YAKEYROLLD(8)                        YADIFA                       YAKEYROLLD(8)


NAME

       yakeyrolld is a utility for generating a sequence of KSKs and ZSKs for
       a zone.


SYNOPSIS

       yakeyrolld command [argument]


DESCRIPTION

       The yakeyrolld program generates a sequence of KSKs and ZSKs for a zone,
       with all the steps of their lifecycles.

       yakeyrolld is part of the YADIFA distribution from EURid vzw/asbl.  The
       latest version of YADIFA can be found on:
                            http://www.yadifa.eu/download



LIFECYCLE

       A lifecycle for a key has several steps:

       *      Time of creation

       *      Time of publication

       *      Time of activation

       *      Time of de-activation

       *      Time of un-publication.

       These times are determined using a cron-like schedule.

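       The following Python script is an added illustration of the lifecycle
       above and is not part of the yakeyrolld sources.  It models the five
       lifecycle times for each key of a zone and checks what a keyroll
       schedule must satisfy before it is safe to play: the times of every
       key are in order, a key is published at least one DNSKEY TTL before it
       is activated and stays published at least one TTL after it is
       de-activated (pre-publication rollover margins in the spirit of
       RFC 6781; this margin is the example's assumption, not a statement of
       yakeyrolld's policy), and between the plan bounds (the --from/--until
       window) there is always an active KSK and an active ZSK.  Key tags,
       dates and the TTL value are constructed.

```python
"""Lifecycle checker for one zone's keys (added example; not code from yakeyrolld).

Checks made on a set of keys:
  * per key, creation <= publication <= activation <= de-activation <= un-publication;
  * a key is published at least dnskey_ttl seconds before activation and stays
    published at least dnskey_ttl seconds after de-activation (pre-publication
    rollover margin, an assumption of this example, not yakeyrolld's policy);
  * between plan_start and plan_end (the --from/--until window) there is always
    an active KSK and an active ZSK.
"""
from dataclasses import dataclass

DAY = 86400
TTL = 3600   # DNSKEY TTL, the value one would pass with --ttl (constructed)


@dataclass(frozen=True)
class KeyLifecycle:
    tag: int          # DNSKEY key tag (constructed)
    role: str         # "KSK" or "ZSK"
    created: int      # all times are Unix epoch seconds
    published: int
    activated: int
    deactivated: int
    unpublished: int

    def ordered(self) -> bool:
        return (self.created <= self.published <= self.activated
                <= self.deactivated <= self.unpublished)


def check_lifecycles(keys, dnskey_ttl, plan_start, plan_end):
    """Return human-readable problems; an empty list means the schedule is sound."""
    problems = []
    for k in keys:
        if not k.ordered():
            problems.append(f"{k.role} {k.tag}: lifecycle times are out of order")
            continue
        lead = k.activated - k.published
        if lead < dnskey_ttl:
            problems.append(f"{k.role} {k.tag}: published only {lead}s before activation (need >= {dnskey_ttl}s)")
        tail = k.unpublished - k.deactivated
        if tail < dnskey_ttl:
            problems.append(f"{k.role} {k.tag}: unpublished only {tail}s after de-activation (need >= {dnskey_ttl}s)")
    # Continuity: per role, the union of [activated, deactivated) intervals must cover the plan window.
    for role in ("KSK", "ZSK"):
        covered_until = plan_start
        for start, end in sorted((k.activated, k.deactivated) for k in keys if k.role == role and k.ordered()):
            if start > covered_until:
                problems.append(f"{role}: no active key between {covered_until} and {start}")
            covered_until = max(covered_until, end)
        if covered_until < plan_end:
            problems.append(f"{role}: no active key from {covered_until} to the end of the plan ({plan_end})")
    return problems


# Constructed sample: one KSK and three ZSKs rolled every 90 days; the last ZSK is
# pre-published only 600 seconds before it starts signing, which the check flags.
SAMPLE_KEYS = (
    KeyLifecycle(2001, "KSK", 0, 0, TTL, 400 * DAY, 400 * DAY + TTL),
    KeyLifecycle(1001, "ZSK", 0, 0, TTL, 90 * DAY, 90 * DAY + TTL),
    KeyLifecycle(1002, "ZSK", 80 * DAY, 89 * DAY, 90 * DAY, 180 * DAY, 180 * DAY + TTL),
    KeyLifecycle(1003, "ZSK", 170 * DAY, 180 * DAY - 600, 180 * DAY, 270 * DAY, 270 * DAY + TTL),
)
PLAN_START, PLAN_END = TTL, 270 * DAY


def sample_problems():
    """Run the checker over the constructed sample."""
    return check_lifecycles(SAMPLE_KEYS, TTL, PLAN_START, PLAN_END)


if __name__ == "__main__":
    for problem in sample_problems():
        print(problem)
```

       A gap in the active-ZSK coverage means the zone would be served with
       signatures no published key can validate; the same checker reports
       that as a "no active key between" problem for the affected role.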
       For all these steps, it computes the following:

       *      The expected DNSKEY and RRSIG DNSKEY records on the primary
              before the step is started

       *      The ZSK files to add

       *      The ZSK files to remove

       *      The DNSKEY and RRSIG DNSKEY records to add

       *      The DNSKEY and RRSIG DNSKEY records to remove

       *      The expected DNSKEY and RRSIG DNSKEY records on the DNS primary
              after the step has been completed.

       Each step is stored as a file. The file contains fields like:

       epochus
              An integer with the epoch of the step expressed in microseconds.

       dateus A user-friendly date text matching the epochus field.

       actions
              A list of actions expected to happen on the step (informational).

       debug  A text meant to help understand the step (informational).

       update Each entry is a dynamic update command to be sent to the server.

       expect Each entry defines one record expected to be in the zone on the
              server prior to executing the current step.

       endresult
              Each entry defines one record expected to be in the zone on the
              server after the step has been executed.

       add    Defines a key file to create in keys-path.

       del    Names a key file to delete from keys-path.

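       The following Python script is an added example, not part of the
       yakeyrolld sources, showing how the fields above fit together and how
       a plan can be linted before it is played.  It models a step with the
       fields named above and checks that dateus matches epochus, that steps
       are strictly ordered in time, that each step's expect equals the
       previous step's endresult, that replaying the update commands on
       expect yields endresult, that every endresult still contains a DNSKEY
       RRset with its RRSIG, and that a del only names a key file that was
       added earlier.  The textual form of the records, the "add <rr>" /
       "delete <rr>" syntax of the update entries, the dateus rendering and
       the key file names are assumptions of this example; the actual on-disk
       layout is not described on this page.

```python
"""Plan consistency linter for yakeyrolld-style steps (added example, not YADIFA code).

The record text, the "add <rr>" / "delete <rr>" update syntax, the dateus
rendering and the key file names are assumptions of this example.
"""
from dataclasses import dataclass, replace
from datetime import datetime, timezone


@dataclass(frozen=True)
class Step:
    epochus: int            # step time, microseconds since the Unix epoch
    dateus: str             # the same instant, human readable
    actions: tuple          # informational
    update: tuple           # dynamic update commands, applied in order
    expect: frozenset       # records that must be in the zone before the step
    endresult: frozenset    # records that must be in the zone after the step
    add: tuple = ()         # key files to create in keys-path
    delete: tuple = ()      # key files to remove ("del" in the man page)


def dateus_for(epochus: int) -> str:
    """Assumed dateus rendering: UTC with microsecond precision."""
    dt = datetime.fromtimestamp(epochus // 1_000_000, tz=timezone.utc)
    return dt.replace(microsecond=epochus % 1_000_000).strftime("%Y-%m-%d %H:%M:%S.%f")


def apply_update(records: frozenset, commands):
    """Replay nsupdate-like commands on a record set; return (new set, problems)."""
    current, problems = set(records), []
    for cmd in commands:
        verb, _, rr = cmd.partition(" ")
        if verb == "add":
            if rr in current:
                problems.append(f"add of a record already present: {rr}")
            current.add(rr)
        elif verb == "delete":
            if rr not in current:
                problems.append(f"delete of a record not present: {rr}")
            current.discard(rr)
        else:
            problems.append(f"unknown update verb in: {cmd}")
    return frozenset(current), problems


def check_plan(steps, initial_key_files=()):
    """Return human-readable problems; an empty list means the plan is consistent."""
    problems, key_files, prev = [], set(initial_key_files), None
    for i, s in enumerate(steps):
        tag = f"step {i} ({s.dateus})"
        if s.dateus != dateus_for(s.epochus):
            problems.append(f"{tag}: dateus does not match epochus {s.epochus}")
        if prev is not None and s.epochus <= prev.epochus:
            problems.append(f"{tag}: not strictly later than the previous step")
        if prev is not None and s.expect != prev.endresult:
            problems.append(f"{tag}: expect differs from the previous step's endresult")
        result, errs = apply_update(s.expect, s.update)
        problems += [f"{tag}: {e}" for e in errs]
        if result != s.endresult:
            problems.append(f"{tag}: replaying update on expect does not give endresult")
        if not (any(" IN DNSKEY " in r for r in s.endresult)
                and any(" IN RRSIG DNSKEY " in r for r in s.endresult)):
            problems.append(f"{tag}: endresult leaves the zone without a signed DNSKEY RRset")
        for f in s.add:
            if f in key_files:
                problems.append(f"{tag}: key file to add already exists: {f}")
            key_files.add(f)
        for f in s.delete:
            if f not in key_files:
                problems.append(f"{tag}: key file to delete is unknown: {f}")
            key_files.discard(f)
        prev = s
    return problems


# Constructed sample: a ZSK pre-publish roll for example.eu in two steps.
OWNER = "example.eu. 3600 IN"
KSK = f"{OWNER} DNSKEY 257 3 13 KSK-PUBKEY-PLACEHOLDER"
ZSK1 = f"{OWNER} DNSKEY 256 3 13 ZSK1-PUBKEY-PLACEHOLDER"
ZSK2 = f"{OWNER} DNSKEY 256 3 13 ZSK2-PUBKEY-PLACEHOLDER"
SIG1, SIG2, SIG3 = (f"{OWNER} RRSIG DNSKEY 13 2 3600 SIG{n}-PLACEHOLDER" for n in (1, 2, 3))
INITIAL_KEY_FILES = ("ksk-2001.private", "zsk-1001.private")   # constructed names
T0 = 1_700_000_000_000_000
T1 = T0 + 10 * 86400 * 1_000_000

STEP_PUBLISH = Step(T0, dateus_for(T0), ("publish ZSK2",),
                    (f"add {ZSK2}", f"delete {SIG1}", f"add {SIG2}"),
                    frozenset({KSK, ZSK1, SIG1}), frozenset({KSK, ZSK1, ZSK2, SIG2}),
                    add=("zsk-1002.private",))
STEP_UNPUBLISH = Step(T1, dateus_for(T1), ("unpublish ZSK1",),
                      (f"delete {ZSK1}", f"delete {SIG2}", f"add {SIG3}"),
                      STEP_PUBLISH.endresult, frozenset({KSK, ZSK2, SIG3}),
                      delete=("zsk-1001.private",))
SAMPLE_PLAN = (STEP_PUBLISH, STEP_UNPUBLISH)


def drifted_plan():
    """Same plan, but the second step's expect was not refreshed after the first."""
    return (STEP_PUBLISH, replace(STEP_UNPUBLISH, expect=STEP_PUBLISH.expect))


if __name__ == "__main__":
    print("sample plan:", check_plan(SAMPLE_PLAN, INITIAL_KEY_FILES) or "consistent")
    for p in check_plan(drifted_plan(), INITIAL_KEY_FILES):
        print("drifted plan:", p)
```

       The stale-expect case is the one worth catching: when the expect of a
       step no longer matches what the previous step left on the server, the
       dynamic update will either be refused or remove the wrong records.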

COMMANDS

       --help|-h
              Shows the help.

       --version|-V
              Prints the version of the software.

       --config|-c configfile
              Sets the configuration file to use.

       --mode|-m generate|play|playloop|print|print-json
              Sets the program mode.

       --domain fqdn
              The domain name.

       --path|-p directory
              The directory where to store the keys.

       --server|-s address
              The address of the server.

       --ttl|-t seconds
              The TTL to use for both DNSKEY and RRSIG records.

       --explain
              Prints the planned schedule.

       --reset
              Start by removing all the keys and create a new KSK and a new
              ZSK. The server will not be queried.

       --policy name
              Name of the policy to use.

       --from time
              The lower time bound covered by the plan (default: now).

       --until time
              The upper time bound covered by the plan (default: +1y).

       --dryrun
              Do not write files to disk, do not send updates to the server.

       --wait Wait for yadifad to answer before starting to work (default).

       --nowait
              Do not wait for yadifad to answer before starting to work.

       --daemon
              Daemonise the program for supported modes (default).

       --nodaemon
              Do not daemonise the program.

       --noconfirm
              Do not ask for confirmation before doing a data reset.


USAGE

       The yakeyrolld daemon writes key files in the yadifad keys directory
       and pushes DNSKEY and RRSIG records with a dynamic update.
       Zones managed by the keyroll need to have the rrsig-nsupdate-allowed
       setting enabled (<zone> section).
       In generation mode, the daemon needs access to both the plan and the
       private keys directory.
       For all other modes, the private keys directory is ignored.
       When no generation is being done, the private keys should not be kept
       on the machine; keep an encrypted backup of them in a safe place.

       Initialisation
              Destroys all current data that could exist and starts from
              nothing. Creates all the steps of the rolls up to the --until
              bound. Creates all the private keys in a separate directory.
              The directory that contains the private key files is required
              for this command as private keys will be added.
              Unless --noconfirm is given, a confirmation is asked before the
              data is reset.

              yakeyrolld -m generate --until +1y --reset

       Renewal
              In order to extend a plan further, simply do another generation.
              The operation loads the current plan, extends it to cover the
              new limit date and saves the updated version back on disk.
              Previously stored private keys may be used to generate
              signatures and new private keys may be added.
              Because of this, the directory that contains the private key
              files is required for this command.

              yakeyrolld -m generate --until +1y

       Plan calendar
              Details of the current plan can be printed on stdout using:

              yakeyrolld -m print

              The output format of that command isn't meant to be parsed by a
              program.

              For a script, use instead:

              yakeyrolld -m print-json

       Daemon
              To start rolling the keys and pushing them to the server, use:

              yakeyrolld -m playloop


FILES

       ${SYSCONFDIR}/yakeyrolld.conf
               The default yakeyrolld configuration file.

       yakeyrolld.conf.5
               Configuration man page for yakeyrolld.


SEE ALSO

       yakeyrolld.conf(5)


REQUIREMENTS

       OpenSSL
              yakeyrolld requires OpenSSL version 1.1.1 or later.


CHANGES

       Please check the ChangeLog file from the source code.


VERSION

       Version: 2.6.2 of 2022-12-09.


MAILINGLIST

       There is a mailinglist for questions relating to any program in the
       yadifa package:

       *      yadifa-users@mailinglists.yadifa.eu
              for submitting questions/answers.

       *      http://www.yadifa.eu/mailing-list-users
              for subscription requests.

       If you would like to stay informed about new versions and official
       patches, send a subscription request via:

       *      http://www.yadifa.eu/mailing-list-announcements

       (this is a read-only list).

       Copyright
              (C)2011-2021, EURid
              B-1831 Diegem, Belgium
              info@yadifa.eu


AUTHORS

       Gery Van Emelen
       Email: Gery.VanEmelen@EURid.eu
       Eric Diaz Fernandez
       Email: Eric.DiazFernandez@EURid.eu

       WWW: http://www.EURid.eu

YAKEYROLLD                         2022-12-09                     YAKEYROLLD(8)