oracular (8) yakeyrolld.8.gz

Provided by: yadifa_2.6.5-1build2_amd64

NAME

       YAKEYROLLD - utility for generating a sequence of KSK and ZSK for a zone.

SYNOPSIS

       yakeyrolld command [argument]

DESCRIPTION

       The  yakeyrolld program generates a sequence of KSK and ZSK for a zone, with all the steps
       of their lifecycles.

       yakeyrolld is part of the YADIFA distribution from EURid vzw/asbl. The latest  version  of
       YADIFA can be found on:
                                     http://www.yadifa.eu/download

LIFECYCLE

       A lifecycle for a key has several steps:

       *      Time of creation

       *      Time of publication

       *      Time of activation

       *      Time of de-activation

       *      Time of un-publication.

       These times are determined using a cron-like schedule.

       For all these steps, it computes the following:

       *      The expected DNSKEY and RRSIG DNSKEY records on the primary before the step is
              started

       *      The ZSK files to add

       *      The ZSK files to remove

       *      The DNSKEY and RRSIG DNSKEY records to add

       *      The DNSKEY and RRSIG DNSKEY records to remove

       *      The expected DNSKEY and RRSIG DNSKEY records on the dns primary after the step  has
              been completed.

       Each step is stored as a file. The file contains fields like:

       epochus  An integer with the epoch of the step expressed in microseconds.

       dateus  A user-friendly date text matching the epochus field.

       actions  A list of actions expected to happen on the step (informational).

       debug  A text meant to help understand the step (informational).

       update  Each entry is a dynamic update command to be sent to the server.

       expect   Each  entry  defines one record expected to be in the zone on the server prior to
       executing the current step.

       endresult  Each entry defines one record expected to be in the zone on  the  server  after
       the step has been executed.

       add  Defines a key file to create in keys-path.

       del  Names a key file to delete from keys-path.
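       The following Python model is an added illustration of the step computation described
       above (lifecycle times in, per-step expect/update/endresult and key-file add/del out); it
       is not yakeyrolld's own code. Key names, times and the rule that a ZSK file is created
       at publication and removed at un-publication are constructed assumptions.

```python
# Added illustration of the step model; not yakeyrolld's own code.
from dataclasses import dataclass

MICROS = 1_000_000  # one second, since epochus is expressed in microseconds


@dataclass(frozen=True)
class Key:
    name: str        # constructed key name
    kind: str        # "KSK" or "ZSK"
    publish: int     # lifecycle times as epochus (microseconds); constructed
    activate: int
    deactivate: int
    unpublish: int


EVENTS = ("publish", "activate", "deactivate", "unpublish")


def dnskeys_at(keys, t):
    """Names of keys whose DNSKEY (and RRSIG DNSKEY) must be in the zone at time t."""
    return sorted(k.name for k in keys if k.publish <= t < k.unpublish)


def build_steps(keys):
    """One step per lifecycle time. 'expect' is the DNSKEY set the primary must hold
    before the step, 'update' the records the dynamic update adds or deletes,
    'endresult' the set expected afterwards. 'add'/'del' are the ZSK files the signer
    needs (assumption: created at publication, removed at un-publication)."""
    times = sorted({getattr(k, e) for k in keys for e in EVENTS})
    steps = []
    for t in times:
        before, after = dnskeys_at(keys, t - 1), dnskeys_at(keys, t)
        steps.append({
            "epochus": t,
            "actions": [f"{e} {k.name}" for k in keys for e in EVENTS if getattr(k, e) == t],
            "expect": before,
            "update": [("add", n) for n in after if n not in before]
                      + [("del", n) for n in before if n not in after],
            "endresult": after,
            "add": [k.name for k in keys if k.kind == "ZSK" and k.publish == t],
            "del": [k.name for k in keys if k.kind == "ZSK" and k.unpublish == t],
        })
    return steps


# Constructed schedule: one KSK kept for the whole window, and a ZSK roll where the
# new ZSK is published before it starts signing and the old one stays published
# after it stops signing, until its signatures have expired.
D = 24 * 3600 * MICROS
KEYS = [
    Key("ksk-1", "KSK", 0, 0, 400 * D, 400 * D),
    Key("zsk-1", "ZSK", 0, 0, 90 * D, 100 * D),
    Key("zsk-2", "ZSK", 80 * D, 90 * D, 180 * D, 190 * D),
]

if __name__ == "__main__":
    for s in build_steps(KEYS):
        print(s["epochus"] // D, s["actions"], s["update"], s["add"], s["del"])
```

       Note that activation and de-activation steps carry an action but no update: the DNSKEY set
       on the primary only changes at publication and un-publication.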

COMMANDS

       --help|-h  Shows the help

       --version|-V  Prints the version of the software

       --config|-c  configfile Sets the configuration file to use

       --mode|-m  generate | play | playloop | print | print-json  Sets the program mode

       --domain  fqdn The domain name

       --path|-p  directory The directory where to store the keys

       --server|-s  address The address of the server

       --ttl|-t  seconds The ttl to use for both dnskey and rrsig records

       --explain  Prints the planned schedule

       --reset  Start by removing all the keys and creating a new KSK and a new ZSK. The server
       will not be queried.

       --policy  Name of the policy to use

       --from  time The lower time bound covered by the plan (now)

       --until  time The upper time bound covered by the plan (+1y)

       --dryrun  Do not write files to disk, do not send updates to the server

       --wait  Wait for yadifad to answer before starting to work (default)

       --nowait  Do not wait for yadifad to answer before starting to work

       --daemon  Daemonise the program for supported modes (default)

       --nodaemon  Do not daemonise the program

       --noconfirm  Do not ask for confirmation before doing a data reset

USAGE

       The yakeyrolld daemon writes key files in the yadifad keys directory and pushes DNSKEY and
       RRSIG records with a dynamic update.
       Zones managed by the keyroll need to have the rrsig-nsupdate-allowed setting enabled
       (<zone> section).
       In generation mode, the daemon needs access to both the plan and private keys directory.
       For all other modes, the private keys directory is ignored.
       When not doing any kind of generation, the private keys should not be kept on the machine;
       their encrypted backup should sit in a safe place.

       Initialisation
              Destroys all current data that could exist and starts from nothing. Creates all the
              steps of the rolls for the next two years.  Creates  all  the  private  keys  in  a
              separate directory.
              The  directory  that contains the private key files is required for this command as
              private keys will be added.

              yakeyrolld -m generate --until +1y --reset

       Renewal
              In order to extend a plan further, simply do another generation.
              The operation loads the current plan, extends it to cover the new limit date and
              saves the updated version back to disk.
              Previously  stored  private keys may be used to generate signatures and new private
              keys may be added.
              Because of this, the directory that contains the private key files is required  for
              this command.

              yakeyrolld -m generate --until +1y

       Plan calendar
              Details of the current plan can be printed on stdout using:

              yakeyrolld -m print

              The output format of that command isn't meant to be parsed by a program.

              For a script, use instead:

              yakeyrolld -m print-json

       Daemon
              To start rolling the keys and pushing them to the server, use:

              yakeyrolld -m playloop

FILES

       ${SYSCONFDIR}/yakeyrolld.conf
               The default yakeyrolld configuration file.

       yakeyrolld.conf.5
               Configuration man page for yakeyrolld.

SEE ALSO

       yakeyrolld.conf(5)

REQUIREMENTS

       OpenSSL
              yakeyrolld requires OpenSSL version 1.1.1 or later.

CHANGES

       Please check the ChangeLog file from the source code.

VERSION

       Version: 2.6.5 of 2023-09-06.

MAILINGLIST

       There is a mailinglist for questions relating to any program in the yadifa package:

       *      yadifa-users@mailinglists.yadifa.eu
              for submitting questions/answers.

       *      http://www.yadifa.eu/mailing-list-users
              for subscription requests.

       If you would like to stay informed about new versions and official patches, send a
       subscription request via:

       *      http://www.yadifa.eu/mailing-list-announcements

       (this is a read-only list).

       Copyright
              (C)2011-2023, EURid
              B-1831 Diegem, Belgium
              info@yadifa.eu

AUTHORS

       Gery Van Emelen
       Email: Gery.VanEmelen@EURid.eu
       Eric Diaz Fernandez
       Email: Eric.DiazFernandez@EURid.eu

       WWW: http://www.EURid.eu