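#
# Example yakeyrolld configuration file.
#
# NOTE(review): every value below (paths, server, secret, policy names) is an
# example placeholder to be replaced for a real deployment. The <key> section
# carries a TSIG secret, so this file should only be readable by the account
# yakeyrolld runs under.
#

<yakeyrolld>
    domain example.eu

    # This MUST point into yadifa's keys directory.
    # Only one key path is supported, one path per zone handling can be implemented if needed

    keys-path "/usr/local/var/zones/keys"
    plan-path "/usr/local/var/plans"
    log-path "/usr/local/var/log/yakeyrolld"

    # Account the daemon runs as; matches the yadifad account in this example.
    uid yadifad
    gid yadifad

    # Planning window: generate keys starting now and plan one year ahead.
    generate-from "now"
    generate-until "+1y"

    # yadifad instance to talk to, and the dnssec-policy (defined below)
    # applied to the zone.
    server 127.0.0.1
    policy "primary-policy"
</yakeyrolld>

#
# TSIG Key configuration
#
# name, algorithm and secret must match the key configured on the yadifad
# server above. The secret here is an example value only: generate a fresh
# random secret for a real deployment and keep it out of version control.
# hmac-md5 is kept in this example for compatibility with older setups;
# prefer a SHA-2 based HMAC (e.g. hmac-sha256) where yadifad supports it —
# confirm the accepted algorithm names against the yadifad documentation.
#

<key>
    name primary-secondary
    algorithm hmac-md5
    secret PrimaryAndSecondaryKey==
</key>

# Log channels: <name> <file> <mode>. The third field appears to be the file
# creation mode; 0644 makes the logs world-readable, tighten it if they may
# contain zone or key details.
<channels>
    dnssec dnssec.log 0644
    system system.log 0644
    keyroll keyroll.log 0644
    all all.log 0644
</channels>

# Loggers: <source> <level> <channel[,channel...]>
<loggers>
    system prod system
    dnssec prod dnssec
    keyroll prod keyroll,all
</loggers>

################################################################################
################################################################################
###
### POLICIES
###
################################################################################
################################################################################

<dnssec-policy>

    # name of the 'dnssec-policy'

    id "primary-policy"
    description "primary zone policy"

    # at least one: key-suite "name"
    # they define KSK & ZSK keys

    key-suite "zsk-2048"
    key-suite "ksk-2048"
</dnssec-policy>

<key-suite>
    # name of the key-suite

    id "zsk-2048"
    key-template "zsk-rsa-sha512-2048"
    key-roll "monthly-calendar"
</key-suite>

<key-suite>
    # name of the key-suite

    id "ksk-2048"
    key-template "ksk-rsa-sha512-2048"

    key-roll "yearly-calendar"
</key-suite>

<key-template>
    id "zsk-rsa-sha512-2048"
    algorithm RSASHA512
    # The original example used 1024 here, which contradicted both the
    # template name and the "zsk-2048" suite; 1024-bit RSA is also below
    # current guidance for DNSSEC keys.
    size 2048
</key-template>

<key-template>
    id "ksk-rsa-sha512-2048"
    # ksk 1 marks this template as a Key Signing Key.
    ksk 1
    algorithm RSASHA512
    size 2048
</key-template>

#
# Quick note about how the scheduler computes times.
#
# The calendar triggers events in this order: Generates, publishes, activates, de-activates, removes.
# The scheduling always arranges so the de-activation occurs at or after the next scheduled activation.
# So if generate, publish and activate are relative to each other, inactive is relative to the activate of the next key.
#
# Field order, as used below: minute hour day month weekday week
# (week index is 0-based within the month: 0 = first, 1 = second).
#

<key-roll>
    id "yearly-calendar"

    generate 11 10 * 1 mon 1 # January, Monday of the second week at 10:11
    publish 11 10 * 1 tue * # following Tuesday at 10:11
    activate 11 10 * 1 wed * # following Wednesday at 10:11
    inactive 11 10 * 1 mon * # following Monday, a year after, at 10:11
    remove 11 10 * 1 wed * # following Wednesday at 10:11
</key-roll>

<key-roll>
    id "monthly-calendar"

    generate 17 10 * * mon 0 # 1st Monday of the month at 10:17
    publish 17 10 * * tue * # following Tuesday at 10:17
    activate 17 10 * * wed * # following Wednesday at 10:17
    inactive 17 10 * * wed * # following Wednesday at 10:17 (one week after the activation)
    remove 17 10 * * thu * # following Thursday at 10:17
</key-roll>

<key-roll>
    id "weekly-calendar"

    generate 0 9 * * mon * # Monday at 09:00
    publish 0 8 * * tue * # Tuesday at 08:00
    activate 0 6 * * wed * # Wednesday at 06:00
    inactive 0 6 * * wed * # Wednesday at 06:00 (next Wednesday, if >06:00 the Wednesday in two weeks)
    remove 0 12 * * fri * # Friday at 12:00
</key-roll>
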