# ---------------------------------------------------------------------------
# <main>: server-wide settings for yadifad — process mode, filesystem paths,
# listener, and the default ACLs that <zone> sections may override.
# ---------------------------------------------------------------------------
<main>
# run in the foreground (no daemonization); the usual choice when a service
# manager supervises the process
daemon off
# confine the process to a chroot.
# NOTE(review): whether the paths below are resolved before or after the chroot
# is not visible in this file — confirm against the yadifad documentation.
chroot on
logpath "/var/log/yadifa"
pidfile "/run/yadifa/yadifad.pid"
datapath "/var/lib/yadifa"
# DNSSEC private key material; should be readable only by the uid/gid below
keyspath "/var/lib/yadifa/keys"
# zone-transfer (xfr) working directory — presumably journals/incoming AXFR data
xfrpath "/var/lib/yadifa/xfr"
# identity strings left at their built-in defaults
# hostname "server-yadifad"
# serverid "yadifad-01"
# version "2.2.0"
# EDNS0 UDP payload size.
# NOTE(review): 4096 is the classic value; the 2020 DNS flag day recommends
# 1232 to stay clear of IP fragmentation — consider lowering.
edns0-max-size 4096
# upper bound on concurrent TCP queries
max-tcp-queries 100
# run as this unprivileged user/group
uid yadifa
gid yadifa
port 53
# IPv4 wildcard only — no IPv6 listener is configured here, even though the
# 'controller' ACL below admits ::1.  NOTE(review): confirm IPv4-only is intended.
listen 0.0.0.0
statistics on
# format selector for the queries log channel (see <channels>); the meaning of
# the value 1 is defined by yadifad, not by this file
queries-log-type 1
# do not answer FORMERR to malformed packets — presumably they are dropped
answer-formerr-packets off
# axfr-maxrecordbypacket 0
# global ACL defaults: anyone may query; no dynamic update, zone transfer or
# NOTIFY is accepted unless a <zone> section below says otherwise
# (solipsists.org opens allow-transfer to its secondaries)
allow-query any
allow-update none
allow-transfer none
allow-notify none
# the control channel is reachable only from sources matching the
# 'controller' ACL defined in <acl> below
allow-control controller
</main>
# NSID (RFC 5001): identifier returned to clients that set the NSID EDNS option
<nsid>
ascii "ns1"
</nsid>
# control channel (remote administration); access is governed by allow-control
# in <main>, which points at the loopback-only 'controller' ACL
<control>
enabled true
</control>
# Response Rate Limiting: caps identical responses per client prefix so this
# authoritative server is a poor reflection/amplification source.
# Parameter meanings below follow the common RRL model; confirm against the
# yadifad documentation.
<rrl>
enabled true
# false = actually limit; true would only log what would have been limited
log_only false
responses_per_second 5
errors_per_second 5
# averaging window for the per-second rates — presumably in seconds
window 15
# every 2nd limited response is answered truncated (TC=1) instead of dropped,
# so legitimate clients can retry over TCP
slip 2
min_table_size 1024
max_table_size 16384
# IPv4 clients are bucketed per /24
ipv4_prefix_length 24
# ipv6_prefix_length 56
# no ACL is exempt from limiting
exempted none
</rrl>
# log channels: <name> <file> <mode>; files presumably live under logpath.
# NOTE(review): 0644 makes every log world-readable.  queries.log, if it is
# ever enabled in <loggers>, records client addresses — 0640 would be tighter.
<channels>
database database.log 0644
dnssec dnssec.log 0644
server server.log 0644
statistics statistics.log 0644
system system.log 0644
zone zone.log 0644
queries queries.log 0644
all all.log 0644
# syslog channel with the listed facility/option flags
syslog syslog USER,CRON,PID
stderr STDERR
stdout STDOUT
</channels>
# loggers: <subsystem> <levels> <channels>.  Each subsystem keeps NOTICE and
# above in its own file plus all.log; INFO and DEBUG are not listed, so they
# are not written.
<loggers>
database EMERG,ALERT,CRIT,ERR,WARNING,NOTICE database,all
dnssec EMERG,ALERT,CRIT,ERR,WARNING,NOTICE dnssec,all
server EMERG,ALERT,CRIT,ERR,WARNING,NOTICE server,all
# all statistics levels go to statistics.log
stats * statistics
system EMERG,ALERT,CRIT,ERR,WARNING,NOTICE system,all
zone EMERG,ALERT,CRIT,ERR,WARNING,NOTICE zone,all
# per-query logging is disabled; enabling it gives a query trail for incident
# investigation at the cost of I/O on a busy server
# queries * queries
</loggers>
# Disabled templates for TSIG keys and ACLs.  If keys.conf is used, it holds
# real secrets: keep it out of version control and readable only by the yadifa
# user.
#include "keys.conf"
