GSP
Quick Navigator

Search Site

Unix VPS
A - Starter
B - Basic
C - Preferred
D - Commercial
MPS - Dedicated
Previous VPSs
* Sign Up! *

Support
Contact Us
Online Help
Handbooks
Domain Status
Man Pages

FAQ
Virtual Servers
Pricing
Billing
Technical

Network
Facilities
Connectivity
Topology Map

Miscellaneous
Server Agreement
Year 2038
Credits
 

USA Flag

 

 

Man Pages
YAKEYROLLD-CONF(5) YADIFA YAKEYROLLD-CONF(5)

yakeyrolld.conf - configuration file for yakeyrolld(8).

${SYSCONFDIR}/yakeyrolld.conf

The configuration of yakeyrolld is consistent in a text file that can optionally include others. The general structure is a a sequence of containers: a sequence of lines of text starting with a <container-name> and ending with a </container-name>. Each line between these delimitters is in the form: variable-name value. The format of the value is determined by the type of the variable.

There are 7 types:

FQDN
A fully-qualified domain name text string. e.g.: www.eurid.eu.
GID
Group ID. (Can be a number or a name)
HOST(S)
A (list of) host(s). A host is defined by an IP (v4 or v6) and can be followed by the word `port' and a port number. Elements of the list are separated by a `,' or a `;'.
INTEGER / INT
A base-ten integer.
PATH / FILE
A file or directory path. i.e.: "/var/plans".
STRING / STR
A text string. Double quotes can be used but are not mandatory. Without quotes the string will be taken from the first non-blank charater to the last non-blank character.
UID
User ID. (Can be a number or a name)

There are 9 sections:
<yakeyrolld>
General container, contains all the configuration parameters needed to start up yakeyrolld.
domain FQDN
default: .

Names one domain to manage, can be used up to 200 times. In yadifad.conf, each of these domains must have rrsig-nsupdate-allowed enabled in their respective <zone> section.

log-path PATH
default: ${localstatedir}/log/yakeyrolld

The directory that will contain the log files.

keys-path PATH
default: ${localstatedir}/zones/keys

The directory the name server uses to read zone key file.

plan-path PATH
default: ${localstatedir}/plans

The directory of the step files.

pid-path PATH
default: ${localstatedir}/run

The directory of the pid file.

pid-file STRING
default: yakeyrolld.pid

The name of the pid file.

generate-from STRING
default: "now"

For plan generation, when to start the plan, can be overridden by the command line.

generate-until STRING
default: "+1y"

For plan generation, when to stop the plan, can be overridden by the command line.

server HOST
default: 127.0.0.1

The address of the name server for queries and dynamic updates.

timeout INT
default: 3

The number of seconds spent trying to communicate with the primary until it's considered a time-out.

ttl INT
default: 600

The default ttl value to use when generating records.

update-apply-verify-retries INT
default: 60

If an update isn't checked successfully, retries that many times.

update-apply-verify-retries-delay INT
default: 1

Waits that many seconds between two update apply tries.

match-verify-retries INT
default: 60

If a match test fails, retries that many times.

match-verify-retries-delay INT
default: 1

Waits that many seconds between two match test tries.

policy STRING
default: undefined

The name of the policy to use when generating the plan.

uid UID
default: 0

The uid to swich to. This should match the name server's.

gid GID
default: 0

The gid to swich to. This should match the name server's.

<dnssec-policy>
Description of dnssec policies.

id STR
default: -

id of the dnssec-policy section.

description STR
default: -

Description for the dnssec-policy section.

key-suite STR
default: -

id of the key-suite to be used.

<key-suite>
Description of the key-suites needed if 'dnssec policies' are used.

id STR
default: -

id of the key-suite section.

key-template STR
default: -

id of the key-template to be used.

key-roll STR
default: -

id of the key-roll to be used.

<key>
TSIG keys

algorithm ENUM
default: -

Mandatory. Sets the algorithm of the key.

