yadifad.conf (5) - Linux Manuals
NAME
yadifad.conf - configuration file for yadifad(8).
SYNOPSIS
${PREFIX}/etc/yadifad.conf
DESCRIPTION
The configuration of yadifad has several containers:

    <main>            General container
    <key>             TSIG keys
    <acl>             Access lists
    <nsid>            NameServer IDentifier
    <rrl>             Response Rate Limiting directives
    <zone>            Description of the domain name in specific attributes.
    <channels>        Description of the logger outputs.
    <loggers>         Description of the logger inputs (which log bundle goes to which channels).
    <dnssec-policy>   Description of dnssec policies.
    <key-suite>       Description of the key-suites needed if 'dnssec policies' are used.
    <key-roll>        Description of the key-rolls needed if 'dnssec policies' are used.
    <key-template>    Description of the key-templates needed if 'dnssec policies' are used.
    <denial>          Description of 'denial', this can be used in certain 'dnssec policies'.

The configuration supports included files.

    example: include /etc/yadifa/conf.d/local.conf

Included files may themselves contain include directives, so configuration files can be nested.
The configuration consists of:

    - Containers, which start with <container name> and end with </container name>
    - Variable names
    - 1 or 2 arguments
    - Arguments can contain 1 or more comma separated values.

eg.

    <container>
        # variable argument
        variable value1
        # variable argument1 argument2
        variable value1 value2
        # variable argument1
        variable value1,value2
    </container>
EXAMPLES
Examples of containers defined for a configuration file.

Main

1. Config with includes

    # start yadifad.conf <main> container
    include /etc/yadifa/conf.d/local.conf
    # end yadifad.conf <main> container

2. Main without includes

    <main>
        # Detach from the console (alias: daemonize)
        daemon off

        # Jail the application
        chroot off

        # The directory used as the jail when 'chroot' is on (alias: chroot-path)
        chrootpath "/chroot/yadifad"

        # The path of the log files (alias: log-path)
        logpath "/var/log/yadifa"

        # The location of the pid file (alias: pid-file)
        pidfile "/var/run/yadifa/yadifad.pid"

        # The path of the zone files (alias: data-path)
        datapath "/var/lib/yadifa"

        # The path of the DNSSEC keys (alias: keys-path)
        keyspath "/var/lib/yadifa/keys"

        # The path of the transfer and journaling files (AXFR & IXFR) (alias: xfr-path)
        xfrpath "/var/lib/yadifa/xfr"

        # A string returned by a query of hostname. CH TXT
        # note: if you leave this out, the real hostname will be given back (alias: hostname-chaos)
        hostname "server-yadifad"

        # An ID returned by a query to id.server. CH TXT (alias: serverid-chaos)
        serverid "yadifad-01"

        # The version returned by a query to version.yadifa. CH TXT (alias: version-chaos)
        version "2.2.2"

        # Set the maximum UDP packet size.
        # note: the packetsize cannot be less than 512 or more than 65535.
        # Typical choice is 4096.
        edns0-max-size 4096

        # The maximum number of parallel TCP queries (alias: max-tcp-connections)
        max-tcp-queries 100

        # The minimum data rate for a TCP query (in bytes per second)
        tcp-query-min-rate 512

        # The user id to use (alias: user)
        uid yadifa

        # The group id to use (alias: group)
        gid yadifa

        # The DNS port - any DNS query will use that port unless a specific value is used (alias: server-port)
        port 53

        # The interfaces to listen to.
        # listen 0.0.0.0
        listen 127.0.0.1, 192.0.2.2, 192.0.2.130 port 8053, 2001:db8::2

        # Type of querylog to use
        # 0: none
        # 1: yadifa
        # 2: bind
        # 3: both yadifa and bind
        queries-log-type 1

        # Enable the collection and logging of statistics
        statistics on

        # Maximum number of seconds between two statistics lines
        statistics-max-period 60

        # Drop queries with erroneous content
        #
        # answer-formerr-packets on
        answer-formerr-packets off

        # Maximum number of records in an AXFR packet. Set to 1 for compatibility
        # with very old name servers (alias: axfr-max-record-by-packet)
        axfr-maxrecordbypacket 0

        # Global Access Control rules
        #
        # Rules can be defined on network ranges, TSIG signatures, and ACL rules

        # simple queries:
        #
        # allow-query any
        allow-query !192.0.2.251,any

        # dynamic update of a zone
        #
        # allow-update none
        allow-update admins

        # dynamic update of a slave (forwarded to the master)
        #
        # allow-update-forwarding none
        allow-update-forwarding admins,key abroad-admin-key

        # transfer of a zone (AXFR or IXFR)
        #
        # allow-transfer any
        allow-transfer transferer

        # notify of a change in the master
        #
        # allow-notify any
        allow-notify master,admins

        # If YADIFA has the controller enabled, allow control only for these
        # clients (none by default)
        allow-control localhost

        # overwrite the amount of CPUs detected by yadifad
        cpu-count-override 3

        # set the number of threads to serve queries
        thread-count-by-address 2
    </main>

The hostname, serverid and version CHAOS answers are what a remote scanner sees; setting them to fixed strings keeps the real hostname and yadifad version out of responses. The allow-* lines in <main> are global defaults; a <zone> container can set its own allow-update, allow-transfer and allow-notify (see the zone examples below). Keep allow-update and allow-transfer restricted to an ACL entry; 'any' on either of them lets every client rewrite or download the zone.
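To make the container grammar concrete, and to turn the allow-* advice above into something that can be checked before a restart, here is an added reader for this file format together with an audit that flags allow-update, allow-update-forwarding, allow-transfer and allow-control directives set to 'any'. This is example code written for this page, not part of YADIFA. The configuration text it parses is constructed for the example; treating the first word of a line as the variable name and splitting the rest on commas into values is an assumption about the grammar (the man page only says a variable takes 1 or 2 arguments that may hold comma separated values); include directives are not followed.

```python
"""Reader for the yadifad.conf container syntax plus an ACL sanity check.

Example code written for this page; it is not part of YADIFA. Assumptions:
the first word of a line is the variable name and the rest of the line is its
argument string, which is split on commas into values; 'include' is not
followed; containers do not nest.
"""
import re
from collections import defaultdict

# Constructed sample configuration (not taken from a real deployment).
SAMPLE_CONF = """
<main>
    # global defaults
    allow-query     any
    allow-update    none
    allow-transfer  transferer
    allow-control   localhost
    listen          127.0.0.1, 192.0.2.2, 192.0.2.130 port 8053, 2001:db8::2
</main>

<acl>
    transferer  key master-slave
    admins      192.0.2.0/24, 2001:db8::74
    localhost   127.0.0.0/8, ::1
</acl>

<zone>
    type            master
    domain          mydomain.eu
    file            "master/mydomain.eu"
    allow-update    admins
    allow-transfer  transferer
</zone>

<zone>
    type            master
    domain          sloppy.example   # anyone may update and transfer this one
    file            "master/sloppy.example"
    allow-update    any
    allow-transfer  any
</zone>
"""

OPEN_TAG = re.compile(r"^<([A-Za-z0-9_-]+)>$")
CLOSE_TAG = re.compile(r"^</([A-Za-z0-9_-]+)>$")

# Directives that grant write or read-everything access; 'any' here is a finding.
SENSITIVE_ACLS = ("allow-update", "allow-update-forwarding",
                  "allow-transfer", "allow-control")


def strip_comment(line):
    """Remove a '#' comment, unless the '#' is inside a double-quoted string."""
    quoted = False
    for i, ch in enumerate(line):
        if ch == '"':
            quoted = not quoted
        elif ch == "#" and not quoted:
            return line[:i]
    return line


def parse_conf(text):
    """Return [(container_name, {variable: [values]})] in file order.

    Repeated containers (several <zone>) stay separate entries; a variable
    repeated inside one container accumulates its values.
    """
    containers = []
    current = None
    for raw in text.splitlines():
        line = strip_comment(raw).strip()
        if not line:
            continue
        m = OPEN_TAG.match(line)
        if m:
            if current is not None:
                raise ValueError("container <%s> opened inside <%s>" % (m.group(1), current[0]))
            current = (m.group(1), defaultdict(list))
            continue
        m = CLOSE_TAG.match(line)
        if m:
            if current is None or current[0] != m.group(1):
                raise ValueError("unexpected </%s>" % m.group(1))
            containers.append((current[0], dict(current[1])))
            current = None
            continue
        if current is None:
            raise ValueError("directive outside any container: %r" % line)
        parts = line.split(None, 1)
        args = parts[1] if len(parts) > 1 else ""
        values = [v.strip().strip('"') for v in args.split(",") if v.strip()]
        current[1][parts[0]].extend(values)
    if current is not None:
        raise ValueError("container <%s> never closed" % current[0])
    return containers


def audit_acls(containers):
    """List (scope, directive) pairs where a sensitive ACL is set to 'any'.

    scope is the zone's domain, or 'main' for the global defaults.
    """
    findings = []
    for name, variables in containers:
        if name not in ("main", "zone"):
            continue
        scope = variables.get("domain", ["main"])[0]
        for directive in SENSITIVE_ACLS:
            if any(v.lower() == "any" for v in variables.get(directive, [])):
                findings.append((scope, directive))
    return findings


if __name__ == "__main__":
    for scope, directive in audit_acls(parse_conf(SAMPLE_CONF)):
        print("%s: %s is open to any client" % (scope, directive))
```

Run against the constructed configuration, the audit reports the second zone twice (allow-update and allow-transfer) and nothing for <main> or the first zone; allow-query is deliberately not checked because 'any' is the normal setting for an authoritative server.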
Key

TSIG-key configuration

1. Admin-key key definition (the name is arbitrary)

    <key>
        name        abroad-admin-key
        algorithm   hmac-md5
        secret      WorthlessKeyForExample==
    </key>

2. Master-slave key definition

    <key>
        name        master-slave
        algorithm   hmac-md5
        secret      MasterAndSlavesTSIGKey==
    </key>

The secrets shown are placeholders. A real secret is a base64 string generated from a cryptographically secure random source and not shared between unrelated peers; hmac-md5 is shown for compatibility with older peers, prefer one of the hmac-sha* algorithms when both ends support it.
ACL

Access Control List definitions

1. Master-slave key use

    <acl>
        transferer  key master-slave
        admins      192.0.2.0/24, 2001:db8::74
        master      192.0.2.53
        localhost   127.0.0.0/8, ::1
    </acl>

'transferer' is a key-based entry: a request matches it only when it is signed with the master-slave TSIG key, whereas 'admins', 'master' and 'localhost' match on the source address alone.
NSID

DNS NameServer IDentifier

1. Example with ascii

    <nsid>
        ascii belgium-brussels-01
    </nsid>

2. Example with hex

    <nsid>
        hex 00320201
    </nsid>
RRL

Response Rate Limiting

    <rrl>
        # Number of identical responses per second before responses are being limited
        responses-per-second 5

        # Number of errors per second before responses are being limited
        errors-per-second 5

        # Random slip parameter
        slip 10

        # If enabled, the rate limits are only logged and not enforced
        log-only off

        # Mask applied to group the IPv4 clients
        ipv4-prefix-length 24

        # Mask applied to group the IPv6 clients
        ipv6-prefix-length 56

        # Rate limits are not subject to the following clients (aka whitelist)
        exempt-clients none

        # Enable or disable the rate limit capabilities
        enabled yes
    </rrl>

With slip 10, roughly one in ten rate-limited responses is sent back truncated instead of being dropped, so a legitimate client behind the limited prefix can retry over TCP. Use log-only on to measure the effect of the thresholds before enforcing them.
Zone

1. Master domain zone config

    <zone>
        # This server is master for the zone (mandatory)
        type master

        # The domain name (mandatory)
        domain mydomain.eu

        # The zone file, relative to 'datapath' (mandatory for a master) (alias: file-name)
        file master/mydomain.eu

        # List of servers also notified of a change (beside the ones in the zone file) (alias: notifies, notify)
        also-notify 192.0.2.84, 192.0.2.149

        # Set the size of the journal file in KB (alias: journal-size-kb)
        journal-size 8192

        # Allow dynupdate for these ACL entries
        allow-update admins

        # Allow AXFR/IXFR for these ACL entries
        allow-transfer transferer

        # Use DNSSEC policies; otherwise remove or comment out the line below
        dnssec-policy 1
    </zone>

2. Slave domain zone config

    <zone>
        # This server is slave for that zone (mandatory)
        type slave

        # The domain name (mandatory)
        domain myotherdomain.eu

        # The address of the master (mandatory for a slave, forbidden for a master) (alias: master)
        masters 192.0.2.53 port 4053 key master-slave

        # The zone file, relative to 'datapath'.
        file slaves/myotherdomain.eu

        # Accept notifies from these ACL entries
        allow-notify master
    </zone>

The 'key master-slave' part of the masters line makes the slave sign its transfer requests with that TSIG key, which is what the master's 'allow-transfer transferer' (an ACL entry of 'key master-slave') requires.
DNSSEC-Policy

DNSSEC-Policy needs some extra sections: key-suite, key-roll, key-template (and denial if NSEC3 is configured)

1. dnssec-policy example with all the needed sections

example with NSEC3

    <dnssec-policy>
        id          "1"
        description "Example of ZSK and KSK"
        denial      "nsec3-with-salt-on"
        key-suite   "zsk-1024"
        key-suite   "ksk-2048"
    </dnssec-policy>

example with NSEC

    <dnssec-policy>
        id          "2"
        description "Example of ZSK and KSK"
        denial      nsec
        key-suite   "zsk-1024"
        key-suite   "ksk-2048"
    </dnssec-policy>

2. key-suite

    <key-suite>
        id           "ksk-2048"
        key-template "ksk-2048"
        key-roll     "key-roll-ksk-2048-short-times"
    </key-suite>

    <key-suite>
        id           "zsk-1024"
        key-template "zsk-1024"
        key-roll     "key-roll-zsk-1024-short-times"
    </key-suite>

3. key-roll

    <key-roll>
        id "key-roll-ksk-2048-short-times"
        # command   minutes  hours  day  month  day-week  week
        generate    5,35     *      *    *      *         *
        publish     6,36     *      *    *      *         *
        activate    7,37     *      *    *      *         *
        inactive    8,38     *      *    *      *         *
        remove      12,42    *      *    *      *         *
    </key-roll>

    <key-roll>
        id "key-roll-zsk-1024-short-times"
        # command   minutes  hours  day  month  day-week  week
        generate    5,35     *      *    *      *         *
        publish     6,36     *      *    *      *         *
        activate    7,37     *      *    *      *         *
        inactive    8,38     *      *    *      *         *
        remove      12,42    *      *    *      *         *
    </key-roll>

The "short-times" schedules above roll a new key every 30 minutes with one-minute steps, which is only useful for demonstrating the mechanism. A production schedule needs the publish-to-activate and inactive-to-remove gaps to exceed the zone's TTLs plus propagation time, and a KSK roll additionally needs time for the DS record at the parent to be updated before the old key goes inactive.

4. key-template

    <key-template>
        id        "ksk-2048"
        ksk       true
        algorithm 8
        size      2048
    </key-template>

    <key-template>
        id        "zsk-1024"
        ksk       false
        algorithm 8
        size      1024
    </key-template>

Algorithm 8 is RSASHA256. A 1024-bit RSA ZSK is at the bottom of what is still accepted; for production use 2048 bits unless the short roll period above is really kept.

5. denial

    <denial>
        id         "nsec3-with-salt-on"
        salt       "ABCD"
        algorithm  1
        iterations 5
        optout     off
    </denial>

    <denial>
        id          "nsec3-with-salt-length-on"
        salt-length 4
        algorithm   1
        iterations  5
        optout      off
    </denial>

Keep iterations low: every additional NSEC3 iteration costs the signer and every validator extra hashing without adding security, and current operational guidance is 0 extra iterations. Opt-out should stay off unless the zone is a large delegation-only zone, since it removes proof of non-existence for unsigned delegations.
Channels

Logging output-channel configurations:

The "name" is arbitrary and is used in the <loggers>.
The "stream-name" defines the output type (ie: a file name or syslog).
The "arguments" are specific to the output type (ie: unix file access rights or syslog options and facilities).

1. Example: YADIFA running as daemon channel definition.

    <channels>
        # name        stream-name      arguments
        database      database.log     0644
        dnssec        dnssec.log       0644
        server        server.log       0644
        statistics    statistics.log   0644
        system        system.log       0644
        queries       queries.log      0644
        zone          zone.log         0644
        all           all.log          0644
        syslog        syslog           user
    </channels>

A mode of 0644 leaves the log files world-readable; if query logs (which record client addresses) are considered sensitive on the host, use 0640 instead.

2. Example: YADIFA running in debug mode.

This example shows the "stderr" and "stdout" channels, which can also be used in the first example but write to the console.

    <channels>
        # name        stream-name      arguments
        syslog        syslog           user
        stderr        STDERR
        stdout        STDOUT
    </channels>
Loggers

Logging input configurations:

The "bundle" name is predefined: database, dnssec, server, statistics, system, zone, queries.
The "debuglevel" uses the same names as syslog or "*" or "all" to filter the input.
The "channels" are a comma-separated list of channels.

1. Example without syslog

    <loggers>
        # bundle     debuglevel                          channels
        database     ALL                                 database,all
        dnssec       warning                             dnssec,all
        server       INFO,WARNING,ERR,CRIT,ALERT,EMERG   server,all
        statistics   *                                   statistics
        system       *                                   system,all
        queries      *                                   queries
        zone         *                                   zone,all
    </loggers>

2. Example with syslog

    <loggers>
        # bundle     debuglevel                          channels
        database     ALL                                 database,syslog
        dnssec       warning                             dnssec,syslog
        server       INFO,WARNING,ERR,CRIT,ALERT,EMERG   server,syslog
        stats        *                                   statistics, syslog
        system       *                                   system,syslog
        queries      *                                   queries,syslog
        zone         *                                   zone,syslog
    </loggers>
The defined loggers are:

    system      contains low level messages about the system such as memory allocation, threading, IOs, timers and cryptography, ...
    database    contains messages about most lower-level operations in the DNS database (ie: journal, updates, zone loading and sanitization, DNS message query resolution, ...)
    dnssec      contains messages about lower-level dnssec operations in the DNS database (ie: status, maintenance, verification, ...)
    server      contains messages about operations in the DNS server (ie: start up, shutdown, configuration, transfers, various services status (database management, network management, DNS notification management, dynamic update management, resource rate limiting, ...))
    zone        contains messages about the loading of a zone from a source (file parsing, transferred binary zone reading, ...)
    stats       contains the statistics of the server.
    queries     contains the queries on the server.

Queries can be logged with the BIND and/or with the YADIFA format.

BIND format:

    client sender-ip#port: query: fqdn class type +SETDC (listen-ip)

YADIFA format:

    query [ id ] {+SETDC} fqdn class type (sender-ip#port)

where:

    id          is the query message id
    +           means the message has the Recursion Desired flag set
    S           means the message is signed with a TSIG
    E           means the message is EDNS
    T           means the message was sent using TCP instead of UDP
    D           means the message has the DNSSEC OK flag set
    C           means the message has the Checking Disabled flag set
    fqdn        is the queried FQDN
    class       is the queried class
    type        is the queried type
    sender-ip   is the IP of the client that sent the query
    port        is the port of the client that sent the query
    listen-ip   is the listen network interface that received the message

Note that on YADIFA any unset flag is replaced by a '-', on BIND only the '+' follows that rule.
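Because the two formats render unset flags differently (six fixed positions in the YADIFA format, absent letters in the BIND format), a tool that processes the queries log has to handle both. The following added example, written for this page and not part of YADIFA, parses constructed lines in both formats into one record shape and then applies a check an operator of an authoritative server wants: which source addresses send many ANY queries over UDP, the reflection shape that <rrl> exists to throttle. The "date | logger | level |" prefix on some of the sample lines is an assumption about how a channel prefixes messages; the parser searches for the query message instead of anchoring at the start of the line, so any prefix is ignored.

```python
"""Parse yadifad query-log lines in the YADIFA and BIND formats.

Example code written for this page; it is not part of YADIFA. The lines in
SAMPLE_LOG are constructed, and the "date | logger | level |" prefix on some
of them is an assumption about channel output, which is why the patterns are
searched rather than anchored.
"""
import re
from collections import Counter

# Flag letters in the order the man page lists them: +SETDC
FLAG_NAMES = {
    "+": "RD",    # Recursion Desired
    "S": "TSIG",  # message is signed with a TSIG
    "E": "EDNS",  # message carries EDNS
    "T": "TCP",   # received over TCP instead of UDP
    "D": "DO",    # DNSSEC OK
    "C": "CD",    # Checking Disabled
}

# YADIFA: query [ id ] +SETDC fqdn class type (sender-ip#port)
# Every unset flag is printed as '-', so the flag field is exactly six characters.
YADIFA_RE = re.compile(
    r"query \[\s*(?P<id>\d+)\s*\] (?P<flags>[+\-][S\-][E\-][T\-][D\-][C\-]) "
    r"(?P<fqdn>\S+) (?P<qclass>\S+) (?P<qtype>\S+) \((?P<ip>[^#\s]+)#(?P<port>\d+)\)"
)
# BIND: client sender-ip#port: query: fqdn class type +SETDC (listen-ip)
# Only '+' has a '-' form; other unset flags are simply absent.
BIND_RE = re.compile(
    r"client (?P<ip>[^#\s]+)#(?P<port>\d+): query: (?P<fqdn>\S+) (?P<qclass>\S+) "
    r"(?P<qtype>\S+) (?P<flags>[+\-][SETDC]*) \((?P<listen>[^)\s]+)\)"
)

# Constructed sample log; three ANY queries from one UDP source plus a BIND-format
# copy of the same traffic, a signed AXFR over TCP, and a line that is not a query.
SAMPLE_LOG = """\
2016-12-15 10:00:01.000 | queries | I | query [ 4242 ] +-E-D- www.mydomain.eu. IN A (192.0.2.10#53211)
2016-12-15 10:00:02.000 | queries | I | query [ 4243 ] -SET-- mydomain.eu. IN AXFR (192.0.2.53#40123)
query [ 4244 ] +-E-D- mydomain.eu. IN ANY (203.0.113.7#1024)
query [ 4245 ] +-E-D- mydomain.eu. IN ANY (203.0.113.7#1024)
query [ 4246 ] +-E-D- mydomain.eu. IN ANY (203.0.113.7#1024)
client 203.0.113.7#1024: query: mydomain.eu. IN ANY +ED (192.0.2.2)
client 192.0.2.77#51000: query: ns1.mydomain.eu. IN AAAA - (192.0.2.2)
this line is not a query and is skipped
"""


def parse_query_line(line):
    """Return a record dict for one query-log line, or None if it is not one."""
    fmt, m = "yadifa", YADIFA_RE.search(line)
    if m is None:
        fmt, m = "bind", BIND_RE.search(line)
    if m is None:
        return None
    d = m.groupdict()
    return {
        "format": fmt,
        "id": int(d["id"]) if d.get("id") else None,   # BIND lines carry no id
        "fqdn": d["fqdn"],
        "qclass": d["qclass"],
        "qtype": d["qtype"],
        "client_ip": d["ip"],
        "client_port": int(d["port"]),
        "listen_ip": d.get("listen"),                  # YADIFA lines carry no listen-ip
        "flags": {FLAG_NAMES[c] for c in d["flags"] if c in FLAG_NAMES},
    }


def parse_log(text):
    """Parse every line of a log; lines that are not queries are dropped."""
    records = (parse_query_line(line) for line in text.splitlines())
    return [r for r in records if r is not None]


def udp_any_sources(records, threshold):
    """Client IPs that sent at least `threshold` ANY queries over UDP.

    Large ANY answers to a spoofed UDP source are the classic amplification
    pattern; a source that trips this check is a candidate for <rrl> tuning
    or for an allow-query exclusion.
    """
    counts = Counter(
        r["client_ip"] for r in records
        if r["qtype"].upper() == "ANY" and "TCP" not in r["flags"]
    )
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for r in recs:
        print(r["format"], r["client_ip"], r["qtype"], sorted(r["flags"]))
    print("UDP ANY sources:", udp_any_sources(recs, 3))
```

The flag set is normalised to the same names for both formats, so downstream logic never has to know whether a line came from queries-log-type 1 or 2. The AXFR line shows why the TSIG and TCP flags are worth keeping: an unsigned AXFR, or one arriving over UDP, is a misconfigured or hostile transfer attempt, and the same records make that a one-line filter.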
System operators will mostly be interested in the info and above messages of queries and stats, as well as the error and above messages of the other loggers.
NOTES
Since unquoted leading whitespace is generally ignored in the yadifad.conf you can indent everything to taste.
CHANGES
Please check the file ChangeLog from the sources.
VERSION
Version: 2.2.3 of 2016-12-15.
MAILING LISTS
There exists a mailinglist for questions relating to any program in the yadifa package:

    yadifa-users [at] mailinglists.yadifa.eu
        for submitting questions/answers.

    http://www.yadifa.eu/mailing-list-users
        for subscription requests.

If you would like to stay informed about new versions and official patches send a subscription request via:
(this is a readonly list).
LICENSE AND COPYRIGHT
Copyright (C)2012-2016, EURid
B-1831 Diegem, Belgium
info [at] yadifa.eu
AUTHORS
Gery Van Emelen
Email: Gery.VanEmelen [at] EURid.eu
Eric Diaz Fernandez
Email: Eric.DiazFernandez [at] EURid.eu
WWW: http://www.EURid.eu