Provided by: yadifa_2.6.7-1_amd64 bug

NAME

       yakeyrolld.conf - configuration file for yakeyrolld(8).

SYNOPSIS

       ${SYSCONFDIR}/yadifa/yakeyrolld.conf

DESCRIPTION

       The  configuration  of yakeyrolld is consistent in a text file that can optionally include
       others.  The general structure is a a sequence of containers: a sequence of lines of  text
       starting  with  a <container-name> and ending with a </container-name>.  Each line between
       these delimitters is in the form:  variable-name  value.   The  format  of  the  value  is
       determined by the type of the variable.

       There are 7 types:

       FQDN
               A fully-qualified domain name text string. e.g.: www.eurid.eu.

       GID
               Group ID. (Can be a number or a name)

       HOST(S)
               A  (list of) host(s). A host is defined by an IP (v4 or v6) and can be followed by
              the word `port' and a port number. Elements of the list are separated by a `,' or a
              `;'.

       INTEGER / INT
               A base-ten integer.

       PATH / FILE
               A file or directory path. i.e.: "/var/plans".

       STRING / STR
               A text string. Double quotes can be used but are not mandatory. Without quotes the
              string will be taken from the first  non-blank  character  to  the  last  non-blank
              character.

       UID
               User ID. (Can be a number or a name)

   STANDARD SECTIONS
       There are 9 sections:

       <yakeyrolld>
               General  container,  contains  all the configuration parameters needed to start up
              yakeyrolld.

              domain  FQDN
                      default: .

                     Names one domain to manage, can be used up to 200  times.  In  yadifad.conf,
                     each  of  these  domains  must  have rrsig-nsupdate-allowed enabled in their
                     respective <zone> section.

              log-path  PATH
                      default: ${localstatedir}/log/yakeyrolld

                     The directory that will contain the log files.

              keys-path  PATH
                      default: ${localstatedir}/zones/keys

                     The directory the name server uses to read zone key file.

              plan-path  PATH
                      default: ${localstatedir}/plans

                     The directory of the step files.

              pid-path  PATH
                      default: ${localstatedir}/run

                     The directory of the pid file.

              pid-file  STRING
                      default: yakeyrolld.pid

                     The name of the pid file.

              generate-from  STRING
                      default: "now"

                     For plan generation, when to start  the  plan,  can  be  overridden  by  the
                     command line.

              generate-until  STRING
                      default: "+1y"

                     For plan generation, when to stop the plan, can be overridden by the command
                     line.

              server  HOST
                      default: 127.0.0.1

                     The address of the name server for queries and dynamic updates.

              timeout  INT
                      default: 3

                     The number of seconds spent trying to communicate  with  the  primary  until
                     it's considered a time-out.

              ttl  INT
                      default: 600

                     The default ttl value to use when generating records.

              update-apply-verify-retries  INT
                      default: 60

                     If an update isn't checked successfully, retries that many times.

              update-apply-verify-retries-delay  INT
                      default: 1

                     Waits that many seconds between two update apply tries.

              match-verify-retries  INT
                      default: 60

                     If a match test fails, retries that many times.

              match-verify-retries-delay  INT
                      default: 1

                     Waits that many seconds between two match test tries.

              policy  STRING
                      default: undefined

                     The name of the policy to use when generating the plan.

              uid  UID
                      default: 0

                     The uid to swich to. This should match the name server's.

              gid  GID
                      default: 0

                     The gid to swich to. This should match the name server's.

       <dnssec-policy>
               Description of dnssec policies.

              id STR
                      default: -

                     id of the dnssec-policy section.

              description STR
                      default: -

                     Description for the dnssec-policy section.

              key-suite STR
                      default: -

                     id of the key-suite to be used.

       <key-suite>
               Description of the key-suites needed if 'dnssec policies' are used.

              id STR
                      default: -

                     id of the key-suite section.

              key-template STR
                      default: -

                     id of the key-template to be used.

              key-roll STR
                      default: -

                     id of the key-roll to be used.

       <key>
               TSIG keys

              algorithm ENUM
                      default: -

                     Mandatory. Sets the algorithm of the key.

