YAKEYROLLD(8)			    YADIFA			 YAKEYROLLD(8)

NAME
       YAKEYROLLD is a utility for generating a sequence of KSK and ZSK for a
       zone.

SYNOPSIS
       yakeyrolld command [argument]

DESCRIPTION
       The yakeyrolld program generates a sequence of KSK and ZSK for a zone,
       with all the steps of their lifecycles.

       yakeyrolld is part of the YADIFA distribution from EURid vzw/asbl. The
       latest version of YADIFA can be found on:
                            http://www.yadifa.eu/download

LIFECYCLE
       A lifecycle for a key has several steps:

       *      Time of creation

       *      Time of publication

       *      Time of activation

       *      Time of de-activation

       *      Time of un-publication.

       These times are determined using a cron-like schedule.

       For all these steps, it computes the following:

       *      The expected DNSKEY and RRSIG DNSKEY records on the master
              before the step is started

       *      The ZSK files to add

       *      The ZSK files to remove

       *      The DNSKEY and RRSIG DNSKEY records to add

       *      The DNSKEY and RRSIG DNSKEY records to remove

       *      The expected DNSKEY and RRSIG DNSKEY records on the DNS master
              after the step has been completed.

       Each step is stored as a file. The file contains fields like:

       epochus  An integer with the epoch of the step expressed in
                microseconds.

       dateus  A user-friendly date text matching the epochus field.

       actions  A list of actions expected to happen on the step
                (informational).

       debug  A text meant to help understand the step (informational).

       update  Each entry is a dynamic update command to be sent to the
               server.

       expect  Each entry defines one record expected to be in the zone on the
               server prior to executing the current step.

       endresult  Each entry defines one record expected to be in the zone on
                  the server after the step has been executed.

       add  Defines a key file to create in keys-path.

       del  Names a key file to delete from keys-path.
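       As an added illustration, not code from YADIFA or this man page, the
       following Python models how the step fields above are derived from key
       lifecycles: each step records the DNSKEY set expected before it
       (expect), the set after it (endresult) and the key files to add or
       delete, and check_plan verifies the chaining between consecutive steps
       that the daemon relies on when it compares the server against expect.
       The key file names, update strings and dates are constructed; activation
       and deactivation are recorded as actions only, since they change which
       key signs rather than the DNSKEY set.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from itertools import groupby
LIFECYCLE = ("created", "published", "activated", "deactivated", "unpublished")

@dataclass(frozen=True)
class Key:                 # one key with the five lifecycle times of the LIFECYCLE section
    tag: int
    kind: str              # "KSK" or "ZSK"
    created: datetime
    published: datetime
    activated: datetime
    deactivated: datetime
    unpublished: datetime

def build_plan(keys):
    """Derive ordered steps, using the man page's field names, from key lifecycles."""
    events = sorted(((getattr(k, t), t, k) for k in keys for t in LIFECYCLE),
                    key=lambda e: (e[0], e[1]))
    published, steps = set(), []       # tags currently in the zone as DNSKEY
    for when, group in groupby(events, key=lambda e: e[0]):
        step = {"epochus": int(when.timestamp() * 1_000_000),
                "dateus": when.isoformat(), "actions": [], "update": [],
                "expect": sorted(published), "add": [], "del": []}
        for _, what, k in group:
            step["actions"].append(f"{what} {k.kind} {k.tag}")
            if what == "created":        # key file appears in keys-path (name constructed)
                step["add"].append(f"K{k.tag}.{k.kind.lower()}.key")
            elif what == "published":    # DNSKEY and its RRSIG pushed by dynamic update
                published.add(k.tag)
                step["update"].append(f"add DNSKEY tag={k.tag} ({k.kind})")
            elif what == "unpublished":  # DNSKEY withdrawn, key file removed
                published.discard(k.tag)
                step["update"].append(f"del DNSKEY tag={k.tag} ({k.kind})")
                step["del"].append(f"K{k.tag}.{k.kind.lower()}.key")
        step["endresult"] = sorted(published)
        steps.append(step)
    return steps

def check_plan(steps):
    """Consistency check: each step's expect must equal the previous step's endresult."""
    return all(a["endresult"] == b["expect"] for a, b in zip(steps, steps[1:]))

def sample_plan():
    """Constructed data: a ZSK and its successor, pre-published one day ahead."""
    t = lambda s: datetime.fromisoformat(s).replace(tzinfo=timezone.utc)
    days1 = ["2021-01-01", "2021-01-01", "2021-01-02", "2021-02-01", "2021-02-02"]
    days2 = ["2021-01-31", "2021-01-31", "2021-02-01", "2021-03-01", "2021-03-02"]
    return build_plan([Key(11111, "ZSK", *map(t, days1)), Key(22222, "ZSK", *map(t, days2))])
```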

COMMANDS
       --help|-h  Shows the help

       --version|-V  Prints the version of the software

       --config|-c configfile  Sets the configuration file to use

       --mode|-m generate | play | playloop | print | print-json  Sets the
              program mode

       --domain fqdn  The domain name

       --path|-p directory  The directory where to store the keys

       --server|-s address  The address of the server

       --ttl|-t seconds  The TTL to use for both DNSKEY and RRSIG records

       --explain  Prints the planned schedule

       --reset  Start by removing all the keys and create a new KSK and a new
              ZSK. The server will not be queried.

       --policy  Name of the policy to use

       --from time  The lower time bound covered by the plan (default: now)

       --until time  The upper time bound covered by the plan (default: +1y)

       --dryrun  Do not write files to disk, do not send updates to the server

       --wait  Wait for yadifad to answer before starting to work (default)

       --nowait  Do not wait for yadifad to answer before starting to work

       --daemon  Daemonise the program for supported modes (default)

       --nodaemon  Do not daemonise the program

       --noconfirm  Do not ask for confirmation before doing a data reset

USAGE
       The yakeyrolld daemon writes key files in the yadifad keys directory
       and pushes DNSKEY and RRSIG records with a dynamic update.
       Zones managed by the keyroll need to have the rrsig-nsupdate-allowed
       setting enabled (<zone> section).
       In generation mode, the daemon needs access to both the plan and the
       private keys directory.
       For all other modes, the private keys directory is ignored.
       When no generation is being done, the private keys should not be kept
       on the machine; keep an encrypted backup of them in a safe place.

       Initialisation
              Destroys all current data that could exist and starts from
              nothing. Creates all the steps of the rolls for the next two
              years. Creates all the private keys in a separate directory.
              The directory that contains the private key files is required
              for this command as private keys will be added.

              yakeyrolld -m generate --until +1y --reset

       Renewal
              In order to extend a plan further, simply do another generation.
              The operation loads the current plan, extends it to cover the
              new limit date and saves the updated version back on disk.
              Previously stored private keys may be used to generate
              signatures and new private keys may be added.
              Because of this, the directory that contains the private key
              files is required for this command.

              yakeyrolld -m generate --until +1y

       Plan calendar
              Details of the current plan can be printed on stdout using:

              yakeyrolld -m print

              The output format of that command isn't meant to be parsed by a
              program.

              For a script, use instead:

              yakeyrolld -m print-json

       Daemon
              To start rolling the keys and pushing them to the server, use:

              yakeyrolld -m playloop

FILES
       ${SYSCONFDIR}/yakeyrolld.conf
              The default yakeyrolld configuration file.

       yakeyrolld.conf.5
              Configuration man page for yakeyrolld.

SEE ALSO
       yakeyrolld.conf(5)

REQUIREMENTS
       OpenSSL
              yakeyrolld requires OpenSSL version 1.1.1 or later.

CHANGES
       Please check the ChangeLog file from the source code.

VERSION
       Version: 2.4.1 of 2020-12-09.

MAILINGLIST
       There is a mailing list for questions relating to any program in the
       yadifa package:

       *      yadifa-users@mailinglists.yadifa.eu
              for submitting questions/answers.

       *      http://www.yadifa.eu/mailing-list-users
              for subscription requests.

       If you would like to stay informed about new versions and official
       patches, send a subscription request via:

       *      http://www.yadifa.eu/mailing-list-announcements

       (this is a read-only list).

LICENSE AND COPYRIGHT
       Copyright
              (C)2011-2020, EURid
              B-1831 Diegem, Belgium
              info@yadifa.eu

AUTHORS
       Gery Van Emelen
       Email: Gery.VanEmelen@EURid.eu
       Eric Diaz Fernandez
       Email: Eric.DiazFernandez@EURid.eu

       WWW: http://www.EURid.eu

YAKEYROLLD			  2020-12-09			 YAKEYROLLD(8)
