logo
Free, unlimited AI code reviews that run on commit
git-lrc git-lrc GitHub Install Now We'd appreciate a star git-lrc - Free, unlimited AI code reviews that run on commit | Product Hunt git-lrc - Free, unlimited AI code reviews that run on commit | Product Hunt

yadifad.conf - configuration file for yadifad(8).

Authors

Gery Van Emelen Email: Gery.VanEmelen@EURid.eu Eric Diaz Fernandez Email: Eric.DiazFernandez@EURid.eu WWW: http://www.EURid.eu YADIFA 2025-03-11 YADIFAD-CONF(5)

Changes

Please check the file README from the sources.

Description

The configuration of yadifad is consistent in a text file that can optionally include others. The general structure is a sequence of containers: a sequence of lines of text starting with a <container-name> and ending with a </container-name>. Each line between these delimitters is in the form: variable-name value. The format of the value is determined by the type of the variable. TYPES There are 15 types: ACL A list of ACL descriptors. User-defined ACLs are found in the ACL section. The "any" and "none" descriptors are always defined. Elements of the list are separated by a "," or a ";". DNSSECTYPE A DNSSEC type name. It can be a DNSSEC-enabled value ("nsec", "nsec3" or "nsec3-optout") or a DNSSEC-disabled value ("none", "no", "off" or "0"). ENUM A word from a specified set. FLAG A boolean value. It can be true ("1", "enable", "enabled", "on", "true", "yes") or false ("0", "disable", "disabled", "off", "false", "no"). FQDN A fully-qualified domain name text string. e.g.: www.eurid.eu. GID Group ID. (Can be a number or a name) HOST(S) A (list of) host(s). A host is defined by an IP (v4 or v6) and can be followed by the word `port' and a port number. Elements of the list are separated by a `,' or a `;'. INTEGER/INT A base-ten integer. NETMOD A word or integer that identifies the network model: singleor0 Each working thread reads a single message, processes its answer and replies to it. bufferedor1 Working threads are working by couple. One reads a single message and queues it, one de-queues it, processes its answer and replies to it. multior2 Each working thread reads a multiple messages, processes their answers and replies to them. PATH/FILE A file or directory path. i.e.: "/var/zones". STRING/STR A text string. Double quotes can be used but are not mandatory. Without quotes the string will be taken from the first non-blank character to the last non-blank character. HEXSTR A hexadecimal even-length text string. RELDATE A cron-like date to be matched, relative to another. The columns are minutes [0;59], hours [0;23], days [0;31], months [1;12], weekdays [mon,tue,wed,thu,fri,sat,sun] and week-of-the-month [0;4]. Multiple values can be set in a column cell using ',' as a separator. The '*' character can be used to set all possible values of its column cell. RELTIME A time offset relative to another. It's written as +integer[unit-character] (e.g.: +24h) where the unit character can be seconds, minutes, hours, days or weeks. SECONDS A base-ten integer. HOURS A base-ten integer. DAYS A base-ten integer. UID User ID. (Can be a number or a name) CONTAINERS The configuration of yadifad has several containers: <main> General container <key> TSIG keys <acl> Access lists <nsid> NameServer IDentifier <rrl> Response Rate Limiting directives <zone> Description of the domain name in specific attributes. <channels> Description of the logger outputs. <dnssec-policy> Description of dnssec policies. <key-suite> Description of the key-suites needed if 'dnssec policies' are used. <key-roll> Description of the key-rolls needed if 'dnssec policies' are used. <key-template> Description of the key-templates needed if 'dnssec policies' are used. <denial> Description of 'denial', this can be used in certain 'dnssec policies'. The configuration supports included files. example: include /etc/yadifa/conf.d/local.conf The configuration files can be nested. The configuration consists of: * Container, which starts with <container name> and ends with </container name> * Variable name * 1 or 2 arguments * Arguments can contain 1 or more comma separated values. STANDARDSECTIONS<main> General container, contains all the configuration parameters needed to start up yadifad. allow-controlACL default: none Default server-control access control list. Only the sources matching the ACL are accepted. allow-notifyACL default: any Default notify access control list. Only the servers matching the ACL will be handled. allow-queryACL default: any Default query access control list. Only the clients matching the ACL will be replied to. allow-transferACL default: none Default transfer access control list. Only the clients matching