YAKEYROLLD-CONF(5)                  YADIFA                  YAKEYROLLD-CONF(5)

NAME

       yakeyrolld.conf - configuration file for yakeyrolld(8).

SYNOPSIS

       ${SYSCONFDIR}/yakeyrolld.conf

DESCRIPTION

       The configuration of yakeyrolld consists of a text file that can
       optionally include others.  The general structure is a sequence of
       containers: a sequence of lines of text starting with a
       <container-name> and ending with a </container-name>.  Each line
       between these delimiters is in the form: variable-name value.  The
       format of the value is determined by the type of the variable.

       There are 7 types:

       FQDN
               A fully-qualified domain name text string. e.g.: www.eurid.eu.

       GID
               Group ID. (Can be a number or a name)

       HOST(S)
               A (list of) host(s). A host is defined by an IP (v4 or v6) and
               can be followed by the word `port' and a port number. Elements
               of the list are separated by a `,' or a `;'.

       INTEGER / INT
               A base-ten integer.

       PATH / FILE
               A file or directory path. e.g.: "/var/plans".

       STRING / STR
               A text string. Double quotes can be used but are not mandatory.
               Without quotes the string will be taken from the first non-blank
               character to the last non-blank character.

       UID
               User ID. (Can be a number or a name)

   STANDARD SECTIONS
       There are 9 sections:

       <yakeyrolld>
               General container, contains all the configuration parameters
               needed to start up yakeyrolld.

              domain  FQDN
                      default: .

                     Names one domain to manage, can be used up to 200 times.
                     In yadifad.conf, each of these domains must have
                     rrsig-nsupdate-allowed enabled in their respective <zone>
                     section.

              log-path  PATH
                      default: ${localstatedir}/log/yakeyrolld

                     The directory that will contain the log files.

              keys-path  PATH
                      default: ${localstatedir}/zones/keys

                     The directory the name server uses to read the zone key
                     files.

              plan-path  PATH
                      default: ${localstatedir}/plans

                     The directory of the step files.

              pid-path  PATH
                      default: ${localstatedir}/run

                     The directory of the pid file.

              pid-file  STRING
                      default: yakeyrolld.pid

                     The name of the pid file.

              generate-from  STRING
                      default: "now"

                     For plan generation, when to start the plan; can be
                     overridden by the command line.

              generate-until  STRING
                      default: "+1y"

                     For plan generation, when to stop the plan; can be
                     overridden by the command line.

              server  HOST
                      default: 127.0.0.1

                     The address of the name server for queries and dynamic
                     updates.

              timeout  INT
                      default: 3

                     The number of seconds spent trying to communicate with
                     the primary until it's considered a time-out.

              ttl  INT
                      default: 600

                     The default ttl value to use when generating records.

              update-apply-verify-retries  INT
                      default: 60

                     If an update isn't checked successfully, retries that
                     many times.

              update-apply-verify-retries-delay  INT
                      default: 1

                     Waits that many seconds between two update apply tries.

              match-verify-retries  INT
                      default: 60

                     If a match test fails, retries that many times.

              match-verify-retries-delay  INT
                      default: 1

                     Waits that many seconds between two match test tries.

              policy  STRING
                      default: undefined

                     The name of the policy to use when generating the plan.

              uid  UID
                      default: 0

                     The uid to switch to. This should match the name server's.

              gid  GID
                      default: 0

                     The gid to switch to. This should match the name server's.

       <dnssec-policy>
               Description of dnssec policies.

              id STR
                      default: -

                     id of the dnssec-policy section.

              description STR
                      default: -

                     Description for the dnssec-policy section.

              key-suite STR
                      default: -

                     id of the key-suite to be used.

       <key-suite>
               Description of the key-suites needed if 'dnssec policies' are
              used.

              id STR
                      default: -

                     id of the key-suite section.

              key-template STR
                      default: -

                     id of the key-template to be used.

              key-roll STR
                      default: -

                     id of the key-roll to be used.

       <key>
               TSIG keys

              algorithm ENUM
                      default: -

                     Mandatory. Sets the algorithm of the key.

                     Supported values are:

                        hmac-md5

                        hmac-sha1

                        hmac-sha224

                        hmac-sha256

                        hmac-sha384

                        hmac-sha512

                     (the algorithm names are case insensitive)

              name FQDN
                      default: -

                     Mandatory. Sets the name of the key.

              secret TEXT
                      default: -

                     Mandatory. Sets the value of the key. BASE64 encoded.

       <key-roll>
               Description of the key-rolls needed if 'dnssec policies' are
              used.

              id STR
                      default: -

                     id of the key-roll section.

              generate STR
                      default: -

                     Time when the key must be generated.

              publish STR
                      default: -

                     Time when the key must be published in the zone.

              activate STR
                      default: -

                     Time when the key will be used for signing the zone or
                     apex of the zone.

              inactive STR
                      default: -

                     Time when the key will not be used anymore for signing.

              delete STR
                      default: -

                     Time when the key will be removed from the zone.

       <key-template>
               Description of the key-templates needed if 'dnssec policies'
              are used.

              id STR
                      default: -

                     id of the key-template section.

              generate STR
                      default: -

                     Time when the key must be generated.

              publish STR
                      default: -

                     Time when the key must be published in the zone.

              activate STR
                      default: -

                     Time when the key will be used for signing the zone or
                     apex of the zone.

              inactive STR
                      default: -

                     Time when the key will not be used anymore for signing.

              delete STR
                      default: -

                     Time when the key will be removed from the zone.

       <channels>
               Description of the logger outputs.

       It contains a list of descriptions of user-defined outputs for the
       logger.  Depending on the kind of output, the format is different.

       The "name" is arbitrary and is used for identification in the
       <loggers>.
       The "stream-name" defines the output type (i.e.: a file name, a program
       output or syslog).
       The "arguments" are specific to the output type (i.e.: unix file access
       rights or syslog options and facilities).

              *      file output stream: channel-name file-name access-rights
                     (octal).

              *      pipe to a program: channel-name "| shell command" or
                     channel-name "| path-to-program program arguments >>
                     append-redirect"

              *      STDOUT, STDERR output stream: channel-name stdout or
                     channel-name stderr

              *      syslog: channel-name syslog syslog-facility

       <loggers>
               Description of the logger output sources.

       Sets the output of a pre-defined logger for yakeyrolld.

       The format of the line is: logger-name output-filter
       comma-separated-channel-names

       Filters are:
       DEBUG7, DEBUG6, DEBUG5, DEBUG4, DEBUG3, DEBUG2, DEBUG1, DEBUG, INFO,
       NOTICE, WARNING, ERR, CRIT, ALERT, EMERG

       Additionally, there are:

              *      ALL (or '*') meaning all the filters.

              *      PROD means all but the DEBUG filters.

              The defined loggers are:

              keyroll
                      contains general messages about the keyroll

              dnssec
                      contains messages about DNSSEC-related computations
                     during the generation.

              system
                      contains low level messages about the system such as
                     memory allocation, threading, IOs, timers and
                     cryptography, ...

              System operators will mostly be interested in the info and above
              messages of the keyroll and dnssec loggers.

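       As an added illustration (not code from the YADIFA project), the
       following Python reads the container format described above and applies
       two checks the <key>, <channels> and <loggers> sections imply: a <key>
       must carry name, algorithm and a BASE64 secret with one of the listed
       HMAC algorithms, and every channel a logger names must be defined in
       <channels>.  The embedded configuration is constructed; the parser
       assumes '#' starts a comment anywhere on a line (as in the key-roll
       examples) and does not handle a '#' inside a quoted string.

```python
import base64
SAMPLE_CONF = """\
# constructed sample in the container syntax described above; not a real deployment
<key>
    name        abroad-admin-key
    algorithm   HMAC-SHA256
    secret      WorthlessKeyForExample==
</key>
<channels>
    keyroll     keyroll.log     0644
</channels>
<loggers>
    keyroll     prod    keyroll
    dnssec      prod    dnssec          # no such channel is defined above
</loggers>
"""
TSIG_ALGORITHMS = {"hmac-md5", "hmac-sha1", "hmac-sha224", "hmac-sha256", "hmac-sha384", "hmac-sha512"}
LEVELS = {f"debug{i}" for i in range(1, 8)} | set("debug info notice warning err crit alert emerg all * prod".split())

def parse_containers(text):
    """Return [(container_name, [(variable, value), ...])]; '#' starts a comment (quoted '#' unsupported)."""
    containers, current = [], None
    for line in filter(None, (raw.split("#", 1)[0].strip() for raw in text.splitlines())):
        if not line.startswith("<") and current is not None:     # variable-name value
            var, *rest = line.split(None, 1)
            current[1].append((var, rest[0].strip('"') if rest else ""))
        elif line[:2] != "</" and line.endswith(">") and current is None:
            current = (line[1:-1], [])                            # <container-name> opens
        elif current is not None and line == f"</{current[0]}>":  # matching </container-name>
            containers.append(current)
            current = None
        else:
            raise ValueError(f"misplaced line: {line!r}")
    if current is not None:
        raise ValueError(f"unterminated <{current[0]}>")
    return containers

def check_tsig_key(fields):
    """Problems in one <key> container: mandatory fields, supported algorithm, BASE64 secret."""
    f = dict(fields)
    problems = [f"missing {k}" for k in ("name", "algorithm", "secret") if k not in f]
    if "algorithm" in f and f["algorithm"].lower() not in TSIG_ALGORITHMS:
        problems.append(f"unsupported algorithm {f['algorithm']}")
    try:
        base64.b64decode(f.get("secret", ""), validate=True)   # binascii.Error is a ValueError
    except ValueError:
        problems.append("secret is not valid BASE64")
    return problems

def check_loggers(containers):
    """Each <loggers> line: a known filter, then only channels that <channels> defines."""
    channels = {v for name, fields in containers if name == "channels" for v, _ in fields}
    problems = []
    for logger, rest in [x for name, fields in containers if name == "loggers" for x in fields]:
        level, _, names = rest.partition(" ")
        if level.lower() not in LEVELS:
            problems.append(f"{logger}: unknown filter {level}")
        problems += [f"{logger}: undefined channel {c!r}" for c in names.strip().split(",") if c not in channels]
    return problems
```

       Run against SAMPLE_CONF, check_tsig_key accepts the key and
       check_loggers reports the dnssec logger's undefined channel.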

EXAMPLES

       Examples of containers defined for a configuration file.

       *      Main

              1.     Config with includes

                     # start yakeyrolld.conf <yakeyrolld> container
                     include /etc/yakeyrolld/conf.d/local.conf
                     # end yakeyrolld.conf <yakeyrolld> container


              2.     Main without includes

                     <yakeyrolld>
                         # Detach from the console (alias: daemonize)
                         daemon                  off

                         # The directory to use for the log files
                         log-path                 "/var/log/yakeyrolld"

                         # The directory that yadifad uses to load private keys
                         keys-path                "/var/lib/yadifa/keys"

                         # The directory to use to store the plans
                         plan-path                "/var/lib/yadifa/plans"

                         generate-from "now"

                         generate-until "+1y"

                         server 127.0.0.1

                         policy "keyroll-policy"
                     </yakeyrolld>


       *      Key
              TSIG-key configuration

              1.     Admin-key key definition (the name is arbitrary)

                     <key>
                         name        abroad-admin-key
                         algorithm   hmac-md5
                         secret      WorthlessKeyForExample==
                     </key>


              2.     primary-secondary key definition

                     <key>
                         name        primary-secondary
                         algorithm   hmac-md5
                         secret      PrimaryAndSecondaryKey==
                     </key>


       *      DNSSEC-Policy

       DNSSEC-Policy needs some extra sections: key-suite, key-roll,
       key-template

              1.     dnssec-policy example with all the needed sections
                     <dnssec-policy>
                         id              "keyroll-policy"

                         description     "Example of ZSK and KSK"
                         key-suite       "zsk-1024"
                         key-suite       "ksk-2048"
                     </dnssec-policy>


              2.     key-suite
                     <key-suite>
                         id              "ksk-2048"

                         key-template    "ksk-2048"
                         key-roll        "yearly-calendar"
                     </key-suite>

                     <key-suite>
                         id              "zsk-1024"

                         key-template    "zsk-1024"
                         key-roll        "monthly-calendar"
                     </key-suite>


              3.     key-roll
                     <key-roll>
                         id              "yearly-calendar"

                         generate        11  10  *  1  mon  1  # January, Monday of the second week at 10:11
                         publish         11  10  *  1  tue  *  # following Tuesday at 10:11
                         activate        11  10  *  1  wed  *  # following Wednesday at 10:11
                         inactive        11  10  *  1  mon  *  # following Monday, a year after, at 10:11
                         remove          11  10  *  1  wed  *  # following Wednesday at 10:11
                     </key-roll>

                     <key-roll>
                         id              "monthly-calendar"

                         generate        17  10  *  *  mon  0  # 1st Monday of the month at 10:17
                         publish         17  10  *  *  tue  *  # following Tuesday at 10:17
                         activate        17  10  *  *  wed  *  # following Wednesday at 10:17
                         inactive        17  10  *  *  wed  *  # following Wednesday at 10:17 (one week after the activation)
                         remove          17  10  *  *  thu  *  # following Thursday at 10:17
                     </key-roll>


              4.     key-template
                     <key-template>
                         id              "ksk-2048"

                         ksk             true
                         algorithm       RSASHA512
                         size            2048
                     </key-template>

                     <key-template>
                         id              "zsk-1024"

                         ksk             false
                         algorithm       RSASHA512
                         size            1024
                     </key-template>


       *      Channels

       Logging output-channel configurations:

       It contains a list of user-defined outputs for the logger.

       The "name" is arbitrary and is used for identification in the
       <loggers>.
       The "stream-name" defines the output type (i.e.: a file name, a program
       output or syslog).
       The "arguments" are specific to the output type (i.e.: unix file access
       rights or syslog options and facilities).

              1.     Example: logging channels definition.

                     <channels>
                     #   name        stream-name     arguments
                         keyroll     keyroll.log     0644
                         dnssec      dnssec.log      0644
                         system      system.log      0644
                         all         all.log         0644
                     </channels>


       *      Loggers

       Logging input configurations:

       The "bundle" is the name of the section of yakeyrolld being logged,
       sources are: database, dnssec, queries, server, stats, system, zone.
       The "debuglevel" uses the same names as syslog.
       Additionally, "*" or "all" means all the levels; "prod" means all but
       the debug levels.

       The "channels" are a comma-separated list of channels.

              1.     Example logger configuration

                     <loggers>
                     #   bundle          debuglevel      channels
                         keyroll         prod            keyroll,all
                         dnssec          prod            dnssec,all
                         system          prod            system,all
                     </loggers>


SEE ALSO

       yakeyrolld(8)

NOTES

       Since unquoted leading whitespace is generally ignored in the
       yadifad.conf you can indent everything to taste.

CHANGES

       Please check the file README from the sources.

VERSION

       Version: 2.5.4 of 2022-02-28.

MAILING LISTS

       There exists a mailing list for questions relating to any program in
       the yadifa package:

       *      yadifa-users@mailinglists.yadifa.eu
              for submitting questions/answers.

       *      http://www.yadifa.eu/mailing-list-users
              for subscription requests.

       If you would like to stay informed about new versions and official
       patches, send a subscription request via:

       *      http://www.yadifa.eu/mailing-list-announcements

       (this is a read-only list).

       Copyright
              (C)2011-2021, EURid
              B-1831 Diegem, Belgium
              info@yadifa.eu


AUTHORS

       Gery Van Emelen
       Email: Gery.VanEmelen@EURid.eu
       Eric Diaz Fernandez
       Email: Eric.DiazFernandez@EURid.eu

       WWW: http://www.EURid.eu

YAKEYROLLD                        2022-02-28                YAKEYROLLD-CONF(5)