yadifad.conf
#
# Example yadifa configuration file.
#
# NOTE(review): paths under /tmp, port 1053, the "fuzz" account and chroot
# off all read as a local test layout; the notes below mark what to revisit
# before reusing this file as a production template.
<main>
# Detach from the console
daemon off
# Jail the application
# NOTE(review): off here. Enabling it confines the process to a directory,
# so the paths below must then exist inside that jail -- confirm how the
# jail directory is configured for this build before turning it on.
chroot off
# The path where all the log files will be written
logpath "/tmp/yadifa/logs"
# The location of the pid file
pidfile "/tmp/yadifa/yadifad.pid"
# The path where all zone files will be written
datapath "/tmp/zones"
# The path where the DNSSEC keys are found
# NOTE(review): private signing keys live here; the directory should be
# owned by the service account below and not be readable by other users.
keyspath "/tmp/zones/keys"
# The path where the transfer and journaling files will be written (AXFR & IXFR)
xfrpath "/tmp/zones/xfr"
# A string returned by a query of hostname. CH TXT (note if you leave this out, the real hostname will be given back)
hostname "server-yadifad"
# An ID returned by a query to id.server. CH TXT
serverid "yadifad-01"
# The version returned by a query to version.yadifa. CH TXT
# NOTE(review): hostname and serverid above are fixed strings, but this
# still publishes the exact software version to anyone who asks; set a
# neutral value if version disclosure is not wanted.
version "2.2.5"
# Set the maximum UDP packet size. Cannot be less than 512. Cannot be more than 65535. Typical choice is 4096.
edns0-max-size 4096
# The maximum number of parallel TCP queries.
max-tcp-queries 100
# The user id to use (an integer can be used)
# NOTE(review): the service runs as this unprivileged account; it must
# exist on the host and own logpath/datapath/keyspath/xfrpath above.
user fuzz
# The group id to use (an integer can be used)
group fuzz
# The DNS port. Any DNS query will be made using that port unless a specific value is used.
# NOTE(review): 1053 is a non-standard (unprivileged) port; resolvers on the
# public side only reach port 53.
port 1053
# The interfaces to listen to.
# NOTE(review): 0.0.0.0 binds every IPv4 interface and only an IPv4
# wildcard is listed; name the specific addresses meant to serve DNS.
listen 0.0.0.0
# Enable the collection and logging of statistics
statistics on
# Choose the query log format (0 for none, 1 for YADIFA, 2 for BIND compatible, 3 for YADIFA and BIND)
queries-log-type 1
# Drop queries with erroneous content
# answer-formerr-packets on
# Maximum number of records in an AXFR packet. Set to one for compatibility
# with very old name servers
# axfr-maxrecordbypacket 0
# Global Access Control List rules.
#
# Rules can be defined on network ranges, TSIG signatures, and ACL rules
# (named ACLs are declared in an <acl> section; a commented-out example
# appears further down in this file).
# simple queries:
# NOTE(review): "any" is the expected setting for an authoritative server.
allow-query any
# dynamic update of a zone
allow-update none
# transfer of a zone (AXFR or IXFR)
# NOTE(review): update, transfer and notify are all closed globally, which
# is the safe default; secondaries then get a per-zone allow-transfer bound
# to a TSIG key or network ACL instead of a global "any".
allow-transfer none
# notify of a change in the master
allow-notify none
# If YADIFA has the controller enabled, allow control only for these clients (none by default)
# allow-control controller
</main>
# If YADIFA has NSID support (default)
# The NSID string (RFC 5001) is returned to any client that requests it via
# EDNS, so it should be an identifier that is safe to publish.
<nsid>
ascii "yadifad example NSID"
