| YADIFAD-CONF(5) | YADIFA | YADIFAD-CONF(5) |
yadifad.conf - configuration file for yadifad(8).
${SYSCONFDIR}/yadifa/yadifad.conf
The configuration of yadifad is consistent in a text file that can optionally include others. The general structure is a sequence of containers: a sequence of lines of text starting with a <container-name> and ending with a </container-name>. Each line between these delimitters is in the form: variable-name value. The format of the value is determined by the type of the variable.
There are 15 types:
The configuration of yadifad has several containers:
The configuration supports included files.
example: include /etc/yadifa/conf.d/local.conf
The configuration files can be nested.
The configuration consists of:
Default server-control access control list. Only the sources matching the ACL are accepted.
Default notify access control list. Only the servers matching the ACL will be handled.
Default query access control list. Only the clients matching the ACL will be replied to.
Default transfer access control list. Only the clients matching the ACL will be allowed to transfer a zone (axfr/ixfr).
Default update access control list. Only the clients matching the ACL will be allowed to update a zone.
Default update-forwarding access control list. Only the sources matching the ACL are accepted.
If this flag is disabled; the server will not reply to badly formatted packets.
Enables the dns packet compression of each axfr packet.
The maximum size of an axfr packet. (MIN: 512; MAX: 65535)
The maximum number of records in each axfr packet. Older name servers can only handle 1. Set to 0 to disable the limit. (MIN: 0; MAX: 65535)
Number of seconds between each retry for the first transfer from the primary name server. (MIN: 60; MAX: 86400)
Jitter applied to axfr-retry-delay. (MIN: 60; MAX: axfr-retry-delay)
Linear back-off multiplier. The multiplier times the number of failures is added to the xfr-retry-delay. (MIN: 0; MAX: 86400)
Maximum delay added for the back-off. (MIN: 0; MAX: 604800)
Tells yadifad to be strict with the AA flag in AXFR answers
Enabling this flag will make the server jail itself in the chroot-path directory.
The directory used for the jail.
Overrides the detected number of logical cpus. Set to 0 for automatic. (MIN: 0; MAX: 256)
Enabling this flag will make the server detach from the console and work in background.
The base path were lies the data (zone file path; journaling data; temporary files; etc.)
An exclusion list of addresses to never listen to. If set, 0.0.0.0 and ::0 will always be split by interface to isolate the address.
edns0 packets size. (MIN: 512; MAX: 65535)
The group ID that the server will use.
As a hidden primary more CPU will be used for various maintenance tasks.
The string returned by a hostname-chaos TXT CH query.
The base path of the dnssec keys.
The list of interfaces to listen to.
If set, disables checking the log-path directory for existence and writing rights.
The base path where the log files are written.
Enabling this flag will make the server log unprocessable queries.
The maximum number of parallel tcp queries; allowed. (MIN: 1; MAX: 255)
Sets the networking model of yadifa.
The pid file name.
Query log format. (0: none; 1: yadifa format; 2: BIND format; 3: yadifa and BIND format at once)
The string returned by a id.server. TXT CH query. If not set; REFUSED is answered.
The default dns port. (MIN: 1; MAX: 65535)
The number of days for which an automatic signature is valid. (MIN: 7 days; MAX: 30 days)
The signature expiration validity jitter in seconds (1 hour). (MIN: 0 sec; MAX: 86400 sec)
Signatures expiring in less than the indicated amount of hours will be recomputed. The default will be chosen by yadifa. (MIN: 24 hours; MAX: 168 hours)
The server will log a report line about some internal statistics.
The period in seconds between two statistics log lines. (MIN: 1 sec; MAX: 31 * 86400 seconds (31 days))
The minimum transfer rate required in a tcp connection (read and write). Slower connections are closed. The units are bytes per second. (MIN: 0; MAX: 4294967295
Sets the first CPU to set affinity for. Set it to the real CPU of a core. (MIN: 0; MAX: 3)
Sets the multiplier choosing CPU to set affinity for. Allows avoiding hyperthread cores. Set to 0 for automatic avoiding. (MIN: 0; MAX: 4)
Number of independent threads used to process each listening address. Set to -1 for automatic. Set to 0 for single threaded. (MIN: -1; MAX: number of CPU's)
The user ID that the server will use.
