
# Server-wide settings for yadifad. The <zone> sections further down repeat
# the allow-* directives for each zone they serve.
<main>
daemon off                        # do not detach; NOTE(review): presumably run under a service supervisor — confirm
chroot on                         # confine the process; NOTE(review): confirm whether the paths below are resolved before or after the chroot
logpath "/var/log/yadifa"         # directory holding the log files named in <channels>
pidfile "/run/yadifa/yadifad.pid"
datapath "/var/lib/yadifa"        # the relative "file masters/..." entries in <zone> are presumably resolved under here
keyspath "/var/lib/yadifa/keys"   # DNSSEC key material lives here; keep it readable by uid/gid yadifa only
xfrpath "/var/lib/yadifa/xfr"     # storage used for zone transfers (presumably)
# Identity strings left unset; the EDNS NSID string is configured in <nsid> instead.
# hostname "server-yadifad"
# serverid "yadifad-01"
# version "2.2.0"
edns0-max-size 4096               # largest EDNS0 UDP payload handled/advertised (presumably)
max-tcp-queries 100               # TCP query cap; NOTE(review): per-connection vs total is not stated here — confirm
uid yadifa                        # account the server runs as (binding port 53 below needs privilege first)
gid yadifa
port 53
listen 0.0.0.0                    # all IPv4 addresses; no IPv6 listener is configured even though the controller ACL admits ::1
statistics on                     # feeds the "stats" logger in <loggers>
queries-log-type 1                # query-log format selector; the "queries" logger in <loggers> is commented out, so queries are not written anywhere
answer-formerr-packets off        # presumably: drop malformed packets instead of answering FORMERR
# axfr-maxrecordbypacket 0
# Global access policy: answer anyone (every zone in this file is type master),
# deny everything else unless a <zone> section re-opens it.
allow-query any
allow-update none
allow-transfer none               # solipsists.org re-opens this to an explicit address list in its <zone>
allow-notify none
allow-control controller          # control channel limited to the "controller" ACL (loopback only, see <acl>)
</main>
# EDNS NSID (presumably RFC 5001): the identity string returned when a client
# asks for it. Harmless to expose, but it is the only server identity given out
# since hostname/serverid/version are commented out in <main>.
<nsid>
ascii "ns1"
</nsid>
# Remote-control channel. Who may use it is decided by allow-control in
# <main>, which points at the "controller" ACL (loopback only).
<control>
enabled true
</control>
# Response Rate Limiting: caps how many responses a client prefix receives per
# second so the server is a poor reflection/amplification source.
<rrl>
enabled true
log_only false                # false: limits are enforced, not merely logged
responses_per_second 5        # ordinary answers, per client prefix (presumably)
errors_per_second 5           # same, for error responses
window 15                     # averaging window; unit not shown here, presumably seconds
slip 2                        # presumably: every 2nd dropped answer is sent truncated so genuine clients retry over TCP — confirm
min_table_size 1024           # bounds of the client-tracking table
max_table_size 16384
ipv4_prefix_length 24         # IPv4 clients are grouped per /24
# ipv6_prefix_length 56       # left at default; no IPv6 listener is configured in <main> anyway
exempted none                 # no ACL is exempt from limiting
</rrl>
# Log channels: <name> <file under logpath> <mode>, or a syslog/stream target.
# Every file is created 0644 (world-readable). NOTE(review): if the queries
# logger in <loggers> is ever enabled, queries.log will hold client addresses —
# consider a tighter mode for it.
<channels>
database database.log 0644
dnssec dnssec.log 0644
server server.log 0644
statistics statistics.log 0644
system system.log 0644
zone zone.log 0644
queries queries.log 0644      # defined but unused: no logger in <loggers> routes to it
all all.log 0644              # catch-all file that most loggers also write to
syslog syslog USER,CRON,PID   # syslog facilities/options (presumably)