#<key>
# name master-slave
# NOTE(review): the example algorithm is hmac-md5, which RFC 8945 no longer
# requires implementations to support; prefer hmac-sha256 when enabling this.
# algorithm hmac-md5
# secret MasterAndSlavesTSIGKey==
#</key>
# ACL examples: a key-based 'transferer', address-based 'admins' and 'master',
# and a key-based 'controller'
#<acl>
# transferer key master-slave
# admins 192.0.2.0/24, 2001:db8::74
# master 192.0.2.53
# controller key abroad-admin-key
#</acl>
# 'controller' ACL, referenced by allow-control in <main>: loopback only, so the
# control channel cannot be reached from the network
<acl>
controller 127.0.0.0/8, ::1
</acl>
# localhost forward zone: authoritative (master); zone file is presumably
# relative to datapath.  No transfer, update or update forwarding is allowed.
<zone>
type master
domain localhost
file masters/localhost.zone
allow-transfer none
allow-update none
allow-update-forwarding none
</zone>
# reverse zone for 127.0.0.0/8: authoritative (master), locked down like
# the localhost zone
<zone>
type master
domain 0.0.127.in-addr.arpa
file masters/0.0.127.in-addr.arpa.zone
allow-transfer none
allow-update none
allow-update-forwarding none
</zone>
# public zone served as master.  allow-transfer overrides the global 'none'
# with the secondaries' addresses.
# NOTE(review): an address-only transfer ACL does not authenticate the peer;
# the commented <key>/'transferer' example earlier in this file shows how to
# require a TSIG key instead of, or in addition to, source addresses.
<zone>
type master
domain solipsists.org
file masters/solipsists.org.zone
allow-transfer 96.126.96.118,172.104.125.227,172.104.165.223,139.162.176.183,45.56.110.60,45.79.215.191,176.58.103.36,185.70.105.134,114.142.160.48,118.89.221.146,217.182.128.77,54.36.54.14,85.17.15.147,129.232.222.82,145.239.149.66,145.239.2.154,145.239.1.3,91.90.42.178,164.132.206.84,66.11.121.31,174.128.229.130,163.172.35.98,104.219.168.143,174.128.229.131,37.228.129.89
allow-update none
allow-update-forwarding none
</zone>
# DNSSEC signing policy: NSEC3 denial with a fixed salt, a 1024-bit RSA ZSK and
# a 2048-bit RSA KSK.  None of the <zone> sections above reference this policy,
# as far as this file shows.
# NOTE(review): a 1024-bit RSA ZSK is below current practice (RSA >= 2048 or
# ECDSAP256SHA256); a 2048-bit template (zsk-rsa-sha256-2048) already exists
# below and could be wired into a suite instead.
<dnssec-policy>
id "normal-policy"
description "Example of a policy with ZSK and KSK"
denial "nsec3-fixed"
key-suite "zsk-1024"
key-suite "ksk-2048"
</dnssec-policy>
# key suite = key template + roll schedule; ZSK rolled on the monthly diary
<key-suite>
id "zsk-1024"
key-template "zsk-rsa-sha256-1024"
key-roll "monthly-diary"
</key-suite>
# KSK suite: 2048-bit RSA/SHA-256 key rolled on the yearly diary
<key-suite>
id "ksk-2048"
key-template "ksk-rsa-sha256-2048"
key-roll "yearly-diary"
</key-suite>
# ZSK template (no ksk flag): RSA/SHA-512, 1024 bits.
# NOTE(review): 1024-bit RSA is considered too short for new deployments.
<key-template>
id "zsk-rsa-sha512-1024"
algorithm RSASHA512
size 1024
</key-template>
# ZSK template: RSA/SHA-512, 2048 bits
<key-template>
id "zsk-rsa-sha512-2048"
algorithm RSASHA512
size 2048
</key-template>
# ZSK template: RSA/SHA-256, 1024 bits — the one used by the "zsk-1024" suite.
# NOTE(review): 1024-bit RSA is considered too short for new deployments.
<key-template>
id "zsk-rsa-sha256-1024"
algorithm RSASHA256
size 1024
</key-template>
# ZSK template: RSA/SHA-256, 2048 bits (currently unused by any suite)
<key-template>
id "zsk-rsa-sha256-2048"
algorithm RSASHA256
size 2048
</key-template>
# KSK template: RSA/SHA-512, 1024 bits.
# NOTE(review): 1024-bit RSA is considered too short, especially for a KSK.
<key-template>
id "ksk-rsa-sha512-1024"
# presumably marks generated keys as KSKs (SEP flag set)
ksk 1
algorithm RSASHA512
size 1024
</key-template>
# KSK template: RSA/SHA-512, 2048 bits
<key-template>
id "ksk-rsa-sha512-2048"
