Provided by: yadifa_2.3.7-1build1_amd64 bug

NAME

       yadifad.conf - configuration file for yadifad(8).

SYNOPSIS

       /etc/yadifad.conf

DESCRIPTION

       The configuration of yadifad has several containers:

       <main>
               General container

       <key>  TSIG keys

       <acl>  Access lists

       <nsid> NameServer IDentifier

       <rrl>  Response Rate Limiting directives

       <zone> Description of the domain name in specific attributes.

       <channels>
              Description of the logger outputs.

       <dnssec-policy>
              Description of dnssec policies.

       <key-suite>
              Description of the key-suites needed if 'dnssec policies' are used.

       <key-roll>
              Description of the key-rolls needed if 'dnssec policies' are used.

       <key-template>
              Description of the key-templates needed if 'dnssec policies' are used.

       <denial>
              Description of 'denial', this can be used in certain 'dnssec policies'.

       The configuration supports included files.
       example: include /etc/yadifa/conf.d/local.conf

       The configuration files can be nested.

       The configuration consists of:

       *      Container, which starts with <container name> and ends with </container name>

       *      Variable name

       *      1 or 2 arguments

       *      Arguments can contain 1 or more comma separated values.

       eg.

       <container>
           # variable  argument
           variable    value1
           # variable  argument1       argument2
           variable    value1          value2
           # variable  argument1
           variable    value1,value2
       </container>

EXAMPLES

       Examples of containers defined for a configuration file.

       *      Main

              1.     Config with includes

                     # start yadifad.conf <main> container
                     include /etc/yadifa/conf.d/local.conf
                     # end yadifad.conf <main> container

              2.     Main without includes

                     <main>
                         # Detach from the console (alias: daemonize)
                         daemon                  off

                         # Jail the application
                         chroot                  off

                         # The path of the log files (alias: chroot-path)
                         chrootpath              "/chroot/yadifad"

                         # The path of the log files (alias: log-path)
                         logpath                 "/var/log/yadifa"

                         # The location of the pid file (alias: pid-file)
                         pidfile                 "/var/run/yadifa/yadifad.pid"

                         # The path of the zone files (alias: data-path)
                         datapath                "/var/lib/yadifa"

                         # The path of the DNSSEC keys (alias: keys-path)
                         keyspath                "/var/lib/yadifa/keys"

                         # The path of the transfer and journaling files (AXFR & IXFR) (alias: xfr-path)
                         xfrpath                 "/var/lib/yadifa/xfr"

                         # A string returned by a query of hostname. CH TXT
                         # note: if you leave this out, the real hostname will be given back (alias: hostname-chaos)
                         hostname                "server-yadifad"

                         # An ID returned by a query to id.server. CH TXT (alias: serverid-chaos)
                         serverid                "yadifad-01"

                         # The version returned by a query to version.yadifa. CH TXT (alias: version-chaos)
                         version                 "2.3.7"

                         # Set the maximum UDP packet size.
                         # note: the packetsize cannot be less than 512 or more than 65535.
                         #       Typical choice is 4096.
                         edns0-max-size          4096

                         # The maximum number of parallel TCP queries (max-tcp-connections)
                         max-tcp-queries         100

                         # The minimum data rate for a TCP query (in bytes per second)
                         tcp-query-min-rate      512

                         # The user id to use (alias: user)
                         uid                     yadifa

                         # The group id to use (alias: group)
                         gid                     yadifa

                         # The DNS port - any DNS query will use that port unless a specific value is used (alias: server-port)
                         port                    53

                         # The interfaces to listen to.
                         # listen        0.0.0.0
                         listen                  127.0.0.1, 192.0.2.2, 192.0.2.130 port 8053, 2001:db8::2

                         # Type of querylog to use
                         #   0: none
                         #   1: yadifa
                         #   2: bind
                         #   3: both yadifa and bind
                         queries-log-type        1

                         # Enable the collection and logging of statistics
                         statistics              on

                         # Maximum number of seconds between two statistics lines
                         statistics-max-period   60

                         # Drop queries with erroneous content
                         #
                         # answer-formerr-packets on
                         answer-formerr-packets  off