stderr STDERR
stdout STDOUT
</channels>
# Log routing: <logger> <levels> <channels>. The explicit level lists stop at
# NOTICE, so INFO and DEBUG output from those subsystems is discarded.
<loggers>
database EMERG,ALERT,CRIT,ERR,WARNING,NOTICE database,all
dnssec EMERG,ALERT,CRIT,ERR,WARNING,NOTICE dnssec,all
server EMERG,ALERT,CRIT,ERR,WARNING,NOTICE server,all
stats * statistics                    # all levels; populated by "statistics on" in <main>
system EMERG,ALERT,CRIT,ERR,WARNING,NOTICE system,all
zone EMERG,ALERT,CRIT,ERR,WARNING,NOTICE zone,all
# queries * queries                   # query logging disabled; uncomment to write per-query records to queries.log
</loggers>
# TSIG keys are kept outside this file (keys.conf); the commented <key>/<acl>
# pair below is a template for a key-authenticated transfer setup.
# NOTE(review): the template names hmac-md5, a legacy TSIG algorithm; prefer a
# SHA-2 based HMAC for any real key, and keep the secret out of this file.
#include "keys.conf"
#<key>
# name master-slave
# algorithm hmac-md5
# secret MasterAndSlavesTSIGKey==
#</key>
#<acl>
# transferer key master-slave
# admins 192.0.2.0/24, 2001:db8::74
# master 192.0.2.53
# controller key abroad-admin-key
#</acl>
# Live ACLs: "controller" (referenced by allow-control in <main>) admits
# loopback only.
<acl>
controller 127.0.0.0/8, ::1
</acl>
# Loopback forward zone; local-only, so nothing is transferred, updated or
# forwarded for update.
<zone>
type master
domain localhost
file masters/localhost.zone          # presumably resolved under datapath from <main>
allow-transfer none
allow-update none
allow-update-forwarding none
</zone>
# Loopback reverse zone; local-only, same closed policy as the localhost zone.
<zone>
type master
domain 0.0.127.in-addr.arpa
file masters/0.0.127.in-addr.arpa.zone   # presumably resolved under datapath from <main>
allow-transfer none
allow-update none
allow-update-forwarding none
</zone>
# Public authoritative zone. Transfers are permitted to the listed secondaries
# only; dynamic updates are refused and not forwarded.
# NOTE(review): this allow-transfer list is address-based with no TSIG key, so
# a transfer peer is identified by its source address alone. The commented <acl>
# example above shows the "key <name>" form if the secondaries support TSIG.
# Keep the list in step with the zone's NS set so stale peers are removed.
<zone>
type master
domain solipsists.org
file masters/solipsists.org.zone     # presumably resolved under datapath from <main>
allow-transfer 96.126.96.118,172.104.125.227,172.104.165.223,139.162.176.183,45.56.110.60,45.79.215.191,176.58.103.36,185.70.105.134,114.142.160.48,118.89.221.146,217.182.128.77,54.36.54.14,85.17.15.147,129.232.222.82,145.239.149.66,145.239.2.154,145.239.1.3,91.90.42.178,164.132.206.84,66.11.121.31,174.128.229.130,163.172.35.98,104.219.168.143,174.128.229.131,37.228.129.89
allow-update none
allow-update-forwarding none
</zone>
# Signing policy. None of the <zone> sections in this file reference it —
# confirm where "normal-policy" is applied.
# NOTE(review): the ZSK suite is 1024-bit RSA, which is below current key-size
# guidance; a 2048-bit template ("zsk-rsa-sha256-2048") is already defined in
# this file. The "nsec3-fixed" denial uses a fixed salt and 5 extra iterations,
# whereas RFC 9276 recommends 0 iterations and an empty salt.
<dnssec-policy>
id "normal-policy"
description "Example of a policy with ZSK and KSK"
denial "nsec3-fixed"                 # NSEC3 with a fixed salt, see <denial> "nsec3-fixed"
key-suite "zsk-1024"                 # zone-signing key: template + roll schedule