# presumably marks generated keys as KSKs (SEP flag set)
ksk 1
algorithm RSASHA512
size 2048
</key-template>
# KSK template: RSA/SHA-256, 1024 bits.
# NOTE(review): 1024-bit RSA is considered too short, especially for a KSK.
<key-template>
id "ksk-rsa-sha256-1024"
# presumably marks generated keys as KSKs (SEP flag set)
ksk 1
algorithm RSASHA256
size 1024
</key-template>
# KSK template: RSA/SHA-256, 2048 bits — the one used by the "ksk-2048" suite
<key-template>
id "ksk-rsa-sha256-2048"
# presumably marks generated keys as KSKs (SEP flag set)
ksk 1
algorithm RSASHA256
size 2048
</key-template>
# NSEC3 denial with a random 32-byte salt and 10 additional hash iterations.
# NOTE(review): RFC 9276 recommends iterations 0 and an empty salt — extra
# iterations raise the cost for validators without adding security.
<denial>
type NSEC3
id "nsec3-random"
salt-length 32
iterations 10
# no opt-out: every delegation is covered by an NSEC3 record
optout off
</denial>
# NSEC3 denial with a fixed salt; referenced by "normal-policy".
# NOTE(review): RFC 9276 recommends iterations 0 and an empty salt.
<denial>
type NSEC3
id "nsec3-fixed"
salt "BA5EBA11" # fixed salt, used only when nsec3-resalting is off
iterations 5 # number of additional times the hash function is applied
# no opt-out: every delegation is covered by an NSEC3 record
optout off
</denial>
# key roll on absolute cron-like dates.  From the inline comments the fields
# read: minute hour day month weekday <sixth field>; the sixth field's meaning
# is not visible here — confirm against the yadifad documentation.
# Phases: generate -> publish -> activate -> inactive -> remove.
<key-roll>
id "yearly-diary"
generate 5 0 15 6 * * # this year (2016) 15/06 at 00:05
publish 10 0 15 6 * * # 00:10
activate 15 0 16 6 * * # 16/06 at 00:15
inactive 15 0 17 6 * * # (2017) 17/06 at 00:15
remove 15 11 18 6 * * # (2017) 18/06 at 11:15
</key-roll>
# monthly ZSK roll, used by the "zsk-1024" suite: each phase runs on the first
# occurrence of the given weekday (the trailing 0 appears to select the first
# week of the month — confirm against the yadifad documentation)
<key-roll>
id "monthly-diary"
generate 5 0 * * tue 0 # 1st Tuesday of the month at 00:05
publish 10 0 * * tue 0 # 00:10
activate 15 0 * * wed 0 # 1st Wednesday of the month at 00:15
inactive 15 0 * * thu 0 # 1st Thursday of the month at 00:15
remove 15 11 * * fri 0 # 1st Friday of the month at 11:15
</key-roll>
# weekly roll: all phases on Sunday (unused by any suite in this file)
<key-roll>
id "weekly-diary"
generate 25 0 * * sun * # every Sunday of the month at 00:25
publish 30 0 * * sun * # at 00:30
activate 35 0 * * sun * # at 00:35
inactive 35 0 * * sun * # at 00:35
remove 35 11 * * sun * # at 11:35
</key-roll>
# daily roll (unused by any suite in this file)
<key-roll>
id "daily-diary"
generate 5 0 * * * * # at 00:05
publish 10 0 * * * * # at 00:10
activate 15 0 * * * * # at 00:15
inactive 15 0 * * * * # at 00:15
remove 15 11 * * * * # at 11:15
</key-roll>
# hourly roll: phases at minutes 1, 5, 10, 15 and 20 past every hour
# (unused by any suite in this file; suitable for testing rather than production)
<key-roll>
id "hourly-diary"
generate 1 * * * * *
publish 5 * * * * *
activate 10 * * * * *
inactive 15 * * * * *
remove 20 * * * * *
</key-roll>
# half-hourly roll: minute lists run each phase twice per hour
# (unused by any suite in this file; testing schedule)
<key-roll>
id "half-hourly-diary"
generate 0,30 * * * * *
publish 1,31 * * * * *
activate 2,32 * * * * *
inactive 34,04 * * * * *
remove 38,08 * * * * *
</key-roll>
# every phase every minute — a stress/test schedule, as its name suggests;
# not for production use
<key-roll>
id "insane-diary"
generate * * * * * *
publish * * * * * *
activate * * * * * *
inactive * * * * * *
remove * * * * * *
</key-roll>
# roll expressed as offsets from the previous phase: a "d" suffix is days,
# bare numbers are presumably seconds — confirm against the yadifad docs
<key-roll>
id "monthly-relative"
generate +31d
publish +60
activate +120
inactive +33d # must be larger than the generate interval to avoid a gap
remove +1d
</key-roll>
# relative test schedule: publish/activate/remove follow the previous phase
# immediately (+0); not for production use
<key-roll>
id "insane-relative"
generate +60
publish +0
activate +0
inactive +60
remove +0
</key-roll>
# relative test schedule with slightly longer intervals than "insane-relative";
# not for production use
<key-roll>
id "less-insane-relative"
generate +120
publish +0
activate +0
inactive +160
remove +0
</key-roll>