Supported values are:

hmac-md5
hmac-sha1
hmac-sha224
hmac-sha256
hmac-sha384
hmac-sha512

(the algorithm names are case insensitive)}

name FQDN
default: -

Mandatory. Sets the name of the key.

secret TEXT
default: -

Mandatory. Sets the value of the key. BASE64 encoded.

<key-roll>
Description of the key-rolls needed if 'dnssec policies' are used.

id STR
default: -

id of the key-roll section.

generate STR
default: -

Time when the key must be generated.

publish STR
default: -

Time when the key must be published in the zone.

activate STR
default: -

Time when the key will be used for signing the zone or apex of the zone.

inactive STR
default: -

Time when the key will not be used anymore for signing.

delete STR
default: -

Time when the key will be removed out of the zone.

<key-template>
Description of the key-templates needed if 'dnssec policies' are used.

id STR
default: -

id of the key-roll section.

generate STR
default: -

Time when the key must be generated.

publish STR
default: -

Time when the key must be published in the zone.

activate STR
default: -

Time when the key will be used for signing the zone or apex of the zone.

inactive STR
default: -

Time when the key will not be used anymore for signing.

delete STR
default: -

Time when the key will be removed out of the zone.

<channels>
Description of the logger outputs.

It contains a list descriptions of user-defined outputs for the logger. Depending on the kind of output, the format is different.

The "name" is arbitrary and is used for identification in the <loggers>.
The "stream-name" defines the output type (i.e.: a file name, a program output or syslog).
The "arguments" are specific to the output type (i.e.: unix file access rights or syslog options and facilities).

*
file output stream channel-name file-name access-rights (octal).
*
pipe to a program channel-name "| shell command" channel-name "| path-to-program program arguments >> append-redirect"
*
STDOUT, STDERR output stream channel-name stdout channel-name stderr
*
syslog channel-name syslog syslog-facility
<loggers>
Description of the logger outputs sources.

Sets the output of a pre-defined logger for yakeyrolld.

The format of the line is: logger-name output-filter comma-separated-channel-names

Filters are:
DEBUG7, DEBUG6, DEBUG5, DEBUG4, DEBUG3, DEBUG2, DEBUG1, DEBUG, INFO, NOTICE, WARNING, ERR, CRIT, ALERT, EMERG

Additionally, there are:

*
ALL (or '*') meaning all the filters.
*
PROD means all but the DEBUG filters.

The defined loggers are:

keyroll
contains general messages about the keyroll
dnssec
contains messages about DNSSEC-related computations during the generation.
system
contains low level messages about the system such as memory allocation, threading, IOs, timers and cryptography, ...

System operators will mostly be interested in the info and above messages of the keyroll and dnssec loggers.

Examples of containers defined for a configuration file.
*
Main
1.
Config with includes

# start yakeyrolld.conf <yakeyrolld> container
include /etc/yakeyrolld/conf.d/local.conf
# end yakeyrolld.conf <yakeyrolld> container
2.
Main without includes

<yakeyrolld>
    # Detach from the console (alias: daemonize)
    daemon                  off
    # The directory to use for the log files
    log-path                 "/var/log/yakeyrolld"
    # The directory that yadifad uses to load private keys
    keys-path                "/var/lib/yadifa/keys"
    # The directory to use to store the plans
    plan-path                "/var/lib/yadifa/plans"
    generate-from "now"
    generate-until "+1y"
    server 127.0.0.1
    policy "keyroll-policy"
</yakeyrolld>
*
Key
TSIG-key configuration

1.
Admin-key key definition (the name is arbitrary)

<key>
    name        abroad-admin-key
    algorithm   hmac-md5
    secret      WorthlessKeyForExample==
</key>
2.
primary-secondary key definition

<key>
    name        primary-secondary
    algorithm   hmac-md5
    secret      PrimaryAndSecondaryKey==
</key>
*
DNSSEC-Policy