key-suite "ksk-2048"                 # key-signing key: template + roll schedule
</dnssec-policy>
# ZSK suite: 1024-bit RSA/SHA-256 key rolled on the "monthly-diary" schedule.
# NOTE(review): 1024-bit RSA is below current guidance; "zsk-rsa-sha256-2048"
# exists in this file as a drop-in template.
<key-suite>
id "zsk-1024"
key-template "zsk-rsa-sha256-1024"
key-roll "monthly-diary"
</key-suite>
# KSK suite: 2048-bit RSA/SHA-256 key rolled on the "yearly-diary" schedule.
# A KSK roll also requires the DS record at the parent to be updated — not
# handled by anything in this file.
<key-suite>
id "ksk-2048"
key-template "ksk-rsa-sha256-2048"
key-roll "yearly-diary"
</key-suite>
# ZSK template: RSA/SHA-512, 1024-bit modulus. Not referenced by any suite here.
<key-template>
id "zsk-rsa-sha512-1024"
algorithm RSASHA512
size 1024
</key-template>
# ZSK template: RSA/SHA-512, 2048-bit modulus. Not referenced by any suite here.
<key-template>
id "zsk-rsa-sha512-2048"
algorithm RSASHA512
size 2048
</key-template>
# ZSK template: RSA/SHA-256, 1024-bit modulus. Used by suite "zsk-1024".
# NOTE(review): 1024-bit RSA is below current key-size guidance.
<key-template>
id "zsk-rsa-sha256-1024"
algorithm RSASHA256
size 1024
</key-template>
# ZSK template: RSA/SHA-256, 2048-bit modulus. Defined but not referenced by
# any suite in this file.
<key-template>
id "zsk-rsa-sha256-2048"
algorithm RSASHA256
size 2048
</key-template>
# KSK template: RSA/SHA-512, 1024-bit modulus. Not referenced by any suite here.
<key-template>
id "ksk-rsa-sha512-1024"
ksk 1                                # marks a key-signing key (presumably sets the SEP flag)
algorithm RSASHA512
size 1024
</key-template>
# KSK template: RSA/SHA-512, 2048-bit modulus. Not referenced by any suite here.
<key-template>
id "ksk-rsa-sha512-2048"
ksk 1                                # marks a key-signing key (presumably sets the SEP flag)
algorithm RSASHA512
size 2048
</key-template>
# KSK template: RSA/SHA-256, 1024-bit modulus. Not referenced by any suite here.
# NOTE(review): 1024-bit RSA is below current key-size guidance.
<key-template>
id "ksk-rsa-sha256-1024"
ksk 1                                # marks a key-signing key (presumably sets the SEP flag)
algorithm RSASHA256
size 1024
</key-template>
# KSK template: RSA/SHA-256, 2048-bit modulus. Used by suite "ksk-2048".
<key-template>
id "ksk-rsa-sha256-2048"
ksk 1                                # marks a key-signing key (presumably sets the SEP flag)
algorithm RSASHA256
size 2048
</key-template>
# NSEC3 denial with a generated salt. Not referenced by any policy in this file.
<denial>
type NSEC3
id "nsec3-random"
salt-length 32                       # length of the generated salt; unit not stated here, presumably bytes
iterations 10                        # extra hash iterations; RFC 9276 recommends 0
optout off                           # opt-out disabled: every delegation gets an NSEC3 record
</denial>
# NSEC3 denial with a fixed salt. Referenced by "normal-policy".
# NOTE(review): RFC 9276 recommends 0 extra iterations and an empty salt;
# neither adds meaningful protection and extra iterations cost validators CPU.
<denial>
type NSEC3
id "nsec3-fixed"
