YAKEYROLLD(8) YADIFA YAKEYROLLD(8)

NAME

YAKEYROLLD is a utility for generating a sequence of KSK and ZSK for a zone.

SYNOPSIS

yakeyrolld command [argument]

DESCRIPTION

The yakeyrolld program generates a sequence of KSK and ZSK for a zone, with all the steps of their lifecycles.

yakeyrolld is part of the YADIFA distribution from EURid vzw/asbl. The latest version of YADIFA can be found on:

http://www.yadifa.eu/download

A lifecycle for a key has several steps:

* Time of creation
* Time of publication
* Time of activation
* Time of de-activation
* Time of un-publication.

These times are determined using a cron-like schedule.

For all these steps, it computes the following:

* The expected DNSKEY and RRSIG DNSKEY records on the primary before the step is started
* The ZSK files to add
* The ZSK files to remove
* The DNSKEY and RRSIG DNSKEY records to add
* The DNSKEY and RRSIG DNSKEY records to remove
* The expected DNSKEY and RRSIG DNSKEY records on the dns primary after the step has been completed.
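The step computation described above, modelled in Python as an added illustration (this is not yakeyrolld's own code): every lifecycle time of every key becomes one step carrying the DNSKEY set expected before it, the records and ZSK files to add and remove, the active KSKs that produce the RRSIG DNSKEY records, and the set expected afterwards. Key tags, dates and the signing-gap check are constructed assumptions for the sample plan.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Key:
    tag: int       # constructed key tag, not a real DNSKEY key tag
    role: str      # "KSK" or "ZSK"
    publish: date
    activate: date
    deactivate: date
    unpublish: date
    def published_at(self, t): return self.publish <= t < self.unpublish
    def active_at(self, t): return self.activate <= t < self.deactivate

def plan_steps(keys):
    """One step per lifecycle event: DNSKEY set expected before, records/files to
    add and remove, DNSKEY set expected after, and whether signing would break."""
    event_times = sorted({t for k in keys for t in (k.publish, k.activate, k.deactivate, k.unpublish)})
    steps, before = [], frozenset()
    for t in event_times:
        after = frozenset(k.tag for k in keys if k.published_at(t))
        # RRSIG DNSKEY records are produced by the KSKs active at this time
        ksk_signers = frozenset(k.tag for k in keys if k.role == "KSK" and k.active_at(t))
        zsk_active = any(k.role == "ZSK" and k.active_at(t) for k in keys)
        steps.append({
            "when": t,
            "dnskey_before": before,
            # ZSK private key files go to yadifad when the key is published, leave when unpublished
            "zsk_files_add": frozenset(k.tag for k in keys if k.role == "ZSK" and k.publish == t),
            "zsk_files_remove": frozenset(k.tag for k in keys if k.role == "ZSK" and k.unpublish == t),
            "dnskey_add": after - before,
            "dnskey_remove": before - after,
            "rrsig_dnskey_signers": ksk_signers,
            "dnskey_after": after,
            # constructed check: a step with no active KSK or no active ZSK leaves the zone unsignable
            "signing_gap": not ksk_signers or not zsk_active,
        })
        before = after
    return steps

# Constructed sample plan: one KSK and two overlapping ZSKs (pre-publish / post-publish roll)
SAMPLE_KEYS = [
    Key(1001, "KSK", date(2025, 1, 1), date(2025, 1, 15), date(2027, 1, 1), date(2027, 1, 15)),
    Key(2001, "ZSK", date(2025, 1, 1), date(2025, 1, 8), date(2025, 4, 8), date(2025, 4, 15)),
    Key(2002, "ZSK", date(2025, 4, 1), date(2025, 4, 8), date(2025, 7, 8), date(2025, 7, 15)),
]

def sample_plan():
    return plan_steps(SAMPLE_KEYS)
```

Steps flagged with signing_gap are the ones a real plan must avoid, for example by keeping the KSK active until the next KSK is already active.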

Each step is stored as a file. The file contains fields like:

The yakeyrolld daemon writes key files in the yadifad keys directory and pushes DNSKEY and RRSIG records with a dynamic update.
Zones managed by the keyroll need to have the rrsig-nsupdate-allowed setting enabled (<zone> section).
In generation mode, the daemon needs access to both the plan and the private keys directory.
For all other modes, the private keys directory is ignored.
When no generation is being done, the private keys should not be kept on the machine; their encrypted backup should sit in a safe place.


Destroys any existing data and starts from nothing. Creates all the steps of the rolls for the next two years. Creates all the private keys in a separate directory.
The directory that contains the private key files is required for this command, as private keys will be added.

yakeyrolld -m generate --until +1y --reset


In order to extend a plan further, simply do another generation.
The operation loads the current plan, extends it to cover the new limit date and saves the updated version back on disk.
Previously stored private keys may be used to generate signatures, and new private keys may be added.
Because of this, the directory that contains the private key files is required for this command.

yakeyrolld -m generate --until +1y


Details of the current plan can be printed on stdout using:

yakeyrolld -m print

The output format of that command isn't meant to be parsed by a program.

For a script, use instead:

yakeyrolld -m print-json


To start rolling the keys and pushing them to the server, use:

yakeyrolld -m playloop

FILES

${SYSCONFDIR}/yakeyrolld.conf

The default yakeyrolld configuration file.

SEE ALSO

yakeyrolld.conf(5)

Configuration man page for yakeyrolld.

yakeyrolld requires OpenSSL version 1.1.1 or later.

Please check the ChangeLog file from the source code.

Version: 3.0.2 of 2025-03-11.

There is a mailing list for questions relating to any program in the yadifa package:

* yadifa-users@mailinglists.yadifa.eu
  for submitting questions/answers.
* http://www.yadifa.eu/mailing-list-users
  for subscription requests.

If you would like to stay informed about new versions and official patches, send a subscription request via:

* http://www.yadifa.eu/mailing-list-announcements

(this is a read-only list).

(C)2011-2025, EURid
B-1831 Diegem, Belgium
info@yadifa.eu

Gery Van Emelen
Email: Gery.VanEmelen@EURid.eu
Eric Diaz Fernandez
Email: Eric.DiazFernandez@EURid.eu

WWW: http://www.EURid.eu

2025-03-11 YAKEYROLLD
