FreeBSD Manual Pages
YADIFAD-CONF(5)			    YADIFA		       YADIFAD-CONF(5)

NAME
       yadifad.conf - configuration file for yadifad(8).

SYNOPSIS
       ${SYSCONFDIR}/yadifad.conf

DESCRIPTION
       The configuration of yadifad consists of a text file that can
       optionally include others.  The general structure is a sequence of
       containers: a sequence of lines of text starting with a <container-name>
       and ending with a </container-name>.  Each line between these
       delimiters is in the form: variable-name value.  The format of the
       value is determined by the type of the variable.

   TYPES
       The following types are used:

       ACL
	       A list of ACL descriptors. User-defined ACLs are	found  in  the
	      ACL  section.  The  "any"	 and "none" descriptors	are always de-
	      fined. Elements of the list are separated	by a "," or a ";".

       DNSSECTYPE
	       A DNSSEC	type name. It can be a DNSSEC-enabled  value  ("nsec",
	      "nsec3"  or  "nsec3-optout") or a	DNSSEC-disabled	value ("none",
	      "no", "off" or "0").

       ENUM
	       A word from a specified set.

       FLAG
	       A boolean value.	It can	be  true  ("1",	 "enable",  "enabled",
	      "on",  "true",  "yes")  or  false	 ("0",	"disable", "disabled",
	      "off", "false", "no").

       FQDN
	       A fully-qualified domain	name text string. e.g.:	www.eurid.eu.

       GID
	       Group ID. (Can be a number or a name)

       HOST(S)
	       A (list of) host(s). A host is defined by an IP (v4 or v6)  and
	      can  be  followed	by the word `port' and a port number. Elements
	      of the list are separated	by a `,' or a `;'.

       INTEGER / INT
	       A base-ten integer.

       NETMOD
               A word or integer that identifies the network model:

               single or 0
                      Each working thread reads a single message, processes
                      its answer and replies to it.

               buffered or 1
                      Working threads work in pairs: one reads a single
                      message and queues it, the other de-queues it,
                      processes its answer and replies to it.

               multi or 2
                      Each working thread reads multiple messages, processes
                      their answers and replies to them.

       PATH / FILE
               A file or directory path. e.g.: "/var/zones".

       STRING / STR
               A text string. Double quotes can be used but are not mandatory.
              Without quotes the string will be taken from the first non-blank
              character to the last non-blank character.

       HEXSTR
	       A hexadecimal even-length text string.

       RELDATE
	       A  cron-like  date  to  be  matched,  relative  to another. The
	      columns are minutes [0;59], hours	[0;23],	 days  [0;31],	months
	      [1;12],	   weekdays	 [mon,tue,wed,thu,fri,sat,sun]	   and
	      week-of-the-month	[0;4]. Multiple	values can be set in a	column
	      cell  using ',' as a separator. The '*' character	can be used to
	      set all possible values of its column cell.

       RELTIME
	       A time offset relative  to  another.  It's  written  as	+inte-
	      ger[unit-character] (e.g.: +24h) where the unit character	can be
	      seconds, minutes,	hours, days or weeks.

       SECONDS
	       A base-ten integer.

       HOURS
	       A base-ten integer.

       DAYS
	       A base-ten integer.

       UID
	       User ID.	(Can be	a number or a name)

   CONTAINERS
       The configuration of yadifad has	several	containers:

       <main>
	       General container

       <key>
	       TSIG keys

       <acl>
	       Access lists

       <nsid>
	       NameServer IDentifier

       <rrl>
	       Response	Rate Limiting directives

       <zone>
	       Description of the domain name in specific attributes.

       <channels>
	       Description of the logger outputs.

       <dnssec-policy>
	       Description of dnssec policies.

       <key-suite>
	       Description  of	the key-suites needed if 'dnssec policies' are
	      used.

       <key-roll>
	       Description of the key-rolls needed if  'dnssec	policies'  are
	      used.

       <key-template>
	       Description  of	the  key-templates needed if 'dnssec policies'
	      are used.

       <denial>
	       Description of 'denial',	this can be used  in  certain  'dnssec
	      policies'.

       The configuration supports included files.
       example:	include	/etc/yadifa/conf.d/local.conf

       The configuration files can be nested.

       The configuration consists of:

       *      Container,  which	 starts	 with  <container  name> and ends with
	      </container name>

       *      Variable name

       *      1	or 2 arguments

       *      Arguments	can contain 1 or more comma separated values.
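       The container syntax above, as an added example that is not YADIFA's
       own parser: a small Python parser for this format, followed by an audit
       of the ACL-typed settings it finds. The file names, paths and ACL names
       in the embedded configuration are constructed for the example, and the
       rule that a repeated variable inside one container keeps its last value
       is the example's own choice, not something the page specifies.

```python
"""Parser for the yadifad.conf container syntax, plus an ACL-setting audit.

Added example, not YADIFA's own parser. It implements only what the man page
states: '#' comments, <name> ... </name> containers, 'variable value' lines
(values may be double-quoted) and 'include <file>' directives that may nest.
Files come from an in-memory dict so the example runs offline.
"""
import re
from typing import Dict, List, Optional, Tuple

Container = Tuple[str, Dict[str, str]]   # (container name, {variable: value})

OPEN_RE = re.compile(r"^<([\w-]+)>$")
CLOSE_RE = re.compile(r"^</([\w-]+)>$")


def parse(text: str, files: Dict[str, str], depth: int = 0) -> List[Container]:
    """Return the containers of 'text' in order; a name may repeat (one <zone>
    per zone), so a list is returned rather than a dict."""
    if depth > 8:                      # assumption: guards against include loops
        raise ValueError("include nesting too deep")
    result: List[Container] = []
    current: Optional[Container] = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # assumption: '#' never appears inside a value
        if not line:
            continue
        m = OPEN_RE.match(line)
        if m:
            if current is not None:
                raise ValueError(f"line {lineno}: <{m.group(1)}> opened inside <{current[0]}>")
            current = (m.group(1).lower(), {})
            continue
        m = CLOSE_RE.match(line)
        if m:
            if current is None or current[0] != m.group(1).lower():
                raise ValueError(f"line {lineno}: unexpected </{m.group(1)}>")
            result.append(current)
            current = None
            continue
        parts = line.split(None, 1)
        name = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]             # quotes are optional per the page; strip them
        if current is None:
            if name == "include":           # includes may nest; resolved from 'files'
                if value not in files:
                    raise FileNotFoundError(value)
                result.extend(parse(files[value], files, depth + 1))
                continue
            raise ValueError(f"line {lineno}: '{name}' outside any container")
        current[1][name] = value            # example's choice: last value wins
    if current is not None:
        raise ValueError(f"<{current[0]}> is never closed")
    return result


# ACL-typed settings whose documented default is 'none'; 'any' opens them to the world.
RESTRICTED_ACLS = ("allow-transfer", "allow-update", "allow-update-forwarding", "allow-control")


def audit(containers: List[Container]) -> List[str]:
    """Report <main> or <zone> settings that turn a default-'none' ACL into 'any'."""
    findings = []
    for name, settings in containers:
        if name not in ("main", "zone"):
            continue
        where = "main" if name == "main" else f"zone {settings.get('domain', '?')}"
        for key in RESTRICTED_ACLS:
            if settings.get(key, "").strip().lower() == "any":
                findings.append(f"{where}: {key} is 'any' (documented default is 'none')")
    return findings


# Constructed configuration: a main file that includes a zone file.
FILES = {
    "/etc/yadifa/yadifad.conf": """
<main>
    uid             yadifa
    gid             yadifa
    chroot          on
    chrootpath      "/chroot/yadifad"      # quoted value, quotes are stripped
    allow-query     any
    allow-transfer  transferer             # named ACL, defined in <acl>
    allow-update    none
</main>
include /etc/yadifa/conf.d/zones.conf
""",
    "/etc/yadifa/conf.d/zones.conf": """
<zone>
    domain          example.com
    type            primary
    file            example.com.zone
    allow-transfer  any      # widens the 'transferer' setting inherited from <main>
</zone>
""",
}

if __name__ == "__main__":
    for finding in audit(parse(FILES["/etc/yadifa/yadifad.conf"], FILES)):
        print(finding)
```

       The audit only looks at the four ACL settings whose default is "none",
       because a zone-level "any" silently overrides the main-level value
       (the zone default is "as main").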

   STANDARD SECTIONS
       <main>
	       General container, contains all	the  configuration  parameters
	      needed to	start up yadifad.

	      allow-control ACL
		      default: none

		     Default  server-control  access  control  list.  Only the
		     sources matching the ACL are accepted.

	      allow-notify ACL
		      default: any

		     Default notify access  control  list.  Only  the  servers
		     matching the ACL will be handled.

	      allow-query ACL
		      default: any

		     Default  query  access  control  list.  Only  the clients
		     matching the ACL will be replied to.

	      allow-transfer ACL
		      default: none

		     Default transfer access control list.  Only  the  clients
		     matching  the  ACL	 will  be  allowed  to transfer	a zone
		     (axfr/ixfr).

	      allow-update ACL
		      default: none

		     Default update access  control  list.  Only  the  clients
		     matching the ACL will be allowed to update	a zone.

	      allow-update-forwarding ACL
		      default: none

		     Default  update-forwarding	 access	control	list. Only the
		     sources matching the ACL are accepted.

	      answer-formerr-packets FLAG
		      default: true

                     If this flag is disabled, the server will not reply to
                     badly formatted packets.

	      axfr-compress-packets FLAG
		      default: true

		     Enables the dns packet compression	of each	axfr packet.

	      axfr-max-packet-size INT
		      default: 4096 bytes

		     The  maximum  size	 of  an	 axfr  packet. (MIN: 512; MAX:
		     65535)

	      axfr-max-record-by-packet	INT
		      default: 0

		     The maximum number	of records in each axfr	packet.	 Older
		     name  servers  can	only handle 1. Set to 0	to disable the
		     limit. (MIN: 0; MAX: 65535)

	      axfr-retry-delay SECONDS
		      default: 600

		     Number of seconds between each retry for the first	trans-
		     fer from the primary name server. (MIN: 60; MAX: 86400)

	      axfr-retry-jitter	SECONDS
		      default: 180

		     Jitter  applied  to  axfr-retry-delay.  (MIN:  60;	  MAX:
		     axfr-retry-delay)

	      axfr-retry-failure-delay-multiplier INT
		      default: 5

                     Linear back-off multiplier. The multiplier times the
                     number of failures is added to axfr-retry-delay. (MIN: 0;
                     MAX: 86400)

	      axfr-retry-failure-delay-max SECONDS
		      default: 3600

		     Maximum  delay  added  for	 the  back-off.	 (MIN: 0; MAX:
		     604800)

	      axfr-strict-authority FLAG
		      default: yes  (unless  --enable-non-aa-axfr-support  was
		     used)

		     Tells  yadifad  to	be strict with the AA flag in AXFR an-
		     swers

	      chroot FLAG
		      default: off

		     Enabling this flag	will make the server  jail  itself  in
		     the chroot-path directory.

	      chroot-path; chrootpath PATH
		      default: /

		     The directory used	for the	jail.

	      cpu-count-override INT
		      default: 0

		     Overrides	the  detected number of	logical	cpus. Set to 0
		     for automatic. (MIN: 0; MAX: 256)

	      daemon; daemonize	FLAG
		      default: false

		     Enabling this flag	will make the server detach  from  the
		     console and work in background.

	      data-path; datapath PATH
		      default: zones

                     The base path where the data lies (zone file path,
                     journaling data, temporary files, etc.)

	      do-not-listen HOSTS
		      default: -

		     An	exclusion list of addresses to	never  listen  to.  If
		     set, 0.0.0.0 and ::0 will always be split by interface to
		     isolate the address.

	      edns0-max-size INT
		      default: 4096

		     edns0 packets size. (MIN: 512; MAX: 65535)

	      gid; group GID
		      default: 0 (or root)

		     The group ID that the server will use.

	      hidden-primary; hidden-master FLAG
		      default: no

		     As	 a  hidden  primary  more CPU will be used for various
		     maintenance tasks.

	      hostname-chaos; hostname STR
		      default: the host	name

		     The string	returned by a hostname-chaos TXT CH query.

	      keys-path; keyspath PATH
		      default: zones/keys

		     The base path of the dnssec keys.

	      listen HOSTS
		      default: 0.0.0.0,::0

		     The list of interfaces to listen to.

	      log-files-disabled FLAG
		      default: no

		     If	set, disables checking the log-path directory for  ex-
		     istence and writing rights.

	      log-path;	logpath	PATH
		      default: log

		     The base path where the log files are written.

	      log-unprocessable	FLAG
		      default: off

		     Enabling this flag	will make the server log unprocessable
		     queries.

	      max-tcp-queries; max-tcp-connections INT
		      default: 16

                     The maximum number of parallel tcp queries allowed.
                     (MIN: 1; MAX: 255)

	      network-model NETMOD
		      default: multi

		     Sets the networking model of yadifa.

	      pid-file;	pidfile	STR
		      default: run/yadifad.pid

		     The pid file name.

	      queries-log-type INT
		      default: 1

		     Query log format. (0: none; 1:  yadifa  format;  2:  BIND
		     format; 3:	yadifa and BIND	format at once)

	      serverid-chaos; serverid STR
		      default: -

                     The string returned by an id.server. TXT CH query. If not
                     set, REFUSED is answered.

	      server-port; port	INT
		      default: 53

		     The default dns port. (MIN: 1; MAX: 65535)

	      sig-validity-interval DAYS
		      default: 30

		     The number	of days	for which an  automatic	 signature  is
		     valid. (MIN: 7 days; MAX: 30 days)

	      sig-validity-jitter; sig-jitter SECONDS
		      default: 3600

		     The  signature  expiration	 validity jitter in seconds (1
		     hour). (MIN: 0 sec; MAX: 86400 sec)

	      sig-validity-regeneration	HOURS
		      default: automatic

		     Signatures	expiring in less than the indicated amount  of
		     hours  will  be recomputed. The default will be chosen by
		     yadifa.  (MIN: 24 hours; MAX: 168 hours)

	      statistics FLAG
		      default: true

		     The server	will log a report  line	 about	some  internal
		     statistics.

	      statistics-max-period SECONDS
		      default: 60

		     The  period  in seconds between two statistics log	lines.
		     (MIN: 1 sec; MAX: 31 * 86400 seconds (31 days))

	      tcp-query-min-rate INT
		      default: 512 bytes/second

                     The minimum transfer rate required in a tcp connection
                     (read and write). Slower connections are closed. The
                     units are bytes per second. (MIN: 0; MAX: 4294967295)

	      thread-affinity-base INT
		      default: 0

		     Sets the first CPU	to set affinity	for.  Set  it  to  the
		     real CPU of a core. (MIN: 0; MAX: 3)

	      thread-affinity-multiplier INT
		      default: 0

                     Sets the multiplier used when choosing the CPU to set
                     affinity for. Allows avoiding hyperthread cores. Set to 0
                     for automatic avoidance. (MIN: 0; MAX: 4)

	      thread-count-by-address INT
		      default: -1

                     Number of independent threads used to process each
                     listening address. Set to -1 for automatic. Set to 0 for
                     single threaded. (MIN: -1; MAX: number of CPUs)

	      uid; user	UID
		      default: 0 (or root)

		     The user ID that the server will use.

	      version-chaos; version STR
		      default: yadifa version#

		     The text to include in the	version	TXT CH query.

	      xfr-connect-timeout SECONDS
		      default: 5

		     Timeout  for  establishing	a connection for axfr and ixfr
		     transfers.	Set to 0 to disable. (MIN: 0; MAX: 4294967295)

	      xfr-path;	xfrpath	PATH
		      default: zones/xfr

		     The base path used	for axfr and journal storage.

	      zone-download-thread-count INT
		      default: 4

		     Number of independent threads used	to download the	zones.
		     (MIN: 0; MAX: 255)

	      zone-load-thread-count INT
		      default: 1

		     Number of independent threads used	to process loading  of
		     the zones.	(MIN: 0; MAX: 255)

	      zone-store-thread-count INT
		      default: 1

		     Sets  the	number of threads used to store	a zone on disk
		     (MIN: 1, MAX: 4).

	      zone-unload-thread-count INT
		      default: 1

		     Sets the number of	threads	used to	 delete	 a  zone  from
		     memory (MIN: 1, MAX: 4).

	      worker-backlog-queue-size	INT
		      default: 16384

		     For  network-model	 1, sets the size of the backlog queue
		     (MIN: 4096, MAX: 1048576).

       <key>
	       TSIG keys

	      algorithm	ENUM
		      default: -

		     Mandatory.	Sets the algorithm of the key.

		     Supported values are:

			hmac-md5

			hmac-sha1

			hmac-sha224

			hmac-sha256

			hmac-sha384

			hmac-sha512

                     (the algorithm names are case insensitive)

	      name FQDN
		      default: -

		     Mandatory.	Sets the name of the key.

	      secret TEXT
		      default: -

		     Mandatory.	Sets the value of the key. BASE64 encoded.

       <acl>
	       Access lists

       Each entry of the acl section defines a rule of access.	Each rule is a
       name (a single user-defined word) followed by a rule in the form	 of  a
       list  of	 statements.  The  separator can be ","	or ";".	 The "any" and
       "none" names are	reserved.  A statement tells if	a source  is  accepted
       or  rejected.  Reject statements	are prefixed with "!".	Statements are
       evaluated in the	following order: first from more specific to less spe-
       cific, then from	reject to accept.  If a	statement matches, the evalua-
       tion will stop and accordingly accept or	 reject	 the  source.	If  no
       statement matches, then the source is rejected.

       A statement can be either:

	      *	     An	IPv4 or	an IPv6	address	followed (or not) by a mask.
		     [!]ipv4 |ipv6 [/mask]

		     For example:

		     *	    internal-network 192.0.2.128/26;2001:DB8::/32

	      *	     The word `key' followed by	the name of a TSIG key.
		     key key-name

		     For example:

		     *	    slaves key public-slave;key	hidden-slave

	      *	     An	 ACL  statement	 name  from the	acl section. Note that
		     negation and recursion are	forbidden and duly rejected.
		     acl-name

		     For example:

		     *	    who-can-ask-for-an-ixfr		primary;secon-
			    daries;127.0.0.1
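       A Python evaluator for the matching rules just described, added here as
       an example and not YADIFA's own ACL code. It reuses the ACL definitions
       from this page. Two points are assumptions of the example rather than
       statements of the page: a key statement ranks as more specific than any
       address statement, and a source is modelled as an IP address plus the
       name of the TSIG key that signed the message (or none).

```python
"""Evaluates an ACL as the <acl> section describes: statements are tried
from most specific to least specific, a reject ('!') before an accept at the
same specificity, the first match decides, and a source matching nothing is
rejected. Added example, not YADIFA's own code.
"""
import ipaddress
from typing import Dict, FrozenSet, List, Optional, Tuple, Union

Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
Statement = Tuple[bool, str, Union[Net, str]]  # (reject?, "net"|"key", network or key name)

KEY_RANK = 1000  # assumption: above any prefix length, so a key statement wins


def parse_acl(text: str, acls: Dict[str, str],
              seen: FrozenSet[str] = frozenset()) -> List[Statement]:
    """Split 'a;b,c' into statements, inlining references to named ACLs.
    Negated or recursive references are rejected, as the page requires."""
    stmts: List[Statement] = []
    for tok in text.replace(";", ",").split(","):
        tok = tok.strip()
        if not tok:
            continue
        reject = tok.startswith("!")
        body = tok[1:].strip() if reject else tok
        low = body.lower()
        if low == "any":          # reserved: matches every IPv4 and IPv6 source
            stmts.append((reject, "net", ipaddress.ip_network("0.0.0.0/0")))
            stmts.append((reject, "net", ipaddress.ip_network("::/0")))
        elif low == "none":       # reserved: matches nothing
            continue
        elif low.startswith("key "):
            stmts.append((reject, "key", body[4:].strip()))
        elif body in acls:        # reference to a user-defined ACL
            if reject:
                raise ValueError(f"negated ACL reference '{tok}' is forbidden")
            if body in seen:
                raise ValueError(f"recursive ACL reference '{body}' is forbidden")
            stmts.extend(parse_acl(acls[body], acls, seen | {body}))
        else:                     # [!]ipv4|ipv6[/mask]; a bare address is a /32 or /128
            stmts.append((reject, "net", ipaddress.ip_network(body, strict=False)))
    return stmts


def _rank(stmt: Statement) -> Tuple[int, bool]:
    reject, kind, arg = stmt
    specificity = KEY_RANK if kind == "key" else arg.prefixlen
    return (-specificity, not reject)   # most specific first, reject before accept


def evaluate(acl_text: str, acls: Dict[str, str],
             source_ip: str, key: Optional[str] = None) -> bool:
    """True if the source is accepted by the ACL, False if rejected."""
    ip = ipaddress.ip_address(source_ip)
    for reject, kind, arg in sorted(parse_acl(acl_text, acls), key=_rank):
        if kind == "key":
            matched = key is not None and key == arg
        else:
            matched = ip.version == arg.version and ip in arg
        if matched:
            return not reject
    return False    # no statement matched: default deny


# Constructed ACL table built from the examples on this page.
ACLS = {
    "internal-network": "192.0.2.128/26;2001:DB8::/32",
    "admins": "192.0.2.0/24, 2001:db8::74",
    "primary": "192.0.2.53",
    "transferer": "key primary-secondary",
}

if __name__ == "__main__":
    # allow-query from the <main> example: everyone except one host
    print(evaluate("!192.0.2.251,any", ACLS, "192.0.2.1"))     # True
    print(evaluate("!192.0.2.251,any", ACLS, "192.0.2.251"))   # False
    # a /32 accept beats a /24 reject because it is more specific
    print(evaluate("!192.0.2.0/24, primary", ACLS, "192.0.2.53"))  # True
```

       The ordering matters for the "!192.0.2.251,any" idiom used in the
       EXAMPLES section: the /32 reject is tried before the /0 accept, so the
       excluded host never reaches the "any". Without a key, the "transferer"
       ACL accepts nobody, which is the intended behaviour for allow-transfer.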

       <nsid>
	       NameServer IDentifier

              ascii STR
                      default: ""

                     The identifier as text. The string can be up to 512
                     characters long.

              hex HEXSTR
                      default: ""

                     The identifier as an even-length hexadecimal string.

       <rrl>
	       Response	Rate Limiting directives

	      responses-per-second  INT
		      default: 5

		     Allowed response rate.

	      errors-per-second	 INT
		      default: 5

		     Allowed error rate.

	      slip  INT
		      default: 2

		     Random slip parameter.

	      log-only	FLAG
		      default: false

		     If	set to true, logs what it should do without doing it.

	      ipv4-prefix-length  INT
		      default: 24

		     Mask applied to group the IPv4 clients.

	      ipv6-prefix-length  INT
		      default: 56

		     Mask applied to group the IPv6 clients.

	      exempt-clients  ACL
		      default: none

                     Clients matching this rule are not subject to the RRL.

	      enabled  FLAG
		      default: false

		     Enables the RRL

	      min-table-size  INT
		      default: 1024

		     RRL buffer	minimum	size

	      max-table-size  INT
		      default: 16384

		     RRL buffer	maximum	size

	      window  INT
		      default: 15

		     RRL sliding window	size in	seconds

       <zone>
	       Description of the domain name in specific attributes.

	      allow-control ACL
		      default: as main

		     Control  commands control list. Only the matching sources
		     are allowed.

	      allow-notify ACL
		      default: as main

		     Notify access control list. Only the servers matching the
		     ACL will be handled.

	      allow-query ACL
		      default: as main

		     Query access control list.	Only the clients matching  the
		     ACL will be replied to.

	      allow-transfer ACL
		      default: as main

                     Transfer access control list. Only the clients matching
                     the ACL will be allowed to transfer a zone (axfr/ixfr).

	      allow-update ACL
		      default: as main

		     Update access control list. Only the clients matching the
		     ACL will be allowed to update a zone.

	      allow-update-forwarding ACL
		      default: as main

		     Update forwarding control list. Only the matching sources
		     are allowed.

              dnssec-mode; dnssec DNSSECTYPE
                      default: off

                     Type of dnssec used for the zone. As primary name server,
                     yadifad will try to maintain that state.

	      dnssec-policy STR
		      default: -

		     Sets the dnssec-policy id to be used.

	      domain FQDN
		      default: -

                     Mandatory. Sets the domain of the zone (e.g.: eurid.eu).

	      drop-before-load FLAG
		      default: off

		     Enabling this flag	will make the server drop the zone be-
		     fore loading the updated zone from	disk. Use this on sys-
		     tems constrained for RAM.

	      file-name; file FILE
		      default: -

		     Sets  the	zone  file  name. Only mandatory for a primary
		     zone.

	      journal-size-kb INT
		      default: 0

		     Puts a soft limit on the size of the  journal;  expressed
		     in	KB. (MIN: 0; MAX: 3698688 (3GB))

	      keys-path; keyspath PATH
		      default: as main

		     The base path of the dnssec keys.

	      maintain-dnssec FLAG
		      default: true

		     Enabling this flag	will cause the server to try and main-
		     tain rrsig	records

	      primaries; primary; masters; master HOSTS
		      default: -

                     Mandatory for a secondary zone. Sets the primary
                     server(s). Multiple primaries are supported.

	      multiprimary-retries; multimaster-retries	INT
		      default: 0

		     The  number  of  times  the primary is unreachable	before
		     switching to a different primary (MIN: 0; MAX: 255)

	      no-primary-updates; no-master-updates FLAG
		      default: false

		     Enabling this flag	will prevent the server	 from  probing
		     or	downloading changes from the primary

	      notifies;	also-notify; notify HOSTS
		      default: -

		     The  list	of servers to notify in	the event of a change.
		     Currently only used by primaries when  a  dynamic	update
		     occurs.

	      notify-auto FLAG
		      default: true

                     Enabling this flag will cause notify messages to be sent
                     to all name servers listed at the APEX of the zone.
                     Disabling this flag causes the NS records at the APEX to
                     be ignored.

	      notify-retry-count INT
		      default: 5

		     Number  of	times yadifa tries to send a notify.  (MIN: 0;
		     MAX: 10)

	      notify-retry-period INT
		      default: 1

		     Time period in minutes between two	notify attempts. (MIN:
		     1;	MAX: 600)

	      notify-retry-period-increase INT
		      default: 0

		     Increase of the time period in minutes between two	notify
		     attempts. (MIN: 0;	MAX: 600)

	      rrsig-nsupdate-allowed FLAG
		      default: false

		     If	this flag is set  the  server  allows  to  edit	 RRSIG
		     records using dynamic updates.

	      sig-validity-interval DAYS
		      default: as main

		     The  number  of  days for which an	automatic signature is
		     valid. (MIN: 7 days; MAX: 30 days)

	      sig-validity-regeneration	HOURS
		      default: as main

		     The signatures expiring in	less than the indicated	amount
		     of	hours will be recomputed. (MIN:	 24  hours;  MAX:  168
		     hours)

	      sig-validity-jitter SECONDS
		      default: as main

		     The  signature  expiration	 validity  jitter  in seconds.
		     (MIN: 0 sec; MAX: 86400 sec)

	      true-multiprimary; true-multimaster FLAG
		      default: off

		     Enabling this flag	will make the  server  use  axfr  when
		     switching to a new	primary

	      type ENUM
		      default: -

		     Mandatory.	 Sets the type of zone : either	primary/master
		     or	secondary/slave.

       <channels>
	       Description of the logger outputs.

       It contains a list of descriptions of user-defined outputs for the
       logger. Depending on the kind of output, the format is different.

       The "name" is arbitrary and is used for	identification	in  the	 <log-
       gers>.
       The  "stream-name"  defines the output type (ie:	a file name, a program
       output or syslog).
       The "arguments" are specific to the output type (ie: unix  file	access
       rights or syslog	options	and facilities).

              *      file output stream:
                     channel-name file-name access-rights (octal)

              *      pipe to a program:
                     channel-name "| shell command"
                     channel-name "| path-to-program program arguments >> append-redirect"

              *      STDOUT, STDERR output stream:
                     channel-name stdout
                     channel-name stderr

              *      syslog:
                     channel-name syslog syslog-facility

       <loggers>
               Binding of the pre-defined loggers to channels.

       Sets the	output of a pre-defined	logger from yadifad.

       The  format  of	the  line  is:	logger-name  output-filter comma-sepa-
       rated-channel-names

       Filters are:
       DEBUG7, DEBUG6, DEBUG5, DEBUG4, DEBUG3, DEBUG2,	DEBUG1,	 DEBUG,	 INFO,
       NOTICE, WARNING,	ERR, CRIT, ALERT, EMERG

       Additionally, there are:

	      *	     ALL (or '*') meaning all the filters.

	      *	     PROD means	all but	the DEBUG filters.

	      The defined loggers are:

	      system
		      contains	low  level  messages  about the	system such as
		     memory allocation,	threading, IOs,	timers and  cryptogra-
		     phy, ...

              database
                      contains messages about most lower-level operations in
                     the DNS database. ie: journal, updates, zone loading
                     and sanitization, DNS message query resolution, ...

	      dnssec
		      contains messages	about lower-level dnssec operations in
		     the  DNS database.	ie: status, maintenance, verification,
		     ...

	      server
		      contains messages	about operations in  the  DNS  server.
		     ie: start up, shutdown, configuration, transfers, various
		     services status (database management, network management,
		     DNS  notification	management, dynamic update management,
		     resource rate limiting, ...)

	      zone
		      contains messages	about the loading of  a	 zone  from  a
		     source  (file  parsing,  transferred binary zone reading,
		     ...)

	      stats
		      contains the statistics of the server.

	      queries
		      contains the queries on  the  server.   Queries  can  be
		     logged with the BIND and/or with the YADIFA format.
		     BIND format:
		     client  sender-ip#port:  query:  fqdn  class  type	+SETDC
		     (listen-ip)
		     YADIFA format:
		     query [ id	] {+SETDC} fqdn	class type (sender-ip#port)
		     where:

		     id	    is the query message id

		     +	    means the message has the Recursion	 Desired  flag
			    set

		     S	    means the message is signed	with a TSIG

		     E	    means the message is EDNS

		     T	    means  the	message	 was sent using	TCP instead of
			    UDP

		     D	    means the message has the DNSSEC OK	flag set

		     C	    means the message has the Checking	Disabled  flag
			    set

		     fqdn   is the queried FQDN

		     class  is the queried class

		     type   is the queried type

		     sender-ip
			    is the IP of the client that sent the query

		     port   is the port	of the client that sent	the query

		     listen-ip
			    is	the listen network interface that received the
			    message

		     Note that on YADIFA any unset flag	is replaced by a  '-',
		     on	BIND only the '+' follows that rule.

	      System operators will mostly be interested in the	info and above
	      messages	of  queries  and stats,	as well	as the error and above
	      messages of the other loggers.
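       Both query-log formats can be parsed from the field lists above. The
       following Python is an added example, not YADIFA's code, that parses a
       line in either format and lists zone-transfer requests that carried no
       TSIG, which is the kind of probing that a transfer ACL keyed on a TSIG
       key (as in the ACL examples on this page) refuses. The log lines are
       constructed for the example; the exact spacing and the form of the
       query id in real output may differ, so the patterns are tolerant of
       whitespace.

```python
"""Parses yadifad query-log lines (YADIFA and BIND formats) and flags
zone-transfer requests that were not TSIG-signed.

Added example, not YADIFA's own code. The page gives the field order and the
meaning of the +SETDC flags; the sample lines are constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# YADIFA format: query [ id ] +SETDC fqdn class type (sender-ip#port)
# (unset flags are printed as '-', so the flag field is always 6 characters)
YADIFA_RE = re.compile(
    r"query\s+\[\s*(?P<id>[^\]\s]+)\s*\]\s+(?P<flags>[-+SETDC]{6})\s+"
    r"(?P<fqdn>\S+)\s+(?P<cls>\S+)\s+(?P<qtype>\S+)\s+\((?P<ip>[^#)]+)#(?P<port>\d+)\)"
)
# BIND format: client sender-ip#port: query: fqdn class type +SETDC (listen-ip)
# (only the '+' is replaced by '-' when unset; other letters are simply absent)
BIND_RE = re.compile(
    r"client\s+(?P<ip>[^#\s]+)#(?P<port>\d+):\s+query:\s+(?P<fqdn>\S+)\s+(?P<cls>\S+)\s+"
    r"(?P<qtype>\S+)\s+(?P<flags>[-+SETDC]+)\s+\((?P<listen>[^)]+)\)"
)


@dataclass
class Query:
    client_ip: str
    client_port: int
    fqdn: str
    qclass: str
    qtype: str
    rd: bool            # '+'  Recursion Desired
    tsig: bool          # 'S'  signed with a TSIG
    edns: bool          # 'E'  EDNS present
    tcp: bool           # 'T'  arrived over TCP
    do: bool            # 'D'  DNSSEC OK
    cd: bool            # 'C'  Checking Disabled
    listen_ip: Optional[str] = None   # only present in the BIND format


def parse_flags(flags: str) -> dict:
    """'+'/'-' is positional in both formats; a letter is present only when set."""
    return {
        "rd": flags.startswith("+"),
        "tsig": "S" in flags, "edns": "E" in flags, "tcp": "T" in flags,
        "do": "D" in flags, "cd": "C" in flags,
    }


def parse_line(line: str) -> Optional[Query]:
    """Parse one log line in either format; None if it is not a query line."""
    m = YADIFA_RE.search(line) or BIND_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    return Query(d["ip"], int(d["port"]), d["fqdn"], d["cls"], d["qtype"],
                 listen_ip=d.get("listen"), **parse_flags(d["flags"]))


def unsigned_transfers(log: str) -> List[Tuple[str, str, str]]:
    """(client, type, zone) for AXFR/IXFR requests that carried no TSIG."""
    hits = []
    for line in log.splitlines():
        q = parse_line(line)
        if q and q.qtype.upper() in ("AXFR", "IXFR") and not q.tsig:
            hits.append((q.client_ip, q.qtype.upper(), q.fqdn))
    return hits


# Constructed sample: three YADIFA-format lines and two BIND-format lines.
SAMPLE_LOG = """\
query [ 4411 ] +-E--- www.example.com. IN A (198.51.100.7#51234)
query [ 4412 ] -S-T-- example.com. IN AXFR (192.0.2.53#40001)
query [ 4413 ] ---T-- example.com. IN AXFR (203.0.113.9#40002)
client 203.0.113.9#40003: query: example.com. IN IXFR -T (192.0.2.2)
client 198.51.100.7#51235: query: www.example.com. IN AAAA +ED (192.0.2.2)
"""

if __name__ == "__main__":
    for client, qtype, zone in unsigned_transfers(SAMPLE_LOG):
        print(f"unsigned {qtype} for {zone} from {client}")
```

       With queries-log-type 3 both formats appear in the same log, which is
       why the parser accepts either; the signed AXFR from the secondary is
       not reported, the two unsigned transfer attempts from 203.0.113.9 are.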

   DNSSEC-POLICY
       There are 5 sections:

       <dnssec-policy>
               The dnssec-policy section binds up to four key suites and a
              denial mode. It is meant to be used as the dnssec-policy
              parameter of a zone section. Usually two key-suites will be
              given: one for a KSK and one for a ZSK. The denial mode can be
              either 'nsec' or the name of a denial section.

	      id STR
		      default: -

		     id	of the dnssec-policy section.

	      description STR
		      default: -

		     Description for the dnssec-policy section.

	      key-suite	STR
		      default: -

                     id of the key-suite to be used. Usually both a KSK and a
                     ZSK suite are given.

	      denial STR
		      default: nsec

		     id	 of  the  denial  to be	used for nsec3 or the argument
		     'nsec' to use nsec.

       <key-suite>
	       The key-suite section is	used by	dnssec policies	and  is	 meant
	      to  be referenced	by a dnssec-policy section.  A key-suite links
	      a	key  definition	 (key-template)	 with  a  deployment  calendar
	      (key-roll).

	      id STR
		      default: -

		     id	of the key-suite section.

	      key-template STR
		      default: -

		     id	of the key-template to be used.

	      key-roll STR
		      default: -

		     id	of the key-roll	to be used.

       <key-roll>
               The key-roll section is used by dnssec policies and is meant to
              be referenced by a key-suite section. It's essentially a
              deployment calendar. Each event is computed relative to another.
              Dates are chosen so that there is always a key in an active
              state. Please look at the examples, as a misconfiguration could
              easily span the life of a key over several years (e.g.: by being
              too restrictive on the matching conditions). If the RELDATE
              format is being used, the first valid date matching the line is
              used. Usage of the RELDATE format is recommended over the
              RELTIME one.

              id STR
		      default: -

		     id	of the key-roll	section.

	      generate RELDATE|RELTIME
		      default: -

                     Time when the key must be generated. The first key is
                     pre-dated so that it is active right away. Always
                     computed so that the next activation happens before the
                     last deactivation.

	      publish RELDATE|RELTIME
		      default: -

		     Time when the key must be published in the	zone. Relative
		     to	the generation.

	      activate RELDATE|RELTIME
		      default: -

		     Time  when	 the  key will be used for signing the zone or
		     apex of the zone. Relative	to the publication.

	      inactive RELDATE|RELTIME
		      default: -

		     Time when the key will not	be used	anymore	 for  signing.
		     Relative to the activation.

	      delete RELDATE|RELTIME
		      default: -

		     Time  when	the key	will be	removed	out of the zone. Rela-
		     tive to the deactivation.

       <key-template>
	       The key-template	section	is used	 by  dnssec  policies  and  is
	      meant  to	be referenced by a key-suite section.  It contains the
	      various parameters of a key for its generation.

	      id STR
		      default: -

		     id	of the key-template section.

	      ksk FLAG
		      default: false

		     When this flag is enabled a ksk will be  generated.  When
		     disabled a	zsk will be generated.

              algorithm ENUM
                      default: 7

                     Sets the algorithm of the key, by name or by number.
                     Supported values are: DSA (3), RSASHA1 (5), NSEC3DSA (6),
                     NSEC3RSASHA1 (7), RSASHA256 (8), RSASHA512 (10),
                     ECDSAP256SHA256 (13) and ECDSAP384SHA384 (14).
                     Note that RFC 8624 lists DSA (3) and NSEC3DSA (6) as MUST
                     NOT be used for signing, and RSASHA1 (5) and
                     NSEC3RSASHA1 (7), the default here, as NOT RECOMMENDED;
                     RSASHA256 (8) and ECDSAP256SHA256 (13) are the algorithms
                     every validator is required to support.

	      size INT
		      default: 0

		     The length	of the key in bits (incompatible sizes will be
		     rejected).	(MIN: 0; MAX: 4096)

       <denial>
	       The  denial  section is used by dnssec policies and is meant to
	      be referenced by a dnssec-policy section.	 It is used to	define
	      the NSEC3	denial parameters of a dnssec policy. Policies using a
	      NSEC denial don't	need to	use this section.

	      id STR
		      default: -

		     id	of the denial section.

	      salt HEXSTR
		      default: empty

		     A base16 encoded sequence of bytes	used as	the salt para-
		     meter of the NSEC3	chain.

	      salt-length INT
		      default: 0

		     If	 the salt parameter isn't set, generates a random salt
		     parameter of that length. (MIN: 0;	MAX: 255)

              iterations INT
                      default: 1

                     Iteration parameter of the NSEC3 chain. (MIN: 0; MAX:
                     65535) RFC 9276 recommends 0 iterations and an empty
                     salt; validating resolvers may treat zones with large
                     iteration counts as insecure.

	      optout FLAG
		      default: false

		     Enables  opt-out  coverage	 in the	NSEC3 chain. When this
		     flag is enabled, delegations  which  do  not  have	 a  DS
		     record will not be	covered	by an NSEC3 record.

EXAMPLES
       Examples	of containers defined for a configuration file.

       *      Main

	      1.     Main section example

		     <main>
			 # Detach from the console (alias: daemonize)
			 daemon			 off

			 # Jail	the application
			 chroot			 off

                         # The directory of the chroot jail (alias: chroot-path)
			 chrootpath		 "/chroot/yadifad"

			 # The path of the log files (alias: log-path)
			 logpath		 "/var/log/yadifa"

			 # The location	of the pid file	(alias:	pid-file)
			 pidfile		 "/var/run/yadifa/yadifad.pid"

			 # The path of the zone	files (alias: data-path)
			 datapath		 "/var/lib/yadifa"

			 # The path of the DNSSEC keys (alias: keys-path)
			 keyspath		 "/var/lib/yadifa/keys"

			 # The path of the transfer and	journaling files (AXFR & IXFR) (alias: xfr-path)
			 xfrpath		 "/var/lib/yadifa/xfr"

			 # A string returned by	a query	of hostname. CH	TXT
			 # note: if you	leave this out,	the real hostname will be given	back (alias: hostname-chaos)
			 hostname		 "server-yadifad"

			 # An ID returned by a query to	id.server. CH TXT (alias: serverid-chaos)
			 serverid		 "yadifad-01"

			 # The version returned	by a query to version.yadifa. CH TXT (alias: version-chaos)
			 version		 2.5.0

			 # Set the maximum UDP packet size.
			 # note: the packetsize	cannot be less than 512	or more	than 65535.
			 #	 Typical choice	is 4096.
			 edns0-max-size		 4096

			 # The maximum number of parallel TCP queries (max-tcp-connections)
			 max-tcp-queries	 100

			 # The minimum data rate for a TCP query (in bytes per second)
			 tcp-query-min-rate	 512

			 # The user id to use (alias: user)
			 uid			 yadifa

			 # The group id	to use (alias: group)
			 gid			 yadifa

			 # The DNS port	- any DNS query	will use that port unless a specific value is used (alias: server-port)
			 port			 53

			 # The interfaces to listen to.
			 listen			 127.0.0.1, 192.0.2.2, 192.0.2.130 port	8053, 2001:db8::2

			 # Type	of querylog to use
			 #   0:	none
			 #   1:	yadifa
			 #   2:	bind
			 #   3:	both yadifa and	bind
			 queries-log-type	 1

			 # Enable the collection and logging of	statistics
			 statistics		 on

			 # Maximum number of seconds between two statistics lines
			 statistics-max-period	 60

			 # Drop	queries	with erroneous content
			 #
			 # answer-formerr-packets on
			 answer-formerr-packets	 off

			 # Maximum number of records in	an AXFR	packet.	Set to 1 for compatibility
			 # with	very old name servers (alias: axfr-max-record-by-packet)
			 axfr-maxrecordbypacket	 0

			 # Global Access Control rules
			 #
			 # Rules can be	defined	on network ranges, TSIG	signatures, and	ACL rules

			 # simple queries:
			 #
			 # allow-query any
			 allow-query		 !192.0.2.251,any

			 # dynamic update of a zone
			 #
			 # allow-update	none
			 allow-update		 admins

			 # dynamic update of a slave (forwarded	to the primary)
			 #
			 # allow-update-forwarding   none
			 allow-update-forwarding admins,key abroad-admin-key

			 # transfer of a zone (AXFR or IXFR)
			 #
			 # allow-transfer any
			 allow-transfer		 transferer

			 # notify of a change in the primary
			 #
			 # allow-notify	any
			 allow-notify		 primary,admins

			 # If YADIFA has the controller	enabled, allow control only for	these
			 # clients (none by default)
			 allow-control		 controller

			 # overwrite the amount	of CPUs	detected by yadifad
			 cpu-count-override 3

			 # set the number of threads to	serve queries
			 thread-count-by-address 2

		     </main>

       *      Key
	      TSIG-key configuration

	      1.     Admin-key key definition (the name	is arbitrary)

		     <key>
			 name	     abroad-admin-key
			 algorithm   hmac-md5
			 secret	     WorthlessKeyForExample==
		     </key>

	      2.     primary-secondary key definition (the name	is arbitrary)

		     <key>
			 name	     primary-secondary
			 algorithm   hmac-md5
			 secret	     PrimaryAndSecondaryKey==
		     </key>

       *      ACL
	      Access Control List definitions

	      1.     primary-secondary key use

		     <acl>
			 transferer  key primary-secondary
			 admins	     192.0.2.0/24, 2001:db8::74
			 primary     192.0.2.53
			 localhost   127.0.0.0/8, ::1
			 controller  key controller # the ACL for the controller MUST use a key
		     </acl>
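	      The <main>, <key> and <acl> containers above refer to each other
	      by name, and a dangling reference (an ACL naming a key that no
	      <key> container defines, as "key controller" does in the example
	      above, or a setting naming a misspelled ACL) is easy to miss in
	      a large file.  The following Python script is an added example
	      and not part of yadifad: it parses the container format
	      described in DESCRIPTION and audits the access-control settings.
	      SAMPLE_CONF is constructed from the examples on this page; the
	      choice of checks, the wording of the findings and the 32-byte
	      minimum for secrets are the script's own.

```python
"""Parse yadifad.conf containers and audit the access-control settings.
Added example, not part of yadifad: SAMPLE_CONF is constructed from the
<main>, <key> and <acl> examples of this manual page; the checks, finding
texts and the 32-byte secret threshold are this script's own choices."""
import base64
import re

SAMPLE_CONF = """
<main>
    allow-query              !192.0.2.251,any
    allow-update-forwarding  admins,key abroad-admin-key
    allow-control            controller
</main>
<key>
    name       abroad-admin-key
    algorithm  hmac-md5
    secret     WorthlessKeyForExample==
</key>
<acl>
    admins      192.0.2.0/24, 2001:db8::74
    controller  key controller # the ACL for the controller MUST use a key
</acl>
"""

TAG = re.compile(r"<(/?)([\w-]+)>")
ADDRESS = re.compile(r"^!?[0-9A-Fa-f.:]+(/\d+)?$")      # v4/v6 address or prefix
PRIVILEGED = ("allow-update", "allow-update-forwarding", "allow-transfer", "allow-control")
MIN_SECRET_BYTES = 32   # HMAC-SHA256 digest length; RFC 2104 wants keys >= digest length


def parse_containers(text):
    """Return [(container, [(variable, value), ...])]: '#' starts a comment,
    a value runs to the end of the line, surrounding double quotes are dropped."""
    containers, current = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tag = TAG.fullmatch(line)
        if tag and tag.group(1):                        # </name>
            if current is None or current[0] != tag.group(2):
                raise ValueError(f"unexpected {line}")
            containers.append(current)
            current = None
        elif tag:                                       # <name>
            current = (tag.group(2), [])
        elif current is None:
            raise ValueError(f"statement outside any container: {line}")
        else:
            name, *rest = re.split(r"\s+", line, maxsplit=1)
            current[1].append((name, (rest[0] if rest else "").strip('"')))
    if current is not None:
        raise ValueError(f"missing </{current[0]}>")
    return containers


def elements(value):
    """Split an ACL value on ',' or ';', the list separators of the format."""
    return [e.strip() for e in re.split(r"[,;]", value) if e.strip()]


def decoded_secret_length(secret):
    """Bytes in a base64 TSIG secret, 0 if it is not valid base64."""
    try:
        return len(base64.b64decode(secret, validate=True))
    except ValueError:                                  # binascii.Error is a ValueError
        return 0


def audit(containers):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    keys = {dict(b)["name"]: dict(b) for n, b in containers if n == "key"}
    acls = dict(kv for n, b in containers if n == "acl" for kv in b)
    main = dict(kv for n, b in containers if n == "main" for kv in b)

    def check(where, elem):                             # one element of an ACL list
        if elem in ("any", "none") or elem.lstrip("!") in acls:
            return
        if elem.startswith("key "):
            if elem.split(None, 1)[1] not in keys:
                findings.append(f"{where}: references undefined key '{elem.split(None, 1)[1]}'")
        elif not ADDRESS.match(elem):
            findings.append(f"{where}: '{elem}' is neither an ACL name, a key nor an address")

    for setting, value in main.items():
        if setting.startswith("allow-"):
            for elem in elements(value):
                check(setting, elem)
            if setting in PRIVILEGED and "any" in elements(value):
                findings.append(f"{setting}: 'any' grants this operation to every client")
    for acl_name, value in acls.items():
        for elem in elements(value):
            check(f"acl {acl_name}", elem)
    for elem in elements(main.get("allow-control", "none")):   # must be key-only
        members = elements(acls.get(elem.lstrip("!"), elem))
        if elem != "none" and not all(m.startswith("key ") for m in members):
            findings.append(f"allow-control: '{elem}' is not restricted to a TSIG key")
    for kname, key in keys.items():
        if key.get("algorithm", "").lower() == "hmac-md5":
            findings.append(f"key {kname}: hmac-md5 is not recommended for new "
                            "deployments (RFC 8945), prefer hmac-sha256")
        n = decoded_secret_length(key.get("secret", ""))
        if n < MIN_SECRET_BYTES:
            findings.append(f"key {kname}: secret decodes to {n} bytes, expected at least {MIN_SECRET_BYTES}")
    return findings
```

	      Run against the sample it reports three findings: the controller
	      ACL refers to a key that none of the examples on this page
	      defines, and abroad-admin-key uses hmac-md5 with a placeholder
	      secret that decodes to only 16 bytes.  A replacement secret in
	      the base64 form the <key> container expects can be produced with
	      "openssl rand -base64 32".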

       *      NSID
	      DNS NameServer IDentifier

	      1.     Example with ascii

		     <nsid>
			 ascii belgium-brussels-01
		     </nsid>

	      2.     Example with hex

		     <nsid>
			 hex 00320201
		     </nsid>

       *      RRL
	      Response Rate Limiting

	      1.     Example

		     <rrl>
			 # Number of identical responses per second before responses are being limited
			 responses-per-second	 5

			 # Number of errors per	second before responses	are being limited
			 errors-per-second	 5

			 # Random slip parameter
			 slip			 10

			 # If enabled, the rate	limits are only	logged and not enforced
			 log-only		 off

			 # Mask	applied	to group the IPv4 clients
			 ipv4-prefix-length	 24

			 # Mask	applied	to group the IPv6 clients
			 ipv6-prefix-length	 56

			 # Rate	limits are not subject to the following	clients	(aka whitelist)
			 exempt-clients		 none

			 # Enable or disable the rate limit capabilities
			 enabled		 yes
		     </rrl>
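	      What these settings do to traffic is easier to see on a stream
	      of responses.  The following Python model is an added example,
	      not yadifad's implementation: it applies the conventional DNS
	      response-rate-limiting behaviour that the parameter names denote
	      (a per-second budget per client prefix and response identity,
	      errors counted separately, slip sending every slip-th limited
	      response truncated instead of dropped, log-only and
	      exempt-clients bypassing enforcement) to a constructed query
	      stream.  The addresses, names and query tuples are constructed,
	      and the whole-second accounting is a simplification.

```python
"""Model of what the <rrl> settings do to a stream of responses.
Added example, not yadifad's implementation: it applies the conventional
DNS response-rate-limiting behaviour the parameter names denote to a
constructed query stream. Accounting is per whole second, a simplification."""
import ipaddress
from collections import Counter, defaultdict


class ResponseRateLimiter:
    def __init__(self, responses_per_second=5, errors_per_second=5, slip=10,
                 ipv4_prefix_length=24, ipv6_prefix_length=56,
                 exempt_clients=(), log_only=False, enabled=True):
        self.rps, self.eps, self.slip = responses_per_second, errors_per_second, slip
        self.v4len, self.v6len = ipv4_prefix_length, ipv6_prefix_length
        self.exempt = [ipaddress.ip_network(n, strict=False) for n in exempt_clients]
        self.log_only, self.enabled = log_only, enabled
        self.counts = defaultdict(int)   # (second, bucket, identity) -> responses sent
        self.limited = defaultdict(int)  # (bucket, identity) -> limited so far, drives slip

    def bucket(self, client):
        """Clients are grouped by prefix, so spoofed sources in one /24 share a budget."""
        ip = ipaddress.ip_address(client)
        plen = self.v4len if ip.version == 4 else self.v6len
        return str(ipaddress.ip_network((ip, plen), strict=False))

    def decide(self, second, client, qname, qtype, rcode):
        """Return 'answer', 'drop' or 'truncate' for one would-be response."""
        ip = ipaddress.ip_address(client)
        if not self.enabled or any(ip in net for net in self.exempt):
            return "answer"
        error = rcode != "NOERROR"
        # identical answers share a budget; all errors to a prefix share another
        identity = ("error",) if error else (qname.lower(), qtype, rcode)
        key = (self.bucket(client), identity)
        self.counts[(second,) + key] += 1
        if self.counts[(second,) + key] <= (self.eps if error else self.rps):
            return "answer"
        if self.log_only:                # would have been limited: log it, still answer
            return "answer"
        self.limited[key] += 1
        # slip: every slip-th limited response goes out truncated (TC=1) so that a
        # genuine client behind a spoofed prefix can retry over TCP; slip 0 drops all
        if self.slip and self.limited[key] % self.slip == 0:
            return "truncate"
        return "drop"


def simulate(limiter, queries):
    """Tally the decisions for (second, client, qname, qtype, rcode) tuples."""
    return Counter(limiter.decide(*q) for q in queries)


# Constructed traffic (not captured data): a reflection attack sends 30 identical
# queries in one second, spoofed from two addresses in the same /24, while a
# resolver elsewhere asks twice and one attacker address probes non-existent names.
FLOOD = [(0, "192.0.2.10" if i % 2 else "192.0.2.20", "example.eu", "ANY", "NOERROR")
         for i in range(30)]
LEGIT = [(0, "198.51.100.7", "example.eu", "ANY", "NOERROR"),
         (0, "198.51.100.7", "www.example.eu", "A", "NOERROR")]
ERRORS = [(0, "192.0.2.10", f"nx{i}.example.eu", "A", "NXDOMAIN") for i in range(8)]

if __name__ == "__main__":
    print(simulate(ResponseRateLimiter(), FLOOD + LEGIT + ERRORS))
```

	      With the values of the example above, the flood gets 5 answers,
	      2 truncated replies and 23 drops, the resolver in another /24 is
	      answered both times, and the NXDOMAIN probes are cut off after 5.
	      Two consequences follow for the configuration: a legitimate
	      resolver inside a prefix that an attacker spoofs shares that
	      prefix's budget, which is what exempt-clients is for, and
	      "log-only on" lets you measure what the limits would have done
	      before enforcing them.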

       *      Zone

	      1.     Primary domain zone config

		     <zone>
			 # This	server is primary for the zone (mandatory)
			 type		 primary

			 # The domain name (mandatory)
			 domain		 mydomain.eu

			 # The zone file, relative to 'datapath'  (mandatory for a primary) (alias: file-name)
			 file		 primaries/mydomain.eu

			 # List	of servers also	notified of a change (beside the ones in the zone file)	(alias:	notifies, notify)
			 also-notify	 192.0.2.84, 192.0.2.149

			 # Set the size	of the journal file in KB (alias: journal-size-kb)
			 journal-size	 8192

			 # Allow dynupdate for these ACL entries
			 allow-update	 admins

			 # Allow AXFR/IXFR for these ACL entries
			 allow-transfer	 transferer

			 # Sign the zone with the DNSSEC policy of this id; remove or comment out the line below to leave it unsigned
			 dnssec-policy	 1
		     </zone>

	      2.     Slave domain zone config

		     <zone>
			 # This	server is slave	for that zone (mandatory)
			 type		 slave

			 # The domain name (mandatory)
			 domain		 myotherdomain.eu

			 # The address of the primary (mandatory for a slave, forbidden	for a primary) (alias: primary)
			 primaries	 192.0.2.53 port 4053 key primary-secondary

			 # The zone file, relative to 'datapath'.
			 file		 slaves/myotherdomain.eu

			 # Accept notifies from these ACL entries
			 allow-notify	 primary
		     </zone>

       *      DNSSEC-Policy

       DNSSEC-Policy needs some extra sections: key-suite, key-roll, key-template
       (and denial if NSEC3 is configured).

	      1.     dnssec-policy example with	all the	needed sections

		     example with NSEC3
		     <dnssec-policy>
			 id		 "1"

			 description	 "Example of ZSK and KSK"
			 denial		 "nsec3-with-salt-on"
			 key-suite	 "zsk-1024"
			 key-suite	 "ksk-2048"
		     </dnssec-policy>

		     example with NSEC
		     <dnssec-policy>
			 id		 "2"

			 description	 "Example of ZSK and KSK"
			 denial		 nsec
			 key-suite	 "zsk-1024"
			 key-suite	 "ksk-2048"
		     </dnssec-policy>

	      2.     key-suite
		     <key-suite>
			 id		 "ksk-2048"

			 key-template	 "ksk-2048"
			 key-roll	 "yearly-schedule"
		     </key-suite>

		     <key-suite>
			 id		 "zsk-1024"

			 key-template	 "zsk-1024"
			 key-roll	 "monthly-schedule"
		     </key-suite>

	      3.     key-roll
		     <key-roll>
			 id	    "yearly-schedule"

			 #	   minute hour day month weekday week
			 generate     5    0   15     6      *      *   # this year (2018) 15/06 at 00:05
			 publish     10    0   15     6      *      *   #                  15/06 at 00:10
			 activate    15    0   16     6      *      *   #                  16/06 at 00:15
			 inactive    15    0   17     6      *      *   # next year (2019) 17/06 at 00:15
			 remove      15   11   18     6      *      *   # next year (2019) 18/06 at 11:15
		     </key-roll>

		     <key-roll>
			 id	    "monthly-schedule"

			 #	   minute hour day month weekday week
			 generate     5    0    *     *     tue     0   # 1st tuesday   of the month at 00:05
			 publish     10    0    *     *     tue     0   # 1st tuesday   of the month at 00:10
			 activate    15    0    *     *     wed     0   # 1st wednesday of the month at 00:15
			 inactive    15    0    *     *     thu     0   # 1st thursday  of the month at 00:15
			 remove      15   11    *     *     fri     0   # 1st friday    of the month at 11:15
		     </key-roll>
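		     A key-roll that fires on the wrong day costs you a
		     signed zone, so it pays to list the calendar dates a
		     schedule selects before relying on it.  The following
		     Python script is an added example, not yadifad code.  It
		     assumes the six columns of a key-roll line are, in order,
		     minute, hour, day of the month, month, weekday and week
		     of the month (0 = first), with "*" as a wildcard; that
		     reading is inferred from the two schedules above and
		     their comments and should be confirmed against the
		     yadifad documentation of your version.  How yadifad pairs
		     a key's inactive and remove events with a later cycle
		     (the yearly comments above place them in the following
		     year) is not modelled; the script only lists when each
		     line fires.

```python
"""Expand the cron-like lines of a yadifad <key-roll> into calendar dates.
Added example, not yadifad code. Assumed column order (inferred from the
two schedules of this page): minute hour day month weekday week, where
'*' is a wildcard and week is the 0-based week of the month."""
from datetime import date, datetime, timedelta

WEEKDAYS = {"mon": 0, "tue": 1, "wed": 2, "thu": 3, "fri": 4, "sat": 5, "sun": 6}
EVENTS = ("generate", "publish", "activate", "inactive", "remove")

# The two schedules of the manual page, without the id line.
YEARLY = """
    generate   5   0  15  6  *  *   # 15/06 at 00:05
    publish   10   0  15  6  *  *
    activate  15   0  16  6  *  *
    inactive  15   0  17  6  *  *
    remove    15  11  18  6  *  *
"""
MONTHLY = """
    generate   5   0  *  *  tue  0   # first tuesday of the month at 00:05
    publish   10   0  *  *  tue  0
    activate  15   0  *  *  wed  0
    inactive  15   0  *  *  thu  0
    remove    15  11  *  *  fri  0
"""


def parse_roll(text):
    """Map each event of a key-roll body to its six schedule fields."""
    sched = {}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if not parts:
            continue
        if parts[0] not in EVENTS or len(parts) != 7:
            raise ValueError(f"bad key-roll line: {raw.strip()}")
        sched[parts[0]] = tuple(parts[1:])
    return sched


def _match(spec, value):
    return spec == "*" or int(spec) == value


def fires_on(fields, day):
    """True if the day, month, weekday and week columns select this calendar day."""
    _, _, dom, month, weekday, week = fields
    return (_match(dom, day.day) and _match(month, day.month)
            and (weekday == "*" or WEEKDAYS[weekday.lower()] == day.weekday())
            and _match(week, (day.day - 1) // 7))


def _time_of(fields, day):
    """Datetime of a firing on `day`; a '*' hour or minute is taken as 0."""
    minute, hour = (0 if f == "*" else int(f) for f in fields[:2])
    return datetime(day.year, day.month, day.day, hour, minute)


def occurrences(fields, year):
    """Every datetime in `year` at which the line fires."""
    day, out = date(year, 1, 1), []
    while day.year == year:
        if fires_on(fields, day):
            out.append(_time_of(fields, day))
        day += timedelta(days=1)
    return out


def next_after(fields, when, horizon_days=800):
    """First firing strictly after `when` (datetime or ISO string), None past the horizon."""
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    day = when.date()
    for _ in range(horizon_days):
        if fires_on(fields, day) and _time_of(fields, day) > when:
            return _time_of(fields, day)
        day += timedelta(days=1)
    return None


def fire_table(text, year):
    """{event: [ISO timestamps]} for a key-roll body in a given year."""
    return {event: [t.isoformat() for t in occurrences(fields, year)]
            for event, fields in parse_roll(text).items()}
```

		     One calendar pitfall the monthly schedule shows: in a
		     month that starts on a Wednesday, Thursday or Friday the
		     first Wednesday precedes the first Tuesday, so the
		     activate line fires before the generate line (in August
		     2018 activate fires on the 1st and generate on the 7th),
		     and the next activate match after that generate is only
		     in September.  Check the order the dates actually fall
		     in, not only the weekday names.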

	      4.     key-template
		     <key-template>
			 id		 "ksk-2048"

			 ksk		 true
			 algorithm	 8
			 size		 2048
		     </key-template>

		     <key-template>
			 id		 "zsk-1024"

			 ksk		 false
			 algorithm	 8
			 size		 1024
		     </key-template>

	      5.     denial
		     <denial>
			 id		 "nsec3-with-salt-on"

			 salt		 "ABCD"
			 algorithm	 1
			 iterations	 5
			 optout		 off
		     </denial>

		     <denial>
			 id		 "nsec3-with-salt-length-on"

			 salt-length	 4
			 algorithm	 1
			 iterations	 5
			 optout		 off
		     </denial>

       *      Channels

       Logging output-channel configurations:

       It contains a list of user-defined outputs for the logger.

       The "name" is arbitrary and is used for identification in the <loggers>
       section.
       The "stream-name" defines the output type (i.e. a file name, a program
       output or syslog).
       The "arguments" are specific to the output type (i.e. unix file access
       rights or syslog options and facilities).

	      1.     Example: YADIFA running as	daemon channel definition.

		     <channels>
		     #	 name	     stream-name     arguments
			 database    database.log    0644
			 dnssec	     dnssec.log	     0644
			 server	     server.log	     0644
			 statistics  statistics.log  0644
			 system	     system.log	     0644
			 queries     queries.log     0644
			 zone	     zone.log	     0644
			 all	     all.log	     0644

			 gziplog     "|/usr/bin/gzip - >> /var/log/yadifa.log.gz"

			 syslog	     syslog	     user
		     </channels>

	      2.     Example: YADIFA running in	debug mode.
		     This  example  shows  the "stderr"	and "stdout" which can
		     also be used in the first example,	but will output	to the
		     console.

		     <channels>
		     #	 name	     stream-name     arguments
			 syslog	     syslog	     user

			 stderr	     STDERR
			 stdout	     STDOUT
		     </channels>

       *      Loggers

       Logging input configurations:

       The "bundle" is the name of the section of YADIFA being logged; sources
       are: database, dnssec, queries, server, stats, system, zone.
       The "debuglevel"	uses the same names as syslog.
       Additionally, "*" or "all" means	all the	levels;	"prod" means  all  but
       the debug levels.

       The "channels" are a comma-separated list of channels.

	      1.     Example without syslog

		     <loggers>
		     #	 bundle		 debuglevel			     channels
			 database	 ALL				     database,all
			 dnssec		 warning			     dnssec,all
			 server		 INFO,WARNING,ERR,CRIT,ALERT,EMERG   server,all
			 stats		 prod				     statistics
			 system		 *				     system,all
			 queries	 *				     queries
			 zone		 *				     zone,all
		     </loggers>

	      2.     Example with syslog

		     <loggers>
		     #	 bundle		 debuglevel			     channels
			 database	 ALL				     database,syslog
			 dnssec		 warning			     dnssec,syslog
			 server		 INFO,WARNING,ERR,CRIT,ALERT,EMERG   server,syslog
			 stats		 prod				     statistics, syslog
			 system		 *				     system,syslog
			 queries	 *				     queries,syslog
			 zone		 *				     zone,syslog
		     </loggers>

SEE ALSO
       yadifad(8)

NOTES
       Since  unquoted	leading	 whitespace  is	generally ignored in the yadi-
       fad.conf	you can	indent everything to taste.

CHANGES
       Please check the	file README from the sources.

VERSION
       Version:	2.6.7 of 2024-07-19.

MAILING	LISTS
       There exists a mailinglist for questions	relating to any	program	in the
       yadifa package:

       *      yadifa-users@mailinglists.yadifa.eu
	      for submitting questions/answers.

       *      http://www.yadifa.eu/mailing-list-users
	      for subscription requests.

       If you would like to stay informed  about  new  versions	 and  official
       patches send a subscription request via:

       *      http://www.yadifa.eu/mailing-list-announcements

       (this is	a readonly list).

LICENSE	AND COPYRIGHT
       Copyright
	      (C)2011-2023, EURid
	      B-1831 Diegem, Belgium
	      info@yadifa.eu

AUTHORS
       Gery Van	Emelen
       Email: Gery.VanEmelen@EURid.eu
       Eric Diaz Fernandez
       Email: Eric.DiazFernandez@EURid.eu

       WWW: http://www.EURid.eu

YADIFA				  2024-07-19		       YADIFAD-CONF(5)