                     Supported values are:

                        hmac-md5

                        hmac-sha1

                        hmac-sha224

                        hmac-sha256

                        hmac-sha384

                        hmac-sha512

                     (the algorithm names are case insensitive)}

              name FQDN
                      default: -

                     Mandatory. Sets the name of the key.

              secret TEXT
                      default: -

                     Mandatory. Sets the value of the key. BASE64 encoded.

       <key-roll>
               Description of the key-rolls needed if 'dnssec policies' are used.

              id STR
                      default: -

                     id of the key-roll section.

              generate STR
                      default: -

                     Time when the key must be generated.

              publish STR
                      default: -

                     Time when the key must be published in the zone.

              activate STR
                      default: -

                     Time when the key will be used for signing the zone or apex of the zone.

              inactive STR
                      default: -

                     Time when the key will not be used anymore for signing.

              delete STR
                      default: -

                     Time when the key will be removed out of the zone.

       <key-template>
               Description of the key-templates needed if 'dnssec policies' are used.

              id STR
                      default: -

                     id of the key-roll section.

              generate STR
                      default: -

                     Time when the key must be generated.

              publish STR
                      default: -

                     Time when the key must be published in the zone.

              activate STR
                      default: -

                     Time when the key will be used for signing the zone or apex of the zone.

              inactive STR
                      default: -

                     Time when the key will not be used anymore for signing.

              delete STR
                      default: -

                     Time when the key will be removed out of the zone.

       <channels>
               Description of the logger outputs.

       It  contains a list descriptions of user-defined outputs for the logger.  Depending on the
       kind of output, the format is different.

       The "name" is arbitrary and is used for identification in the <loggers>.
       The "stream-name" defines the output type (i.e.: a file name, a program output or syslog).
       The "arguments" are specific to the output type (i.e.: unix file access rights  or  syslog
       options and facilities).

              *      file output stream channel-name file-name access-rights (octal).

              *      pipe   to   a   program  channel-name  "|  shell  command"  channel-name  "|
                     path-to-program program arguments >> append-redirect"

              *      STDOUT, STDERR output stream channel-name stdout channel-name stderr

              *      syslog channel-name syslog syslog-facility

       <loggers>
               Description of the logger outputs sources.

       Sets the output of a pre-defined logger for yakeyrolld.

       The format of the line is: logger-name output-filter comma-separated-channel-names

       Filters are:
       DEBUG7, DEBUG6, DEBUG5, DEBUG4, DEBUG3, DEBUG2, DEBUG1, DEBUG, INFO, NOTICE, WARNING, ERR,
       CRIT, ALERT, EMERG

       Additionally, there are:

              *      ALL (or '*') meaning all the filters.

              *      PROD means all but the DEBUG filters.

              The defined loggers are:

              keyroll
                      contains general messages about the keyroll

              dnssec
                      contains messages about DNSSEC-related computations during the generation.

              system
                      contains  low  level  messages  about the system such as memory allocation,
                     threading, IOs, timers and cryptography, ...

              System operators will mostly be interested in the info and above  messages  of  the
              keyroll and dnssec loggers.

EXAMPLES

       Examples of containers defined for a configuration file.

       *      Main

              1.     Config with includes

                     # start yakeyrolld.conf <yakeyrolld> container
                     include /etc/yakeyrolld/conf.d/local.conf
                     # end yakeyrolld.conf <yakeyrolld> container

              2.     Main without includes

                     <yakeyrolld>
                         # Detach from the console (alias: daemonize)
                         daemon                  off

                         # The directory to use for the log files
                         log-path                 "/var/log/yakeyrolld"

                         # The directory that yadifad uses to load private keys
                         keys-path                "/var/lib/yadifa/keys"

                         # The directory to use to store the plans
                         plan-path                "/var/lib/yadifa/plans"

                         generate-from "now"

                         generate-until "+1y"

                         server 127.0.0.1

                         policy "keyroll-policy"
                     </yakeyrolld>

       *      Key
              TSIG-key configuration

              1.     Admin-key key definition (the name is arbitrary)

                     <key>
                         name        abroad-admin-key
                         algorithm   hmac-md5
                         secret      WorthlessKeyForExample==
                     </key>

              2.     primary-secondary key definition

                     <key>
                         name        primary-secondary
                         algorithm   hmac-md5
                         secret      PrimaryAndSecondaryKey==
                     </key>