                         # Maximum number of records in an AXFR packet. Set to 1 for compatibility
                         # with very old name servers (alias: axfr-max-record-by-packet)
                         axfr-maxrecordbypacket  0

                         # Global Access Control rules
                         #
                         # Rules can be defined on network ranges, TSIG signatures, and ACL rules

                         # simple queries:
                         #
                         # allow-query any
                         allow-query             !192.0.2.251,any

                         # dynamic update of a zone
                         #
                         # allow-update none
                         allow-update            admins

                         # dynamic update of a slave (forwarded to the master)
                         #
                         # allow-update-forwarding   none
                         allow-update-forwarding admins,key abroad-admin-key

                         # transfer of a zone (AXFR or IXFR)
                         #
                         # allow-transfer any
                         allow-transfer          transferer

                         # notify of a change in the master
                         #
                         # allow-notify any
                         allow-notify            master,admins

                         # If YADIFA has the controller enabled, allow control only for these
                         # clients (none by default)
                         allow-control           localhost

                         # overwrite the amount of CPUs detected by yadifad
                         cpu-count-override 3

                         # set the number of threads to serve queries
                         thread-count-by-address 2

                     </main>

       *      Key
              TSIG-key configuration

              1.     Admin-key key definition (the name is arbitrary)

                     <key>
                         name        abroad-admin-key
                         algorithm   hmac-md5
                         secret      WorthlessKeyForExample==
                     </key>

              2.     Master-slave key definition

                     <key>
                         name        master-slave
                         algorithm   hmac-md5
                         secret      MasterAndSlavesTSIGKey==
                     </key>

       *      ACL
              Access Control List definitions

              1.     Master-slave key use

                     <acl>
                         transferer  key master-slave
                         admins      192.0.2.0/24, 2001:db8::74
                         master      192.0.2.53
                         localhost   127.0.0.0/8, ::1
                     </acl>

       *      NSID
              DNS NameServer IDentifier

              1.     Example with ascii

                     <nsid>
                         ascii belgium-brussels-01
                     </nsid>

              2.     Example with hex

                     <nsid>
                         hex 00320201
                     </nsid>

       *      RRL
              Response Rate Limiting

       <rrl>
           # Number of identical responses per second before responses are being limited
           responses-per-second    5

           # Number of errors per second before responses are being limited
           errors-per-second       5

           # Random slip parameter
           slip                    10

           # If enabled, the rate limits are only logged and not enforced
           log-only                off

           # Mask applied to group the IPv4 clients
           ipv4-prefix-length      24

           # Mask applied to group the IPv6 clients
           ipv6-prefix-length      56

           # Rate limits are not subject to the following clients (aka whitelist)
           exempt-clients          none

           # Enable or disable the rate limit capabilities
           enabled                 yes
       </rrl>

       *      Zone

              1.     Master domain zone config

                     <zone>
                         # This server is master for the zone (mandatory)
                         type            master

                         # The domain name (mandatory)
                         domain          mydomain.eu

                         # The zone file, relative to 'datapath'  (mandatory for a master) (alias: file-name)
                         file            master/mydomain.eu

                         # List of servers also notified of a change (beside the ones in the zone file) (alias: notifies, notify)
                         also-notify     192.0.2.84, 192.0.2.149

                         # Set the size of the journal file in KB (alias: journal-size-kb)
                         journal-size    8192

                         # Allow dynupdate for these ACL entries
                         allow-update    admins

                         # Allow AXFR/IXFR for these ACL entries
                         allow-transfer  transferer

                         # Use DNSSEC policies otherwise remove or put in remark line below
                         dnssec-policy   1
                     </zone>

              2.     Slave domain zone config

                     <zone>
                         # This server is slave for that zone (mandatory)
                         type            slave

                         # The domain name (mandatory)
                         domain          myotherdomain.eu

                         # The address of the master (mandatory for a slave, forbidden for a master) (alias: master)
                         masters         191.0.2.53 port 4053 key master-slave

