YAKEYROLLD is a utility for generating a sequence of KSK and ZSK for a zone.
yakeyrolld command [argument]
The yakeyrolld program generates a sequence of KSK and ZSK for a zone, with all the steps of their lifecycles.
yakeyrolld is part of the YADIFA distribution from EURid vzw/asbl. The latest version of YADIFA can be found on:
http://www.yadifa.eu/download
A lifecycle for a key has several steps:
* Time of creation
* Time of publication
* Time of activation
* Time of de-activation
* Time of un-publication.
These times are determined using a cron-like schedule.
For all these steps, it computes the following:
* The expected DNSKEY and RRSIG DNSKEY records on the primary before the step is started
* The ZSK files to add
* The ZSK files to remove
* The DNSKEY and RRSIG DNSKEY records to add
* The DNSKEY and RRSIG DNSKEY records to remove
* The expected DNSKEY and RRSIG DNSKEY records on the DNS primary after the step has been completed.
Each step is stored as a file. The file contains fields like:
epochus    An integer with the epoch of the step expressed in microseconds.
dateus     A user-friendly date text matching the epochus field.
actions    A list of actions expected to happen on the step (informational).
debug      A text meant to help understand the step (informational).
update     Each entry is a dynamic update command to be sent to the server.
expect     Each entry defines one record expected to be in the zone on the server prior to executing the current step.
endresult  Each entry defines one record expected to be in the zone on the server after the step has been executed.
add        Defines a key file to create in keys-path.
del        Names a key file to delete from keys-path.
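The step computation described above (lifecycle times grouped into steps, each with an expected DNSKEY set before, the update to apply, the key files to add or delete, and the expected set after) can be modelled in a few lines. The following is an added illustration, not code from yakeyrolld: key names, times and the shape of the update entries are constructed, and the consistency check at the end is the invariant a plan must satisfy (each step expects exactly what the previous one left in the zone).

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

@dataclass(frozen=True)
class Key:
    name: str          # constructed key name, e.g. "zsk1"
    kind: str          # "KSK" or "ZSK"
    created: int       # lifecycle times, constructed, in seconds
    published: int
    activated: int
    deactivated: int
    unpublished: int

@dataclass
class Step:
    epochus: int                                        # step time in microseconds
    actions: List[str] = field(default_factory=list)    # informational
    expect: List[str] = field(default_factory=list)     # DNSKEY names before the step
    update: List[str] = field(default_factory=list)     # simplified update commands
    endresult: List[str] = field(default_factory=list)  # DNSKEY names after the step
    add: List[str] = field(default_factory=list)        # key files to create
    delete: List[str] = field(default_factory=list)     # key files to remove ("del")

PHASES = ("created", "published", "activated", "deactivated", "unpublished")

def build_plan(keys: List[Key]) -> List[Step]:
    """Group every key's lifecycle events by time and derive one step per time."""
    events: Dict[int, List[Tuple[str, Key]]] = {}
    for k in keys:
        for phase in PHASES:
            events.setdefault(getattr(k, phase), []).append((phase, k))
    steps, zone = [], set()                 # zone = DNSKEY names currently published
    for t in sorted(events):
        s = Step(epochus=t * 1_000_000, expect=sorted(zone))
        for phase, k in sorted(events[t], key=lambda e: e[1].name):
            s.actions.append(f"{k.kind} {k.name} {phase}")
            if phase == "created":          # private key file appears in keys-path
                s.add.append(f"{k.name}.private")
            elif phase == "published":      # DNSKEY pushed by dynamic update
                zone.add(k.name)
                s.update.append(f"add {k.name} DNSKEY")
            elif phase == "unpublished":    # DNSKEY removed, file no longer needed
                zone.discard(k.name)
                s.update.append(f"del {k.name} DNSKEY")
                s.delete.append(f"{k.name}.private")
        s.endresult = sorted(zone)
        steps.append(s)
    return steps

def plan_is_consistent(steps: List[Step]) -> bool:
    """Each step must expect exactly what the previous step left in the zone."""
    return all(b.expect == a.endresult for a, b in zip(steps, steps[1:]))

# Constructed sample: one KSK and two overlapping ZSKs (zsk2 is pre-published before zsk1 retires).
SAMPLE_KEYS = [Key("ksk1", "KSK", 0, 10, 20, 1000, 1100),
               Key("zsk1", "ZSK", 0, 10, 20, 120, 140),
               Key("zsk2", "ZSK", 100, 110, 120, 220, 240)]
```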
--help|-h
    Shows the help
--version|-V
    Prints the version of the software
--config|-c configfile
    Sets the configuration file to use
--mode|-m generate | play | playloop | print | print-json
    Sets the program mode
--domain fqdn
    The domain name
--path|-p directory
    The directory where to store the keys
--server|-s address
    The address of the server
--ttl|-t seconds
    The ttl to use for both dnskey and rrsig records
--explain
    prints the planned schedule
--reset
    start by removing all the keys and create a new KSK and a new ZSK. The server will not be queried.
--policy
    Name of the policy to use
--from time
    The lower time bound covered by the plan (now)
--until time
    The upper time bound covered by the plan (+1y)
--dryrun
    Do not write files to disk, do not send updates to the server
--wait
    Wait for yadifad to answer before starting to work (default)
--nowait
    Do not wait for yadifad to answer before starting to work
--daemon
    Daemonise the program for supported modes (default)
--nodaemon
    Do not daemonise the program
--noconfirm
    Do not ask for confirmation before doing a data reset
The yakeyrolld daemon writes key files in the yadifad keys directory and pushes DNSKEY and RRSIG records with a dynamic update.
Zones managed by the keyroll need to have the rrsig-nsupdate-allowed setting enabled (<zone> section).
In generation mode, the daemon needs access to both the plan and private keys directory.
For all other modes, the private keys directory is ignored.
When not doing any kind of generation, the private keys should not be kept on the machine; their encrypted backup should sit in a safe place.
Initialisation
Destroys all current data that could exist and starts from nothing. Creates all the steps of the rolls for the next two years. Creates all the private keys in a separate directory.
The directory that contains the private key files is required for this command as private keys will be added.
yakeyrolld -m generate --until +1y --reset
Renewal
In order to extend a plan further, simply do another generation.
The operation loads the current plan, extends it to cover the new limit date and saves the updated modified version back on disk.
Previously stored private keys may be used to generate signatures and new private keys may be added.
Because of this, the directory that contains the private key files is required for this command.
yakeyrolld -m generate --until +1y
Plan calendar
Details of the current plan can be printed on stdout using:
yakeyrolld -m print
The output format of that command isn't meant to be parsed by a program.
For a script, use instead:
yakeyrolld -m print-json
Daemon
To start rolling the keys and pushing them to the server, use:
yakeyrolld -m playloop
${SYSCONFDIR}/yakeyrolld.conf
The default yakeyrolld configuration file.
yakeyrolld.conf.5
Configuration man page for yakeyrolld.
yakeyrolld.conf(5)
OpenSSL
yakeyrolld requires OpenSSL version 1.1.1 or later.
Please check the ChangeLog file from the source code.
Version: 2.6.5 of 2023-09-06.
There is a mailing list for questions relating to any program in the yadifa package:
* yadifa−[email protected] for submitting questions/answers.
* http://www.yadifa.eu/mailing-list-users for subscription requests.
If you would like to stay informed about new versions and official patches, send a subscription request via:
* http://www.yadifa.eu/mailing-list-announcements (this is a read-only list).
Copyright (C) 2011-2023, EURid
B-1831 Diegem, Belgium
[email protected]
Gery Van Emelen
Email: [email protected]
Eric Diaz Fernandez
Email: [email protected]
WWW: http://www.EURid.eu