YAKEYROLLD-CONF(5)		    YADIFA		    YAKEYROLLD-CONF(5)

NAME
       yakeyrolld.conf - configuration file for	yakeyrolld(8).

SYNOPSIS
       ${SYSCONFDIR}/yakeyrolld.conf

DESCRIPTION
       The configuration of yakeyrolld consists of a text file that can
       optionally include others.  The general structure is a sequence of
       containers: a sequence of lines of text starting with a <container-name>
       and ending with a </container-name>.  Each line between these delimiters
       is in the form: variable-name value.  The format of the value is
       determined by the type of the variable.

       There are 7 types:

       FQDN
	       A fully-qualified domain	name text string. e.g.:	www.eurid.eu.

       GID
	       Group ID. (Can be a number or a name)

       HOST(S)
	       A (list of) host(s). A host is defined by an IP (v4 or v6)  and
	      can  be  followed	by the word `port' and a port number. Elements
	      of the list are separated	by a `,' or a `;'.

       INTEGER / INT
	       A base-ten integer.

       PATH / FILE
	       A file or directory path, e.g.: "/var/plans".

       STRING /	STR
	       A text string. Double quotes can	be used	but are	not mandatory.
	      Without quotes the string will be taken from the first non-blank
	      character to the last non-blank character.

       UID
	       User ID.	(Can be	a number or a name)
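       The container format and value types described above, as an added
       example (not YADIFA's own parser): a small Python reader that splits
       the file into containers and coerces values by the STRING, INT and
       HOST(S) rules given here.  The sample configuration text is
       constructed for this example; reporting a host without a `port` as
       port None and rejecting nested containers are assumptions of this
       example, not behaviour documented on this page.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample input in the container format described above (not a
# configuration shipped with YADIFA).
SAMPLE = """
<yakeyrolld>
    # comment lines and blank lines are skipped
    domain    example.com.
    domain    example.net.
    log-path  "/var/log/yakeyrolld"
    server    127.0.0.1 port 5353; ::1
    timeout   3
</yakeyrolld>
<key>
    name       primary-secondary
    algorithm  HMAC-SHA256
    secret     "PrimaryAndSecondaryKey=="
</key>
"""


def parse_containers(text):
    """Split the text into a list of (container-name, {variable: [raw values]}).

    A variable repeated inside one container (e.g. `domain`) keeps every value,
    in file order.  Nesting is rejected: the page describes a flat sequence of
    containers, and this example assumes exactly that.
    """
    containers = []
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("</") and line.endswith(">"):
            name = line[2:-1].strip()
            if current is None or current[0] != name:
                raise ValueError(f"line {lineno}: unexpected </{name}>")
            containers.append(current)
            current = None
        elif line.startswith("<") and line.endswith(">"):
            if current is not None:
                raise ValueError(f"line {lineno}: container nested in <{current[0]}>")
            current = (line[1:-1].strip(), defaultdict(list))
        else:
            if current is None:
                raise ValueError(f"line {lineno}: value outside any container")
            parts = line.split(None, 1)  # variable-name, then the rest of the line
            current[1][parts[0]].append(parts[1].strip() if len(parts) > 1 else "")
    if current is not None:
        raise ValueError(f"missing </{current[0]}>")
    return containers


def as_string(value):
    """STRING: optional double quotes; without them, first to last non-blank character."""
    v = value.strip()
    if len(v) >= 2 and v[0] == '"' and v[-1] == '"':
        return v[1:-1]
    return v


def as_int(value):
    """INTEGER / INT: a base-ten integer."""
    return int(value.strip(), 10)


def as_hosts(value):
    """HOST(S): IP (v4 or v6) optionally followed by `port N`, separated by `,` or `;`.

    Returns a list of (address, port); port is None when none is given, since the
    page does not state what the daemon substitutes for a missing port.
    """
    hosts = []
    for item in re.split(r"[,;]", value):
        tokens = item.split()
        if not tokens:
            continue
        addr = str(ipaddress.ip_address(tokens[0]))  # raises ValueError on a bad IP
        if len(tokens) == 1:
            hosts.append((addr, None))
        elif len(tokens) == 3 and tokens[1].lower() == "port":
            hosts.append((addr, int(tokens[2], 10)))
        else:
            raise ValueError(f"bad host specification: {item.strip()!r}")
    return hosts
```

       Values are kept raw by `parse_containers` and converted per variable,
       because the type (and thus the conversion) is decided by the variable
       name, not by the text of the value.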

   STANDARD SECTIONS
       There are 9 sections:

       <yakeyrolld>
	       General container, contains all	the  configuration  parameters
	      needed to	start up yakeyrolld.

	      domain  FQDN
		      default: .

		     Names  one	domain to manage, can be used up to 200	times.
		     In	 yadifad.conf,	each  of  these	 domains   must	  have
		     rrsig-nsupdate-allowed enabled in their respective	<zone>
		     section.

	      log-path	PATH
		      default: ${localstatedir}/log/yakeyrolld

		     The directory that	will contain the log files.

	      keys-path	 PATH
		      default: ${localstatedir}/zones/keys

		     The directory the name server uses to read zone key files.

	      plan-path	 PATH
		      default: ${localstatedir}/plans

		     The directory of the step files.

	      pid-path	PATH
		      default: ${localstatedir}/run

		     The directory of the pid file.

	      pid-file	STRING
		      default: yakeyrolld.pid

		     The name of the pid file.

	      generate-from  STRING
		      default: "now"

		     For plan generation, when to start the plan; can be
		     overridden by the command line.

	      generate-until  STRING
		      default: "+1y"

		     For plan generation, when to stop the plan; can be
		     overridden by the command line.

	      server  HOST
		      default: 127.0.0.1

		     The address of the	name server for	 queries  and  dynamic
		     updates.

	      timeout  INT
		      default: 3

		     The  number  of  seconds spent trying to communicate with
		     the primary until it's considered a time-out.

	      ttl  INT
		      default: 600

		     The default ttl value to use when generating records.

	      update-apply-verify-retries  INT
		      default: 60

		     If an applied update cannot be verified, retry that
		     many times.

	      update-apply-verify-retries-delay	 INT
		      default: 1

		     Waits that	many seconds between two update	apply tries.

	      match-verify-retries  INT
		      default: 60

		     If	a match	test fails, retries that many times.

	      match-verify-retries-delay  INT
		      default: 1

		     Waits that	many seconds between two match test tries.

	      policy  STRING
		      default: undefined

		     The name of the policy to use when	generating the plan.

	      uid  UID
		      default: 0

		     The uid to switch to. This should match the name server's.

	      gid  GID
		      default: 0

		     The gid to switch to. This should match the name server's.

       <dnssec-policy>
	       Description of dnssec policies.

	      id STR
		      default: -

		     id	of the dnssec-policy section.

	      description STR
		      default: -

		     Description for the dnssec-policy section.

	      key-suite	STR
		      default: -

		     id	of the key-suite to be used.

       <key-suite>
	       Description  of	the key-suites needed if 'dnssec policies' are
	      used.

	      id STR
		      default: -

		     id	of the key-suite section.

	      key-template STR
		      default: -

		     id	of the key-template to be used.

	      key-roll STR
		      default: -

		     id	of the key-roll	to be used.

       <key>
	       TSIG keys

	      algorithm	ENUM
		      default: -

		     Mandatory.	Sets the algorithm of the key.

		     Supported values are:

			hmac-md5

			hmac-sha1

			hmac-sha224

			hmac-sha256

			hmac-sha384

			hmac-sha512

		     (the algorithm names are case insensitive)

	      name FQDN
		      default: -

		     Mandatory.	Sets the name of the key.

	      secret TEXT
		      default: -

		     Mandatory.	Sets the value of the key. BASE64 encoded.
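       The three mandatory variables of a <key> container, checked the way a
       configuration linter would, as an added example (this is not
       yakeyrolld's own validation): the algorithm is matched case
       insensitively against the list above, the secret must be valid
       BASE64, and its decoded length is compared with the HMAC digest size
       (RFC 2104 discourages keys shorter than the digest).  The deprecation
       note for hmac-md5 follows RFC 8945; the helper that generates a secret
       of the right length is this example's addition, and the key names used
       in the checks are constructed.

```python
import base64
import binascii
import hashlib
import secrets

# Supported values from the <key> section above, mapped to the hash used by the
# HMAC so the secret length can be compared with the digest size.
TSIG_ALGORITHMS = {
    "hmac-md5": hashlib.md5,
    "hmac-sha1": hashlib.sha1,
    "hmac-sha224": hashlib.sha224,
    "hmac-sha256": hashlib.sha256,
    "hmac-sha384": hashlib.sha384,
    "hmac-sha512": hashlib.sha512,
}
# Deprecation status per RFC 8945 (not stated on this page).
DEPRECATED = {"hmac-md5": "hmac-md5 is deprecated for TSIG (RFC 8945); prefer hmac-sha256"}


def encode_secret(raw):
    """BASE64-encode raw key bytes the way the `secret` variable expects them."""
    return base64.b64encode(raw).decode("ascii")


def generate_secret(algorithm):
    """Return a fresh random secret whose length equals the HMAC digest size."""
    digest_size = TSIG_ALGORITHMS[algorithm.strip().lower()]().digest_size
    return encode_secret(secrets.token_bytes(digest_size))


def validate_tsig_key(name, algorithm, secret):
    """Check one <key> container; returns a list of problems (empty means OK)."""
    problems = []
    if not name.strip() or any(c.isspace() for c in name.strip()):
        problems.append("name must be a single FQDN")
    alg = algorithm.strip().lower()  # algorithm names are case insensitive
    if alg not in TSIG_ALGORITHMS:
        problems.append(f"unsupported algorithm {algorithm!r}")
    elif alg in DEPRECATED:
        problems.append(DEPRECATED[alg])
    try:
        raw = base64.b64decode(secret.strip(), validate=True)
    except (binascii.Error, ValueError):
        problems.append("secret is not valid base64")
        return problems
    if alg in TSIG_ALGORITHMS:
        digest_size = TSIG_ALGORITHMS[alg]().digest_size
        if len(raw) < digest_size:
            problems.append(
                f"secret is {len(raw)} bytes, shorter than the {digest_size}-byte "
                f"digest of {alg} (RFC 2104 discourages shorter HMAC keys)")
    return problems
```

       Because yakeyrolld and the name server must share the same key, the
       same check is worth running against the <key> in yadifad.conf; a
       mismatch only shows up as failed dynamic updates at roll time.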

       <key-roll>
	       Description of the key-rolls needed if  'dnssec	policies'  are
	      used.

	      id STR
		      default: -

		     id	of the key-roll	section.

	      generate STR
		      default: -

		     Time when the key must be generated.

	      publish STR
		      default: -

		     Time when the key must be published in the	zone.

	      activate STR
		      default: -

		     Time  when	 the  key will be used for signing the zone or
		     apex of the zone.

	      inactive STR
		      default: -

		     Time when the key will not	be used	anymore	for signing.

	      delete STR
		      default: -

		     Time when the key will be removed out of the zone.

       <key-template>
	       Description of the key-templates	needed	if  'dnssec  policies'
	      are used.

	      id STR
		      default: -

		     id	of the key-template section.

	      generate STR
		      default: -

		     Time when the key must be generated.

	      publish STR
		      default: -

		     Time when the key must be published in the	zone.

	      activate STR
		      default: -

		     Time  when	 the  key will be used for signing the zone or
		     apex of the zone.

	      inactive STR
		      default: -

		     Time when the key will not	be used	anymore	for signing.

	      delete STR
		      default: -

		     Time when the key will be removed out of the zone.

       <channels>
	       Description of the logger outputs.

       It contains a list of descriptions of user-defined outputs for the
       logger.  Depending on the kind of output, the format is different.

       The "name" is arbitrary and is used for identification in the
       <loggers>.
       The "stream-name" defines the output type (i.e.: a file name, a program
       output or syslog).
       The "arguments" are specific to the output type (i.e.: unix file access
       rights or syslog options and facilities).

	      *	     file output stream:
		     channel-name file-name access-rights (octal)

	      *	     pipe to a program:
		     channel-name "| shell command"
		     channel-name "| path-to-program program arguments >> append-redirect"

	      *	     STDOUT, STDERR output stream:
		     channel-name stdout
		     channel-name stderr

	      *	     syslog:
		     channel-name syslog syslog-facility

       <loggers>
	       Description of the logger outputs sources.

       Sets the	output of a pre-defined	logger for yakeyrolld.

       The format of the line is: logger-name output-filter
       comma-separated-channel-names

       Filters are:
       DEBUG7, DEBUG6, DEBUG5, DEBUG4, DEBUG3, DEBUG2,	DEBUG1,	 DEBUG,	 INFO,
       NOTICE, WARNING,	ERR, CRIT, ALERT, EMERG

       Additionally, there are:

	      *	     ALL (or '*') meaning all the filters.

	      *	     PROD means	all but	the DEBUG filters.

	      The defined loggers are:

	      keyroll
		      contains general messages	about the keyroll

	      dnssec
		      contains messages about DNSSEC-related computations
		     during the generation.

	      system
		      contains low level messages about the system such as
		     memory allocation, threading, IOs, timers and
		     cryptography, ...

	      System operators will mostly be interested in the	info and above
	      messages of the keyroll and dnssec loggers.
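       The <channels> and <loggers> line formats described above, checked
       together as an added example (not part of yakeyrolld): the channel
       lines are parsed by stream type, the logger lines are split into
       logger-name, filter and channel list, every referenced channel must
       be defined, the filter must be one of the names listed above (with
       ALL, '*' and PROD expanded as described), and a file channel whose
       access rights are world-writable is flagged.  The sample channel and
       logger texts are constructed; the world-writable check and the exact
       parsing of the pipe and syslog forms are this example's assumptions.

```python
# Filter names from lowest to highest, as listed in the <loggers> section.
LEVELS = ("DEBUG7", "DEBUG6", "DEBUG5", "DEBUG4", "DEBUG3", "DEBUG2", "DEBUG1",
          "DEBUG", "INFO", "NOTICE", "WARNING", "ERR", "CRIT", "ALERT", "EMERG")
# The loggers this page defines for yakeyrolld.
LOGGERS_DEFINED = ("keyroll", "dnssec", "system")

# Constructed sample bodies of a <channels> and a <loggers> container.
CHANNELS = """
# name   stream-name  arguments
keyroll  keyroll.log  0644
all      all.log      0666
console  stdout
sys      syslog       daemon
mail     "| /usr/bin/logger -t yakeyrolld"
"""
LOGGERS = """
# bundle  debuglevel  channels
keyroll   prod        keyroll,all
dnssec    info        dnssec,all
system    *           console,sys
"""


def _body_lines(text):
    """Yield non-blank, non-comment lines with surrounding blanks removed."""
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            yield line


def parse_channels(text):
    """Map channel name -> (kind, target, file-mode-or-None)."""
    channels = {}
    for line in _body_lines(text):
        parts = line.split(None, 1)
        name, rest = parts[0], (parts[1].strip() if len(parts) > 1 else "")
        if rest.startswith('"|'):                       # pipe to a program
            channels[name] = ("pipe", rest.strip('"')[1:].strip(), None)
        elif rest in ("stdout", "stderr"):               # standard streams
            channels[name] = (rest, rest, None)
        elif rest.startswith("syslog"):                  # syslog + facility
            channels[name] = ("syslog", rest[len("syslog"):].strip(), None)
        else:                                            # file-name access-rights
            fields = rest.split()
            if len(fields) != 2:
                raise ValueError(f"channel {name!r}: expected 'file-name access-rights'")
            channels[name] = ("file", fields[0], int(fields[1], 8))
    return channels


def expand_filter(name):
    """Expand an output filter into the set of level names it covers."""
    f = name.upper()
    if f in ("ALL", "*"):
        return set(LEVELS)
    if f == "PROD":
        return {lvl for lvl in LEVELS if not lvl.startswith("DEBUG")}
    if f in LEVELS:
        return {f}
    raise ValueError(f"unknown filter {name!r}")


def parse_loggers(text):
    """Return a list of (logger-name, filter, [channel names])."""
    loggers = []
    for line in _body_lines(text):
        fields = line.split()
        if len(fields) != 3:
            raise ValueError(f"bad logger line {line!r}")
        logger, flt, chans = fields
        loggers.append((logger, flt, [c for c in chans.split(",") if c]))
    return loggers


def check_logging(channels_text, loggers_text):
    """Cross-check <channels> against <loggers>; returns a list of problems."""
    problems = []
    channels = parse_channels(channels_text)
    for name, (kind, target, mode) in channels.items():
        if kind == "file" and mode & 0o002:
            problems.append(f"channel {name!r} ({target}) is world-writable ({mode:04o})")
    for logger, flt, chans in parse_loggers(loggers_text):
        if logger not in LOGGERS_DEFINED:
            problems.append(f"unknown logger {logger!r}")
        try:
            expand_filter(flt)
        except ValueError as err:
            problems.append(str(err))
        for chan in chans:
            if chan not in channels:
                problems.append(f"logger {logger!r} references undefined channel {chan!r}")
    return problems
```

       A logger that names a channel missing from <channels> silently loses
       its output, which is exactly the kind of gap noticed only when the log
       is needed after a failed roll; the cross-check above makes it a
       start-up error instead.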

EXAMPLES
       Examples	of containers defined for a configuration file.

       *      Main

	      1.     Config with includes

		     # start yakeyrolld.conf <yakeyrolld> container
		     include /etc/yakeyrolld/conf.d/local.conf
		     # end yakeyrolld.conf <yakeyrolld>	container

	      2.     Main without includes

		     <yakeyrolld>
			 # Detach from the console (alias: daemonize)
			 daemon			 off

			 # The directory to use	for the	log files
			 log-path		  "/var/log/yakeyrolld"

			 # The directory that yadifad uses to load private keys
			 keys-path		  "/var/lib/yadifa/keys"

			 # The directory to use	to store the plans
			 plan-path		  "/var/lib/yadifa/plans"

			 generate-from "now"

			 generate-until	"+1y"

			 server	127.0.0.1

			 policy	"keyroll-policy"
		     </yakeyrolld>

       *      Key
	      TSIG-key configuration

	      1.     Admin-key key definition (the name	is arbitrary)

		     <key>
			 name	     abroad-admin-key
			 algorithm   hmac-md5
			 secret	     WorthlessKeyForExample==
		     </key>

	      2.     primary-secondary key definition

		     <key>
			 name	     primary-secondary
			 algorithm   hmac-md5
			 secret	     PrimaryAndSecondaryKey==
		     </key>

       *      DNSSEC-Policy

       DNSSEC-Policy needs some extra sections: key-suite, key-roll,
       key-template

	      1.     dnssec-policy example with	all the	needed sections
		     <dnssec-policy>
			 id		 "keyroll-policy"

			 description	 "Example of ZSK and KSK"
			 key-suite	 "zsk-1024"
			 key-suite	 "ksk-2048"
		     </dnssec-policy>

	      2.     key-suite
		     <key-suite>
			 id		 "ksk-2048"

			 key-template	 "ksk-2048"
			 key-roll	 "yearly-calendar"
		     </key-suite>

		     <key-suite>
			 id		 "zsk-1024"

			 key-template	 "zsk-1024"
			 key-roll	 "monthly-calendar"
		     </key-suite>

	      3.     key-roll
		     <key-roll>
			 id        "yearly-calendar"

			 generate  11  10  *  1  mon  1  # January, Monday of the second week at 10:11
			 publish   11  10  *  1  tue  *  # following Tuesday at 10:11
			 activate  11  10  *  1  wed  *  # following Wednesday at 10:11
			 inactive  11  10  *  1  mon  *  # following Monday, a year after, at 10:11
			 remove    11  10  *  1  wed  *  # following Wednesday at 10:11
		     </key-roll>

		     <key-roll>
			 id        "monthly-calendar"

			 generate  17  10  *  *  mon  0  # 1st Monday of the month at 10:17
			 publish   17  10  *  *  tue  *  # following Tuesday at 10:17
			 activate  17  10  *  *  wed  *  # following Wednesday at 10:17
			 inactive  17  10  *  *  wed  *  # following Wednesday at 10:17 (one week after the activation)
			 remove    17  10  *  *  thu  *  # following Thursday at 10:17
		     </key-roll>

	      4.     key-template
		     <key-template>
			 id		 "ksk-2048"

			 ksk		 true
			 algorithm	 RSASHA512
			 size		 2048
		     </key-template>

		     <key-template>
			 id		 "zsk-1024"

			 ksk		 false
			 algorithm	 RSASHA512
			 size		 1024
		     </key-template>
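       The chain of references the DNSSEC-Policy examples rely on (the
       <yakeyrolld> policy names a <dnssec-policy>, which names <key-suite>s,
       which name a <key-template> and a <key-roll>) checked for dangling
       ids, as an added example that is not yakeyrolld's own validation.
       The input is a constructed list of (container-name, variables) pairs
       mirroring the examples above, with the "monthly-calendar" key-roll
       deliberately left out; the requirement that a policy carry both a KSK
       and a ZSK suite, and the RSA minimum of 2048 bits, are this example's
       assumptions, not rules stated on this page.

```python
# Constructed parsed configuration (not a file shipped with YADIFA).  Values
# are plain strings, or a list where the variable may be repeated.
CONFIG = [
    ("yakeyrolld", {"policy": "keyroll-policy"}),
    ("dnssec-policy", {"id": "keyroll-policy", "description": "Example of ZSK and KSK",
                       "key-suite": ["zsk-1024", "ksk-2048"]}),
    ("key-suite", {"id": "ksk-2048", "key-template": "ksk-2048", "key-roll": "yearly-calendar"}),
    ("key-suite", {"id": "zsk-1024", "key-template": "zsk-1024", "key-roll": "monthly-calendar"}),
    ("key-roll", {"id": "yearly-calendar"}),          # "monthly-calendar" intentionally missing
    ("key-template", {"id": "ksk-2048", "ksk": "true", "algorithm": "RSASHA512", "size": "2048"}),
    ("key-template", {"id": "zsk-1024", "ksk": "false", "algorithm": "RSASHA512", "size": "1024"}),
]


def index_by_id(config, kind):
    """Map id -> variables for every container of the given kind."""
    return {vars_["id"]: vars_ for name, vars_ in config if name == kind}


def as_list(value):
    """Treat a single value and a list of values uniformly."""
    return value if isinstance(value, list) else [value]


def check_policy_references(config, min_rsa_bits=2048):
    """Return a list of problems in the policy -> suite -> template/roll chain."""
    problems = []
    policies = index_by_id(config, "dnssec-policy")
    suites = index_by_id(config, "key-suite")
    rolls = index_by_id(config, "key-roll")
    templates = index_by_id(config, "key-template")

    # The policy selected in <yakeyrolld> must exist.
    for name, main in config:
        if name == "yakeyrolld" and main.get("policy") not in policies:
            problems.append(f"<yakeyrolld> policy {main.get('policy')!r} is not a defined dnssec-policy")

    for pid, policy in policies.items():
        roles = set()
        for sid in as_list(policy.get("key-suite", [])):
            suite = suites.get(sid)
            if suite is None:
                problems.append(f"dnssec-policy {pid!r} references undefined key-suite {sid!r}")
                continue
            template = templates.get(suite.get("key-template"))
            if template is None:
                problems.append(f"key-suite {sid!r} references undefined key-template "
                                f"{suite.get('key-template')!r}")
            else:
                roles.add("ksk" if template.get("ksk", "false").lower() == "true" else "zsk")
            if suite.get("key-roll") not in rolls:
                problems.append(f"key-suite {sid!r} references undefined key-roll "
                                f"{suite.get('key-roll')!r}")
        # Assumption of this example: a usable policy needs one KSK and one ZSK suite.
        for role in ("ksk", "zsk"):
            if role not in roles:
                problems.append(f"dnssec-policy {pid!r} has no {role.upper()} key-suite")

    # Key strength: flag RSA templates below the configured minimum.
    for tid, template in templates.items():
        algorithm = template.get("algorithm", "").upper()
        if algorithm.startswith("RSA") and int(template.get("size", "0"), 10) < min_rsa_bits:
            problems.append(f"key-template {tid!r}: RSA size {template['size']} "
                            f"is below {min_rsa_bits} bits")
    return problems
```

       Running the check before starting the daemon turns a dangling
       key-roll id, which would otherwise surface only when the plan is
       generated, into an error that names the offending container.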

       *      Channels

       Logging output-channel configurations:

       It contains a list of user-defined outputs for the logger.

       The "name" is arbitrary and is used for identification in the
       <loggers>.
       The "stream-name" defines the output type (i.e.:	a file name, a program
       output or syslog).
       The "arguments" are specific to the output type (i.e.: unix file	access
       rights or syslog	options	and facilities).

	      1.     Example: logging channels definition.

		     <channels>
		     #	 name	     stream-name     arguments
			 keyroll     keyroll.log     0644
			 dnssec	     dnssec.log	     0644
			 system	     system.log	     0644
			 all	     all.log	     0644
		     </channels>

       *      Loggers

       Logging input configurations:

       The "bundle" is the name of the section of yakeyroll being logged;
       sources are: database, dnssec, queries, server, stats, system, zone.
       The "debuglevel" uses the same names as syslog.
       Additionally, "*" or "all" means all the levels; "prod" means all but
       the debug levels.

       The "channels" are a comma-separated list of channels.

	      1.     Example logger configuration

		     <loggers>
		     #	 bundle		 debuglevel			     channels
			 keyroll	 prod				     keyroll,all
			 dnssec		 prod				     dnssec,all
			 system		 prod				     system,all
		     </loggers>

SEE ALSO
       yakeyrolld(8)

NOTES
       Since unquoted leading whitespace is generally ignored in the
       yadifad.conf you can indent everything to taste.

CHANGES
       Please check the	file README from the sources.

VERSION
       Version:	2.6.7 of 2024-07-19.

MAILING	LISTS
       There exists a mailing list for questions relating to any program in
       the yadifa package:

       *      yadifa-users@mailinglists.yadifa.eu
	      for submitting questions/answers.

       *      http://www.yadifa.eu/mailing-list-users
	      for subscription requests.

       If you would like to stay informed about new versions and official
       patches, send a subscription request via:

       *      http://www.yadifa.eu/mailing-list-announcements

       (this is	a readonly list).

LICENSE	AND COPYRIGHT
       Copyright
	      (C)2011-2023, EURid
	      B-1831 Diegem, Belgium
	      info@yadifa.eu

AUTHORS
       Gery Van	Emelen
       Email: Gery.VanEmelen@EURid.eu
       Eric Diaz Fernandez
       Email: Eric.DiazFernandez@EURid.eu

       WWW: http://www.EURid.eu

YAKEYROLLD			  2024-07-19		    YAKEYROLLD-CONF(5)