# alternatively, a hexadecimal format can be used
# hex 79616469666164206578616d706c65204e5349440a
</nsid>
# If YADIFA has the controller enabled (needs to have been configured at build using --enable-ctrl)
<control>
# enable the controller
# NOTE(review): the controller is switched on here while allow-control in
# <main> is left commented out; per that comment no client is allowed by
# default, so this presumably has no effect until a control ACL is named
# there. When one is added, prefer a key-based rule (see the commented
# "controller key ..." line in the <acl> example) over a plain address.
enabled true
</control>
# If YADIFA has been compiled with the Response Rate Limiter (default)
# RRL limits how many answers a (prefix-masked) client gets per second and
# is the usual defence against this server being used as a reflector.
<rrl>
# enable the RRL
enabled true
# don't actually limit the response rate, only log what the filter would do
# NOTE(review): false means limits are enforced; running with true first
# shows in the logs which clients would be affected before enforcing.
log_only false
# how many responses per second are allowed for a (masked with the prefix) client
responses_per_second 5
# how many errors per second are allowed for a (masked with the prefix) client
errors_per_second 5
# window of time in which the rates are measured, expressed in seconds
window 15
# every "slip" dropped answers, a truncated answer may randomly be given so the client can ask again using TCP
slip 2
# the minimum size of the table storing (masked with the prefix) clients
min_table_size 1024
# the maximum size of the table storing (masked with the prefix) clients
max_table_size 16384
# IPv4 clients are masked with this prefix
ipv4_prefix_length 24
# IPv6 clients are masked with this prefix
ipv6_prefix_length 56
# the list of IP/networks (Access Control List) not impacted by the RRL
# NOTE(review): with "none", trusted resolvers and monitoring probes are
# rate-limited like everyone else; name an ACL here if that matters.
exempted none
</rrl>
#
# Logging output channels configurations
#
# name stream-name arguments
#
# name is arbitrary
# stream-name defines the output type (ie: a file name or syslog)
# arguments is specific to the output type (ie: unix file access rights or syslog options and facilities)
#
# NOTE(review): only syslog, stderr and stdout are active below; every file
# channel is commented out. The <loggers> section further down still refers
# to the file channel names (database, all, statistics, queries, ...), so
# either uncomment the channels needed there or point the loggers at one of
# the three active channels.
<channels>
# name stream-name arguments
# database database.log 0644
# dnssec dnssec.log 0644
# server server.log 0644
# statistics statistics.log 0644
# system system.log 0644
# zone zone.log 0644
# queries queries.log 0644
# all all.log 0644
syslog syslog USER,CRON,PID
# although possible, these two do not make much sense if daemon is enabled
# (daemon is off in <main> above, so they are usable here)
stderr STDERR
stdout STDOUT
</channels>
# Logging input configurations
#
# name debug-level channels
#
# name is predefined
# debuglevel uses the same names as syslog or * or all to filter the input
# channels is a comma-separated list of channels
# In production, use EMERG,ALERT,CRIT,ERR,WARNING,NOTICE,INFO instead of *
#
# NOTE(review): the channels referenced here (database, dnssec, server,
# statistics, system, zone, queries, all) are not defined in <channels>
# above, where only syslog, stderr and stdout are active. Confirm how
# yadifad treats an undefined channel; if it is silently ignored, query and
# dnssec logs -- the ones needed for incident review -- are lost.
# "prod" presumably stands for the production level list in the comment
# above; verify against the documentation for this version.
<loggers>
# bundle debuglevel channels
database prod database,all
dnssec prod dnssec,all
server prod server,all
stats prod statistics
system prod system,all
zone prod zone,all
queries prod queries
</loggers>
#
# TSIG Key configuration
#
# NOTE(review): the secret below is a published example value, not a key.
# Generate a fresh random secret per peer, keep it out of this shared file
# (the keys.conf line below suggests the intended location, with its own
# file permissions) and give each peer its own key so one can be rotated
# without touching the others.
# HMAC-MD5 is the legacy TSIG algorithm; RFC 8945 recommends HMAC-SHA256.
# Confirm which algorithm names this build accepts before changing the line.
#include "keys.conf"
<key>
name master-slave
algorithm hmac-md5
secret MasterAndSlavesTSIGKey==
</key>
#
# Access Control List definitions
#
# Meant to be used in access lists parameters (allow-*)
# arbitrary-name comma-separated-list
#
# An ACL entry can be a TSIG key name ("key <name>") or a list of
# addresses/networks; key-based entries are the ones to use for transfers
# and control, since source addresses alone are easy to spoof over UDP.
#<acl>
# transferer key master-slave
# admins 192.0.2.0/24, 2001:db8::74
# master 192.0.2.53
# controller key abroad-admin-key
#</acl>
#
# Master domain zone config
#
# Loopback zones: served locally, never transferred or updated. The allow-*
# lines repeat the <main> defaults explicitly so a later change of the
# global defaults cannot open these zones by accident.
<zone>
type master
domain localhost
file masters/localhost.
