YAKEYROLLD-CONF(5) | YADIFA | YAKEYROLLD-CONF(5) |
yakeyrolld.conf - configuration file for yakeyrolld(8).
${SYSCONFDIR}/yadifa/yakeyrolld.conf
The configuration of yakeyrolld is consistent in a text file that can optionally include others. The general structure is a a sequence of containers: a sequence of lines of text starting with a <container-name> and ending with a </container-name>. Each line between these delimitters is in the form: variable-name value. The format of the value is determined by the type of the variable.
There are 7 types:
There are 9 sections:
Names one domain to manage, can be used up to 200 times. In yadifad.conf, each of these domains must have rrsig-nsupdate-allowed enabled in their respective <zone> section.
The directory that will contain the log files.
The directory the name server uses to read zone key file.
The directory of the step files.
The directory of the pid file.
The name of the pid file.
For plan generation, when to start the plan, can be overridden by the command line.
For plan generation, when to stop the plan, can be overridden by the command line.
The address of the name server for queries and dynamic updates.
The number of seconds spent trying to communicate with the primary until it's considered a time-out.
The default ttl value to use when generating records.
If an update isn't checked successfully, retries that many times.
Waits that many seconds between two update apply tries.
If a match test fails, retries that many times.
Waits that many seconds between two match test tries.
The name of the policy to use when generating the plan.
The uid to swich to. This should match the name server's.
The gid to swich to. This should match the name server's.
id of the dnssec-policy section.
Description for the dnssec-policy section.
id of the key-suite to be used.
id of the key-suite section.
id of the key-template to be used.
id of the key-roll to be used.
Mandatory. Sets the algorithm of the key.
Supported values are:
(the algorithm names are case insensitive)}
Mandatory. Sets the name of the key.
Mandatory. Sets the value of the key. BASE64 encoded.
id of the key-roll section.
Time when the key must be generated.
Time when the key must be published in the zone.
Time when the key will be used for signing the zone or apex of the zone.
Time when the key will not be used anymore for signing.
Time when the key will be removed out of the zone.
id of the key-roll section.
Time when the key must be generated.
Time when the key must be published in the zone.
Time when the key will be used for signing the zone or apex of the zone.
Time when the key will not be used anymore for signing.
Time when the key will be removed out of the zone.
It contains a list descriptions of user-defined outputs for the logger. Depending on the kind of output, the format is different.
The "name" is arbitrary and is used for identification
in the <loggers>.
The "stream-name" defines the output type (i.e.: a file name, a
program output or syslog).
The "arguments" are specific to the output type (i.e.: unix file
access rights or syslog options and facilities).
Sets the output of a pre-defined logger for yakeyrolld.
The format of the line is: logger-name output-filter
comma-separated-channel-names
Filters are:
DEBUG7, DEBUG6, DEBUG5, DEBUG4, DEBUG3,
DEBUG2, DEBUG1, DEBUG, INFO, NOTICE,
WARNING, ERR, CRIT, ALERT, EMERG
Additionally, there are:
The defined loggers are:
System operators will mostly be interested in the info and above messages of the keyroll and dnssec loggers.
Examples of containers defined for a configuration file.
# start yakeyrolld.conf <yakeyrolld> container include /etc/yakeyrolld/conf.d/local.conf # end yakeyrolld.conf <yakeyrolld> container
<yakeyrolld>
# Detach from the console (alias: daemonize)
daemon off
# The directory to use for the log files
log-path "/var/log/yakeyrolld"
# The directory that yadifad uses to load private keys
keys-path "/var/lib/yadifa/keys"
# The directory to use to store the plans
plan-path "/var/lib/yadifa/plans"
generate-from "now"
generate-until "+1y"
server 127.0.0.1
policy "keyroll-policy" </yakeyrolld>
<key>
name abroad-admin-key
algorithm hmac-md5
secret WorthlessKeyForExample== </key>
<key>
name primary-secondary
algorithm hmac-md5
secret PrimaryAndSecondaryKey== </key>
DNSSEC-Policy needs some extra sections: key-suite, key-roll, key-template
<dnssec-policy>
id "keyroll-policy"
description "Example of ZSK and KSK"
key-suite "zsk-1024"
key-suite "ksk-2048" </dnssec-policy>
<key-suite>
id "ksk-2048"
key-template "ksk-2048"
key-roll "yearly-calendar" </key-suite> <key-suite>
id "zsk-1024"
key-template "zsk-1024"
key-roll "monthly-calendar" </key-suite>
<key-roll>
id "yearly-calendar"
generate 11 10 * 1 mon 1 # Januay, Monday of the second week at 10:11
publish 11 10 * 1 tue * # following Tuesday at 10:11
activate 11 10 * 1 wed * # following Wednesday at 10:11
inactive 11 10 * 1 mon * # following Monday, a year after, at 10:11
remove 11 10 * 1 wed * # following Wednesday at 10:11 </key-roll> <key-roll>
id "monthly-calendar"
generate 17 10 * * mon 0 # 1st monday the month at 10:17
publish 17 10 * * tue * # following tuesday at 10:17
activate 17 10 * * wed * # following wednesday at 10:17
inactive 17 10 * * wed * # following wednesday at 10:17 (one week after the activation)
remove 17 10 * * thu * # following thursday at 10:17 </key-roll>
<key-template>
id "ksk-2048"
ksk true
algorithm RSASHA512
size 2048 </key-template> <key-template>
id "zsk-1024"
ksk false
algorithm RSASHA512
size 1024 </key-template>
Logging output-channel configurations:
It contains a list of user-defined outputs for the logger.
The "name" is arbitrary and is used for identification
in the <loggers>.
The "stream-name" defines the output type (i.e.: a file name, a
program output or syslog).
The "arguments" are specific to the output type (i.e.: unix file
access rights or syslog options and facilities).
<channels> # name stream-name arguments
keyroll keyroll.log 0644
dnssec dnssec.log 0644
system system.log 0644
all all.log 0644 </channels>
Logging input configurations:
The "bundle" is the name of the section of yakeyroll
being logged, sources are : database, dnssec, queries, server, stats,
system, zone.
The "debuglevel" uses the same names as syslog.
Additionally, "*" or "all" means all the levels;
"prod" means all but the debug levels.
The "channels" are a comma-separated list of channels.
<loggers> # bundle debuglevel channels
keyroll prod keyroll,all
dnssec prod dnssec,all
system prod system,all </loggers>
Since unquoted leading whitespace is generally ignored in the yadifad.conf you can indent everything to taste.
Please check the file README from the sources.
Version: 2.4.2 of 2021-02-23.
There exists a mailinglist for questions relating to any program
in the yadifa package:
If you would like to stay informed about new versions and official patches send a subscription request to via:
(this is a readonly list).
Gery Van Emelen
Email: Gery.VanEmelen@EURid.eu
Eric Diaz Fernandez
Email: Eric.DiazFernandez@EURid.eu
WWW: http://www.EURid.eu
2021-02-23 | YAKEYROLLD |