                         # The zone file, relative to 'datapath'.
                         file            slaves/myotherdomain.eu

                         # Accept notifes from these ACL entries
                         allow-notify    master
                     </zone>

       *      DNSSEC-Policy

       DNSSEC-Policy  needs some extra sections: key-suite, key-roll, key-template (and denial if
       NSEC3 is configured)

              1.     dnssec-policy example with all the needed sections

                     example with NSEC3
                     <dnssec-policy>
                         id              "1"

                         description     "Example of ZSK and KSK"
                         denial          "nsec3-with-salt-on"
                         key-suite       "zsk-1024"
                         key-suite       "ksk-2048"
                     </dnssec-policy>

                     example with NSEC
                     <dnssec-policy>
                         id              "2"

                         description     "Example of ZSK and KSK"
                         denial          nsec
                         key-suite       "zsk-1024"
                         key-suite       "ksk-2048"
                     </dnssec-policy>

              2.     key-suite
                     <key-suite>
                         id              "ksk-2048"

                         key-template    "ksk-2048"
                         key-roll        "key-roll-ksk-2048-short-times"
                     </key-suite>

                     <key-suite>
                         id              "zsk-1024"

                         key-template    "zsk-1024"
                         key-roll        "key-roll-zsk-1024-short-times"
                     </key-suite>

              3.     key-roll
                     <key-roll>
                         id              "key-roll-ksk-2048-short-times"

                     #   command         minutes    hours      day        month      day-week   week
                         generate        5,35       *          *          *          *          *
                         publish         6,36       *          *          *          *          *
                         activate        7,37       *          *          *          *          *
                         inactive        8,38       *          *          *          *          *
                         remove          12,42      *          *          *          *          *
                     </key-roll>

                     <key-roll>
                         id              "key-roll-zsk-1024-short-times"

                     #   command         minutes    hours      day        month      day-week   week
                         generate        5,35       *          *          *          *          *
                         publish         6,36       *          *          *          *          *
                         activate        7,37       *          *          *          *          *
                         inactive        8,38       *          *          *          *          *
                         remove          12,42      *          *          *          *          *
                     </key-roll>

              4.     key-template
                     <key-template>
                         id              "ksk-2048"

                         ksk             true
                         algorithm       8
                         size            2048
                     </key-template>

                     <key-template>
                         id              "zsk-1024"

                         ksk             false
                         algorithm       8
                         size            1024
                     </key-template>

              5.     denial
                     <denial>
                         id              "nsec3-with-salt-on"

                         salt            "ABCD"
                         algorithm       1
                         iterations      5
                         optout          off
                     </denial>

                     <denial>
                         id              "nsec3-with-salt-length-on"

                         salt-length     4
                         algorithm       1
                         iterations      5
                         optout          off
                     </denial>

       *      Channels

       Logging output-channel configurations:

       The "name" is arbitrary and is used in the <loggers>.
       The "stream-name" defines the output type (ie: a file name or syslog).
       The "arguments" are specific to the output type (ie: unix file  access  rights  or  syslog
       options and facilities).

              1.     Example: YADIFA running as daemon channel definition.

                     <channels>
                     #   name        stream-name     arguments
                         database    database.log    0644
                         dnssec      dnssec.log      0644
                         server      server.log      0644
                         statistics  statistics.log  0644
                         system      system.log      0644
                         queries     queries.log     0644
                         zone        zone.log        0644
                         all         all.log         0644

                         syslog      syslog          user
                     </channels>

              2.     Example: YADIFA running in debug mode.
                     This  example  shows the "stderr" and "stdout" which can also be used in the
                     first example, but will output to the console.

                     <channels>
                     #   name        stream-name     arguments
                         syslog      syslog          user

                         stderr      STDERR
                         stdout      STDOUT
                     </channels>

       *      Loggers

       Logging input configurations:

       The "bundle" is the name of the section of YADIDA being logged, sources  are  :  database,
       dnssec, queries, server, stats, system, zone.
       The "debuglevel" uses the same names as syslog or "*" or "all" to filter the input.

