the rate limits are only logged and not enforced
1286 log-only off
1287 # Mask applied to group the IPv4 clients
1289 ipv4-prefix-length 24
1290 # Mask applied to group the IPv6 clients
1292 ipv6-prefix-length 56
1293 # Rate limits are not subject to the following clients (aka whitelist)
1295 exempt-clients none
1296 # Enable or disable the rate limit capabilities
1298 enabled yes
1299 </rrl>
1300 * Zone
1303 1. Primary domain zone config
1305 <zone>
1307 # This server is primary for the zone (mandatory)
1308 type primary
1309 # The domain name (mandatory)
1311 domain mydomain.eu
1312 # The zone file, relative to 'datapath' (mandatory for a primary) (alias: file-name)
1314 file primaries/mydomain.eu
1315 # List of servers also notified of a change (beside the ones in the zone file) (alias: notifies, notify)
1317 also-notify 192.0.2.84, 192.0.2.149
1318 # Set the size of the journal file in KB (alias: journal-size-kb)
1320 journal-size 8192
1321 # Allow dynupdate for these ACL entries
1323 allow-update admins
1324 # Allow AXFR/IXFR for these ACL entries
1326 allow-transfer transferer
1327 # Use DNSSEC policies otherwise remove or put in remark line below
1329 dnssec-policy 1
1330 </zone>
1331 2. Slave domain zone config
1334 <zone>
1336 # This server is slave for that zone (mandatory)
1337 type slave
1338 # The domain name (mandatory)
1340 domain myotherdomain.eu
1341 # The address of the primary (mandatory for a slave, forbidden for a primary) (alias: primary)
1343 primaries 191.0.2.53 port 4053 key primary-secondary
1344 # The zone file, relative to 'datapath'.
1346 file slaves/myotherdomain.eu
1347 # Accept notifes from these ACL entries
1349 allow-notify primary
1350 </zone>
1351 * DNSSEC-Policy
1354 DNSSEC-Policy needs some extra sections: key-suite, key-roll, key-tem‐
1356 plate (and denial if NSEC3 is configured)
1357 1. dnssec-policy example with all the needed sections
1359 example with NSEC3
1361 <dnssec-policy>
1362 id "1"
1363 description "Example of ZSK and KSK"
1365 denial "nsec3-with-salt-on"
1366 key-suite "zsk-1024"
1367 key-suite "ksk-2048"
1368 </dnssec-policy>
1369 example with NSEC
1371 <dnssec-policy>
1372 id "2"
1373 description "Example of ZSK and KSK"
1375 denial nsec
1376 key-suite "zsk-1024"
1377 key-suite "ksk-2048"
1378 </dnssec-policy>
1379 2. key-suite
1382 <key-suite>
1383 id "ksk-2048"
1384 key-template "ksk-2048"
1386 key-roll "yearly-schedule"
1387 </key-suite>
1388 <key-suite>
1390 id "zsk-1024"
1391 key-template "zsk-1024"
1393 key-roll "monthly-schedule"
1394 </key-suite>
1395 3. key-roll
1398 <key-roll>
1399 id "yearly-schedule"
1400 generate 5 0 15 6 * * # this year (2018) 15/06 at 00:05
1402 publish 10 0 15 6 * * # 00:10
1403 activate 15 0 16 6 * * # 16/06 at 00:15
1404 inactive 15 0 17 6 * * # (2019) 17/06 at 00:15
1405 remove 15 11 18 6 * * # (2019) 18/06 at 11:15
1406 </key-roll>
1407 <key-roll>
1409 id "monthly-schedule"
1410 generate 5 0 * * tue 0 # 1 tuesday of the month at 00:05
1412 publish 10 0 * * tue 0 # 00:10
1413 activate 15 0 * * wed 0 # 1 wednesday of the month at 00:15
1414 inactive 15 0 * * thu 0 # 1 thursday of the month at 00:15
1415 remove 15 11 * * fri 0 # 1 friday of the month at 11:15
1416 </key-roll>
1417 4. key-template
1420 <key-template>
1421 id "ksk-2048"
1422 ksk true
1424 algorithm 8
1425 size 2048
1426 </key-template>
1427 <key-template>
1429 id "zsk-1024"
1430 ksk false
1432 algorithm 8
1433 size 1024
1434 </key-template>
1435 5. denial
1438 <denial>
1439 id "nsec3-with-salt-on"
1440 salt "ABCD"
1442 algorithm 1
1443 iterations 5
1444 optout off
1445 </denial>
1446 <denial>
1449 id "nsec3-with-salt-length-on"
