yadifad.conf man page

yadifad.conf — configuration file for yadifad(8).

Synopsis

${PREFIX}/etc/yadifad.conf

Description

The configuration of yadifad has several containers:

<main>

General container

<key>

TSIG keys

<acl>

Access lists

<nsid>

NameServer IDentifier

<rrl>

Response Rate Limiting directives

<zone>

Description of the domain name in specific attributes.

<channels>

Description of the logger outputs.

<dnssec-policy>

Description of dnssec policies.

<key-suite>

Description of the key-suites needed if 'dnssec policies' are used.

<key-roll>

Description of the key-rolls needed if 'dnssec policies' are used.

<key-template>

Description of the key-templates needed if 'dnssec policies' are used.

<denial>

Description of 'denial', this can be used in certain 'dnssec policies'.

The configuration supports included files, e.g.:

include /etc/yadifa/conf.d/local.conf

Included configuration files can themselves be nested.

A configuration consists of containers holding variables and their arguments, e.g.:

<container>
    # variable  argument
    variable    value1  
    # variable  argument1       argument2
    variable    value1          value2
    # variable  argument1
    variable    value1,value2
</container>

Examples

Examples of containers defined for a configuration file.

Keys
TSIG key definitions

1.

Admin-key key definition (the name is arbitrary)

<key>
    name        abroad-admin-key
    algorithm   hmac-md5
    secret      WorthlessKeyForExample==
</key>
2.

Master-slave key definition

<key>
    name        master-slave
    algorithm   hmac-md5
    secret      MasterAndSlavesTSIGKey==
</key>

ACL
Access Control List definitions

1.

Master-slave key use

<acl>
    transferer  key master-slave
    admins      192.0.2.0/24, 2001:db8::74
    master      192.0.2.53
    localhost   127.0.0.0/8, ::1
</acl>

NSID
DNS NameServer IDentifier

1.

Example with an ASCII identifier

<nsid>
    ascii belgium-brussels-01
</nsid>
2.

Example with a hexadecimal identifier

<nsid>
    hex 00320201
</nsid>

RRL
Response Rate Limiting

<rrl>
    # Number of identical responses per second before responses are limited
    responses-per-second    5

    # Number of errors per second before responses are limited
    errors-per-second       5

    # Random slip parameter
    slip                    10

    # If enabled, the rate limits are only logged and not enforced
    log-only                off

    # Mask applied to group the IPv4 clients
    ipv4-prefix-length      24

    # Mask applied to group the IPv6 clients
    ipv6-prefix-length      56

    # Clients that are exempt from rate limiting (i.e. a whitelist)
    exempt-clients          none

    # Enable or disable the rate limit capabilities
    enabled                 yes
</rrl>
Zone
Zone definitions

1.

Master domain zone config

<zone>
    # This server is master for the zone (mandatory)
    type            master

    # The domain name (mandatory)
    domain          mydomain.eu

    # The zone file, relative to 'datapath'  (mandatory for a master) (alias: file-name)
    file            master/mydomain.eu

    # List of servers also notified of a change (beside the ones in the zone file) (alias: notifies, notify)
    also-notify     192.0.2.84, 192.0.2.149

    # Set the size of the journal file in KB (alias: journal-size-kb)
    journal-size    8192

    # Allow dynupdate for these ACL entries
    allow-update    admins

    # Allow AXFR/IXFR for these ACL entries
    allow-transfer  transferer

    # Apply the DNSSEC policy with id 1; remove or comment out this line if DNSSEC policies are not used
    dnssec-policy   1
</zone>
2.

Slave domain zone config

<zone>
    # This server is slave for that zone (mandatory)
    type            slave

    # The domain name (mandatory)
    domain          myotherdomain.eu

    # The address of the master (mandatory for a slave, forbidden for a master) (alias: master)
    masters         192.0.2.53 port 4053 key master-slave

    # The zone file, relative to 'datapath'.
    file            slaves/myotherdomain.eu

    # Accept notifies from these ACL entries
    allow-notify    master
</zone>

DNSSEC-Policy

A DNSSEC-Policy needs some extra sections: key-suite, key-roll and key-template (and denial if NSEC3 is configured).

1.

dnssec-policy example with all the needed sections

Example with NSEC3

<dnssec-policy>
    id              "1"

    description     "Example of ZSK and KSK"
    denial          "nsec3-with-salt-on"
    key-suite       "zsk-1024"
    key-suite       "ksk-2048"
</dnssec-policy>

Example with NSEC

<dnssec-policy>
    id              "2"

    description     "Example of ZSK and KSK"
    denial          nsec
    key-suite       "zsk-1024"
    key-suite       "ksk-2048"
</dnssec-policy>
2.

key-suite

<key-suite>
    id              "ksk-2048"

    key-template    "ksk-2048"
    key-roll        "key-roll-ksk-2048-short-times"
</key-suite>

<key-suite>
    id              "zsk-1024"

    key-template    "zsk-1024"
    key-roll        "key-roll-zsk-1024-short-times"
</key-suite>
3.

key-roll

<key-roll>
    id              "key-roll-ksk-2048-short-times"

#   command         minutes    hours      day        month      day-week   week
    generate        5,35       *          *          *          *          *
    publish         6,36       *          *          *          *          *
    activate        7,37       *          *          *          *          *
    inactive        8,38       *          *          *          *          *
    remove          12,42      *          *          *          *          *
</key-roll>

<key-roll>
    id              "key-roll-zsk-1024-short-times"

#   command         minutes    hours      day        month      day-week   week
    generate        5,35       *          *          *          *          *
    publish         6,36       *          *          *          *          *
    activate        7,37       *          *          *          *          *
    inactive        8,38       *          *          *          *          *
    remove          12,42      *          *          *          *          *
</key-roll>
4.

key-template

<key-template>
    id              "ksk-2048"

    ksk             true
    algorithm       8
    size            2048
</key-template>

<key-template>
    id              "zsk-1024"

    ksk             false
    algorithm       8
    size            1024
</key-template>
5.

denial

<denial>
    id              "nsec3-with-salt-on"

    salt            "ABCD"
    algorithm       1
    iterations      5
    optout          off
</denial>

<denial>
    id              "nsec3-with-salt-length-on"

    salt-length     4
    algorithm       1
    iterations      5
    optout          off
</denial>
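As an added example (not part of the YADIFA distribution), the following Python script parses the container syntax shown under Description and checks that every id referenced from a dnssec-policy or key-suite (denial, key-suite, key-template, key-roll) actually exists, the kind of dangling reference that otherwise only surfaces when the server tries to apply the policy. The configuration fragment is constructed and deliberately omits two of the referenced entries.

```python
import re
from collections import defaultdict

# Constructed fragment; the key-template and key-roll named by the key-suite are deliberately absent
CONF = """\
<dnssec-policy>
    id          "1"
    denial      "nsec3-with-salt-on"
    key-suite   "ksk-2048"
</dnssec-policy>
<key-suite>
    id           "ksk-2048"
    key-template "ksk-2048"
    key-roll     "roll-short"
</key-suite>
<denial>
    id  "nsec3-with-salt-on"
</denial>
"""

def parse_containers(text):
    """Map container name -> list of entries (key -> list of values); '#' comments dropped."""
    conf = defaultdict(list)
    for name, body in re.findall(r"<([\w-]+)>(.*?)</\1>", text, re.S):
        entry = defaultdict(list)
        for line in body.splitlines():
            line = line.split("#", 1)[0].strip()
            if line:  # "variable   value", quotes around the value are optional
                key, _, value = line.partition(" ")
                entry[key].append(value.strip().strip('"'))
        conf[name].append(dict(entry))
    return dict(conf)

# Keys that must name the "id" of an entry in another container
REFS = {"dnssec-policy": {"denial": "denial", "key-suite": "key-suite"},
        "key-suite": {"key-template": "key-template", "key-roll": "key-roll"}}

def dangling_references(conf):
    """Return (container, id, key, value) for each reference whose target id does not exist."""
    ids = {c: {e["id"][0] for e in es if "id" in e} for c, es in conf.items()}
    bad = []
    for container, keys in REFS.items():
        for entry in conf.get(container, []):
            for key, target in keys.items():
                for value in entry.get(key, []):
                    if key == "denial" and value == "nsec":  # bare NSEC keyword, not an id
                        continue
                    if value not in ids.get(target, set()):
                        bad.append((container, entry["id"][0], key, value))
    return bad
```

Running dangling_references(parse_containers(CONF)) on the fragment reports the missing key-template and key-roll; a real configuration would be read from the file after resolving its include directives.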

Channels

Logging output-channel configurations:

The "name" is arbitrary and is referenced from the <loggers> container.
The "stream-name" defines the output type (i.e. a file name, syslog, STDOUT or STDERR).
The "arguments" are specific to the output type (i.e. Unix file access rights for a file, or syslog options and facilities for syslog).

1.

Example: YADIFA running as daemon channel definition.

<channels>
#   name        stream-name     arguments
    database    database.log    0644
    dnssec      dnssec.log      0644
    server      server.log      0644
    statistics  statistics.log  0644
    system      system.log      0644
    queries     queries.log     0644
    zone        zone.log        0644
    all         all.log         0644

    syslog      syslog          user
</channels>
2.

Example: YADIFA running in debug mode.
This example uses the "stderr" and "stdout" channels, which can also be used in the first example but write to the console instead of a file.

<channels>
#   name        stream-name     arguments
    syslog      syslog          user

    stderr      STDERR
    stdout      STDOUT
</channels>

Loggers

Logging input configurations:

The "bundle" name is predefined: database, dnssec, server, statistics, system, zone.
The "debuglevel" uses the same names as syslog or "*" or "all" to filter the input.

The "channels" are a comma-separated list of channels.

1.

Example without syslog

<loggers>
#   bundle          debuglevel                          channels
    database        ALL                                 database,all
    dnssec          warning                             dnssec,all
    server          INFO,WARNING,ERR,CRIT,ALERT,EMERG   server,all
    statistics      *                                   statistics
    system          *                                   system,all
    queries         *                                   queries
    zone            *                                   zone,all
</loggers>
2.

Example with syslog

<loggers>
#   bundle          debuglevel                          channels
    database        ALL                                 database,syslog
    dnssec          warning                             dnssec,syslog
    server          INFO,WARNING,ERR,CRIT,ALERT,EMERG   server,syslog
    stats           *                                   statistics, syslog
    system          *                                   system,syslog
    queries         *                                   queries,syslog
    zone            *                                   zone,syslog
</loggers>

The defined loggers are:

system

contains low-level messages about the system such as memory allocation, threading, I/O, timers and cryptography, ...

database

contains messages about most lower-level operations in the DNS database, i.e. journal, updates, zone loading and sanitization, DNS message query resolution, ...

dnssec

contains messages about lower-level DNSSEC operations in the DNS database, i.e. status, maintenance, verification, ...

server

contains messages about operations in the DNS server, i.e. start up, shutdown, configuration, transfers, the status of various services (database management, network management, DNS notification management, dynamic update management, response rate limiting, ...)

zone

contains messages about the loading of a zone from a source (file parsing, transferred binary zone reading, ...)

stats

contains the statistics of the server.

queries

contains the queries received by the server.  Queries can be logged in the BIND and/or in the YADIFA format.

BIND format:

client sender-ip#port: query: fqdn class type +SETDC (listen-ip)

YADIFA format:

query [ id ] {+SETDC} fqdn class type (sender-ip#port)

where:

id

is the query message id

+

means the message has the Recursion Desired flag set

S

means the message is signed with a TSIG

E

means the message is EDNS

T

means the message was sent using TCP instead of UDP

D

means the message has the DNSSEC OK flag set

C

means the message has the Checking Disabled flag set

fqdn

is the queried FQDN

class

is the queried class

type

is the queried type

sender-ip

is the IP of the client that sent the query

port

is the port of the client that sent the query

listen-ip

is the listen network interface that received the message

Note that on YADIFA any unset flag is replaced by a '-', on BIND only the '+' follows that rule.
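As an added example (not from the YADIFA project), this Python snippet parses query-log lines in both formats described above, decodes the +SETDC flag field following the rule just stated, and lists zone-transfer requests that arrived without a TSIG signature, which an operator who restricts allow-transfer to a key ACL would want to notice. The log lines are constructed.

```python
import re

# Constructed sample lines in the two formats described above (not real server output)
LOG_LINES = [
    "client 192.0.2.10#53211: query: www.mydomain.eu IN A +ED (192.0.2.53)",
    "query [4d2f] {+-E-D-} www.mydomain.eu IN AAAA (2001:db8::74#40123)",
    "query [4d30] {-S-T--} mydomain.eu IN AXFR (192.0.2.84#49152)",
    "client 198.51.100.7#33333: query: mydomain.eu IN AXFR -T (192.0.2.53)",
]

# Letters of the +SETDC field and their meaning
FLAG_NAMES = {"+": "rd", "S": "tsig", "E": "edns", "T": "tcp", "D": "do", "C": "cd"}

BIND_RE = re.compile(
    r"client (?P<ip>\S+)#(?P<port>\d+): query: (?P<fqdn>\S+) (?P<cls>\S+) (?P<type>\S+)"
    r" (?P<flags>[+\-SETDC]+) \((?P<listen>\S+)\)")
YADIFA_RE = re.compile(
    r"query \[(?P<id>\w+)\] \{(?P<flags>[+\-SETDC]{6})\} (?P<fqdn>\S+) (?P<cls>\S+)"
    r" (?P<type>\S+) \((?P<ip>\S+)#(?P<port>\d+)\)")

def decode_flags(flags):
    """A letter present means the flag is set; '-' (or, in BIND format, absence) means unset."""
    return {name: letter in flags for letter, name in FLAG_NAMES.items()}

def parse_query_line(line):
    """Parse one query-log line of either format into a dict, or return None if it matches neither."""
    m = BIND_RE.match(line) or YADIFA_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["format"] = "bind" if line.startswith("client ") else "yadifa"
    rec["port"] = int(rec["port"])
    rec.update(decode_flags(rec.pop("flags")))
    return rec

def unsigned_transfer_requests(lines):
    """Detection helper: AXFR/IXFR requests whose 'S' flag is unset, i.e. not TSIG-signed."""
    records = (parse_query_line(line) for line in lines)
    return [r for r in records if r and r["type"] in ("AXFR", "IXFR") and not r["tsig"]]
```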

System operators will mostly be interested in the info and above messages of queries and stats, as well as the error and above messages of the other loggers.

See Also

yadifad(8)

Notes

Since unquoted leading whitespace is generally ignored in yadifad.conf, you can indent everything to taste.

Changes

Please check the file ChangeLog from the sources.

Version

Version: 2.2.4 of 2017-04-06.

Mailing Lists

There exists a mailing list for questions relating to any program in the yadifa package:

If you would like to stay informed about new versions and official patches send a subscription request to  via:

(this is a read-only list).

Authors

Gery Van Emelen
Email: Gery.VanEmelen@EURid.eu
Eric Diaz Fernandez
Email: Eric.DiazFernandez@EURid.eu

WWW: http://www.EURid.eu

Referenced By

yadifad(8).

2017-04-06 YADIFA