allow-transfer none
allow-update none
allow-update-forwarding none
</zone>
# IPv6 loopback forward zone; same closed allow-* settings as localhost.
<zone>
type master
domain localhost6
file masters/localhost6.
allow-transfer none
allow-update none
allow-update-forwarding none
</zone>
# Reverse zone for 127.0.0.0/8 (IPv4 loopback); closed to transfer/update.
<zone>
type master
domain 0.0.127.in-addr.arpa
file masters/0.0.127.in-addr.arpa.
allow-transfer none
allow-update none
allow-update-forwarding none
</zone>
# Reverse zone for ::1 (IPv6 loopback); closed to transfer/update.
<zone>
type master
domain 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa
file masters/0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa.
allow-transfer none
allow-update none
allow-update-forwarding none
</zone>
# Example signed master zone.
<zone>
# This server is master for that zone (mandatory)
type master
# The domain name (mandatory)
domain somedomain.eu.
# The zone file, relative to 'datapath'. (mandatory for a master)
file masters/somedomain.eu.
# Signing policy, declared in a <dnssec-policy> section below.
# NOTE(review): no allow-transfer/allow-update here, so the <main> defaults
# (none) presumably apply; when secondaries are added, grant transfer to a
# key-based ACL for this zone rather than widening the global rule.
dnssec-policy "normal-policy"
</zone>
################################################################################
################################################################################
###
### POLICIES
###
################################################################################
################################################################################
# A dnssec-policy ties a denial-of-existence scheme to one or more key
# suites; zones reference it by id (see "dnssec-policy" in <zone> above).
<dnssec-policy>
# name of the 'dnssec-policy'
id "normal-policy"
description "Example of a policy with ZSK and KSK"
# denial nsec|"nsec3-parameters-section-name"
# can be the keyword 'nsec' or the 'id | name' of a 'denial' section
# NOTE(review): "nsec3-fixed" below uses a static salt and extra hash
# iterations; see the notes on that <denial> section.
denial "nsec3-fixed"
# at least one: key-descriptor "name"
# they define KSK & ZSK keys
# NOTE(review): "zsk-1024" resolves to a 1024-bit RSA template, which is
# below current key-length guidance; prefer the 2048-bit ZSK template for
# anything beyond a test zone.
key-suite "zsk-1024"
key-suite "ksk-2048"
</dnssec-policy>
# Policy with daily ZSK / weekly KSK rolls (see the *-fast-roll key suites).
<dnssec-policy>
# name of the 'dnssec-policy'
id "fast-roll-policy"
description "Fast rolling policy"
# Plain NSEC: simpler and cheaper to sign, but it lets anyone enumerate the
# zone's names by walking the chain; acceptable when the zone contents are
# public anyway, otherwise use an NSEC3 denial section.
denial "nsec"
key-suite "zsk-1024-fast-roll"
key-suite "ksk-2048-fast-roll"
</dnssec-policy>
# A key-suite pairs a key template (algorithm/size/role) with a roll
# schedule; the key-roll ids refer to the <key-roll> sections at the end.
<key-suite>
# name of the key-suite
id "zsk-1024-fast-roll"
# NOTE(review): 1024-bit template; see the key-template notes.
key-template "zsk-rsa-sha256-1024"
# optional, without it, the keys found in the storage are used
key-roll "daily-diary"
