NAME

YAKEYROLLD - utility for generating a sequence of KSK and ZSK for a zone.

SYNOPSIS

yakeyrolld command [argument]

DESCRIPTION

The yakeyrolld program generates a sequence of KSK and ZSK for a zone, with all the steps of their lifecycles.

yakeyrolld is part of the YADIFA distribution from EURid vzw/asbl. The latest version of YADIFA can be found on:

http://www.yadifa.eu/download

LIFECYCLE

A lifecyle for a key has several steps:

*

Time of creation

*

Time of publication

*

Time of activation

*

Time of de-activation

*

Time of un-publication.

These times are determined using a cron-like schedule.

For all these steps, it computes the following:

*

The expected DNSSEC and RRSIG DNSSEC records on the primary before the step is started

*

The ZSK files to add

*

The ZSK files to remove

*

The DNSSEC and RRSIG DNSKEY records to add

*

The DNSKEY and RRSIG DNSKEY records to remove

*

The expected DNSKEY and RRSIG DNSKEY records on the dns primary after the step has been completed.

Each step is stored as a file. The file contains fields like:

epochus An integer with the epoch of the step expressed in microseconds.

dateus A user-friendly date text matching the epochus field.

actions A list of actions expected to happen on the step (informational).

debug A text meant to help understand the step (informational).

update Each entry is a dynamic update command to be sent to the server.

expect Each entry defines one record expected to be in the zone on the server prior to executing the current step.

endresult Each entry defines one record expected to be in the zone on the server after the step has been executed.

add Defines a key file to create in keys-path.

del Names a key file to delete from keys-path.

COMMANDS

--help|-h Shows the help

--version|-V Prints the version of the software

--config|-c configfile Sets the configuration file to use

--mode|-m generate | play | playloop | print | print-json Sets the program mode

--domain fqdn The domain name

--path|-p directory The directory where to store the keys

--server|-s address The address of the server

--ttl|-t seconds The ttl to use for both dnskey and rrsig records

--explain prints the planned schedule

--reset start by removing all the keys and create a new KSK and a new ZSK. The server will not be queried.

--policy Name of the policy to use

--from time The lower time bound covered by the plan (now)

--until time The upper time bound covered by the plan (+1y)

--dryrun Do not write files to disk, do not send updates to the server

--wait Wait for yadifad to answer before starting to work (default)

--nowait Do not wait for yadifad to answer before starting to work

--daemon Daemonise the program for supported modes (default)

--nodaemon Do not daemonise the program

--noconfirm Do not ask for confirmation before doing a data reset

USAGE

The yakeyrolld daemon writes key files in the yadifad keys directory and pushes DNSKEY and RRSIG records with a dynamic update.
Zones managed by the keyroll needs to have the rrsig-nsupdate-allowed setting enabled (<zone> section).
In generation mode, the daemon needs access to both the plan and private keys directory.
For all other modes, the private keys directory is ignored.
When not doing any kind of generation, they should not be kept on the machine. Their encrypted backup sitting in a safe place.

Initialisation

Destroys all current data that could exist and starts from nothing. Creates all the steps of the rolls for the next two years. Creates all the private keys in a separate directory.
The directory that contains the private key files is required for this command as private keys will be added.

yakeyrolld -m generate --until +1y --reset

Renewal

In order to extend a plan further, simply do another generation.
The operation loads the current plan, extends it to cover the new limit date and saves the updated modified version back on disk.
Previously stored private keys may be used to generate signatures and new private keys may be added.
Because of this, the directory that contains the private key files is required for this command.

yakeyrolld -m generate --until +1y

Plan calendar

Details of the current plan can be printed on stdout using:

yakeyrolld -m print

The output format of that command isn't meant to be parsed by a program.

For a script, use instead:

yakeyrolld -m print-json

Daemon

To start the rolling the keys and pushing them to the server, use:

yakeyrolld -m playloop

FILES

${SYSCONFDIR}/yakeyrolld.conf

The default yakeyrolld configuration file.

yakeyrolld.conf.5

Configuration man page for yakeyrolld.

SEE ALSO

yakeyrolld.conf(5)

REQUIREMENTS

OpenSSL

yakeyrolld requires OpenSSL version 1.1.1 or later.

CHANGES

Please check the ChangeLog file from the sources code.

VERSION

Version: 2.6.4 of 2023-03-01.

MAILINGLIST

There is a mailinglist for questions relating to any program in the yadifa package:

*

yadifa-users@mailinglists.yadifa.eu
for submitting questions/answers.

*

http://www.yadifa.eu/mailing-list-users
for subscription requests.

If you would like to stay informed about new versions and official patches send a subscription request to via:

*

http://www.yadifa.eu/mailing-list-announcements

(this is a read-only list).

LICENSE AND COPYRIGHT

Copyright

(C)2011-2023, EURid
B-1831 Diegem, Belgium
info@yadifa.eu

AUTHORS

Gery Van Emelen
Email: Gery.VanEmelen@EURid.eu
Eric Diaz Fernandez
Email: Eric.DiazFernandez@EURid.eu

WWW: http://www.EURid.eu