       *      DNSSEC-Policy

       DNSSEC-Policy needs some extra sections: key-suite, key-roll, key-template

              1.     dnssec-policy example with all the needed sections
                     <dnssec-policy>
                         id              "keyroll-policy"

                         description     "Example of ZSK and KSK"
                         key-suite       "zsk-1024"
                         key-suite       "ksk-2048"
                     </dnssec-policy>

              2.     key-suite
                     <key-suite>
                         id              "ksk-2048"

                         key-template    "ksk-2048"
                         key-roll        "yearly-calendar"
                     </key-suite>

                     <key-suite>
                         id              "zsk-1024"

                         key-template    "zsk-1024"
                         key-roll        "monthly-calendar"
                     </key-suite>

              3.     key-roll
                     <key-roll>
                         id                 "yearly-calendar"

                         generate            11        10           *                   1            mon             1 # Januay, Monday of the second week at 10:11
                         publish             11        10           *                   1            tue             * # following Tuesday at 10:11
                         activate            11        10           *                   1            wed             * # following Wednesday at 10:11
                         inactive            11        10           *                   1            mon             * # following Monday, a year after, at 10:11
                         remove              11        10           *                   1            wed             * # following Wednesday at 10:11
                     </key-roll>

                     <key-roll>
                         id                 "monthly-calendar"

                         generate            17        10           *                   *            mon             0 # 1st monday the month at 10:17
                         publish             17        10           *                   *            tue             * # following tuesday at 10:17
                         activate            17        10           *                   *            wed             * # following wednesday at 10:17
                         inactive            17        10           *                   *            wed             * # following wednesday at 10:17 (one week after the activation)
                         remove              17        10           *                   *            thu             * # following thursday at 10:17
                     </key-roll>

              4.     key-template
                     <key-template>
                         id              "ksk-2048"

                         ksk             true
                         algorithm       RSASHA512
                         size            2048
                     </key-template>

                     <key-template>
                         id              "zsk-1024"

                         ksk             false
                         algorithm       RSASHA512
                         size            1024
                     </key-template>

       *      Channels

       Logging output-channel configurations:

       It contains a list of user-defined outputs for the logger.

       The "name" is arbitrary and is used for identification in the <loggers>.
       The "stream-name" defines the output type (i.e.: a file name, a program output or syslog).
       The  "arguments"  are specific to the output type (i.e.: unix file access rights or syslog
       options and facilities).

              1.     Example: logging channels definition.

                     <channels>
                     #   name        stream-name     arguments
                         keyroll     keyroll.log     0644
                         dnssec      dnssec.log      0644
                         system      system.log      0644
                         all         all.log         0644
                     </channels>

       *      Loggers

       Logging input configurations:

       The "bundle" is the name of the section of yakeyroll being logged, sources are : database,
       dnssec, queries, server, stats, system, zone.
       The "debuglevel" uses the same names as syslog.
       Additionally, "*" or "all" means all the levels; "prod" means all but the debug levels.

       The "channels" are a comma-separated list of channels.

              1.     Example logger configuration

                     <loggers>
                     #   bundle          debuglevel                          channels
                         keyroll         prod                                keyroll,all
                         dnssec          prod                                dnssec,all
                         system          prod                                system,all
                     </loggers>

SEE ALSO

       yakeyrolld(8)

NOTES

       Since  unquoted leading whitespace is generally ignored in the yadifad.conf you can indent
       everything to taste.

CHANGES

       Please check the file README from the sources.

VERSION

       Version: 2.6.7 of 2024-07-19.

MAILING LISTS

       There exists a mailinglist for questions relating to any program in the yadifa package:

       *      yadifa-users@mailinglists.yadifa.eu
              for submitting questions/answers.

       *      http://www.yadifa.eu/mailing-list-users
              for subscription requests.

       If you would like to stay  informed  about  new  versions  and  official  patches  send  a
       subscription request to via:

       *      http://www.yadifa.eu/mailing-list-announcements

       (this is a readonly list).

LICENSE AND COPYRIGHT

       Copyright
              (C)2011-2023, EURid
              B-1831 Diegem, Belgium
              info@yadifa.eu

AUTHORS

       Gery Van Emelen
       Email: Gery.VanEmelen@EURid.eu
       Eric Diaz Fernandez
       Email: Eric.DiazFernandez@EURid.eu

       WWW: http://www.EURid.eu