</key-suite>
# KSK suite for the fast-roll policy: 2048-bit RSA, rolled weekly.
# NOTE(review): every KSK roll needs the new DS published at the parent
# before the old key goes inactive; a weekly cadence only works with an
# automated DS update path.
<key-suite>
# name of the key-suite
id "ksk-2048-fast-roll"
key-template "ksk-rsa-sha256-2048"
# optional, without it, the keys found in the storage are used
key-roll "weekly-diary"
</key-suite>
# ZSK suite used by "normal-policy": 1024-bit RSA, rolled monthly.
# NOTE(review): 1024-bit template; see the key-template notes.
<key-suite>
# name of the key-suite
id "zsk-1024"
key-template "zsk-rsa-sha256-1024"
# optional, without it, the keys found in the storage are used
key-roll "monthly-diary"
</key-suite>
# KSK suite used by "normal-policy": 2048-bit RSA, rolled yearly (the DS at
# the parent must be updated as part of that roll).
<key-suite>
# name of the key-suite
id "ksk-2048"
key-template "ksk-rsa-sha256-2048"
# optional, without it, the keys found in the storage are used
key-roll "yearly-diary"
</key-suite>
######################################################
# Key templates: algorithm, modulus size and role (ksk flag) of generated
# keys. NOTE(review): 1024-bit RSA is below current key-length guidance;
# keep the 1024-bit templates for tests only and use 2048-bit elsewhere.
<key-template>
id "zsk-rsa-sha512-1024"
algorithm RSASHA512
size 1024
</key-template>
# ZSK, RSA/SHA-512, 2048-bit.
<key-template>
id "zsk-rsa-sha512-2048"
algorithm RSASHA512
size 2048
</key-template>
# ZSK, RSA/SHA-256, 1024-bit (test use only -- see the note above).
<key-template>
id "zsk-rsa-sha256-1024"
algorithm RSASHA256
size 1024
</key-template>
# ZSK, RSA/SHA-256, 2048-bit.
<key-template>
id "zsk-rsa-sha256-2048"
algorithm RSASHA256
size 2048
</key-template>
# KSK, RSA/SHA-512, 1024-bit (test use only -- see the note above).
<key-template>
id "ksk-rsa-sha512-1024"
# marks the template as a key-signing key
ksk 1
algorithm RSASHA512
size 1024
</key-template>
# KSK, RSA/SHA-512, 2048-bit.
<key-template>
id "ksk-rsa-sha512-2048"
# marks the template as a key-signing key
ksk 1
algorithm RSASHA512
size 2048
</key-template>
# KSK, RSA/SHA-256, 1024-bit (test use only -- see the note above).
<key-template>
id "ksk-rsa-sha256-1024"
# marks the template as a key-signing key
ksk 1
algorithm RSASHA256
size 1024
</key-template>
# KSK, RSA/SHA-256, 2048-bit (referenced by both ksk-2048 suites above).
<key-template>
id "ksk-rsa-sha256-2048"
# marks the template as a key-signing key
ksk 1
algorithm RSASHA256
size 2048
</key-template>
######################################################
# Denial-of-existence parameters referenced by dnssec-policy "denial".
# NOTE(review): RFC 9276 recommends NSEC3 with 0 additional iterations and
# an empty salt -- extra iterations add signing/validation cost without a
# real security gain, and some validators treat high iteration counts as
# insecure. 10 iterations with a random salt here is the legacy setting.
<denial>
type NSEC3
id "nsec3-random"
