logo
Free, unlimited AI code reviews that run on commit
git-lrc git-lrc GitHub Install Now We'd appreciate a star git-lrc - Free, unlimited AI code reviews that run on commit | Product Hunt git-lrc - Free, unlimited AI code reviews that run on commit | Product Hunt

yakeyrolld.conf - configuration file for yakeyrolld(8).

Authors

Gery Van Emelen Email: Gery.VanEmelen@EURid.eu Eric Diaz Fernandez Email: Eric.DiazFernandez@EURid.eu WWW: http://www.EURid.eu YAKEYROLLD 2025-03-11 YAKEYROLLD-CONF(5)

Changes

Please check the file README from the sources.

Description

The configuration of yakeyrolld is consistent in a text file that can optionally include others. The general structure is a a sequence of containers: a sequence of lines of text starting with a <container-name> and ending with a </container-name>. Each line between these delimitters is in the form: variable-name value. The format of the value is determined by the type of the variable. There are 7 types: FQDN A fully-qualified domain name text string. e.g.: www.eurid.eu. GID Group ID. (Can be a number or a name) HOST(S) A (list of) host(s). A host is defined by an IP (v4 or v6) and can be followed by the word `port' and a port number. Elements of the list are separated by a `,' or a `;'. INTEGER/INT A base-ten integer. PATH/FILE A file or directory path. i.e.: "/var/plans". STRING/STR A text string. Double quotes can be used but are not mandatory. Without quotes the string will be taken from the first non-blank character to the last non-blank character. UID User ID. (Can be a number or a name) STANDARDSECTIONS There are 9 sections: <yakeyrolld> General container, contains all the configuration parameters needed to start up yakeyrolld. domainFQDN default: . Names one domain to manage, can be used up to 200 times. In yadifad.conf, each of these domains must have rrsig-nsupdate-allowed enabled in their respective <zone> section. log-pathPATH default: ${localstatedir}/log/yakeyrolld The directory that will contain the log files. keys-pathPATH default: ${localstatedir}/zones/keys The directory the name server uses to read zone key file. plan-pathPATH default: ${localstatedir}/plans The directory of the step files. pid-pathPATH default: ${localstatedir}/run The directory of the pid file. pid-fileSTRING default: yakeyrolld.pid The name of the pid file. generate-fromSTRING default: "now" For plan generation, when to start the plan, can be overridden by the command line. generate-untilSTRING default: "+1y" For plan generation, when to stop the plan, can be overridden by the command line. serverHOST default: 127.0.0.1 The address of the name server for queries and dynamic updates. timeoutINT default: 3 The number of seconds spent trying to communicate with the primary until it's considered a time-out. ttlINT default: 600 The default ttl value to use when generating records. update-apply-verify-retriesINT default: 60 If an update isn't checked successfully, retries that many times. update-apply-verify-retries-delayINT default: 1 Waits that many seconds between two update apply tries. match-verify-retriesINT default: 60 If a match test fails, retries that many times. match-verify-retries-delayINT default: 1 Waits that many seconds between two match test tries. policySTRING default: undefined The name of the policy to use when generating the plan. uidUID default: 0 The uid to swich to. This should match the name server's. gidGID default: 0 The gid to swich to. This should match the name server's. <dnssec-policy> Description of dnssec policies. idSTR default: - id of the dnssec-policy section. descriptionSTR default: - Description for the dnssec-policy section. key-suiteSTR default: - id of the key-suite to be used. <key-suite> Description of the key-suites needed if 'dnssec policies' are used. idSTR default: - id of the key-suite section. key-templateSTR default: - id of the key-template to be used. key-rollSTR default: - id of the key-roll to be used. <key> TSIG keys algorithmENUM default: - Mandatory. Sets the algorithm of the key. Supported values are: hmac-md5hmac-sha1hmac-sha224hmac-sha256hmac-sha384hmac-sha512 (the algorithm names are case insensitive)} nameFQDN default: - Mandatory. Sets the name of the key. secretTEXT default: - Mandatory. Sets the value of the key. BASE64 encoded. <key-roll> Description of the key-rolls needed if 'dnssec policies' are used. idSTR default: - id of the key-roll section. generateSTR default: - Time when the key must be generated. publishSTR default: - Time when the key must be published in the zone. activateSTR default: - Time when the key will be used for signing the zone or apex of the zone. inactiveSTR default: - Time when the key will not be used anymore for signing. deleteSTR default: - Time when the key will be removed out of the zone. <key-template> Description of the key-templates needed if 'dnssec policies' are used. idSTR default: - id of the key-roll section. generateSTR default: - Time when the key must be generated. publishSTR default: - Time when the key must be published in the zone. activateSTR default: - Time when the key will be used for signing the zone or apex of the zone. inactiveSTR default: - Time when the key will not be used anymore for signing. deleteSTR default: - Time when the key will be removed out of the zone. <channels> Description of the logger outputs. It contains a list descriptions of user-defined outputs for the logger. Depending on the kind of output, the format is different. The "name" is arbitrary and is used for identification in the <loggers>. The "stream-name" defines the output type (i.e.: a file name, a program output or syslog). The "arguments" are specific to the output type (i.e.: unix file access rights or syslog options and facilities). * file output stream channel-name file-name access-rights (octal). * pipe to a program channel-name "| shell command" channel-name "| path-to-program program arguments >> append-redirect" * STDOUT, STDERR output stream channel-name stdout channel-name stderr * syslog channel-name syslog syslog-facility <loggers> Description of the logger outputs sources. Sets the output of a pre-defined logger for yakeyrolld. The format of the line is: logger-name output-filter comma-separated-channel-names Filters are: DEBUG7, DEBUG6, DEBUG5, DEBUG4, DEBUG3, DEBUG2, DEBUG1, DEBUG, INFO, NOTICE, WARNING, ERR, CRIT, ALERT, EMERG Additionally, there are: *ALL (or '*') meaning all the filters. *PROD means all but the DEBUG filters. The defined loggers are: keyroll contains general messages about the keyroll dnssec contains messages about DNSSEC-related computations during the generation. system contains low level messages about the system such as memory allocation, threading, IOs, timers and cryptography, ... System operators will mostly be interested in the info and above messages of the keyroll and dnssec loggers.