DNSSEC-Policy needs some extra sections: key-suite, key-roll, key-template

1.
dnssec-policy example with all the needed sections
<dnssec-policy>
    id              "keyroll-policy"
    description     "Example of ZSK and KSK"
    key-suite       "zsk-1024"
    key-suite       "ksk-2048"
</dnssec-policy>
    
2.
key-suite
<key-suite>                     
    id              "ksk-2048"
    key-template    "ksk-2048"
    key-roll        "yearly-calendar"
</key-suite>                            
<key-suite>                     
    id              "zsk-1024"
    key-template    "zsk-1024"
    key-roll        "monthly-calendar"
</key-suite>                            
    
3.
key-roll
<key-roll>
    id                 "yearly-calendar"
    generate            11        10           *                   1            mon             1 # Januay, Monday of the second week at 10:11
    publish             11        10           *                   1            tue             * # following Tuesday at 10:11
    activate            11        10           *                   1            wed             * # following Wednesday at 10:11
    inactive            11        10           *                   1            mon             * # following Monday, a year after, at 10:11
    remove              11        10           *                   1            wed             * # following Wednesday at 10:11
</key-roll>
<key-roll>
    id                 "monthly-calendar"
    generate            17        10           *                   *            mon             0 # 1st monday the month at 10:17
    publish             17        10           *                   *            tue             * # following tuesday at 10:17
    activate            17        10           *                   *            wed             * # following wednesday at 10:17
    inactive            17        10           *                   *            wed             * # following wednesday at 10:17 (one week after the activation)
    remove              17        10           *                   *            thu             * # following thursday at 10:17
</key-roll>
    
4.
key-template
<key-template>
    id              "ksk-2048"
    ksk             true
    algorithm       RSASHA512
    size            2048
</key-template>
<key-template>
    id              "zsk-1024"
    ksk             false
    algorithm       RSASHA512
    size            1024
</key-template>
    

*
Channels

Logging output-channel configurations:

It contains a list of user-defined outputs for the logger.

The "name" is arbitrary and is used for identification in the <loggers>.
The "stream-name" defines the output type (i.e.: a file name, a program output or syslog).
The "arguments" are specific to the output type (i.e.: unix file access rights or syslog options and facilities).

1.
Example: logging channels definition.

<channels>
#   name        stream-name     arguments
    keyroll     keyroll.log     0644
    dnssec      dnssec.log      0644
    system      system.log      0644
    all         all.log         0644
</channels>

*
Loggers

Logging input configurations:

The "bundle" is the name of the section of yakeyroll being logged, sources are : database, dnssec, queries, server, stats, system, zone.
The "debuglevel" uses the same names as syslog.
Additionally, "*" or "all" means all the levels; "prod" means all but the debug levels.

The "channels" are a comma-separated list of channels.

1.
Example logger configuration

<loggers>
#   bundle          debuglevel                          channels
    keyroll         prod                                keyroll,all
    dnssec          prod                                dnssec,all
    system          prod                                system,all
</loggers>

yakeyrolld(8)

Since unquoted leading whitespace is generally ignored in the yadifad.conf you can indent everything to taste.

Please check the file README from the sources.

Version: 2.5.3 of 2021-10-25.

There exists a mailinglist for questions relating to any program in the yadifa package:
*
yadifa-users@mailinglists.yadifa.eu
for submitting questions/answers.
*
http://www.yadifa.eu/mailing-list-users
for subscription requests.

If you would like to stay informed about new versions and official patches send a subscription request to via:

*
http://www.yadifa.eu/mailing-list-announcements

(this is a readonly list).

Copyright
(C)2011-2021, EURid
B-1831 Diegem, Belgium
info@yadifa.eu

Gery Van Emelen
Email: Gery.VanEmelen@EURid.eu
Eric Diaz Fernandez
Email: Eric.DiazFernandez@EURid.eu

WWW: http://www.EURid.eu

2021-10-25 YAKEYROLLD

Search for    or go to Top of page |  Section 5 |  Main Index

Powered by GSP Visit the GSP FreeBSD Man Page Interface.
Output converted with ManDoc.