YAKEYROLLD(8)                         YADIFA                        YAKEYROLLD(8)

NAME
       yakeyrolld - utility for generating a sequence of KSKs and ZSKs for a
       zone

SYNOPSIS
       yakeyrolld command [argument]

DESCRIPTION
       The yakeyrolld program generates a sequence of KSKs and ZSKs for a zone,
       with all the steps of their lifecycles.

       yakeyrolld is part of the YADIFA distribution from EURid vzw/asbl. The
       latest version of YADIFA can be found on:
       http://www.yadifa.eu/download

       A lifecycle for a key has several steps:

       * Time of creation

       * Time of publication

       * Time of activation

       * Time of de-activation

       * Time of un-publication.

       These times are determined using a cron-like schedule.

       For all these steps, it computes the following:

       * The expected DNSKEY and RRSIG DNSKEY records on the primary before
         the step is started

       * The ZSK files to add

       * The ZSK files to remove

       * The DNSKEY and RRSIG DNSKEY records to add

       * The DNSKEY and RRSIG DNSKEY records to remove

       * The expected DNSKEY and RRSIG DNSKEY records on the DNS primary
         after the step has been completed.

       Each step is stored as a file. The file contains fields like:

       epochus
              An integer with the epoch of the step expressed in microseconds.

       dateus A user-friendly date text matching the epochus field.

       actions
              A list of actions expected to happen on the step (informational).

       debug  A text meant to help understand the step (informational).

       update Each entry is a dynamic update command to be sent to the server.

       expect Each entry defines one record expected to be in the zone on the
              server prior to executing the current step.

       endresult
              Each entry defines one record expected to be in the zone on the
              server after the step has been executed.

       add    Defines a key file to create in keys-path.

       del    Names a key file to delete from keys-path.
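       A plan consistency check, written here as an added example (not
       yakeyrolld's own code): it takes the steps as dicts keyed by the field
       names above and verifies that epochus increases, that dateus agrees
       with epochus, that each step's expect equals the previous step's
       endresult, and that del only names key files an earlier add created.
       The dict layout, the dateus format and the sample plan are assumptions.

```python
"""Consistency checks over a yakeyrolld plan loaded as a list of step dicts.
Added example, not yakeyrolld code: the dict layout (keys named after the man
page fields), the dateus format (UTC "YYYY-MM-DD HH:MM:SS") and the sample
plan are assumptions constructed for illustration."""
from datetime import datetime, timezone


def check_plan(steps):
    """Return the problems found in an ordered plan (empty list if consistent):
    epochus must strictly increase, dateus must agree with epochus, a step's
    expect must equal the previous step's endresult, and a step may only
    delete key files that an earlier step added and no step removed since."""
    problems = []
    live = set()  # key files present in keys-path according to the plan so far
    for i, step in enumerate(steps):
        where = f"step {i} ({step['dateus']})"
        if i > 0:
            prev = steps[i - 1]
            if step["epochus"] <= prev["epochus"]:
                problems.append(f"{where}: epochus does not increase")
            if set(step["expect"]) != set(prev["endresult"]):
                problems.append(f"{where}: expect differs from previous endresult")
        when = datetime.fromtimestamp(step["epochus"] // 1_000_000, tz=timezone.utc)
        if when.strftime("%Y-%m-%d %H:%M:%S") != step["dateus"]:
            problems.append(f"{where}: dateus does not match epochus")
        for name in step["del"]:
            if name not in live:
                problems.append(f"{where}: deletes unknown key file {name}")
            live.discard(name)
        live.update(step["add"])
    return problems


# Constructed sample: a reset, then a ZSK pre-publish/retire roll. Record text
# and key file names are placeholders, not real keys.
KSK = "example.eu. 86400 IN DNSKEY 257 3 13 <ksk-placeholder>"
ZSK1 = "example.eu. 86400 IN DNSKEY 256 3 13 <zsk1-placeholder>"
ZSK2 = "example.eu. 86400 IN DNSKEY 256 3 13 <zsk2-placeholder>"
SAMPLE_PLAN = [
    {"epochus": 1_700_000_000_000_000, "dateus": "2023-11-14 22:13:20",
     "expect": [], "endresult": [KSK, ZSK1],
     "add": ["ksk.private", "zsk1.private"], "del": []},
    {"epochus": 1_700_086_400_000_000, "dateus": "2023-11-15 22:13:20",
     "expect": [KSK, ZSK1], "endresult": [KSK, ZSK1, ZSK2],
     "add": ["zsk2.private"], "del": []},
    {"epochus": 1_700_172_800_000_000, "dateus": "2023-11-16 22:13:20",
     "expect": [KSK, ZSK1, ZSK2], "endresult": [KSK, ZSK2],
     "add": [], "del": ["zsk1.private"]},
]
```

       Running check_plan over the output of print-json, once converted to
       this layout, is a cheap gate before letting playloop push updates.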

OPTIONS
       --help|-h
              Shows the help.

       --version|-V
              Prints the version of the software.

       --config|-c configfile
              Sets the configuration file to use.

       --mode|-m generate | play | playloop | print | print-json
              Sets the program mode.

       --domain fqdn
              The domain name.

       --path|-p directory
              The directory where to store the keys.

       --server|-s address
              The address of the server.

       --ttl|-t seconds
              The TTL to use for both DNSKEY and RRSIG records.

       --explain
              Prints the planned schedule.

       --reset
              Starts by removing all the keys and creating a new KSK and a new
              ZSK. The server will not be queried.

       --policy
              Name of the policy to use.

       --from time
              The lower time bound covered by the plan (default: now).

       --until time
              The upper time bound covered by the plan (default: +1y).

       --dryrun
              Do not write files to disk, do not send updates to the server.

       --wait Wait for yadifad to answer before starting to work (default).

       --nowait
              Do not wait for yadifad to answer before starting to work.

       --daemon
              Daemonise the program for supported modes (default).

       --nodaemon
              Do not daemonise the program.

       --noconfirm
              Do not ask for confirmation before doing a data reset.

       The yakeyrolld daemon writes key files in the yadifad keys directory
       and pushes DNSKEY and RRSIG records with a dynamic update.
       Zones managed by the keyroll need to have the rrsig-nsupdate-allowed
       setting enabled (<zone> section).
       In generation mode, the daemon needs access to both the plan and the
       private keys directory.
       For all other modes, the private keys directory is ignored.
       When no generation is being done, the private keys should not be kept
       on the machine; their encrypted backup should sit in a safe place.

       Initialisation
              Destroys all current data that could exist and starts from
              nothing. Creates all the steps of the rolls for the next two
              years. Creates all the private keys in a separate directory.
              The directory that contains the private key files is required
              for this command, as private keys will be added.

              yakeyrolld -m generate --until +1y --reset

       Renewal
              In order to extend a plan further, simply do another generation.
              The operation loads the current plan, extends it to cover the
              new limit date and saves the updated version back on disk.
              Previously stored private keys may be used to generate
              signatures and new private keys may be added.
              Because of this, the directory that contains the private key
              files is required for this command.

              yakeyrolld -m generate --until +1y

       Plan calendar
              Details of the current plan can be printed on stdout using:

              yakeyrolld -m print

              The output format of that command isn't meant to be parsed by a
              program.

              For a script, use instead:

              yakeyrolld -m print-json

       Daemon
              To start rolling the keys and pushing them to the server, use:

              yakeyrolld -m playloop

FILES
       ${SYSCONFDIR}/yakeyrolld.conf
              The default yakeyrolld configuration file.

       yakeyrolld.conf.5
              Configuration man page for yakeyrolld.

SEE ALSO
       yakeyrolld.conf(5)

REQUIREMENTS
       OpenSSL
              yakeyrolld requires OpenSSL version 1.1.1 or later.

CHANGES
       Please check the ChangeLog file from the source code.

VERSION
       Version: 2.6.4 of 2023-03-01.

MAILINGLIST
       There is a mailing list for questions relating to any program in the
       yadifa package:

       * yadifa-users@mailinglists.yadifa.eu
         for submitting questions/answers.

       * http://www.yadifa.eu/mailing-list-users
         for subscription requests.

       If you would like to stay informed about new versions and official
       patches, send a subscription request via:

       * http://www.yadifa.eu/mailing-list-announcements

       (this is a read-only list).

LICENSE
       Copyright
       (C)2011-2023, EURid
       B-1831 Diegem, Belgium
       info@yadifa.eu

AUTHORS
       Gery Van Emelen
       Email: Gery.VanEmelen@EURid.eu
       Eric Diaz Fernandez
       Email: Eric.DiazFernandez@EURid.eu

       WWW: http://www.EURid.eu

YAKEYROLLD                            2023-03-01                    YAKEYROLLD(8)