salt "BA5EBA11" # fixed salt, used if nsec3-resalting is off
iterations 5 # the number of additional times the hash function is performed
optout off # opt-out disabled: every delegation gets an NSEC3 record
</denial>
# Calendar-style roll used by the "ksk-2048" suite. Fields appear to be
# minute hour day month weekday <week-of-month?> — confirm against the
# yadifad.conf manual. The years in the comments are illustrative only.
<key-roll>
id "yearly-diary"
generate 5 0 15 6 * * # this year (2016) 15/06 at 00:05
publish 10 0 15 6 * * # 00:10
activate 15 0 16 6 * * # 16/06 at 00:15
inactive 15 0 17 6 * * # (2017) 17/06 at 00:15
remove 15 11 18 6 * * # (2017) 18/06 at 11:15
</key-roll>
# Calendar-style roll used by the "zsk-1024" suite: each step lands on the
# first weekday named, per the trailing 0 in the last field (presumably
# "first occurrence of the month" — confirm against the yadifad.conf manual).
<key-roll>
id "monthly-diary"
generate 5 0 * * tue 0 # 1 tuesday of the month at 00:05
publish 10 0 * * tue 0 # 00:10
activate 15 0 * * wed 0 # 1 wednesday of the month at 00:15
inactive 15 0 * * thu 0 # 1 thursday of the month at 00:15
remove 15 11 * * fri 0 # 1 friday of the month at 11:15
</key-roll>
# Weekly calendar-style roll; not referenced by any suite in this file.
# activate and inactive fire at the same minute, so inactive presumably applies
# to the previous key — confirm.
<key-roll>
id "weekly-diary"
generate 25 0 * * sun * # every sunday of the month at 00:25
publish 30 0 * * sun * # at 00:30
activate 35 0 * * sun * # at 00:35
inactive 35 0 * * sun * # at 00:35
remove 35 11 * * sun * # at 11:35
</key-roll>
# Daily calendar-style roll; not referenced by any suite in this file.
<key-roll>
id "daily-diary"
generate 5 0 * * * * # at 00:05
publish 10 0 * * * * # at 00:10
activate 15 0 * * * * # at 00:15
inactive 15 0 * * * * # at 00:15
remove 15 11 * * * * # at 11:15
</key-roll>
# Hourly calendar-style roll (minute offsets 1/5/10/15/20 past every hour);
# not referenced by any suite in this file.
<key-roll>
id "hourly-diary"
generate 1 * * * * *
publish 5 * * * * *
activate 10 * * * * *
inactive 15 * * * * *
remove 20 * * * * *
</key-roll>
# Twice-hourly calendar-style roll; not referenced by any suite in this file.
# NOTE(review): "04" and "08" are written with a leading zero — confirm the
# parser reads them as minutes 4 and 8.
<key-roll>
id "half-hourly-diary"
generate 0,30 * * * * *
publish 1,31 * * * * *
activate 2,32 * * * * *
inactive 34,04 * * * * *
remove 38,08 * * * * *
</key-roll>
# Every-minute roll, a stress/test schedule; not referenced by any suite here
# and not suitable for a production zone.
<key-roll>
id "insane-diary"
generate * * * * * *
publish * * * * * *
activate * * * * * *
inactive * * * * * *
remove * * * * * *
</key-roll>
# Relative roll: each step is an offset from the previous one. "d" suffixed
# values are days; the unit of bare numbers (+60, +120) is not shown here —
# confirm. Not referenced by any suite in this file.
<key-roll>
id "monthly-relative"
generate +31d
publish +60
activate +120
inactive +33d # must be bigger than generate, to avoid a gap
remove +1d
</key-roll>
# Relative stress/test roll with zero publish/activate/remove offsets; not
# referenced by any suite here and not suitable for a production zone.
<key-roll>
id "insane-relative"
generate +60
publish +0
activate +0
inactive +60
remove +0
</key-roll>
# Relative test roll; inactive (+160) exceeds generate (+120) so successive keys
# overlap rather than leaving a gap. Not referenced by any suite in this file.
<key-roll>
id "less-insane-relative"
generate +120
publish +0
activate +0
inactive +160
remove +0
</key-roll>