1450 salt-length 4
1452 algorithm 1
1453 iterations 5
1454 optout off
1455 </denial>
1456 * Channels
1459 Logging output-channel configurations:
1461 It contains a list of user-defined outputs for the logger.
1463 The "name" is arbitrary and is used for identification in the <log‐
1465 gers>.
1466 The "stream-name" defines the output type (ie: a file name, a program
1467 output or syslog).
1468 The "arguments" are specific to the output type (ie: unix file access
1469 rights or syslog options and facilities).
1470 1. Example: YADIFA running as daemon channel definition.
1472 <channels>
1474 # name stream-name arguments
1475 database database.log 0644
1476 dnssec dnssec.log 0644
1477 server server.log 0644
1478 statistics statistics.log 0644
1479 system system.log 0644
1480 queries queries.log 0644
1481 zone zone.log 0644
1482 all all.log 0644
1483 gziplog "|/usr/bin/gzip \- >> /var/log/yadifa.log.gz"
1485 syslog syslog user
1487 </channels>
1488 2. Example: YADIFA running in debug mode.
1491 This example shows the "stderr" and "stdout" which can
1492 also be used in the first example, but will output to the
1493 console.
1494 <channels>
1496 # name stream-name arguments
1497 syslog syslog user
1498 stderr STDERR
1500 stdout STDOUT
1501 </channels>
1502 * Loggers
1505 Logging input configurations:
1507 The "bundle" is the name of the section of YADIDA being logged, sources
1509 are : database, dnssec, queries, server, stats, system, zone.
1510 The "debuglevel" uses the same names as syslog.
1511 Additionally, "*" or "all" means all the levels; "prod" means all but
1512 the debug levels.
1513 The "channels" are a comma-separated list of channels.
1515 1. Example without syslog
1517 <loggers>
1519 # bundle debuglevel channels
1520 database ALL database,all
1521 dnssec warning dnssec,all
1522 server INFO,WARNING,ERR,CRIT,ALERT,EMERG server,all
1523 stats prod statistics
1524 system * system,all
1525 queries * queries
1526 zone * zone,all
1527 </loggers>
1528 2. Example with syslog
1531 <loggers>
1533 # bundle debuglevel channels
1534 database ALL database,syslog
1535 dnssec warning dnssec,syslog
1536 server INFO,WARNING,ERR,CRIT,ALERT,EMERG server,syslog
1537 stats prod statistics, syslog
1538 system * system,syslog
1539 queries * queries,syslog
1540 zone * zone,syslog
1541 </loggers>
1542
1545 yadifad(8)
1546
1548 Since unquoted leading whitespace is generally ignored in the yadi‐
1549 fad.conf you can indent everything to taste.
1550
1552 Please check the file README from the sources.
1553
1555 Version: 2.5.3 of 2021-10-25.
1556
1558 There exists a mailinglist for questions relating to any program in the
1559 yadifa package:
1560 * yadifa-users@mailinglists.yadifa.eu
1562 for submitting questions/answers.
1563 * http://www.yadifa.eu/mailing-list-users
1565 for subscription requests.
1566 If you would like to stay informed about new versions and official
1568 patches send a subscription request to via:
1569 * http://www.yadifa.eu/mailing-list-announcements
1571 (this is a readonly list).
1573
1575 Copyright
1576 (C)2011-2021, EURid
1577 B-1831 Diegem, Belgium
1578 info@yadifa.eu
1579
1581 Gery Van Emelen
1582 Email: Gery.VanEmelen@EURid.eu
1583 Eric Diaz Fernandez
1584 Email: Eric.DiazFernandez@EURid.eu
1585 WWW: http://www.EURid.eu
1587YADIFA 2021-10-25 YADIFAD-CONF(5)