The text to include in the version TXT CH query.
Timeout for establishing a connection for axfr and ixfr transfers. Set to 0 to disable. (MIN: 0; MAX: 4294967295)
The base path used for axfr and journal storage.
Number of independent threads used to download the zones. (MIN: 0; MAX: 255)
Number of independent threads used to process loading of the zones. (MIN: 0; MAX: 255)
Sets the number of threads used to store a zone on disk (MIN: 1, MAX: 4).
Sets the number of threads used to delete a zone from memory (MIN: 1, MAX: 4).
For network-model 1, sets the size of the backlog queue (MIN: 4096, MAX: 1048576).
Mandatory. Sets the algorithm of the key.
Supported values are:
(the algorithm names are case insensitive)}
Mandatory. Sets the name of the key.
Mandatory. Sets the value of the key. BASE64 encoded.
Each entry of the acl section defines a rule of access. Each rule is a name (a single user-defined word) followed by a rule in the form of a list of statements. The separator can be "," or ";". The "any" and "none" names are reserved. A statement tells if a source is accepted or rejected. Reject statements are prefixed with "!". Statements are evaluated in the following order: first from more specific to less specific, then from reject to accept. If a statement matches, the evaluation will stop and accordingly accept or reject the source. If no statement matches, then the source is rejected.
A statement can be either:
For example:
For example:
For example:
Allowed response rate.
Allowed error rate.
Random slip parameter.
If set to true, logs what it should do without doing it.
Mask applied to group the IPv4 clients.
Mask applied to group the IPv6 clients.
Clients matching this rule are not subject to the RRL.
Enables the RRL
RRL buffer minimum size
RRL buffer maximum size
RRL sliding window size in seconds
Control commands control list. Only the matching sources are allowed.
Notify access control list. Only the servers matching the ACL will be handled.
Query access control list. Only the clients matching the ACL will be replied to.
Tansfer access control list. Only the clients matching the ACL will be allowed to transfer a zone (axfr/ixfr
Update access control list. Only the clients matching the ACL will be allowed to update a zone.
Update forwarding control list. Only the matching sources are allowed.
Type of dnssec used for the zone. As primary name sever; yadifa will try to maintain that state.
Sets the dnssec-policy id to be used.
Mandatory. Sets the domain of the zone (i.e.: eurid.eu).
Enabling this flag will make the server drop the zone before loading the updated zone from disk. Use this on systems constrained for RAM.
Sets the zone file name. Only mandatory for a primary zone.
Puts a soft limit on the size of the journal; expressed in KB. (MIN: 0; MAX: 3698688 (3GB))
The base path of the dnssec keys.
Enabling this flag will cause the server to try and maintain rrsig records
Mandatory for a slave. Sets the primary server(s). Multiple primaries are supported.
The number of times the primary is unreachable before switching to a different primary (MIN: 0; MAX: 255)
Enabling this flag will prevent the server from probing or downloading changes from the primary
The list of servers to notify in the event of a change. Currently only used by primaries when a dynamic update occurs.
Enabling this flag will cause notify messages to be sent to all name servers in the APEX. Disabling this flags causes the content of APEX to be ignored (ns Records).
Number of times yadifa tries to send a notify. (MIN: 0; MAX: 10)
Time period in minutes between two notify attempts. (MIN: 1; MAX: 600)
Increase of the time period in minutes between two notify attempts. (MIN: 0; MAX: 600)
If this flag is set the server allows one to edit RRSIG records using dynamic updates.
The number of days for which an automatic signature is valid. (MIN: 7 days; MAX: 30 days)
The signatures expiring in less than the indicated amount of hours will be recomputed. (MIN: 24 hours; MAX: 168 hours)
The signature expiration validity jitter in seconds. (MIN: 0 sec; MAX: 86400 sec)
Enabling this flag will make the server use axfr when switching to a new primary
Mandatory. Sets the type of zone : either primary/master or secondary/slave.