the ACL will be allowed to transfer a zone (axfr/ixfr). allow-updateACL default: none Default update access control list. Only the clients matching the ACL will be allowed to update a zone. allow-update-forwardingACL default: none Default update-forwarding access control list. Only the sources matching the ACL are accepted. answer-formerr-packetsFLAG default: true If this flag is disabled; the server will not reply to badly formatted packets. axfr-compress-packetsFLAG default: true Enables the dns packet compression of each axfr packet. axfr-max-packet-sizeINT default: 4096 bytes The maximum size of an axfr packet. (MIN: 512; MAX: 65535) axfr-max-record-by-packetINT default: 0 The maximum number of records in each axfr packet. Older name servers can only handle 1. Set to 0 to disable the limit. (MIN: 0; MAX: 65535) axfr-retry-delaySECONDS default: 600 Number of seconds between each retry for the first transfer from the primary name server. (MIN: 60; MAX: 86400) axfr-retry-jitterSECONDS default: 180 Jitter applied to axfr-retry-delay. (MIN: 60; MAX: axfr-retry-delay) axfr-retry-failure-delay-multiplierINT default: 5 Linear back-off multiplier. The multiplier times the number of failures is added to the xfr-retry-delay. (MIN: 0; MAX: 86400) axfr-retry-failure-delay-maxSECONDS default: 3600 Maximum delay added for the back-off. (MIN: 0; MAX: 604800) axfr-strict-authorityFLAG default: yes (unless --enable-non-aa-axfr-support was used) Tells yadifad to be strict with the AA flag in AXFR answers chrootFLAG default: off Enabling this flag will make the server jail itself in the chroot-path directory. chroot-path;chrootpathPATH default: / The directory used for the jail. cpu-count-overrideINT default: 0 Overrides the detected number of logical cpus. Set to 0 for automatic. (MIN: 0; MAX: 256) daemon;daemonizeFLAG default: false Enabling this flag will make the server detach from the console and work in background. data-path;datapathPATH default: zones The base path were lies the data (zone file path; journaling data; temporary files; etc.) do-not-listenHOSTS default: - An exclusion list of addresses to never listen to. If set, 0.0.0.0 and ::0 will always be split by interface to isolate the address. edns0-max-sizeINT default: 4096 edns0 packets size. (MIN: 512; MAX: 65535) gid;groupGID default: 0 (or root) The group ID that the server will use. hidden-primary;hidden-masterFLAG default: no As a hidden primary more CPU will be used for various maintenance tasks. hostname-chaos;hostnameSTR default: the host name The string returned by a hostname-chaos TXT CH query. keys-path;keyspathPATH default: zones/keys The base path of the dnssec keys. listenHOSTS default: 0.0.0.0,::0 The list of interfaces to listen to. log-files-disabledFLAG default: no If set, disables checking the log-path directory for existence and writing rights. log-path;logpathPATH default: log The base path where the log files are written. log-unprocessableFLAG default: off Enabling this flag will make the server log unprocessable queries. max-tcp-queries;max-tcp-connectionsINT default: 16 The maximum number of parallel tcp queries; allowed. (MIN: 1; MAX: 255) network-modelNETMOD default: multi Sets the networking model of yadifa. pid-file;pidfileSTR default: run/yadifad.pid The pid file name. queries-log-typeINT default: 1 Query log format. (0: none; 1: yadifa format; 2: BIND format; 3: yadifa and BIND format at once) serverid-chaos;serveridSTR default: - The string returned by a id.server. TXT CH query. If not set; REFUSED is answered. server-port;portINT default: 53 The default dns port. (MIN: 1; MAX: 65535) sig-validity-intervalDAYS default: 30 The number of days for which an automatic signature is valid. (MIN: 7 days; MAX: 30 days) sig-validity-jitter;sig-jitterSECONDS default: 3600 The signature expiration validity jitter in seconds (1 hour). (MIN: 0 sec; MAX: 86400 sec) sig-validity-regenerationHOURS default: automatic Signatures expiring in less than the indicated amount of hours will be recomputed. The default will be chosen by yadifa. (MIN: 24 hours; MAX: 168 hours) statisticsFLAG default: true The server will log a report line about some internal statistics. statistics-max-periodSECONDS default: 60 The period in seconds between two statistics log lines. (MIN: 1 sec; MAX: 31 * 86400 seconds (31 days)) tcp-query-min-rateINT default: 512 bytes/second The minimum transfer rate required in a tcp connection (read and write). Slower connections are closed. The units are bytes per second. (MIN: 0; MAX: 4294967295 thread-affinity-baseINT default: 0 Sets the first CPU to set affinity for. Set it to the real CPU of a core. (MIN: 0; MAX: 3) thread-affinity-multiplierINT