Provided by: yadifa_2.6.4-1_amd64

NAME

       yadifad.conf - configuration file for yadifad(8).

SYNOPSIS

       ${SYSCONFDIR}/yadifa/yadifad.conf

DESCRIPTION

       The  configuration  of  yadifad  consists of a text file that can optionally include
       others.  The general structure is a sequence of containers: a sequence of  lines  of  text
       starting  with  a <container-name> and ending with a </container-name>.  Each line between
       these delimiters is in the form:  variable-name  value.   The  format  of  the  value  is
       determined by the type of the variable.

   TYPES
       There are 15 types:

       ACL
               A  list  of  ACL  descriptors. User-defined ACLs are found in the ACL section. The
              "any" and "none" descriptors are always defined. Elements of the list are separated
              by a "," or a ";".

       DNSSECTYPE
               A  DNSSEC  type  name.  It  can  be  a  DNSSEC-enabled  value  ("nsec", "nsec3" or
              "nsec3-optout") or a DNSSEC-disabled value ("none", "no", "off" or "0").

       ENUM
               A word from a specified set.

       FLAG
               A boolean value. It can be true ("1", "enable", "enabled", "on", "true", "yes") or
              false ("0", "disable", "disabled", "off", "false", "no").

       FQDN
               A fully-qualified domain name text string. e.g.: www.eurid.eu.

       GID
               Group ID. (Can be a number or a name)

       HOST(S)
               A  (list of) host(s). A host is defined by an IP (v4 or v6) and can be followed by
              the word `port' and a port number. Elements of the list are separated by a `,' or a
              `;'.

       INTEGER / INT
               A base-ten integer.

       NETMOD
                A word or integer that identifies the network model:

               single or 0
                      Each working thread reads a single message, processes its  answer  and
                      replies to it.

               buffered or 1
                      Working threads work in pairs. One reads a single message  and  queues
                      it, the other de-queues it, processes its answer and replies to it.

               multi or 2
                      Each working thread reads multiple messages, processes  their  answers
                      and replies to them.

       PATH / FILE
                A file or directory path. e.g.: "/var/zones".

       STRING / STR
               A text string. Double quotes can be used but are not mandatory. Without quotes the
              string  will  be  taken  from  the  first non-blank character to the last non-blank
              character.

       HEXSTR
               A hexadecimal even-length text string.

       RELDATE
               A cron-like date to be matched, relative  to  another.  The  columns  are  minutes
              [0;59],     hours     [0;23],     days     [0;31],    months    [1;12],    weekdays
              [mon,tue,wed,thu,fri,sat,sun] and week-of-the-month [0;4]. Multiple values  can  be
              set in a column cell using ',' as a separator. The '*' character can be used to set
              all possible values of its column cell.

       RELTIME
               A time offset relative to another. It's written as +integer[unit-character] (e.g.:
              +24h) where the unit character can be seconds, minutes, hours, days or weeks.

       SECONDS
               A base-ten integer.

       HOURS
               A base-ten integer.

       DAYS
               A base-ten integer.

       UID
               User ID. (Can be a number or a name)

   CONTAINERS
       The configuration of yadifad has several containers:

       <main>
               General container

       <key>
               TSIG keys

       <acl>
               Access lists

       <nsid>
               NameServer IDentifier

       <rrl>
               Response Rate Limiting directives

       <zone>
               Description of the domain name in specific attributes.

       <channels>
               Description of the logger outputs.

       <dnssec-policy>
               Description of dnssec policies.

       <key-suite>
               Description of the key-suites needed if 'dnssec policies' are used.

       <key-roll>
               Description of the key-rolls needed if 'dnssec policies' are used.

       <key-template>
               Description of the key-templates needed if 'dnssec policies' are used.

       <denial>
               Description of 'denial', this can be used in certain 'dnssec policies'.

       The configuration supports included files.
       example: include /etc/yadifa/conf.d/local.conf

       The configuration files can be nested.

       The configuration consists of:

       *      Container, which starts with <container name> and ends with </container name>

       *      Variable name

       *      1 or 2 arguments

       *      Arguments can contain 1 or more comma separated values.
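       An added example, not from the man page or the yadifa sources: a Python parser for the
       container format described above (containers, variable value lines, include), run on a
       constructed two-file configuration, followed by a check that reports the settings this
       page documents as wide open. The paths, key name, secret and ACL names are constructed.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample files (not shipped with yadifa); the secret is base64 of 'PLACEHOLDER'.
FILES = {
    "/etc/yadifa/yadifad.conf": """\
<main>
    allow-transfer  secondaries
    allow-update    none
    chroot          on
    uid             yadifa
</main>
include /etc/yadifa/conf.d/local.conf
<zone>
    domain          example.test
    type            primary
    allow-update    any
</zone>
""",
    "/etc/yadifa/conf.d/local.conf": """\
<key>
    name            xfr-key.example.test
    algorithm       hmac-sha256
    secret          UExBQ0VIT0xERVI=
</key>
<acl>
    secondaries     key xfr-key.example.test; 192.0.2.0/24
</acl>
""",
}

TRUE_WORDS = {"1", "enable", "enabled", "on", "true", "yes"}
FALSE_WORDS = {"0", "disable", "disabled", "off", "false", "no"}
ACL_VARS = ("allow-transfer", "allow-update", "allow-update-forwarding", "allow-control")
Container = Tuple[str, Dict[str, str]]


def parse_flag(value: str) -> bool:
    """FLAG type: one of the documented true words or false words."""
    word = value.strip().lower()
    if word not in TRUE_WORDS | FALSE_WORDS:
        raise ValueError(f"not a FLAG value: {value!r}")
    return word in TRUE_WORDS


def split_list(value: str) -> List[str]:
    """ACL / HOSTS lists: elements separated by ',' or ';'."""
    return [e.strip() for e in re.split(r"[,;]", value) if e.strip()]


def parse_config(path: str, files: Dict[str, str], depth: int = 0) -> List[Container]:
    """Parse one file into ordered (container-name, {variable: value}) pairs,
    following 'include' lines; the depth bound turns an include loop into an error."""
    if depth > 8:
        raise ValueError(f"{path}: include nesting too deep (loop?)")
    containers: List[Container] = []
    current: Optional[Container] = None
    for lineno, raw in enumerate(files[path].splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        tag = re.fullmatch(r"<(/?)([\w-]+)>", line)
        if tag:
            closing, name = tag.groups()
            if closing:
                if current is None or current[0] != name:
                    raise ValueError(f"{path}:{lineno}: unexpected </{name}>")
                containers.append(current)
                current = None
            elif current is not None:
                raise ValueError(f"{path}:{lineno}: containers do not nest")
            else:
                current = (name, {})
            continue
        parts = line.split(None, 1)
        var, value = parts[0], (parts[1].strip() if len(parts) > 1 else "")
        if current is None:
            if var == "include":
                containers.extend(parse_config(value, files, depth + 1))
                continue
            raise ValueError(f"{path}:{lineno}: '{var}' outside a container")
        current[1][var] = value
    return containers


def audit(containers: List[Container]) -> List[str]:
    """Report settings the page documents as wide open: an ACL granting 'any'
    (a zone inherits the <main> value when unset), chroot off, uid 0/root."""
    findings = []
    main = next((v for n, v in containers if n == "main"), {})
    for var in ACL_VARS:
        if "any" in split_list(main.get(var, "none")):
            findings.append(f"main: {var} grants any")
    if not parse_flag(main.get("chroot", "off")):
        findings.append("main: chroot is off")
    if main.get("uid", "0") in ("0", "root"):
        findings.append("main: uid is root")
    for name, vars_ in containers:
        if name == "zone":
            for var in ACL_VARS:
                if "any" in split_list(vars_.get(var, main.get(var, "none"))):
                    findings.append(f"zone {vars_.get('domain', '?')}: {var} grants any")
    return findings
```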

   STANDARD SECTIONS
       <main>
               General  container,  contains  all the configuration parameters needed to start up
              yadifad.

              allow-control ACL
                      default: none

                     Default server-control access control list. Only the  sources  matching  the
                     ACL are accepted.

              allow-notify ACL
                      default: any

                     Default  notify  access control list. Only the servers matching the ACL will
                     be handled.

              allow-query ACL
                      default: any

                     Default query access control list. Only the clients matching the ACL will be
                     replied to.

              allow-transfer ACL
                      default: none

                     Default transfer access control list. Only the clients matching the ACL will
                     be allowed to transfer a zone (axfr/ixfr).

              allow-update ACL
                      default: none

                     Default update access control list. Only the clients matching the  ACL  will
                     be allowed to update a zone.

              allow-update-forwarding ACL
                      default: none

                     Default update-forwarding access control list. Only the sources matching the
                     ACL are accepted.

              answer-formerr-packets FLAG
                      default: true

                      If this flag is disabled, the server  will  not  reply  to  badly  formatted
                      packets.

              axfr-compress-packets FLAG
                      default: true

                     Enables the dns packet compression of each axfr packet.

              axfr-max-packet-size INT
                      default: 4096 bytes

                     The maximum size of an axfr packet. (MIN: 512; MAX: 65535)

              axfr-max-record-by-packet INT
                      default: 0

                     The  maximum  number  of records in each axfr packet. Older name servers can
                     only handle 1. Set to 0 to disable the limit. (MIN: 0; MAX: 65535)

              axfr-retry-delay SECONDS
                      default: 600

                     Number of seconds between each retry for the first transfer from the primary
                     name server. (MIN: 60; MAX: 86400)

              axfr-retry-jitter SECONDS
                      default: 180

                     Jitter applied to axfr-retry-delay. (MIN: 60; MAX: axfr-retry-delay)

              axfr-retry-failure-delay-multiplier INT
                      default: 5

                     Linear  back-off  multiplier. The multiplier times the number of failures is
                     added to the xfr-retry-delay. (MIN: 0; MAX: 86400)

              axfr-retry-failure-delay-max SECONDS
                      default: 3600

                     Maximum delay added for the back-off. (MIN: 0; MAX: 604800)

              axfr-strict-authority FLAG
                      default: yes (unless --enable-non-aa-axfr-support was used)

                      Tells yadifad to be strict with the AA flag in AXFR answers.

              chroot FLAG
                      default: off

                     Enabling this flag will make the  server  jail  itself  in  the  chroot-path
                     directory.

              chroot-path; chrootpath PATH
                      default: /

                     The directory used for the jail.

              cpu-count-override INT
                      default: 0

                     Overrides the detected number of logical cpus. Set to 0 for automatic. (MIN:
                     0; MAX: 256)

              daemon; daemonize FLAG
                      default: false

                     Enabling this flag will make the server detach from the console and work  in
                     background.

              data-path; datapath PATH
                      default: zones

                      The base path where the data lies (zone file path, journaling data, temporary
                      files, etc.)

              do-not-listen HOSTS
                      default: -

                     An exclusion list of addresses to never listen to. If set, 0.0.0.0  and  ::0
                     will always be split by interface to isolate the address.

              edns0-max-size INT
                      default: 4096

                     edns0 packets size. (MIN: 512; MAX: 65535)

              gid; group GID
                      default: 0 (or root)

                     The group ID that the server will use.

              hidden-primary; hidden-master FLAG
                      default: no

                      As a hidden primary, more CPU will be used for various maintenance tasks.

              hostname-chaos; hostname STR
                      default: the host name

                     The string returned by a hostname-chaos TXT CH query.

              keys-path; keyspath PATH
                      default: zones/keys

                     The base path of the dnssec keys.

              listen HOSTS
                      default: 0.0.0.0,::0

                     The list of interfaces to listen to.

              log-files-disabled FLAG
                      default: no

                     If  set,  disables checking the log-path directory for existence and writing
                     rights.

              log-path; logpath PATH
                      default: log

                     The base path where the log files are written.

              log-unprocessable FLAG
                      default: off

                     Enabling this flag will make the server log unprocessable queries.

              max-tcp-queries; max-tcp-connections INT
                      default: 16

                      The maximum number of parallel tcp queries allowed. (MIN: 1; MAX: 255)

              network-model NETMOD
                      default: multi

                     Sets the networking model of yadifa.

              pid-file; pidfile STR
                      default: run/yadifad.pid

                     The pid file name.

              queries-log-type INT
                      default: 1

                     Query log format. (0: none; 1: yadifa format; 2: BIND format; 3: yadifa  and
                     BIND format at once)

              serverid-chaos; serverid STR
                      default: -

                      The  string  returned  by  an id.server. TXT CH query. If not set, REFUSED is
                      answered.

              server-port; port INT
                      default: 53

                     The default dns port. (MIN: 1; MAX: 65535)

              sig-validity-interval DAYS
                      default: 30

                     The number of days for which an automatic signature is valid. (MIN: 7  days;
                     MAX: 30 days)

              sig-validity-jitter; sig-jitter SECONDS
                      default: 3600

                     The  signature  expiration validity jitter in seconds (1 hour). (MIN: 0 sec;
                     MAX: 86400 sec)

              sig-validity-regeneration HOURS
                      default: automatic

                     Signatures expiring in less than the  indicated  amount  of  hours  will  be
                     recomputed.  The default will be chosen by yadifa.  (MIN: 24 hours; MAX: 168
                     hours)

              statistics FLAG
                      default: true

                     The server will log a report line about some internal statistics.

              statistics-max-period SECONDS
                      default: 60

                     The period in seconds between two statistics log lines. (MIN: 1 sec; MAX: 31
                     * 86400 seconds (31 days))

              tcp-query-min-rate INT
                      default: 512 bytes/second

                      The  minimum  transfer  rate  required in a tcp connection (read and write).
                      Slower connections are closed. The units are bytes per second. (MIN: 0; MAX:
                      4294967295)

              thread-affinity-base INT
                      default: 0

                     Sets  the  first  CPU to set affinity for. Set it to the real CPU of a core.
                     (MIN: 0; MAX: 3)

              thread-affinity-multiplier INT
                      default: 0

                     Sets the multiplier choosing  CPU  to  set  affinity  for.  Allows  avoiding
                     hyperthread cores. Set to 0 for automatic avoiding. (MIN: 0; MAX: 4)

              thread-count-by-address INT
                      default: -1

                      Number of independent threads used to process each listening address. Set to
                      -1 for automatic. Set to 0 for single threaded. (MIN:  -1;  MAX:  number  of
                      CPUs)

              uid; user UID
                      default: 0 (or root)

                     The user ID that the server will use.

              version-chaos; version STR
                      default: yadifa version#

                     The text to include in the version TXT CH query.

              xfr-connect-timeout SECONDS
                      default: 5

                     Timeout  for establishing a connection for axfr and ixfr transfers. Set to 0
                     to disable. (MIN: 0; MAX: 4294967295)

              xfr-path; xfrpath PATH
                      default: zones/xfr

                     The base path used for axfr and journal storage.

              zone-download-thread-count INT
                      default: 4

                     Number of independent threads used to download the zones. (MIN: 0; MAX: 255)

              zone-load-thread-count INT
                      default: 1

                     Number of independent threads used to process loading of the zones. (MIN: 0;
                     MAX: 255)

              zone-store-thread-count INT
                      default: 1

                     Sets the number of threads used to store a zone on disk (MIN: 1, MAX: 4).

              zone-unload-thread-count INT
                      default: 1

                     Sets  the  number of threads used to delete a zone from memory (MIN: 1, MAX:
                     4).

              worker-backlog-queue-size INT
                      default: 16384

                     For network-model 1, sets the size of the backlog  queue  (MIN:  4096,  MAX:
                     1048576).

       <key>
               TSIG keys

              algorithm ENUM
                      default: -

                     Mandatory. Sets the algorithm of the key.

                     Supported values are:

                        hmac-md5

                        hmac-sha1

                        hmac-sha224

                        hmac-sha256

                        hmac-sha384

                        hmac-sha512

                      (the algorithm names are case insensitive)

              name FQDN
                      default: -

                     Mandatory. Sets the name of the key.

              secret TEXT
                      default: -

                     Mandatory. Sets the value of the key. BASE64 encoded.

       <acl>
               Access lists

       Each  entry  of  the  acl section defines a rule of access.  Each rule is a name (a single
       user-defined word) followed by a rule in the form of a list of statements.  The  separator
       can  be  ","  or  ";".   The  "any" and "none" names are reserved.  A statement tells if a
       source is accepted or rejected. Reject statements are prefixed with "!".   Statements  are
       evaluated  in  the  following  order: first from more specific to less specific, then from
       reject to accept.  If a statement matches, the evaluation will stop and accordingly accept
       or reject the source.  If no statement matches, then the source is rejected.

       A statement can be either:

               *      An IPv4 or an IPv6 address followed (or not) by a mask.
                      [!]ipv4|ipv6[/mask]

                     For example:

                     *      internal-network 192.0.2.128/26;2001:DB8::/32

              *      The word `key' followed by the name of a TSIG key.
                     key key-name

                     For example:

                     *      slaves key public-slave;key hidden-slave

              *      An ACL statement name from the acl section. Note that negation and recursion
                     are forbidden and duly rejected.
                     acl-name

                     For example:

                     *      who-can-ask-for-an-ixfr primary;secondaries;127.0.0.1
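       The evaluation order above, as an added example that is not yadifad's code: a Python
       model of an <acl> section (the three rules quoted above plus constructed ones) that
       expands references, refuses negated and nested references, and evaluates a source
       address or TSIG key name in the documented order. How a key statement ranks against an
       address prefix is not stated on the page and is this example's assumption.

```python
import ipaddress
import re
from typing import Dict, List, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
Statement = Tuple[bool, Union[Network, str]]  # (reject?, network or "key:<name>")

# Constructed <acl> section: the three examples from the page plus rules that
# exercise the ordering and the two forbidden forms.
ACL_RULES = {
    "internal-network": "192.0.2.128/26;2001:DB8::/32",
    "slaves": "key public-slave;key hidden-slave",
    "primary": "192.0.2.1",
    "secondaries": "192.0.2.128/26;!192.0.2.130;key public-slave",
    "who-can-ask-for-an-ixfr": "primary;secondaries;127.0.0.1",
    "same-prefix": "192.0.2.0/24;!192.0.2.0/24",
    "bad-nested": "who-can-ask-for-an-ixfr",  # refers to an ACL that itself refers to ACLs
    "bad-negated": "!primary",
}


def split_list(value: str) -> List[str]:
    return [e.strip() for e in re.split(r"[,;]", value) if e.strip()]


def compile_acl(name: str, rules: Dict[str, str], _nested: bool = False) -> List[Statement]:
    """Expand a named rule into statements.  An ACL reference is expanded one
    level; '!name' and a reference inside a referenced ACL raise, which is this
    example's reading of "negation and recursion are forbidden"."""
    if name == "any":
        return [(False, ipaddress.ip_network("0.0.0.0/0")), (False, ipaddress.ip_network("::/0"))]
    if name == "none":
        return []
    stmts: List[Statement] = []
    for item in split_list(rules[name]):
        reject = item.startswith("!")
        body = item[1:].strip() if reject else item
        if body.startswith("key "):
            stmts.append((reject, "key:" + body.split(None, 1)[1].strip().lower()))
        elif body in rules or body in ("any", "none"):
            if reject:
                raise ValueError(f"{name}: negated ACL reference '{item}' is forbidden")
            if _nested:
                raise ValueError(f"{name}: nested ACL reference '{item}' is forbidden")
            stmts.extend(compile_acl(body, rules, _nested=True))
        else:
            stmts.append((reject, ipaddress.ip_network(body, strict=False)))
    return stmts


def _specificity(stmt: Statement) -> int:
    # A key statement names one exact key; this example ranks it above any
    # address prefix (the page does not say how the two kinds compare).
    return 129 if isinstance(stmt[1], str) else stmt[1].prefixlen


def evaluate(stmts: List[Statement], source_ip: str, tsig_key: str = "") -> bool:
    """Apply the documented order: most specific first, reject before accept at
    equal specificity, first match decides, no match means rejected."""
    ip = ipaddress.ip_address(source_ip)
    ordered = sorted(stmts, key=lambda s: (-_specificity(s), not s[0]))
    for reject, target in ordered:
        if isinstance(target, str):
            matched = bool(tsig_key) and target == "key:" + tsig_key.lower()
        else:
            matched = ip.version == target.version and ip in target
        if matched:
            return not reject
    return False


def allowed(acl_name: str, source_ip: str, tsig_key: str = "") -> bool:
    """Convenience wrapper over the constructed ACL_RULES."""
    return evaluate(compile_acl(acl_name, ACL_RULES), source_ip, tsig_key)
```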

       <nsid>
               NameServer IDentifier

              ascii  STR
                      default: ""

                     The string can be 512 characters long.

              hex
                      default: ""

       <rrl>
               Response Rate Limiting directives

              responses-per-second  INT
                      default: 5

                     Allowed response rate.

              errors-per-second  INT
                      default: 5

                     Allowed error rate.

              slip  INT
                      default: 2

                     Random slip parameter.

              log-only  FLAG
                      default: false

                     If set to true, logs what it should do without doing it.

              ipv4-prefix-length  INT
                      default: 24

                     Mask applied to group the IPv4 clients.

              ipv6-prefix-length  INT
                      default: 56

                     Mask applied to group the IPv6 clients.

              exempt-clients  ACL
                      default: none

                     Clients matching this rule are not subject to the RRL.

              enabled  FLAG
                      default: false

                     Enables the RRL

              min-table-size  INT
                      default: 1024

                     RRL buffer minimum size

              max-table-size  INT
                      default: 16384

                     RRL buffer maximum size

              window  INT
                      default: 15

                     RRL sliding window size in seconds

       <zone>
               Description of the domain name in specific attributes.

              allow-control ACL
                      default: as main

                     Control commands control list. Only the matching sources are allowed.

              allow-notify ACL
                      default: as main

                     Notify access control list. Only  the  servers  matching  the  ACL  will  be
                     handled.

              allow-query ACL
                      default: as main

                     Query access control list. Only the clients matching the ACL will be replied
                     to.

              allow-transfer ACL
                      default: as main

                      Transfer access control list. Only the  clients  matching  the  ACL  will  be
                      allowed to transfer a zone (axfr/ixfr).

              allow-update ACL
                      default: as main

                     Update  access  control  list.  Only  the  clients  matching the ACL will be
                     allowed to update a zone.

              allow-update-forwarding ACL
                      default: as main

                     Update forwarding control list. Only the matching sources are allowed.

              dnssec-mode; dnssec DNSSEC-TYPE
                      default: off

                      Type of dnssec used for the zone. As primary name server, yadifa will try to
                      maintain that state.

              dnssec-policy STR
                      default: -

                     Sets the dnssec-policy id to be used.

              domain FQDN
                      default: -

                      Mandatory. Sets the domain of the zone (e.g.: eurid.eu).

              drop-before-load FLAG
                      default: off

                     Enabling  this  flag  will  make the server drop the zone before loading the
                     updated zone from disk. Use this on systems constrained for RAM.

              file-name; file FILE
                      default: -

                     Sets the zone file name. Only mandatory for a primary zone.

              journal-size-kb INT
                      default: 0

                      Puts a soft limit on the size of the journal, expressed in KB. (MIN: 0; MAX:
                      3698688 (3GB))

              keys-path; keyspath PATH
                      default: as main

                     The base path of the dnssec keys.

              maintain-dnssec FLAG
                      default: true

                      Enabling this flag will cause the server to try and maintain rrsig records.

              primaries; primary; masters; master HOSTS
                      default: -

                     Mandatory  for  a  slave. Sets the primary server(s). Multiple primaries are
                     supported.

              multiprimary-retries; multimaster-retries INT
                      default: 0

                     The number of times  the  primary  is  unreachable  before  switching  to  a
                     different primary (MIN: 0; MAX: 255)

              no-primary-updates; no-master-updates FLAG
                      default: false

                     Enabling  this  flag  will  prevent  the  server from probing or downloading
                      changes from the primary.

              notifies; also-notify; notify HOSTS
                      default: -

                     The list of servers to notify in the event of a change. Currently only  used
                     by primaries when a dynamic update occurs.

              notify-auto FLAG
                      default: true

                      Enabling this flag will cause notify messages to be sent to all name servers
                      listed at the zone apex (its NS records). Disabling this flag causes the apex
                      NS records to be ignored.

              notify-retry-count INT
                      default: 5

                     Number of times yadifa tries to send a notify.  (MIN: 0; MAX: 10)

              notify-retry-period INT
                      default: 1

                     Time period in minutes between two notify attempts. (MIN: 1; MAX: 600)

              notify-retry-period-increase INT
                      default: 0

                     Increase of the time period in minutes between two notify attempts. (MIN: 0;
                     MAX: 600)

              rrsig-nsupdate-allowed FLAG
                      default: false

                     If this flag is set the server  allows  one  to  edit  RRSIG  records  using
                     dynamic updates.

              sig-validity-interval DAYS
                      default: as main

                     The  number of days for which an automatic signature is valid. (MIN: 7 days;
                     MAX: 30 days)

              sig-validity-regeneration HOURS
                      default: as main

                     The signatures expiring in less than the indicated amount of hours  will  be
                     recomputed. (MIN: 24 hours; MAX: 168 hours)

              sig-validity-jitter SECONDS
                      default: as main

                     The signature expiration validity jitter in seconds. (MIN: 0 sec; MAX: 86400
                     sec)

              true-multiprimary; true-multimaster FLAG
                      default: off

                     Enabling this flag will make the server use axfr when  switching  to  a  new
                      primary.

              type ENUM
                      default: -

                      Mandatory. Sets the type of zone: either primary/master or secondary/slave.

       <channels>
               Description of the logger outputs.

        It contains a list of descriptions of user-defined outputs for the logger.  Depending on
        the kind of output, the format is different.

        The "name" is arbitrary and is used for identification in the <loggers>.
        The "stream-name" defines the output type (e.g.: a file name, a program output or syslog).
        The "arguments" are specific to the output type (e.g.: unix file access rights  or  syslog
        options and facilities).

               *      file output stream:
                      channel-name file-name access-rights (octal)

               *      pipe to a program:
                      channel-name "| shell command"
                      channel-name "| path-to-program program arguments >> append-redirect"

               *      STDOUT, STDERR output stream:
                      channel-name stdout
                      channel-name stderr

               *      syslog:
                      channel-name syslog syslog-facility

       <loggers>
               Description of the logger outputs sources.

       Sets the output of a pre-defined logger from yadifad.

       The format of the line is: logger-name output-filter comma-separated-channel-names

       Filters are:
       DEBUG7, DEBUG6, DEBUG5, DEBUG4, DEBUG3, DEBUG2, DEBUG1, DEBUG, INFO, NOTICE, WARNING, ERR,
       CRIT, ALERT, EMERG

       Additionally, there are:

              *      ALL (or '*') meaning all the filters.

              *      PROD means all but the DEBUG filters.

              The defined loggers are:

              system
                      contains  low  level  messages  about the system such as memory allocation,
                     threading, IOs, timers and cryptography, ...

               database
                       contains messages about most lower-level operations in the DNS  database,
                      e.g.: journal, updates, zone loading and sanitization, DNS  message  query
                      resolution, ...

               dnssec
                       contains messages about lower-level dnssec operations in the DNS database,
                      e.g.: status, maintenance, verification, ...

               server
                       contains messages about operations in the DNS server,  e.g.:  start  up,
                      shutdown,  configuration,  transfers,  various  services  status   (database
                      management,  network management, DNS notification management, dynamic update
                      management, resource rate limiting, ...)

              zone
                      contains messages about the loading of a zone from a source (file  parsing,
                     transferred binary zone reading, ...)

              stats
                      contains the statistics of the server.

              queries
                      contains  the  queries  on the server.  Queries can be logged with the BIND
                     and/or with the YADIFA format.
                     BIND format:
                     client sender-ip#port: query: fqdn class type +SETDC (listen-ip)
                     YADIFA format:
                     query [ id ] {+SETDC} fqdn class type (sender-ip#port)
                     where:

                     id     is the query message id

                     +      means the message has the Recursion Desired flag set

                     S      means the message is signed with a TSIG

                     E      means the message is EDNS

                     T      means the message was sent using TCP instead of UDP

                     D      means the message has the DNSSEC OK flag set

                     C      means the message has the Checking Disabled flag set

                     fqdn   is the queried FQDN

                     class  is the queried class

                     type   is the queried type

                     sender-ip
                            is the IP of the client that sent the query

                     port   is the port of the client that sent the query

                     listen-ip
                            is the listen network interface that received the message

                     Note that on YADIFA any unset flag is replaced by a '-', on  BIND  only  the
                     '+' follows that rule.

              System  operators  will  mostly  be  interested  in  the info and above messages of
              queries and stats, as well as the error and above messages of the other loggers.
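       An added example (not yadifad's code): a Python parser that reads both query log formats
       described above into one record shape and tallies the flags, run over constructed log
       lines written to those formats; the id value, addresses and names are made up.

```python
import re
from typing import Dict, List, Optional

# Constructed lines written to the two formats quoted above; not output captured
# from a real server.
SAMPLE_LINES = [
    "client 192.0.2.10#53211: query: www.example.test IN A +ED (192.0.2.53)",
    "client 2001:db8::10#40001: query: example.test IN DNSKEY -STD (2001:db8::53)",
    "query [ 4660 ] {+-ET-C} www.example.test IN A (192.0.2.10#53211)",
    "query [ 4661 ] {-S--D-} _acme-challenge.example.test IN TXT (198.51.100.9#3333)",
    "some unrelated log line",
]

FLAG_NAMES = {"S": "tsig", "E": "edns", "T": "tcp", "D": "do", "C": "cd"}

BIND_RE = re.compile(
    r"^client (?P<sender>\S+)#(?P<port>\d+): query: (?P<fqdn>\S+) (?P<cls>\S+) "
    r"(?P<type>\S+) (?P<flags>[+-][SETDC]*) \((?P<listen>[^)]+)\)$")
YADIFA_RE = re.compile(
    r"^query \[\s*(?P<id>[^\]]+?)\s*\] \{(?P<flags>[+-][SETDC-]{5})\} (?P<fqdn>\S+) "
    r"(?P<cls>\S+) (?P<type>\S+) \((?P<sender>\S+)#(?P<port>\d+)\)$")


def decode_flags(token: str) -> Dict[str, bool]:
    """'+SETDC' token -> rd/tsig/edns/tcp/do/cd booleans.  The leading '+' or '-'
    is RD; in the YADIFA format every other unset position is also a '-', while
    the BIND format simply omits unset letters, so both decode the same way."""
    flags = {"rd": token[0] == "+"}
    flags.update({name: False for name in FLAG_NAMES.values()})
    for ch in token[1:]:
        if ch != "-":
            flags[FLAG_NAMES[ch]] = True
    return flags


def parse_query_line(line: str) -> Optional[Dict]:
    """Parse one line in either format into one record shape; None if neither."""
    fmt, m = "bind", BIND_RE.match(line)
    if m is None:
        fmt, m = "yadifa", YADIFA_RE.match(line)
    if m is None:
        return None
    d = m.groupdict()
    return {"format": fmt, "id": d.get("id"), "sender": d["sender"], "port": int(d["port"]),
            "fqdn": d["fqdn"], "class": d["cls"], "type": d["type"], "listen": d.get("listen"),
            **decode_flags(d["flags"])}


def count_flags(lines: List[str]) -> Dict[str, int]:
    """How many parsed queries carried each flag; a first look at, for example,
    the share of EDNS/DO, TCP or TSIG-signed traffic in a log."""
    counts = {"parsed": 0, "rd": 0, "tsig": 0, "edns": 0, "tcp": 0, "do": 0, "cd": 0}
    for line in lines:
        rec = parse_query_line(line)
        if rec is None:
            continue
        counts["parsed"] += 1
        for flag in list(counts)[1:]:
            counts[flag] += int(rec[flag])
    return counts
```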

   DNSSEC-POLICY
       There are 5 sections:

       <dnssec-policy>
                The dnssec-policy section binds up to four key suites and a  denial  mode.  It  is
               meant  to  be  used  as  a  dnssec-policy parameter in a zone section.  Usually two
               key-suites will be given: one for a KSK and one for a ZSK. The denial mode  can  be
               either 'nsec' or the name of a denial section.

              id STR
                      default: -

                     id of the dnssec-policy section.

              description STR
                      default: -

                     Description for the dnssec-policy section.

              key-suite STR
                      default: -

                      id  of  the  key-suite  to  be used. Usually both a KSK and a ZSK suite are
                      given.

              denial STR
                      default: nsec

                     id of the denial to be used for nsec3 or the argument 'nsec' to use nsec.

       <key-suite>
               The key-suite section is used by dnssec policies and is meant to be referenced  by
              a  dnssec-policy section.  A key-suite links a key definition (key-template) with a
              deployment calendar (key-roll).

              id STR
                      default: -

                     id of the key-suite section.

              key-template STR
                      default: -

                     id of the key-template to be used.

              key-roll STR
                      default: -

                     id of the key-roll to be used.

       <key-roll>
                The key-roll section is used by dnssec policies and is meant to be referenced by a
               key-suite section.  It's essentially a deployment calendar.  Each event is computed
               relative to another. Dates are chosen so that there is always a key in  an  active
               state. Please look at the examples, as a misconfiguration (e.g. matching conditions
               that are too restrictive) could easily stretch the life of a key over several years.
               If  the  RELDATE  format  is  being used, the first valid date matching the line is
               used. Usage of the RELDATE format is recommended over the RELTIME one.

              id STR
                      default: -

                     id of the key-roll section.

              generate RELDATE|RELTIME
                      default: -

                     Time when the key must be generated.  For the first key of a zone this date is
                     pre-dated so that the key is active right away.  Always computed so that  the
                     next key is activated before the current one is deactivated.

              publish RELDATE|RELTIME
                      default: -

                     Time when the key must be published in the zone. Relative to the generation.

              activate RELDATE|RELTIME
                      default: -

                     Time when the key starts being used for signing:  the  zone  for  a  ZSK,  the
                     apex of the zone for a KSK.  Relative to the publication.

              inactive RELDATE|RELTIME
                      default: -

                     Time from which the key is no longer used for signing.  Relative to the
                     activation.

              delete RELDATE|RELTIME
                      default: -

                     Time when the key will be removed from the zone (the key-roll  examples  below
                     write this line as 'remove').  Relative to the deactivation.
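
              The following script, added here as an illustration and not part of  yadifad  or
              its  documentation,  replays a key-roll calendar written in the RELDATE format for
              a series of keys and reports how long each key stays active, using the yearly and
              monthly schedules of the EXAMPLES section plus a deliberately  over-restrictive
              variant.  The field order (minute, hour, day of month, month, day of  week,  week
              of  month)  and  the rule that a key's inactive date is searched from the next
              key's activation are assumptions inferred from the comments  of  the  examples,
              not  taken  from  the  yadifad  source;  pre-dating  of  the  first  key is not
              modelled.

```python
"""
Simulate a yadifad <key-roll> calendar written in the RELDATE format and
report how long each key stays active.

Added example, not yadifad code.  Two things are ASSUMPTIONS drawn from the
comments of the manual page's examples, not from the yadifad source:
  * field order is  minute hour day-of-month month day-of-week week,
    where '*' matches anything, day-of-week is mon..sun and week is the
    0-based occurrence of that weekday inside the month (0 = first tuesday);
  * an event is the first matching instant strictly after the event it is
    relative to, and the inactive event of a key is searched from the
    activation of the NEXT key, so that an active key always exists.
Pre-dating of the very first key is not modelled.
"""
from datetime import datetime, timedelta

WEEKDAYS = {"mon": 0, "tue": 1, "wed": 2, "thu": 3, "fri": 4, "sat": 5, "sun": 6}
SEARCH_LIMIT_DAYS = 366 * 4  # a rule matching nothing in four years is dead


def _matches(value, pattern):
    return pattern == "*" or int(pattern) == value


def next_match(rule, after):
    """First instant strictly after `after` that matches the six RELDATE fields."""
    minute, hour, day, month, weekday, week = rule.split()
    d = after.date()
    for _ in range(SEARCH_LIMIT_DAYS):
        if (_matches(d.day, day) and _matches(d.month, month)
                and (weekday == "*" or WEEKDAYS[weekday] == d.weekday())
                and _matches((d.day - 1) // 7, week)):
            for h in (range(24) if hour == "*" else [int(hour)]):
                for m in (range(60) if minute == "*" else [int(minute)]):
                    candidate = datetime(d.year, d.month, d.day, h, m)
                    if candidate > after:
                        return candidate
        d += timedelta(days=1)
    raise ValueError(f"no date matches {rule!r} within {SEARCH_LIMIT_DAYS} days")


def simulate(roll, start, keys):
    """Return one dict per key holding the datetime of each key-roll event."""
    if isinstance(start, str):
        start = datetime.fromisoformat(start)
    timeline = []
    t = start
    for _ in range(keys):
        key = {"generate": next_match(roll["generate"], t)}
        key["publish"] = next_match(roll["publish"], key["generate"])
        key["activate"] = next_match(roll["activate"], key["publish"])
        timeline.append(key)
        t = key["activate"]  # the successor is generated after this activation
    for key, successor in zip(timeline, timeline[1:]):
        # a key is deactivated only once its successor signs, then removed
        key["inactive"] = next_match(roll["inactive"], successor["activate"])
        key["remove"] = next_match(roll["remove"], key["inactive"])
    return timeline


def lifetime_days(key):
    """Days between activation and deactivation of one key."""
    return (key["inactive"] - key["activate"]).days


# The two schedules from the key-roll examples of this manual page.
YEARLY = {"generate": "5 0 15 6 * *", "publish": "10 0 15 6 * *",
          "activate": "15 0 16 6 * *", "inactive": "15 0 17 6 * *",
          "remove": "15 11 18 6 * *"}
MONTHLY = {"generate": "5 0 * * tue 0", "publish": "10 0 * * tue 0",
           "activate": "15 0 * * wed 0", "inactive": "15 0 * * thu 0",
           "remove": "15 11 * * fri 0"}
# Constructed misconfiguration: inactive only matches 29 February, so the
# "yearly" key stays active until the next leap day instead of one year.
RESTRICTIVE = dict(YEARLY, inactive="15 0 29 2 * *")

if __name__ == "__main__":
    for name, roll in (("yearly", YEARLY), ("monthly", MONTHLY), ("restrictive", RESTRICTIVE)):
        key = simulate(roll, "2018-01-01", 2)[0]
        print(f"{name:12s} active {key['activate']:%Y-%m-%d %H:%M} -> "
              f"inactive {key['inactive']:%Y-%m-%d %H:%M} ({lifetime_days(key):4d} days), "
              f"removed {key['remove']:%Y-%m-%d %H:%M}")
```

              Run it as a plain Python 3 script.  The "restrictive" line shows a key living 623
              days instead of one year, because its inactive line only matches a 29th of February:
              this is the kind of mistake the warning above refers to.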

       <key-template>
               The  key-template section is used by dnssec policies and is meant to be referenced
              by a key-suite section.  It contains the  various  parameters  of  a  key  for  its
              generation.

              id STR
                      default: -

                     id of the key-template section.

              ksk FLAG
                      default: false

                     When  this flag is enabled a ksk will be generated. When disabled a zsk will
                     be generated.

              algorithm ENUM
                      default: 7

                     Sets the algorithm of the key.  Supported values are:  'DSA'  or  3;  'RSASHA1'
                     or 5; 'NSEC3DSA' or 6; 'NSEC3RSASHA1' or 7; 'RSASHA256' or 8; 'RSASHA512'  or
                     10; 'ECDSAP256SHA256' or 13; 'ECDSAP384SHA384' or 14.  The default, 7, and the
                     other DSA and SHA-1 based values (3, 5 and 6) are deprecated  for  signing  by
                     RFC 8624: set the algorithm explicitly to 8 or 13, as the examples below do.

              size INT
                      default: 0

                     The length of the key in bits (incompatible sizes will be  rejected).  (MIN:
                     0; MAX: 4096)

       <denial>
               The  denial  section is used by dnssec policies and is meant to be referenced by a
              dnssec-policy section.  It is used to define  the  NSEC3  denial  parameters  of  a
              dnssec policy. Policies using a NSEC denial don't need to use this section.

              id STR
                      default: -

                     id of the denial section.

              salt HEXSTR
                      default: empty

                     A  base16  encoded sequence of bytes used as the salt parameter of the NSEC3
                     chain.

              salt-length INT
                      default: 0

                     If the salt parameter isn't set, generates a random salt parameter  of  that
                     length. (MIN: 0; MAX: 255)

              iterations INT
                      default: 1

                     Iteration parameter of the NSEC3 chain.  (MIN: 0; MAX: 65535)  Every  extra
                     iteration  is  one more hash computation per name for the signer and for every
                     validator proving a denial; RFC 9276 recommends 0 iterations and an empty salt,
                     and allows validators to treat zones with high iteration counts as insecure.

              optout FLAG
                      default: false

                     Enables  opt-out  coverage  in  the  NSEC3 chain.  When this flag is enabled,
                     delegations which do not have a DS record will not be covered  by  an  NSEC3
                     record.   This  shrinks the chain for zones with many unsigned delegations, but
                     an opt-out span cannot prove that an unsigned delegation is absent, so a forged
                     one inside it is not detected by validators (RFC 5155, section 12.1.1).
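
              The following script, added here as an illustration and not part of yadifad,  computes
              RFC 5155 NSEC3 owner-name hashes for the parameters of a denial section and lists the
              warnings a reviewer would raise about them.  It assumes only that the salt is given in
              base16 and that iterations is the RFC 5155 count of extra hash rounds; the owner names
              hashed in the usage part (mydomain.eu) are taken from the zone example below, and
              denial_check applies RFC 9276 and RFC 5155 guidance that is independent of yadifad.

```python
"""
NSEC3 owner-name hashing (RFC 5155, section 5) for the parameters of a
<denial> section, plus the checks a reviewer would run on those parameters.

Added example, not yadifad code.  It assumes only that the section's `salt`
is base16 and `iterations` is the RFC 5155 additional-iteration count; the
RFC 9276 guidance it applies (iterations 0, empty salt) is independent of
yadifad.
"""
import base64
import hashlib

# RFC 5155 presents hashes in base32hex (RFC 4648 extended-hex alphabet).
_TO_BASE32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                                b"0123456789ABCDEFGHIJKLMNOPQRSTUV")


def wire_name(name):
    """Canonical (lowercase) wire format of a domain name such as 'a.example.'."""
    labels = [label for label in name.lower().rstrip(".").split(".") if label]
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def nsec3_hash(name, salt, iterations):
    """IH(salt, x, 0) = H(x || salt); IH(salt, x, k) = H(IH(salt, x, k-1) || salt)."""
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_TO_BASE32HEX).decode("ascii").lower()


def sha1_calls_per_name(iterations):
    """Hash invocations spent per name by the signer and by every validator proving a denial."""
    return iterations + 1


def denial_check(salt_hex, iterations, optout):
    """Warnings about a <denial> section, following RFC 9276 and RFC 5155 section 12.1.1."""
    warnings = []
    if iterations > 0:
        warnings.append(f"iterations {iterations}: RFC 9276 recommends 0; "
                        f"each name costs {sha1_calls_per_name(iterations)} SHA-1 calls")
    if bytes.fromhex(salt_hex):
        warnings.append("salt set: RFC 9276 recommends an empty salt; the salt is public, "
                        "so it does not make a dictionary attack on the zone harder")
    if optout:
        warnings.append("optout on: an unsigned delegation forged inside an opt-out span "
                        "cannot be proven absent by validators")
    return warnings


if __name__ == "__main__":
    # The "nsec3-with-salt-on" denial section of this manual page's examples.
    salt, iterations = bytes.fromhex("ABCD"), 5
    for owner in ("mydomain.eu.", "www.mydomain.eu."):
        print(f"{nsec3_hash(owner, salt, iterations)}.mydomain.eu.  <- {owner}")
    for warning in denial_check("ABCD", 5, False):
        print("warning:", warning)
```

              The hashing routine is checked against the example zone of RFC 5155 (appendix  A),
              so it can also be used to locate the NSEC3 record covering a given name in a signed
              zone file.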

EXAMPLES

       Examples of containers defined for a configuration file.

       *      Main

              1.     Main section example

                     <main>
                         # Detach from the console (alias: daemonize)
                         daemon                  off

                         # Jail the application
                         chroot                  off

                         # The directory to chroot into (alias: chroot-path)
                         chrootpath              "/chroot/yadifad"

                         # The path of the log files (alias: log-path)
                         logpath                 "/var/log/yadifa"

                         # The location of the pid file (alias: pid-file)
                         pidfile                 "/var/run/yadifa/yadifad.pid"

                         # The path of the zone files (alias: data-path)
                         datapath                "/var/lib/yadifa"

                         # The path of the DNSSEC keys (alias: keys-path)
                         keyspath                "/var/lib/yadifa/keys"

                         # The path of the transfer and journaling files (AXFR & IXFR) (alias: xfr-path)
                         xfrpath                 "/var/lib/yadifa/xfr"

                         # A string returned by a query of hostname. CH TXT
                         # note: if you leave this out, the real hostname will be given back (alias: hostname-chaos)
                         hostname                "server-yadifad"

                         # An ID returned by a query to id.server. CH TXT (alias: serverid-chaos)
                         serverid                "yadifad-01"

                         # The version returned by a query to version.yadifa. CH TXT (alias: version-chaos)
                         version                 2.5.0

                         # Set the maximum UDP packet size.
                         # note: the packetsize cannot be less than 512 or more than 65535.
                         #       Typical choice is 4096.
                         edns0-max-size          4096

                         # The maximum number of parallel TCP queries (max-tcp-connections)
                         max-tcp-queries         100

                         # The minimum data rate for a TCP query (in bytes per second)
                         tcp-query-min-rate      512

                         # The user id to use (alias: user)
                         uid                     yadifa

                         # The group id to use (alias: group)
                         gid                     yadifa

                         # The DNS port - any DNS query will use that port unless a specific value is used (alias: server-port)
                         port                    53

                         # The interfaces to listen to.
                         listen                  127.0.0.1, 192.0.2.2, 192.0.2.130 port 8053, 2001:db8::2

                         # Type of querylog to use
                         #   0: none
                         #   1: yadifa
                         #   2: bind
                         #   3: both yadifa and bind
                         queries-log-type        1

                         # Enable the collection and logging of statistics
                         statistics              on

                         # Maximum number of seconds between two statistics lines
                         statistics-max-period   60

                         # Drop queries with erroneous content
                         #
                         # answer-formerr-packets on
                         answer-formerr-packets  off

                         # Maximum number of records in an AXFR packet. Set to 1 for compatibility
                         # with very old name servers (alias: axfr-max-record-by-packet)
                         axfr-maxrecordbypacket  0

                         # Global Access Control rules
                         #
                         # Rules can be defined on network ranges, TSIG signatures, and ACL rules

                         # simple queries:
                         #
                         # allow-query any
                         allow-query             !192.0.2.251,any

                         # dynamic update of a zone
                         #
                         # allow-update none
                         allow-update            admins

                         # dynamic update of a slave (forwarded to the primary)
                         #
                         # allow-update-forwarding   none
                         allow-update-forwarding admins,key abroad-admin-key

                         # transfer of a zone (AXFR or IXFR)
                         #
                         # allow-transfer any
                         allow-transfer          transferer

                         # notify of a change in the primary
                         #
                         # allow-notify any
                         allow-notify            primary,admins

                         # If YADIFA has the controller enabled, allow control only for these
                         # clients (none by default)
                         allow-control           controller

                         # override the number of CPUs detected by yadifad
                         cpu-count-override 3

                         # set the number of threads to serve queries
                         thread-count-by-address 2

                     </main>

       *      Key
              TSIG-key configuration

              1.     Admin-key key definition (the name is arbitrary)

                     <key>
                         name        abroad-admin-key
                         # hmac-md5 is kept from the historical example only: RFC 8945 forbids
                         # its use, prefer an HMAC-SHA2 algorithm
                         algorithm   hmac-md5
                         # base64 placeholder: a real secret is generated randomly and never reused
                         secret      WorthlessKeyForExample==
                     </key>

              2.     primary-secondary key definition (the name is arbitrary)

                     <key>
                         name        primary-secondary
                         algorithm   hmac-md5
                         secret      PrimaryAndSecondaryKey==
                     </key>
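
              The following script, added here as an illustration and not  part  of  yadifad,
              produces  a  <key>  stanza  with  a freshly generated random secret and checks an
              existing secret/algorithm pair against RFC 8945 and the  RFC  2104  key-length
              advice.   It  assumes  yadifad  accepts an HMAC-SHA2 name such as hmac-sha256 in
              the algorithm field; tsig_key_stanza and tsig_secret_check are this example's own
              helpers.

```python
"""
Generate a <key> stanza for yadifad.conf with a random secret, and review an
existing secret/algorithm pair.  Added example, not yadifad code: it ASSUMES
that yadifad accepts an HMAC-SHA2 algorithm name such as "hmac-sha256".
"""
import base64
import hashlib
import secrets

# RFC 8945, section 6: HMAC-MD5 MUST NOT be used, HMAC-SHA1 is NOT RECOMMENDED.
_FORBIDDEN = {"hmac-md5"}
_DISCOURAGED = {"hmac-sha1"}


def tsig_secret_check(secret_b64, algorithm):
    """Warnings about a TSIG secret/algorithm pair as written in a <key> section."""
    algorithm = algorithm.lower()
    try:
        secret = base64.b64decode(secret_b64, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError
        return [f"secret is not valid base64: {exc}"]
    warnings = []
    if algorithm in _FORBIDDEN:
        warnings.append(f"{algorithm}: use is forbidden by RFC 8945")
    elif algorithm in _DISCOURAGED:
        warnings.append(f"{algorithm}: not recommended by RFC 8945")
    # RFC 2104 recommends a key at least as long as the hash output.
    try:
        digest_size = hashlib.new(algorithm.split("-", 1)[1]).digest_size
    except (IndexError, ValueError):
        warnings.append(f"{algorithm}: unknown HMAC algorithm name")
        return warnings
    if len(secret) < digest_size:
        warnings.append(f"secret is {len(secret)} bytes, shorter than the "
                        f"{digest_size}-byte output of {algorithm}")
    return warnings


def tsig_key_stanza(name, algorithm="hmac-sha256", nbytes=32):
    """A <key> block with a fresh random secret of `nbytes` bytes (base64 encoded)."""
    secret = base64.b64encode(secrets.token_bytes(nbytes)).decode("ascii")
    return (f"<key>\n    name        {name}\n    algorithm   {algorithm}\n"
            f"    secret      {secret}\n</key>\n")


if __name__ == "__main__":
    # The key of this manual page's first example, reviewed.
    for warning in tsig_secret_check("WorthlessKeyForExample==", "hmac-md5"):
        print("warning:", warning)
    # A replacement suitable for the primary/secondary transfer channel.
    print(tsig_key_stanza("primary-secondary"))
```

              The generated stanza is pasted into yadifad.conf on both the  primary  and  the
              secondary;  the secret is the only confidential part and the file holding it should
              be readable by the yadifa user only.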

       *      ACL
              Access Control List definitions

              1.     primary-secondary key use

                     <acl>
                         transferer  key primary-secondary
                         admins      192.0.2.0/24, 2001:db8::74
                         primary     192.0.2.53
                         localhost   127.0.0.0/8, ::1
                         controller  key controller # the ACL for the controller MUST use a key
                     </acl>

       *      NSID
              DNS NameServer IDentifier

              1.     Example with ascii

                     <nsid>
                         ascii belgium-brussels-01
                     </nsid>

              2.     Example with hex

                     <nsid>
                         hex 00320201
                     </nsid>

       *      RRL
              Response Rate Limiting

              1.     Example

                     <rrl>
                         # Number of identical responses per second before responses are being limited
                         responses-per-second    5

                         # Number of errors per second before responses are being limited
                         errors-per-second       5

                         # Random slip parameter
                         slip                    10

                         # If enabled, the rate limits are only logged and not enforced
                         log-only                off

                         # Mask applied to group the IPv4 clients
                         ipv4-prefix-length      24

                         # Mask applied to group the IPv6 clients
                         ipv6-prefix-length      56

                         # Rate limits are not subject to the following clients (aka whitelist)
                         exempt-clients          none

                         # Enable or disable the rate limit capabilities
                         enabled                 yes
                     </rrl>

       *      Zone

              1.     Primary domain zone config

                     <zone>
                         # This server is primary for the zone (mandatory)
                         type            primary

                         # The domain name (mandatory)
                         domain          mydomain.eu

                         # The zone file, relative to 'datapath'  (mandatory for a primary) (alias: file-name)
                         file            primaries/mydomain.eu

                         # List of servers also notified of a change (beside the ones in the zone file) (alias: notifies, notify)
                         also-notify     192.0.2.84, 192.0.2.149

                         # Set the size of the journal file in KB (alias: journal-size-kb)
                         journal-size    8192

                         # Allow dynupdate for these ACL entries
                         allow-update    admins

                         # Allow AXFR/IXFR for these ACL entries
                         allow-transfer  transferer

                         # Use DNSSEC policies otherwise remove or put in remark line below
                         dnssec-policy   1
                     </zone>

              2.     Slave domain zone config

                     <zone>
                         # This server is slave for that zone (mandatory)
                         type            slave

                         # The domain name (mandatory)
                         domain          myotherdomain.eu

                         # The address of the primary (mandatory for a slave, forbidden for a primary) (alias: primary)
                         primaries       192.0.2.53 port 4053 key primary-secondary

                         # The zone file, relative to 'datapath'.
                         file            slaves/myotherdomain.eu

                         # Accept notifies from these ACL entries
                         allow-notify    primary
                     </zone>

       *      DNSSEC-Policy

       DNSSEC-Policy  needs some extra sections: key-suite, key-roll, key-template (and denial if
       NSEC3 is configured)

              1.     dnssec-policy example with all the needed sections

                     example with NSEC3
                     <dnssec-policy>
                         id              "1"

                         description     "Example of ZSK and KSK"
                         denial          "nsec3-with-salt-on"
                         key-suite       "zsk-1024"
                         key-suite       "ksk-2048"
                     </dnssec-policy>

                     example with NSEC
                     <dnssec-policy>
                         id              "2"

                         description     "Example of ZSK and KSK"
                         denial          nsec
                         key-suite       "zsk-1024"
                         key-suite       "ksk-2048"
                     </dnssec-policy>

              2.     key-suite
                     <key-suite>
                         id              "ksk-2048"

                         key-template    "ksk-2048"
                         key-roll        "yearly-schedule"
                     </key-suite>

                     <key-suite>
                         id              "zsk-1024"

                         key-template    "zsk-1024"
                         key-roll        "monthly-schedule"
                     </key-suite>

              3.     key-roll (fields: minute, hour, day of month, month, day of week, week of month; '*' matches any)
                     <key-roll>
                         id                 "yearly-schedule"

                         #                   min        hour        day                 month        weekday           week
                         generate            5          0           15                  6            *                 * # this year   (2018) 15/06 at 00:05
                         publish             10         0           15                  6            *                 * #                             00:10
                         activate            15         0           16                  6            *                 * #                    16/06 at 00:15
                         inactive            15         0           17                  6            *                 * #             (2019) 17/06 at 00:15
                         remove              15        11           18                  6            *                 * #             (2019) 18/06 at 11:15
                     </key-roll>

                     <key-roll>
                         id                 "monthly-schedule"

                         #                   min        hour        day                 month        weekday           week
                         generate            5          0           *                   *            tue               0 # 1 tuesday   of the month at 00:05
                         publish             10         0           *                   *            tue               0 #                             00:10
                         activate            15         0           *                   *            wed               0 # 1 wednesday of the month at 00:15
                         inactive            15         0           *                   *            thu               0 # 1 thursday  of the month at 00:15
                         remove              15        11           *                   *            fri               0 # 1 friday    of the month at 11:15
                     </key-roll>

              4.     key-template
                     <key-template>
                         id              "ksk-2048"

                         ksk             true
                         algorithm       8
                         size            2048
                     </key-template>

                     <key-template>
                         id              "zsk-1024"

                         ksk             false
                         algorithm       8
                         size            1024
                     </key-template>

              5.     denial
                     <denial>
                         id              "nsec3-with-salt-on"

                         salt            "ABCD"
                         # NSEC3 hash algorithm: 1 (SHA-1) is the only value defined by RFC 5155
                         algorithm       1
                         # RFC 9276 recommends 0 iterations and an empty salt
                         iterations      5
                         optout          off
                     </denial>

                     <denial>
                         id              "nsec3-with-salt-length-on"

                         # a random salt of 4 bytes is generated instead of a fixed one
                         salt-length     4
                         algorithm       1
                         iterations      5
                         optout          off
                     </denial>

       *      Channels

       Logging output-channel configurations:

       It contains a list of user-defined outputs for the logger.

       The "name" is arbitrary and is used for identification in the <loggers>.
       The "stream-name" defines the output type (i.e. a file name, a program output or syslog).
       The "arguments" are specific to the output type (i.e.  unix  file  access  rights  or  syslog
       options and facilities).

              1.     Example: YADIFA running as daemon channel definition.

                     <channels>
                     #   name        stream-name     arguments
                         database    database.log    0644
                         dnssec      dnssec.log      0644
                         server      server.log      0644
                         statistics  statistics.log  0644
                         system      system.log      0644
                         queries     queries.log     0644
                         zone        zone.log        0644
                         all         all.log         0644

                         gziplog     "|/usr/bin/gzip - >> /var/log/yadifa.log.gz"

                         syslog      syslog          user
                     </channels>

              2.     Example: YADIFA running in debug mode.
                     This  example  shows the "stderr" and "stdout" which can also be used in the
                     first example, but will output to the console.

                     <channels>
                     #   name        stream-name     arguments
                         syslog      syslog          user

                         stderr      STDERR
                         stdout      STDOUT
                     </channels>

       *      Loggers

       Logging input configurations:

       The "bundle" is the name of the section of YADIFA being logged; sources  are:  database,
       dnssec, queries, server, stats, system, zone.
       The "debuglevel" uses the same names as syslog.
       Additionally, "*" or "all" means all the levels; "prod" means all but the debug levels.

       The "channels" are a comma-separated list of channels.

              1.     Example without syslog

                     <loggers>
                     #   bundle          debuglevel                          channels
                         database        ALL                                 database,all
                         dnssec          warning                             dnssec,all
                         server          INFO,WARNING,ERR,CRIT,ALERT,EMERG   server,all
                         stats           prod                                statistics
                         system          *                                   system,all
                         queries         *                                   queries
                         zone            *                                   zone,all
                     </loggers>

              2.     Example with syslog

                     <loggers>
                     #   bundle          debuglevel                          channels
                         database        ALL                                 database,syslog
                         dnssec          warning                             dnssec,syslog
                         server          INFO,WARNING,ERR,CRIT,ALERT,EMERG   server,syslog
                         stats           prod                                statistics,syslog
                         system          *                                   system,syslog
                         queries         *                                   queries,syslog
                         zone            *                                   zone,syslog
                     </loggers>

SEE ALSO

       yadifad(8)

NOTES

       Since  unquoted leading whitespace is generally ignored in the yadifad.conf you can indent
       everything to taste.

CHANGES

       Please check the file README from the sources.

VERSION

       Version: 2.6.4 of 2023-03-01.

MAILING LISTS

       There exists a mailinglist for questions relating to any program in the yadifa package:

       *      yadifa-users@mailinglists.yadifa.eu
              for submitting questions/answers.

       *      http://www.yadifa.eu/mailing-list-users
              for subscription requests.

       If you would like to stay informed about new versions and official  patches,  send  a
       subscription request via:

       *      http://www.yadifa.eu/mailing-list-announcements

       (this is a readonly list).

LICENSE AND COPYRIGHT

       Copyright
              (C)2011-2023, EURid
              B-1831 Diegem, Belgium
              info@yadifa.eu

AUTHORS

       Gery Van Emelen
       Email: Gery.VanEmelen@EURid.eu
       Eric Diaz Fernandez
       Email: Eric.DiazFernandez@EURid.eu

       WWW: http://www.EURid.eu