Examples

Examples of containers defined for a configuration file. * Main 1. Config with includes # start yakeyrolld.conf <yakeyrolld> container include /etc/yakeyrolld/conf.d/local.conf # end yakeyrolld.conf <yakeyrolld> container 2. Main without includes <yakeyrolld> # Detach from the console (alias: daemonize) daemon off # The directory to use for the log files log-path "/var/log/yakeyrolld" # The directory that yadifad uses to load private keys keys-path "/var/lib/yadifa/keys" # The directory to use to store the plans plan-path "/var/lib/yadifa/plans" generate-from "now" generate-until "+1y" server 127.0.0.1 policy "keyroll-policy" </yakeyrolld> * Key TSIG-key configuration 1. Admin-key key definition (the name is arbitrary) <key> name abroad-admin-key algorithm hmac-md5 secret WorthlessKeyForExample== </key> 2. primary-secondary key definition <key> name primary-secondary algorithm hmac-md5 secret PrimaryAndSecondaryKey== </key> * DNSSEC-Policy DNSSEC-Policy needs some extra sections: key-suite, key-roll, key-template 1. dnssec-policy example with all the needed sections <dnssec-policy> id "keyroll-policy" description "Example of ZSK and KSK" key-suite "zsk-1024" key-suite "ksk-2048" </dnssec-policy> 2. key-suite <key-suite> id "ksk-2048" key-template "ksk-2048" key-roll "yearly-calendar" </key-suite> <key-suite> id "zsk-1024" key-template "zsk-1024" key-roll "monthly-calendar" </key-suite> 3. key-roll <key-roll> id "yearly-calendar" generate 11 10 * 1 mon 1 # Januay, Monday of the second week at 10:11 publish 11 10 * 1 tue * # following Tuesday at 10:11 activate 11 10 * 1 wed * # following Wednesday at 10:11 inactive 11 10 * 1 mon * # following Monday, a year after, at 10:11 remove 11 10 * 1 wed * # following Wednesday at 10:11 </key-roll> <key-roll> id "monthly-calendar" generate 17 10 * * mon 0 # 1st monday the month at 10:17 publish 17 10 * * tue * # following tuesday at 10:17 activate 17 10 * * wed * # following wednesday at 10:17 inactive 17 10 * * wed * # following wednesday at 10:17 (one week after the activation) remove 17 10 * * thu * # following thursday at 10:17 </key-roll> 4. key-template <key-template> id "ksk-2048" ksk true algorithm RSASHA512 size 2048 </key-template> <key-template> id "zsk-1024" ksk false algorithm RSASHA512 size 1024 </key-template> * Channels Logging output-channel configurations: It contains a list of user-defined outputs for the logger. The "name" is arbitrary and is used for identification in the <loggers>. The "stream-name" defines the output type (i.e.: a file name, a program output or syslog). The "arguments" are specific to the output type (i.e.: unix file access rights or syslog options and facilities). 1. Example: logging channels definition. <channels> # name stream-name arguments keyroll keyroll.log 0644 dnssec dnssec.log 0644 system system.log 0644 all all.log 0644 </channels> * Loggers Logging input configurations: The "bundle" is the name of the section of yakeyroll being logged, sources are : database, dnssec, queries, server, stats, system, zone. The "debuglevel" uses the same names as syslog. Additionally, "*" or "all" means all the levels; "prod" means all but the debug levels. The "channels" are a comma-separated list of channels. 1. Example logger configuration <loggers> # bundle debuglevel channels keyroll prod keyroll,all dnssec prod dnssec,all system prod system,all </loggers>

Mailing Lists

There exists a mailinglist for questions relating to any program in the yadifa package: *yadifa-users@mailinglists.yadifa.eu for submitting questions/answers. *http://www.yadifa.eu/mailing-list-users for subscription requests. If you would like to stay informed about new versions and official patches send a subscription request to via: *http://www.yadifa.eu/mailing-list-announcements (this is a readonly list).

Name

yakeyrolld.conf - configuration file for yakeyrolld(8).

Notes

Since unquoted leading whitespace is generally ignored in the yadifad.conf you can indent everything to taste.

See Also

yakeyrolld(8)

Synopsis

${SYSCONFDIR}/yadifa/yakeyrolld.conf

Version

Version: 3.0.2 of 2025-03-11.

See Also