default: 0 Sets the multiplier choosing CPU to set affinity for. Allows avoiding hyperthread cores. Set to 0 for automatic avoiding. (MIN: 0; MAX: 4) thread-count-by-addressINT default: -1 Number of independent threads used to process each listening address. Set to -1 for automatic. Set to 0 for single threaded. (MIN: -1; MAX: number of CPU's) uid;userUID default: 0 (or root) The user ID that the server will use. version-chaos;versionSTR default: yadifa version# The text to include in the version TXT CH query. xfr-connect-timeoutSECONDS default: 5 Timeout for establishing a connection for axfr and ixfr transfers. Set to 0 to disable. (MIN: 0; MAX: 4294967295) xfr-path;xfrpathPATH default: zones/xfr The base path used for axfr and journal storage. zone-download-thread-countINT default: 4 Number of independent threads used to download the zones. (MIN: 0; MAX: 255) zone-load-thread-countINT default: 1 Number of independent threads used to process loading of the zones. (MIN: 0; MAX: 255) zone-store-thread-countINT default: 1 Sets the number of threads used to store a zone on disk (MIN: 1, MAX: 4). zone-unload-thread-countINT default: 1 Sets the number of threads used to delete a zone from memory (MIN: 1, MAX: 4). worker-backlog-queue-sizeINT default: 16384 For network-model 1, sets the size of the backlog queue (MIN: 4096, MAX: 1048576). <key> TSIG keys algorithmENUM default: - Mandatory. Sets the algorithm of the key. Supported values are: hmac-md5hmac-sha1hmac-sha224hmac-sha256hmac-sha384hmac-sha512 (the algorithm names are case insensitive)} nameFQDN default: - Mandatory. Sets the name of the key. secretTEXT default: - Mandatory. Sets the value of the key. BASE64 encoded. <acl> Access lists Each entry of the acl section defines a rule of access. Each rule is a name (a single user-defined word) followed by a rule in the form of a list of statements. The separator can be "," or ";". The "any" and "none" names are reserved. A statement tells if a source is accepted or rejected. Reject statements are prefixed with "!". Statements are evaluated in the following order: first from more specific to less specific, then from reject to accept. If a statement matches, the evaluation will stop and accordingly accept or reject the source. If no statement matches, then the source is rejected. A statement can be either: * An IPv4 or an IPv6 address followed (or not) by a mask. [!]ipv4 |ipv6 [/mask] For example: * internal-network 192.0.2.128/26;2001:DB8::/32 * The word `key' followed by the name of a TSIG key. key key-name For example: * slaves key public-slave;key hidden-slave * An ACL statement name from the acl section. Note that negation and recursion are forbidden and duly rejected. acl-name For example: * who-can-ask-for-an-ixfr primary;secondaries;127.0.0.1 <nsid> NameServer IDentifier asciiSTR default: "" The string can be 512 characters long. hex default: "" <rrl> Response Rate Limiting directives responses-per-secondINT default: 5 Allowed response rate. errors-per-secondINT default: 5 Allowed error rate. slipINT default: 2 Random slip parameter. log-onlyFLAG default: false If set to true, logs what it should do without doing it. ipv4-prefix-lengthINT default: 24 Mask applied to group the IPv4 clients. ipv6-prefix-lengthINT default: 56 Mask applied to group the IPv6 clients. exempt-clientsACL default: none Clients matching this rule are not subject to the RRL. enabledFLAG default: false Enables the RRL min-table-sizeINT default: 1024 RRL buffer minimum size max-table-sizeINT default: 16384 RRL buffer maximum size windowINT default: 15 RRL sliding window size in seconds <zone> Description of the domain name in specific attributes. allow-controlACL default: as main Control commands control list. Only the matching sources are allowed. allow-notifyACL default: as main Notify access control list. Only the servers matching the ACL will be handled. allow-queryACL default: as main Query access control list. Only the clients matching the ACL will be replied to. allow-transferACL default: as main Tansfer access control list. Only the clients matching the ACL will be allowed to transfer a zone (axfr/ixfrallow-updateACL default: as main Update access control list. Only the clients matching the ACL will be allowed to update a zone. allow-update-forwardingACL default: as main Update forwarding control list. Only the matching sources are allowed. dnssec-mode;dnssecDNSSEC-TYPE default: off Type of dnssec used for the zone. As primary name sever; yadifa will try to maintain that state. dnssec-policySTR default: - Sets the dnssec-policy id to be used. domainFQDN default: - Mandatory. Sets the domain of the zone (i.e.: eurid.eu). drop-before-loadFLAG