# presumably the salt length in bytes, regenerated per signing -- verify
salt-length 32
iterations 10
# can be 0 or 1, true or false, and on or off
# opt-out off is the right choice unless the zone has very many unsigned
# delegations; with opt-out on, unsigned names cannot be proven absent.
optout off
</denial>
# NSEC3 with a static salt; this is the denial used by "normal-policy".
# NOTE(review): a fixed salt gives no benefit over no salt (RFC 9276), and
# the 5 extra iterations only add cost; 0 iterations is the recommendation.
<denial>
type NSEC3
id "nsec3-fixed"
salt "BA5EBA11" # if nsec3-resalting is off
iterations 5 # the number of additional times the hash function has been performed
# can be 0 or 1, true or false, and on or off
optout off
</denial>
######################################################
# minutes hours days months weekdays weeks
# Absolute ("diary") schedules: each line is the moment of that key-state
# change. NOTE(review): for validation to keep working, a new key must be
# published at least one DNSKEY TTL before it is activated, and go inactive
# at least one TTL before it is removed, since resolvers may still cache the
# previous RRset; the example timings below have not been checked against
# any zone's TTLs.
<key-roll>
id "yearly-diary"
generate 5 0 15 6 * * # this year (2017) 15/06 at 00:05
publish 10 0 15 6 * * # 00:10
activate 15 0 16 6 * * # 16/06 at 00:15
# NOTE(review): as written the active window runs 16/06 00:15 to 17/06
# 00:15, which looks like a test timeline rather than a real yearly
# rotation -- confirm how the scheduler interprets it.
inactive 15 0 17 6 * * # (2017) 17/06 at 00:15
remove 15 11 18 6 * * # (2017) 18/06 at 11:15
</key-roll>
# Monthly roll keyed on the first week's weekdays (weeks column = 0).
<key-roll>
id "monthly-diary"
generate 5 0 * * tue 0 # 1st tuesday of the month at 00:05
publish 10 0 * * tue 0 # 00:10
activate 15 0 * * wed 0 # 1st wednesday of the month at 00:15
inactive 15 0 * * thu 0 # 1st thursday of the month at 00:15
remove 15 11 * * fri 0 # 1st friday of the month at 11:15
</key-roll>
# Weekly roll, all steps on Sunday; activate and inactive are both 00:35,
# so presumably each Sunday's key replaces the previous week's -- verify.
<key-roll>
id "weekly-diary"
generate 25 0 * * sun * # every sunday of the month at 00:25
publish 30 0 * * sun * # at 00:30
activate 35 0 * * sun * # at 00:35
inactive 35 0 * * sun * # at 00:35
remove 35 11 * * sun * # at 11:35
</key-roll>
# Daily roll; publish-to-activate is only five minutes, which is shorter
# than most DNSKEY TTLs -- suitable for test zones, check before reuse.
<key-roll>
id "daily-diary"
generate 5 0 * * * * # at 00:05
publish 10 0 * * * * # at 00:10
activate 15 0 * * * * # at 00:15
inactive 15 0 * * * * # at 00:15
remove 15 11 * * * * # at 11:15
</key-roll>
# Hourly roll (minute offsets only); a stress/test schedule.
<key-roll>
id "hourly-diary"
generate 1 * * * * *
publish 5 * * * * *
activate 10 * * * * *
inactive 15 * * * * *
remove 20 * * * * *
</key-roll>
# Half-hourly roll: two minute values per step; a stress/test schedule.
<key-roll>
id "half-hourly-diary"
generate 0,30 * * * * *
publish 1,31 * * * * *
activate 2,32 * * * * *
inactive 34,04 * * * * *
remove 38,08 * * * * *
</key-roll>
# Every step every minute: exercises the key-management code path only.
# Not a usable policy -- no pre-publish or retire period at all.
<key-roll>
id "insane-diary"
generate * * * * * *
publish * * * * * *
activate * * * * * *
inactive * * * * * *
remove * * * * * *
</key-roll>
# Relative schedules: each value is an offset from the previous state
# change. Suffix "d" is days; values without a suffix are presumably
# seconds -- confirm the unit in the documentation for this version.
<key-roll>
id "monthly-relative"
generate +31d
publish +60
activate +120
inactive +33d # must be bigger than generate, to avoid a gap
remove +1d
</key-roll>
# Relative stress schedule: publish/activate/remove with no delay (+0), so
# a key signs immediately after being published. Test use only; resolvers
# holding the previous DNSKEY RRset would fail to validate.
<key-roll>
id "insane-relative"
generate +60
publish +0
activate +0
inactive +60
remove +0
</key-roll>
# Same shape as "insane-relative" with a slightly longer cycle; still a
# test schedule (no pre-publish delay).
<key-roll>
id "less-insane-relative"
generate +120
publish +0
activate +0
inactive +160
remove +0
</key-roll>
######################################################