
YAKEYROLLD - utility for generating a sequence of KSK and ZSK for a zone.

Authors

       Gery Van Emelen
       Email: Gery.VanEmelen@EURid.eu
       Eric Diaz Fernandez
       Email: Eric.DiazFernandez@EURid.eu

       WWW: http://www.EURid.eu

YAKEYROLLD                                         2025-03-11                                      YAKEYROLLD(8)

Changes

       Please check the ChangeLog file from the source code.

Commands

       --help|-h  Shows the help

       --version|-V  Prints the version of the software

       --config|-c configfile  Sets the configuration file to use

       --mode|-m generate|play|playloop|print|print-json  Sets the program mode

       --domain fqdn  The domain name

       --path|-p directory  The directory where to store the keys

       --server|-s address  The address of the server

       --ttl|-t seconds  The TTL to use for both DNSKEY and RRSIG records

       --explain  Prints the planned schedule

       --reset  Starts by removing all the keys and creates a new KSK and a new ZSK. The server will not be
       queried.

       --policy  Name of the policy to use

       --from time  The lower time bound covered by the plan (default: now)

       --until time  The upper time bound covered by the plan (default: +1y)

       --dryrun  Do not write files to disk, do not send updates to the server

       --wait  Wait for yadifad to answer before starting to work (default)

       --nowait  Do not wait for yadifad to answer before starting to work

       --daemon  Daemonise the program for supported modes (default)

       --nodaemon  Do not daemonise the program

       --noconfirm  Do not ask for confirmation before doing a data reset

Description

       The  yakeyrolld  program  generates  a  sequence  of  KSK and ZSK for a zone, with all the steps of their
       lifecycles.

       yakeyrolld is part of the YADIFA distribution from EURid vzw/asbl. The latest version of  YADIFA  can  be
       found on:
                                             http://www.yadifa.eu/download

Files

       ${SYSCONFDIR}/yakeyrolld.conf
               The default yakeyrolld configuration file.

       yakeyrolld.conf.5
               Configuration man page for yakeyrolld.

Lifecycle

       A lifecycle for a key has several steps:

       *      Time of creation

       *      Time of publication

       *      Time of activation

       *      Time of de-activation

       *      Time of un-publication.

       These times are determined using a cron-like schedule.

       For each of these steps, it computes the following:

       *      The expected DNSKEY and RRSIG DNSKEY records on the primary before the step is started

       *      The ZSK files to add

       *      The ZSK files to remove

       *      The DNSKEY and RRSIG DNSKEY records to add

       *      The DNSKEY and RRSIG DNSKEY records to remove

       *      The expected DNSKEY and RRSIG DNSKEY records on the DNS primary after the step has been completed.

       Each step is stored as a file. The file contains fields like:

       epochus  An integer with the epoch of the step expressed in microseconds.

       dateus  A user-friendly date text matching the epochus field.

       actions  A list of actions expected to happen on the step (informational).

       debug  A text meant to help understand the step (informational).

       update  Each entry is a dynamic update command to be sent to the server.

       expect  Each entry defines one record expected to be in the zone on the server prior to executing the
       current step.

       endresult  Each entry defines one record expected to be in the zone on the server after the step has been
       executed.

       add  Defines a key file to create in keys-path.

       del  Names a key file to delete from keys-path.

Mailinglist

       There is a mailinglist for questions relating to any program in the yadifa package:

       *yadifa-users@mailinglists.yadifa.eu
              for submitting questions/answers.

       *http://www.yadifa.eu/mailing-list-users
              for subscription requests.

       If you would like to stay informed about new versions and official patches, send a subscription request
       via:

       *http://www.yadifa.eu/mailing-list-announcements

       (this is a read-only list).

Name

       YAKEYROLLD - utility for generating a sequence of KSK and ZSK for a zone.

Requirements

       OpenSSL
              yakeyrolld requires OpenSSL version 1.1.1 or later.

See Also

yakeyrolld.conf(5)

Synopsis

       yakeyrolld command [argument]

Usage

       The  yakeyrolld daemon writes key files in the yadifad keys directory and pushes DNSKEY and RRSIG records
       with a dynamic update.
       Zones managed by the keyroll need to have the rrsig-nsupdate-allowed setting enabled (<zone> section).
       In generation mode, the daemon needs access to both the plan and the private keys directory.
       For all other modes, the private keys directory is ignored.
       When no generation is being done, the private keys should not be kept on the machine: keep an encrypted
       backup of them in a safe place instead.

       Initialisation
              Destroys  all  current data that could exist and starts from nothing. Creates all the steps of the
              rolls for the next two years. Creates all the private keys in a separate directory.
              The directory that contains the private key files is required for this  command  as  private  keys
              will be added.

              yakeyrolld -mgenerate --until +1y --reset

       Renewal
              In order to extend a plan further, simply do another generation.
              The operation loads the current plan, extends it to cover the new limit date and saves the updated
              modified version back on disk.
              Previously  stored  private  keys  may  be used to generate signatures and new private keys may be
              added.
              Because of this, the directory that contains the private key files is required for this command.

              yakeyrolld -mgenerate --until +1y

       Plan calendar
              Details of the current plan can be printed on stdout using:

              yakeyrolld -mprint

              The output format of that command isn't meant to be parsed by a program.

              For a script, use instead:

              yakeyrolld -mprint-json

       Daemon
              To start rolling the keys and pushing them to the server, use:

              yakeyrolld -mplayloop
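The step structure described in the Lifecycle section (expect, update, endresult, add, del per step) and the check-apply-check cycle the play modes run against the primary, as an added example that is not yakeyrolld's or YADIFA's own code. The record model is simplified to DNSKEY and RRSIG DNSKEY entries, the key names and lifecycle times are constructed, the in-memory "primary" stands in for the yadifad server, and the rule that a ZSK private key file sits in keys-path only while that key is active is an assumption of the example, not a documented yakeyrolld behaviour.

```python
"""Constructed model of a KSK/ZSK roll plan and of its playback.

Added example: this is not yakeyrolld's or YADIFA's code.  It mirrors the
step fields listed in the Lifecycle section (epochus, dateus, actions,
update, expect, endresult, add, del) for a simplified record model, and the
check-apply-check cycle a play mode would run against the primary.  Key
names, times and the in-memory "primary" are constructed; nothing is sent
to a real yadifad.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

# Lifecycle events, in the order they are applied within one instant.
EVENTS = ("create", "publish", "activate", "deactivate", "unpublish")


@dataclass(frozen=True)
class Key:
    name: str        # constructed name, stands in for a K<zone>+<alg>+<tag> file
    role: str        # "KSK" or "ZSK"
    create: int      # lifecycle times, epoch seconds (constructed)
    publish: int
    activate: int
    deactivate: int
    unpublish: int


def records(published, active):
    """DNSKEY RRset plus the RRSIG DNSKEY signatures expected on the primary.

    Assumption: one RRSIG DNSKEY per active KSK; ZSKs are not modelled as
    signing the DNSKEY RRset.
    """
    recs = {("DNSKEY", k.name) for k in published}
    recs |= {("RRSIG DNSKEY", k.name) for k in active if k.role == "KSK"}
    return recs


def plan(keys):
    """Turn key lifecycles into an ordered list of steps, one per instant.

    Each step records what the zone must look like before (expect), the
    dynamic-update commands to send (update), what it must look like after
    (endresult), and the ZSK key files to place in or remove from keys-path.
    Assumption: a ZSK private key file is in keys-path only while the key is
    active, so the signer never holds a key it is not using.
    """
    by_time = {}
    for k in keys:
        for ev in EVENTS:
            by_time.setdefault(getattr(k, ev), []).append((ev, k))

    published, active, steps = set(), set(), []
    for t in sorted(by_time):
        before = records(published, active)
        actions, add, delete = [], [], []
        events = sorted(by_time[t], key=lambda e: (EVENTS.index(e[0]), e[1].name))
        for ev, k in events:
            actions.append(f"{ev} {k.role} {k.name}")
            if ev == "publish":
                published.add(k)
            elif ev == "activate":
                active.add(k)
                if k.role == "ZSK":
                    add.append(f"{k.name}.private")
            elif ev == "deactivate":
                active.discard(k)
                if k.role == "ZSK":
                    delete.append(f"{k.name}.private")
            elif ev == "unpublish":
                published.discard(k)
        after = records(published, active)
        steps.append({
            "epochus": t * 1_000_000,
            "dateus": datetime.fromtimestamp(t, tz=timezone.utc).isoformat(),
            "actions": actions,
            "expect": before,
            "update": [("add", r) for r in sorted(after - before)]
                      + [("del", r) for r in sorted(before - after)],
            "endresult": after,
            "add": add,
            "del": delete,
        })
    return steps


class StepMismatch(Exception):
    """The primary does not hold what the plan expects; the update is not sent."""


def play(steps, primary):
    """Apply the plan to an in-memory primary (a set of records).

    The expect check before the update and the endresult check after it keep
    a stale or hand-edited zone from silently diverging from the plan.
    Returns the final zone records and the key files left in keys-path.
    """
    zone, files = set(primary), set()
    for s in steps:
        if zone != s["expect"]:
            raise StepMismatch(f"{s['dateus']}: expected {sorted(s['expect'])}, "
                               f"found {sorted(zone)}")
        for op, rec in s["update"]:
            (zone.add if op == "add" else zone.discard)(rec)
        files |= set(s["add"])
        files -= set(s["del"])
        if zone != s["endresult"]:
            raise StepMismatch(f"{s['dateus']}: update did not yield the endresult")
    return zone, files


# Constructed lifecycles: one KSK outliving two overlapping ZSKs (pre-publish roll).
KEYS = [
    Key("ksk-1", "KSK", 0, 100, 200, 10_000, 10_100),
    Key("zsk-1", "ZSK", 0, 100, 200, 500, 600),
    Key("zsk-2", "ZSK", 300, 400, 500, 800, 900),
]

if __name__ == "__main__":
    for s in plan(KEYS):
        print(s["dateus"], s["actions"], s["update"], "add:", s["add"], "del:", s["del"])
```

Running the block prints the eleven steps of the constructed plan. The `play` function shows why the expect and endresult sets exist: a primary that already carries a record the plan does not know about (for instance a key pushed by hand) fails the expect check before any dynamic update is sent, rather than being overwritten or left in a mixed state.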

Version

       Version: 3.0.2 of 2025-03-11.