It contains a list descriptions of user-defined outputs for the logger. Depending on the kind of output, the format is different.
The "name" is arbitrary and is used for identification
in the <loggers>.
The "stream-name" defines the output type (ie: a file name, a
program output or syslog).
The "arguments" are specific to the output type (ie: unix file
access rights or syslog options and facilities).
Sets the output of a pre-defined logger from yadifad.
The format of the line is: logger-name output-filter
comma-separated-channel-names
Filters are:
DEBUG7, DEBUG6, DEBUG5, DEBUG4, DEBUG3,
DEBUG2, DEBUG1, DEBUG, INFO, NOTICE,
WARNING, ERR, CRIT, ALERT, EMERG
Additionally, there are:
The defined loggers are:
Note that on YADIFA any unset flag is replaced by a '-', on BIND only the '+' follows that rule.
System operators will mostly be interested in the info and above messages of queries and stats, as well as the error and above messages of the other loggers.
There are 5 sections:
id of the dnssec-policy section.
Description for the dnssec-policy section.
id of the key-suite to be used. Usually both a KSK and a ZSK suites are given.
id of the denial to be used for nsec3 or the argument 'nsec' to use nsec.
id of the key-suite section.
id of the key-template to be used.
id of the key-roll to be used.
id of the key-roll section.
Time when the key must be generated. Pre-dated before so it's active right now if it's the first one. Always computed so that the next activation happens before the last deactivation.
Time when the key must be published in the zone. Relative to the generation.
Time when the key will be used for signing the zone or apex of the zone. Relative to the publication.
Time when the key will not be used anymore for signing. Relative to the activation.
Time when the key will be removed out of the zone. Relative to the deactivation.
id of the key-template section.
When this flag is enabled a ksk will be generated. When disabled a zsk will be generated.
Sets the algorithm of the key. Supported values are: ’DSA’; 3; ’RSASHA1’; 5; ’NSEC3DSA’; 6; ’NSEC3RSASHA1’; 7; ’RSASHA256’; 8; ’RSASHA512’; 10; ’ECDSAP256SHA256’; 13; ’ECDSAP384SHA384’; 14.
The length of the key in bits (incompatible sizes will be rejected). (MIN: 0; MAX: 4096)
id of the denial section.
A base16 encoded sequence of bytes used as the salt parameter of the NSEC3 chain.
If the salt parameter isn't set, generates a random salt parameter of that length. (MIN: 0; MAX: 255)
Iteration parameter of the NSEC3 chain. (MIN: 0; MAX: 65535)
Enables opt-out coverage in the NSEC3 chain. When this flag is enabled, delegations which do not have a DS record will not be covered by an NSEC3 record.
Examples of containers defined for a configuration file.
<main>
# Detach from the console (alias: daemonize)
daemon off
# Jail the application
chroot off
# The path of the log files (alias: chroot-path)
chrootpath "/chroot/yadifad"
# The path of the log files (alias: log-path)
logpath "/var/log/yadifa"
# The location of the pid file (alias: pid-file)
pidfile "/var/run/yadifa/yadifad.pid"
# The path of the zone files (alias: data-path)
datapath "/var/lib/yadifa"
# The path of the DNSSEC keys (alias: keys-path)
keyspath "/var/lib/yadifa/keys"
# The path of the transfer and journaling files (AXFR & IXFR) (alias: xfr-path)
xfrpath "/var/lib/yadifa/xfr"
# A string returned by a query of hostname. CH TXT
# note: if you leave this out, the real hostname will be given back (alias: hostname-chaos)
hostname "server-yadifad"
# An ID returned by a query to id.server. CH TXT (alias: serverid-chaos)
serverid "yadifad-01"