       The "channels" are a comma-separated list of channels.

              1.     Example without syslog

                     <loggers>
                     #   bundle          debuglevel                          channels
                         database        ALL                                 database,all
                         dnssec          warning                             dnssec,all
                         server          INFO,WARNING,ERR,CRIT,ALERT,EMERG   server,all
                         stats           prod                                statistics
                         system          *                                   system,all
                         queries         *                                   queries
                         zone            *                                   zone,all
                     </loggers>

              2.     Example with syslog

                     <loggers>
                     #   bundle          debuglevel                          channels
                         database        ALL                                 database,syslog
                         dnssec          warning                             dnssec,syslog
                         server          INFO,WARNING,ERR,CRIT,ALERT,EMERG   server,syslog
                         stats           prod                                statistics, syslog
                         system          *                                   system,syslog
                         queries         *                                   queries,syslog
                         zone            *                                   zone,syslog
                     </loggers>

       The defined loggers are:

       system contains  low level messages about the system such as memory allocation, threading,
              IOs, timers and cryptography, ...

       database
              It contains messages about most lower-level operations in  the  DNS  database.  ie:
              journal, updates, zone loading and sanitization, DNS message query resolution, ...)

       dnssec contains  messages  about  lower-level  dnssec  operations in the DNS database. ie:
              status, maintenance, verification, ...

       server contains messages about operations in the  DNS  server.  ie:  start  up,  shutdown,
              configuration,  transfers,  various  services  status (database management, network
              management, DNS notification management, dynamic update management,  resource  rate
              limiting, ...)

       zone   contains  messages  about  the  loading  of  a  zone  from  a source (file parsing,
              transferred binary zone reading, ...)

       stats  contains the statistics of the server.

       queries
              contains the queries on the server.  Queries can be logged  with  the  BIND  and/or
              with the YADIFA format.
              BIND format:
              client sender-ip#port: query: fqdn class type +SETDC (listen-ip)
              YADIFA format:
              query [ id ] {+SETDC} fqdn class type (sender-ip#port)
              where:

              id     is the query message id

              +      means the message has the Recursion Desired flag set

              S      means the message is signed with a TSIG

              E      means the message is EDNS

              T      means the message was sent using TCP instead of UDP

              D      means the message has the DNSSEC OK flag set

              C      means the message has the Checking Disabled flag set

              fqdn   is the queried FQDN

              class  is the queried class

              type   is the queried type

              sender-ip
                     is the IP of the client that sent the query

              port   is the port of the client that sent the query

              listen-ip
                     is the listen network interface that received the message

              Note  that  on  YADIFA  any  unset  flag is replaced by a '-', on BIND only the '+'
              follows that rule.

       System operators will mostly be interested in the info and above messages of  queries  and
       stats, as well as the error and above messages of the other loggers.

SEE ALSO

       yadifad(8)

NOTES

       Since  unquoted leading whitespace is generally ignored in the yadifad.conf you can indent
       everything to taste.

CHANGES

       Please check the file ChangeLog from the sources.

VERSION

       Version: 2.3.7 of 2017-12-08 .

MAILING LISTS

       There exists a mailinglist for questions relating to any program in the yadifa package:

       *      yadifa-users@mailinglists.yadifa.eu
              for submitting questions/answers.

       *      http://www.yadifa.eu/mailing-list-users
              for subscription requests.

       If you would like to stay  informed  about  new  versions  and  official  patches  send  a
       subscription request to via:

       *      http://www.yadifa.eu/mailing-list-announcements

       (this is a readonly list).

LICENSE AND COPYRIGHT

       Copyright
              (C)2011-2017, EURid
              B-1831 Diegem, Belgium
              info@yadifa.eu

AUTHORS

       Gery Van Emelen
       Email: Gery.VanEmelen@EURid.eu
       Eric Diaz Fernandez
       Email: Eric.DiazFernandez@EURid.eu

       WWW: http://www.EURid.eu