default: off Enabling this flag will make the server drop the zone before loading the updated zone from disk. Use this on systems constrained for RAM. file-name;fileFILE default: - Sets the zone file name. Only mandatory for a primary zone. journal-size-kbINT default: 0 Puts a soft limit on the size of the journal; expressed in KB. (MIN: 0; MAX: 3698688 (3GB)) keys-path;keyspathPATH default: as main The base path of the dnssec keys. maintain-dnssecFLAG default: true Enabling this flag will cause the server to try and maintain rrsig records primaries;primary;masters;masterHOSTS default: - Mandatory for a secondary. Sets the primary server(s). Multiple primaries are supported. multiprimary-retries;multimaster-retriesINT default: 0 The number of times the primary is unreachable before switching to a different primary (MIN: 0; MAX: 255) no-primary-updates;no-master-updatesFLAG default: false Enabling this flag will prevent the server from probing or downloading changes from the primary notifies;also-notify;notifyHOSTS default: - The list of servers to notify in the event of a change. Currently only used by primaries when a dynamic update occurs. notify-autoFLAG default: true Enabling this flag will cause notify messages to be sent to all name servers in the APEX. Disabling this flags causes the content of APEX to be ignored (ns Records). notify-retry-countINT default: 5 Number of times yadifa tries to send a notify. (MIN: 0; MAX: 10) notify-retry-periodINT default: 1 Time period in minutes between two notify attempts. (MIN: 1; MAX: 600) notify-retry-period-increaseINT default: 0 Increase of the time period in minutes between two notify attempts. (MIN: 0; MAX: 600) rrsig-nsupdate-allowedFLAG default: false If this flag is set the server allows one to edit RRSIG records using dynamic updates. sig-validity-intervalDAYS default: as main The number of days for which an automatic signature is valid. (MIN: 7 days; MAX: 30 days) sig-validity-regenerationHOURS default: as main The signatures expiring in less than the indicated amount of hours will be recomputed. (MIN: 24 hours; MAX: 168 hours) sig-validity-jitterSECONDS default: as main The signature expiration validity jitter in seconds. (MIN: 0 sec; MAX: 86400 sec) true-multiprimary;true-multimasterFLAG default: off Enabling this flag will make the server use axfr when switching to a new primary typeENUM default: - Mandatory. Sets the type of zone : either primary/master or secondary/slave. <channels> Description of the logger outputs. It contains a list descriptions of user-defined outputs for the logger. Depending on the kind of output, the format is different. The "name" is arbitrary and is used for identification in the <loggers>. The "stream-name" defines the output type (ie: a file name, a program output or syslog). The "arguments" are specific to the output type (ie: unix file access rights or syslog options and facilities). * file output stream channel-name file-name access-rights (octal). * pipe to a program channel-name "| shell command" channel-name "| path-to-program program arguments >> append-redirect" * STDOUT, STDERR output stream channel-name stdout channel-name stderr * syslog channel-name syslog syslog-facility <loggers> Description of the logger outputs sources. Sets the output of a pre-defined logger from yadifad. The format of the line is: logger-name output-filter comma-separated-channel-names Filters are: DEBUG7, DEBUG6, DEBUG5, DEBUG4, DEBUG3, DEBUG2, DEBUG1, DEBUG, INFO, NOTICE, WARNING, ERR, CRIT, ALERT, EMERG Additionally, there are: *ALL (or '*') meaning all the filters. *PROD means all but the DEBUG filters. The defined loggers are: system contains low level messages about the system such as memory allocation, threading, IOs, timers and cryptography, ... database It contains messages about most lower-level operations in the DNS database. ie: journal, updates, zone loading and sanitization, DNS message query resolution, ...) dnssec contains messages about lower-level dnssec operations in the DNS database. ie: status, maintenance, verification, ... server contains messages about operations in the DNS server. ie: start up, shutdown, configuration, transfers, various services status (database management, network management, DNS notification management, dynamic update management, resource rate limiting, ...) zone contains messages about the loading of a zone from a source (file parsing, transferred binary zone reading, ...) stats contains the statistics of the server. queries contains the queries on the server. Queries can be logged with the BIND and/or with the YADIFA format. BINDformat: client sender-ip#port: query: fqdn class type +SETDC (listen-ip) YADIFAformat: query [ id ] {+SETDC} fqdn class type (sender-ip#port) where: id is the query message id + means the message has the Recursion Desired flag set S means the message is signed with a TSIG E means the message is EDNS T means the message was sent using TCP instead of UDP D means the message has the DNSSEC OK flag set C means the message has the Checking Disabled flag set fqdn is the queried FQDN class is the queried class type is the queried type sender-ip is the IP of the client that sent the query port is the port of the client that sent the query listen-ip is the listen network interface that received the message Note that on YADIFA any unset flag is replaced by a '-', on BIND only the '+' follows that rule. System operators will mostly be interested in the info and above messages of queries and stats, as well as the error and above messages of the other loggers. DNSSEC-POLICY There are 5 sections: <dnssec-policy> The dnssec-policy section binds up to four key suites and a denial mode. It is meant to be used as a dnssec-policy parameter in a zone section. Usually two key-suite will be given: one for a KSK and one for a ZSK. The denial mode can be either 'nsec' either the name of a denial section. idSTR default: - id of the dnssec-policy section. descriptionSTR default: - Description for the dnssec-policy section. key-suiteSTR default: - id of the key-suite to be used. Usually both a KSK and a ZSK suites are given. denialSTR default: nsec id of the denial to be used for nsec3 or the argument 'nsec' to use nsec. <key-suite> The key-suite section is used by dnssec policies and is meant to be referenced by a dnssec-policy section. A key-suite links a key definition (key-template) with a deployment calendar (key-roll). idSTR default: - id of the key-suite section. key-templateSTR default: - id of the key-template to be used. key-rollSTR default: - id of the key-roll to be used. <key-roll> The key-roll section is used by dnssec policies and is meant to be referenced by a key-suite section. It's essentially a deployment calendar. Each event is computed relatively to another. Dates are chosen so that there is always a key in an active state. Please look at the examples as a misconfiguration could easily span the life of a key over several years. (e.g.: by too restrictive on the matching conditions) If the RELDATE format is being used, the first valid date matching the line is used. Usage of the RELDATE format is recommended over the RELTIME one. idRELDATE|RELTIME default: - id of the key-roll section. generateRELDATE|RELTIME default: - Time when the key must be generated. Pre-dated before so it's active right now if it's the first one. Always computed so that the next activation happens before the last deactivation. publishRELDATE|RELTIME default: - Time when the key must be published in the zone. Relative to the generation. activateRELDATE|RELTIME default: - Time when the key will be used for signing the zone or apex of the zone. Relative to the publication. inactiveRELDATE|RELTIME default: - Time when the key will not be used anymore for signing. Relative to the activation. deleteRELDATE|RELTIME default: - Time when the key will be removed out of the zone. Relative to the deactivation. <key-template> The key-template section is used by dnssec policies and is meant to be referenced by a key-suite section. It contains the various parameters of a key for its generation. idSTR default: - id of the key-template section. kskFLAG default: false When this flag is enabled a ksk will be generated. When disabled a zsk will be generated. algorithmENUM default: 7 Sets the algorithm of the key. Supported values are: ’DSA’; 3; ’RSASHA1’; 5; ’NSEC3DSA’; 6; ’NSEC3RSASHA1’; 7; ’RSASHA256’; 8; ’RSASHA512’; 10; ’ECDSAP256SHA256’; 13; ’ECDSAP384SHA384’; 14. sizeINT default: 0 The length of the key in bits (incompatible sizes will be rejected). (MIN: 0; MAX: 4096) <denial> The denial section is used by dnssec policies and is meant to be referenced by a dnssec-policy section. It is used to define the NSEC3 denial parameters of a dnssec policy. Policies using a NSEC denial don't need to use this section. idSTR default: - id of the denial section. saltHEXSTR default: empty A base16 encoded sequence of bytes used as the salt parameter of the NSEC3 chain. salt-lengthINT default: 0 If the salt parameter isn't set, generates a random salt parameter of that length. (MIN: 0; MAX: 255) iterationsINT default: 1 Iteration parameter of the NSEC3 chain. (MIN: 0; MAX: 65535) optoutFLAG default: false Enables opt-out coverage in the NSEC3 chain. When this flag is enabled, delegations which do not have a DS record will not be covered by an NSEC3 record.