# The version returned by a query to version.yadifa. CH TXT (alias: version-chaos)
version 2.5.0
# Set the maximum UDP packet size.
# note: the packetsize cannot be less than 512 or more than 65535.
# Typical choice is 4096.
edns0-max-size 4096
# The maximum number of parallel TCP queries (max-tcp-connections)
max-tcp-queries 100
# The minimum data rate for a TCP query (in bytes per second)
tcp-query-min-rate 512
# The user id to use (alias: user)
uid yadifa
# The group id to use (alias: group)
gid yadifa
# The DNS port - any DNS query will use that port unless a specific value is used (alias: server-port)
port 53
# The interfaces to listen to.
listen 127.0.0.1, 192.0.2.2, 192.0.2.130 port 8053, 2001:db8::2
# Type of querylog to use
# 0: none
# 1: yadifa
# 2: bind
# 3: both yadifa and bind
queries-log-type 1
# Enable the collection and logging of statistics
statistics on
# Maximum number of seconds between two statistics lines
statistics-max-period 60
# Drop queries with erroneous content
#
# answer-formerr-packets on
answer-formerr-packets off
# Maximum number of records in an AXFR packet. Set to 1 for compatibility
# with very old name servers (alias: axfr-max-record-by-packet)
axfr-maxrecordbypacket 0
# Global Access Control rules
#
# Rules can be defined on network ranges, TSIG signatures, and ACL rules
# simple queries:
#
# allow-query any
allow-query !192.0.2.251,any
# dynamic update of a zone
#
# allow-update none
allow-update admins
# dynamic update of a slave (forwarded to the primary)
#
# allow-update-forwarding none
allow-update-forwarding admins,key abroad-admin-key
# transfer of a zone (AXFR or IXFR)
#
# allow-transfer any
allow-transfer transferer
# notify of a change in the primary
#
# allow-notify any
allow-notify primary,admins
# If YADIFA has the controller enabled, allow control only for these
# clients (none by default)
allow-control controller
# overwrite the amount of CPUs detected by yadifad
cpu-count-override 3
# set the number of threads to serve queries
thread-count-by-address 2 </main>
<key>
name abroad-admin-key
algorithm hmac-md5
secret WorthlessKeyForExample== </key>
<key>
name primary-secondary
algorithm hmac-md5
secret PrimaryAndSecondaryKey== </key>
<acl>
transferer key primary-secondary
admins 192.0.2.0/24, 2001:db8::74
primary 192.0.2.53
localhost 127.0.0.0/8, ::1
controller key controller # the ACL for the controller MUST use a key </acl>
<nsid>
ascii belgium-brussels-01 </nsid>
<nsid>
hex 00320201 </nsid>
<rrl>
# Number of identical responses per second before responses are being limited
responses-per-second 5
# Number of errors per second before responses are being limited
errors-per-second 5
# Random slip parameter
slip 10
# If enabled, the rate limits are only logged and not enforced
log-only off
# Mask applied to group the IPv4 clients
ipv4-prefix-length 24
# Mask applied to group the IPv6 clients
ipv6-prefix-length 56
# Rate limits are not subject to the following clients (aka whitelist)
exempt-clients none
# Enable or disable the rate limit capabilities
enabled yes </rrl>
<zone>
# This server is primary for the zone (mandatory)
type primary
# The domain name (mandatory)
domain mydomain.eu
# The zone file, relative to 'datapath' (mandatory for a primary) (alias: file-name)
file primaries/mydomain.eu
# List of servers also notified of a change (beside the ones in the zone file) (alias: notifies, notify)
also-notify 192.0.2.84, 192.0.2.149
# Set the size of the journal file in KB (alias: journal-size-kb)
journal-size 8192
# Allow dynupdate for these ACL entries
allow-update admins
# Allow AXFR/IXFR for these ACL entries
allow-transfer transferer
# Use DNSSEC policies otherwise remove or put in remark line below
dnssec-policy 1 </zone>
<zone>
# This server is slave for that zone (mandatory)
type slave
# The domain name (mandatory)
domain myotherdomain.eu