Examples

Examples of containers defined for a configuration file. * Main 1. Main section example <main> # Detach from the console (alias: daemonize) daemon off # Jail the application chroot off # The path of the log files (alias: chroot-path) chrootpath "/chroot/yadifad" # The path of the log files (alias: log-path) logpath "/var/log/yadifa" # The location of the pid file (alias: pid-file) pidfile "/var/run/yadifa/yadifad.pid" # The path of the zone files (alias: data-path) datapath "/var/lib/yadifa" # The path of the DNSSEC keys (alias: keys-path) keyspath "/var/lib/yadifa/keys" # The path of the transfer and journaling files (AXFR & IXFR) (alias: xfr-path) xfrpath "/var/lib/yadifa/xfr" # A string returned by a query of hostname. CH TXT # note: if you leave this out, the real hostname will be given back (alias: hostname-chaos) hostname "server-yadifad" # An ID returned by a query to id.server. CH TXT (alias: serverid-chaos) serverid "yadifad-01" # The version returned by a query to version.yadifa. CH TXT (alias: version-chaos) version {3.0.2} # Set the maximum UDP packet size. # note: the packetsize cannot be less than 512 or more than 65535. # Typical choice is 4096. edns0-max-size 4096 # The maximum number of parallel TCP queries (max-tcp-connections) max-tcp-queries 100 # The minimum data rate for a TCP query (in bytes per second) tcp-query-min-rate 512 # The user id to use (alias: user) uid yadifa # The group id to use (alias: group) gid yadifa # The DNS port - any DNS query will use that port unless a specific value is used (alias: server-port) port 53 # The interfaces to listen to. listen 127.0.0.1, 192.0.2.2, 192.0.2.130 port 8053, 2001:db8::2 # Type of querylog to use # 0: none # 1: yadifa # 2: bind # 3: both yadifa and bind queries-log-type 1 # Enable the collection and logging of statistics statistics on # Maximum number of seconds between two statistics lines statistics-max-period 60 # Drop queries with erroneous content # # answer-formerr-packets on answer-formerr-packets off # Maximum number of records in an AXFR packet. Set to 1 for compatibility # with very old name servers (alias: axfr-max-record-by-packet) axfr-maxrecordbypacket 0 # Global Access Control rules # # Rules can be defined on network ranges, TSIG signatures, and ACL rules # simple queries: # # allow-query any allow-query !192.0.2.251,any # dynamic update of a zone # # allow-update none allow-update admins # dynamic update of a secondary (forwarded to the primary) # # allow-update-forwarding none allow-update-forwarding admins,key abroad-admin-key # transfer of a zone (AXFR or IXFR) # # allow-transfer any allow-transfer transferer # notify of a change in the primary # # allow-notify any allow-notify primary,admins # If YADIFA has the controller enabled, allow control only for these # clients (none by default) allow-control controller # overwrite the amount of CPUs detected by yadifad cpu-count-override 3 # set the number of threads to serve queries thread-count-by-address 2 </main> * Key TSIG-key configuration 1. Admin-key key definition (the name is arbitrary) <key> name abroad-admin-key algorithm hmac-md5 secret WorthlessKeyForExample== </key> 2. primary-secondary key definition (the name is arbitrary) <key> name primary-secondary algorithm hmac-md5 secret PrimaryAndSecondaryKey== </key> * ACL Access Control List definitions 1. primary-secondary key use <acl> transferer key primary-secondary admins 192.0.2.0/24, 2001:db8::74 primary 192.0.2.53 localhost 127.0.0.0/8, ::1 controller key controller # the ACL for the controller MUST use a key </acl> * NSID DNS NameServer IDentifier 1. Example with ascii <nsid> ascii belgium-brussels-01 </nsid> 2. Example with hex <nsid> hex 00320201 </nsid> * RRL Response Rate Limiting 1. Example <rrl> # Number of identical responses per second before responses are being limited responses-per-second 5 # Number of errors per second before responses are being limited errors-per-second 5 # Random slip parameter slip 10 # If enabled, the rate limits are only logged and not enforced log-only off # Mask applied to group the IPv4 clients ipv4-prefix-length 24 # Mask applied to group the IPv6 clients ipv6-prefix-length 56 # Rate limits are not subject to the following clients (aka whitelist) exempt-clients none # Enable or disable the rate limit capabilities enabled yes </rrl> * Zone 1. Primary domain zone config <zone> # This server is primary for the zone (mandatory) type primary # The domain name (mandatory) domain mydomain.eu # The zone file, relative to 'datapath' (mandatory for a primary) (alias: file-name) file primaries/mydomain.eu # List of servers also notified of a change (beside the ones in the zone file) (alias: notifies, notify) also-notify 192.0.2.84, 192.0.2.149 # Set the size of the journal file in KB (alias: journal-size-kb) journal-size 8192 # Allow dynupdate for these ACL entries allow-update admins # Allow AXFR/IXFR for these ACL entries allow-transfer transferer # Use DNSSEC policies otherwise remove or put in remark line below dnssec-policy 1 </zone> 2. Slave domain zone config <zone> # This server is slave for that zone (mandatory) type slave # The domain name (mandatory) domain myotherdomain.eu # The address of the primary (mandatory for a secondary, forbidden for a primary) (alias: primary) primaries 191.0.2.53 port 4053 key primary-secondary # The zone file, relative to 'datapath'. file slaves/myotherdomain.eu # Accept notifes from these ACL entries allow-notify primary </zone> * DNSSEC-Policy DNSSEC-Policy needs some extra sections: key-suite, key-roll, key-template (and denial if NSEC3 is configured) 1. dnssec-policy example with all the needed sections example with NSEC3 <dnssec-policy> id "1" description "Example of ZSK and KSK" denial "nsec3-with-salt-on" key-suite "zsk-1024" key-suite "ksk-2048" </dnssec-policy> example with NSEC <dnssec-policy> id "2" description "Example of ZSK and KSK" denial nsec key-suite "zsk-1024" key-suite "ksk-2048" </dnssec-policy> 2. key-suite <key-suite> id "ksk-2048" key-template "ksk-2048" key-roll "yearly-schedule" </key-suite> <key-suite> id "zsk-1024" key-template "zsk-1024" key-roll "monthly-schedule" </key-suite> 3. key-roll <key-roll> id "yearly-schedule" generate 5 0 15 6 * * # this year (2018) 15/06 at 00:05 publish 10 0 15 6 * * # 00:10 activate 15 0 16 6 * * # 16/06 at 00:15 inactive 15 0 17 6 * * # (2019) 17/06 at 00:15 remove 15 11 18 6 * * # (2019) 18/06 at 11:15 </key-roll> <key-roll> id "monthly-schedule" generate 5 0 * * tue 