# The address of the primary (mandatory for a slave, forbidden for a primary) (alias: primary)
primaries 191.0.2.53 port 4053 key primary-secondary
# The zone file, relative to 'datapath'.
file slaves/myotherdomain.eu
# Accept notifes from these ACL entries
allow-notify primary </zone>
DNSSEC-Policy needs some extra sections: key-suite, key-roll, key-template (and denial if NSEC3 is configured)
example with NSEC3
<dnssec-policy>example with NSEC
id "1"
description "Example of ZSK and KSK"
denial "nsec3-with-salt-on"
key-suite "zsk-1024"
key-suite "ksk-2048" </dnssec-policy>
<dnssec-policy>
id "2"
description "Example of ZSK and KSK"
denial nsec
key-suite "zsk-1024"
key-suite "ksk-2048" </dnssec-policy>
<key-suite>
id "ksk-2048"
key-template "ksk-2048"
key-roll "yearly-schedule" </key-suite> <key-suite>
id "zsk-1024"
key-template "zsk-1024"
key-roll "monthly-schedule" </key-suite>
<key-roll>
id "yearly-schedule"
generate 5 0 15 6 * * # this year (2018) 15/06 at 00:05
publish 10 0 15 6 * * # 00:10
activate 15 0 16 6 * * # 16/06 at 00:15
inactive 15 0 17 6 * * # (2019) 17/06 at 00:15
remove 15 11 18 6 * * # (2019) 18/06 at 11:15 </key-roll> <key-roll>
id "monthly-schedule"
generate 5 0 * * tue 0 # 1 tuesday of the month at 00:05
publish 10 0 * * tue 0 # 00:10
activate 15 0 * * wed 0 # 1 wednesday of the month at 00:15
inactive 15 0 * * thu 0 # 1 thursday of the month at 00:15
remove 15 11 * * fri 0 # 1 friday of the month at 11:15 </key-roll>
<key-template>
id "ksk-2048"
ksk true
algorithm 8
size 2048 </key-template> <key-template>
id "zsk-1024"
ksk false
algorithm 8
size 1024 </key-template>
<denial>
id "nsec3-with-salt-on"
salt "ABCD"
algorithm 1
iterations 5
optout off </denial>
<denial>
id "nsec3-with-salt-length-on"
salt-length 4
algorithm 1
iterations 5
optout off </denial>
Logging output-channel configurations:
It contains a list of user-defined outputs for the logger.
The "name" is arbitrary and is used for identification
in the <loggers>.
The "stream-name" defines the output type (ie: a file name, a
program output or syslog).
The "arguments" are specific to the output type (ie: unix file
access rights or syslog options and facilities).
<channels> # name stream-name arguments
database database.log 0644
dnssec dnssec.log 0644
server server.log 0644
statistics statistics.log 0644
system system.log 0644
queries queries.log 0644
zone zone.log 0644
all all.log 0644
gziplog "|/usr/bin/gzip \- >> /var/log/yadifa.log.gz"
syslog syslog user </channels>
<channels> # name stream-name arguments
syslog syslog user
stderr STDERR
stdout STDOUT </channels>
Logging input configurations:
The "bundle" is the name of the section of YADIDA being
logged, sources are : database, dnssec, queries, server, stats, system,
zone.
The "debuglevel" uses the same names as syslog.
Additionally, "*" or "all" means all the levels;
"prod" means all but the debug levels.
The "channels" are a comma-separated list of channels.
<loggers> # bundle debuglevel channels
database ALL database,all
dnssec warning dnssec,all
server INFO,WARNING,ERR,CRIT,ALERT,EMERG server,all
stats prod statistics
system * system,all
queries * queries
zone * zone,all </loggers>
<loggers> # bundle debuglevel channels
database ALL database,syslog
dnssec warning dnssec,syslog
server INFO,WARNING,ERR,CRIT,ALERT,EMERG server,syslog
stats prod statistics, syslog
system * system,syslog
queries * queries,syslog
zone * zone,syslog </loggers>
Since unquoted leading whitespace is generally ignored in the yadifad.conf you can indent everything to taste.
Please check the file README from the sources.
Version: 2.6.4 of 2023-03-01.
There exists a mailinglist for questions relating to any program
in the yadifa package:
If you would like to stay informed about new versions and official patches send a subscription request to via:
(this is a readonly list).
Gery Van Emelen
Email: Gery.VanEmelen@EURid.eu
Eric Diaz Fernandez
Email: Eric.DiazFernandez@EURid.eu
WWW: http://www.EURid.eu
| 2023-03-01 | YADIFA |