0 # 1 tuesday of the month at 00:05 publish 10 0 * * tue 0 # 00:10 activate 15 0 * * wed 0 # 1 wednesday of the month at 00:15 inactive 15 0 * * thu 0 # 1 thursday of the month at 00:15 remove 15 11 * * fri 0 # 1 friday of the month at 11:15 </key-roll> 4. key-template <key-template> id "ksk-2048" ksk true algorithm 8 size 2048 </key-template> <key-template> id "zsk-1024" ksk false algorithm 8 size 1024 </key-template> 5. denial <denial> id "nsec3-with-salt-on" salt "ABCD" algorithm 1 iterations 5 optout off </denial> <denial> id "nsec3-with-salt-length-on" salt-length 4 algorithm 1 iterations 5 optout off </denial> * Channels Logging output-channel configurations: It contains a list of user-defined outputs for the logger. The "name" is arbitrary and is used for identification in the <loggers>. The "stream-name" defines the output type (ie: a file name, a program output or syslog). The "arguments" are specific to the output type (ie: unix file access rights or syslog options and facilities). 1. Example: YADIFA running as daemon channel definition. <channels> # name stream-name arguments database database.log 0644 dnssec dnssec.log 0644 server server.log 0644 statistics statistics.log 0644 system system.log 0644 queries queries.log 0644 zone zone.log 0644 all all.log 0644 gziplog "|/usr/bin/gzip \- >> /var/log/yadifa.log.gz" syslog syslog user </channels> 2. Example: YADIFA running in debug mode. This example shows the "stderr" and "stdout" which can also be used in the first example, but will output to the console. <channels> # name stream-name arguments syslog syslog user stderr STDERR stdout STDOUT </channels> * Loggers Logging input configurations: The "bundle" is the name of the section of YADIDA being logged, sources are : database, dnssec, queries, server, stats, system, zone. The "debuglevel" uses the same names as syslog. Additionally, "*" or "all" means all the levels; "prod" means all but the debug levels. The "channels" are a comma-separated list of channels. 1. Example without syslog <loggers> # bundle debuglevel channels database ALL database,all dnssec warning dnssec,all server INFO,WARNING,ERR,CRIT,ALERT,EMERG server,all stats prod statistics system * system,all queries * queries zone * zone,all </loggers> 2. Example with syslog <loggers> # bundle debuglevel channels database ALL database,syslog dnssec warning dnssec,syslog server INFO,WARNING,ERR,CRIT,ALERT,EMERG server,syslog stats prod statistics, syslog system * system,syslog queries * queries,syslog zone * zone,syslog </loggers>

Mailing Lists

There exists a mailinglist for questions relating to any program in the yadifa package: *yadifa-users@mailinglists.yadifa.eu for submitting questions/answers. *http://www.yadifa.eu/mailing-list-users for subscription requests. If you would like to stay informed about new versions and official patches send a subscription request to via: *http://www.yadifa.eu/mailing-list-announcements (this is a readonly list).

Name

yadifad.conf - configuration file for yadifad(8).

Notes

Since unquoted leading whitespace is generally ignored in the yadifad.conf you can indent everything to taste.

See Also

yadifad(8)

Synopsis

${SYSCONFDIR}/yadifa/yadifad.conf

Version

Version: 3.0.2 of 2025-03-11.

See Also