yadifad.conf(5) configuration file for yadifad(8).




The configuration of yadifad has several containers:


General container
TSIG keys
Access lists
NameServer IDentifier
Response Rate Limiting directives
Description of the domain name in specific attributes
Description of the logger outputs
Description of the loggers.

The configuration supports included files.
example: include /etc/yadifa/conf.d/local.conf

The configuration files can be nested.

The configuration consists of:

Container, which starts with <container name> and ends with </container name>
Variable name
1 or 2 arguments
Arguments can contain 1 or more comma-separated values.


# variable  argument
variable    value1  
# variable  argument1       argument2
variable    value1          value2
# variable  argument1
variable    value1,value2
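As an added example (not code from the man page or from YADIFA itself), the following Python reads the syntax just described: containers bracketed by <name> and </name>, '#' comment lines, and variables taking one or two whitespace-separated arguments whose values may be comma-separated. The sample configuration is constructed; an include directive is recorded as an ordinary statement and not followed.

```python
import shlex

# Constructed sample in the syntax described above (not a file shipped with
# YADIFA): <name>...</name> containers, '#' comments, one or two arguments.
SAMPLE = """\
<main>
    # Set the maximum UDP packet size.
    edns0-max-size    4096
</main>
<acl>
    transferer  key master-slave
    admins      2001:db8::74, 192.0.2.0/24
</acl>
"""

def split_arguments(rest):
    """Whitespace separates arguments, commas separate one argument's values."""
    args = []
    for token in shlex.split(rest):
        if args and (args[-1].endswith(',') or token.startswith(',')):
            args[-1] += token  # 'a, b' and 'a,b' are the same argument
        else:
            args.append(token)
    return [[v for v in arg.split(',') if v] for arg in args]

def parse(text):
    """Return {container: [(variable, arguments), ...]} in file order."""
    config, container = {}, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()  # leading whitespace is not significant
        if not line or line.startswith('#'):
            continue
        if line.startswith('<') and line.endswith('>'):
            tag = line[1:-1]
            if tag.startswith('/') and tag[1:] == container:
                container = None
            elif not tag.startswith('/') and container is None:
                container = tag
            else:  # nested container, or a closer that matches nothing
                raise ValueError(f'line {lineno}: unexpected {line}')
        elif container is None:
            raise ValueError(f'line {lineno}: statement outside a container')
        else:
            variable, *rest = line.split(None, 1)
            arguments = split_arguments(rest[0] if rest else '')
            config.setdefault(container, []).append((variable, arguments))
    if container is not None:
        raise ValueError(f'<{container}> is never closed')
    return config
```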


Examples of containers defined for a configuration file.

Config with includes

# start yadifad.conf <main> container
include /etc/yadifa/conf.d/local.conf
# end yadifad.conf <main> container

Main without includes

    # Detach from the console (alias: daemonize)
    daemon                  off
    # Jail the application
    chroot                  off
    # The path of the log files (alias: chroot-path)
    chrootpath              "/chroot/yadifad"
    # The path of the log files (alias: log-path)
    logpath                 "/var/log/yadifa"
    # The location of the pid file (alias: pid-file)
    pidfile                 "/var/run/yadifa/yadifad.pid"
    # The path of the zone files (alias: data-path)
    datapath                "/var/lib/yadifa"
    # The path of the DNSSEC keys (alias: keys-path)
    keyspath                "/var/lib/yadifa/keys"
    # The path of the transfer and journaling files (AXFR & IXFR) (alias: xfr-path)
    xfrpath                 "/var/lib/yadifa/xfr"
    # A string returned by a query of hostname. CH TXT 
    # note: if you leave this out, the real hostname will be given back (alias: hostname-chaos)
    hostname                "server-yadifad"
    # An ID returned by a query to id.server. CH TXT (alias: serverid-chaos)
    serverid                "yadifad-01"
    # The version returned by a query to version.yadifa. CH TXT (alias: version-chaos)
    version                 "2.1.6"
    # Set the maximum UDP packet size.  
    # note: the packetsize cannot be less than 512 or more than 65535.
    #       Typical choice is 4096.
    edns0-max-size          4096
    # The maximum number of parallel TCP queries (max-tcp-connections)
    max-tcp-queries         100
    # The minimum data rate for a TCP query (in bytes per second)
    tcp-query-min-rate      512
    # The user id to use (alias: user)
    uid                     yadifa
    # The group id to use (alias: group)
    gid                     yadifa
    # The DNS port - any DNS query will use that port unless a specific value is used (alias: server-port)
    port                    53
    # The interfaces to listen to.
    # listen
    listen        ,, port 8053, 2001:db8::2
    # Type of querylog to use
    #   0: none
    #   1: yadifa
    #   2: bind
    #   3: both yadifa and bind
    queries-log-type        1
    # Enable the collection and logging of statistics
    statistics              on
    # Maximum number of seconds between two statistics lines
    statistics-max-period   60
    # Drop queries with erroneous content
    # answer-formerr-packets on
    answer-formerr-packets  off
    # Maximum number of records in an AXFR packet. Set to 1 for compatibility
    # with very old name servers (alias: axfr-max-record-by-packet)
    axfr-maxrecordbypacket  0
    # Global Access Control rules
    # Rules can be defined on network ranges, TSIG signatures, and ACL rules
    # simple queries:
    # allow-query any
    allow-query             !,any
    # dynamic update of a zone
    # allow-update none
    allow-update            admins
    # dynamic update of a slave (forwarded to the master)
    # allow-update-forwarding   none
    allow-update-forwarding admins,key abroad-admin-key
    # transfer of a zone (AXFR or IXFR)
    # allow-transfer any
    allow-transfer          transferer
    # notify of a change in the master
    # allow-notify any
    allow-notify            master,admins
    # If YADIFA has the controller enabled, allow control only for these
    # clients (none by default)
    allow-control           localhost
    # overwrite the amount of CPUs detected by yadifad
    cpu-count-override 3
    # set the number of threads to serve queries
    thread-count-by-address 2

TSIG-key configuration

Admin-key key definition (the name is arbitrary)

        name        abroad-admin-key
        algorithm   hmac-md5
        secret      WorthlessKeyForExample==

Master-slave key definition

        name        master-slave
        algorithm   hmac-md5
        secret      MasterAndSlavesTSIGKey==

Access Control List definitions

Master-slave key use

        transferer  key master-slave
        admins, 2001:db8::74
        localhost, ::1

DNS NameServer IDentifier

Example with ascii

        ascii belgium-brussels-01

Example with hex

        hex 00320201

Response Rate Limiting

            # Number of identical responses per second before responses are being limited
            responses-per-second 5
            # Number of errors per second before responses are being limited
            errors-per-second 5
            # Random slip parameter
            slip 10
            # If enabled, the rate limits are only logged and not enforced
            log-only off
            # Mask applied to group the IPv4 clients
            ipv4-prefix-length 24
            # Mask applied to group the IPv6 clients
            ipv6-prefix-length 56
            # Rate limits are not subject to the following clients (aka whitelist)
            exempt-clients none
            # Enable or disable the rate limit capabilities
            enabled yes


Master domain zone config

        # This server is master for the zone (mandatory)
        type            master
        # The domain name (mandatory)
        domain          mydomain.eu
        # The zone file, relative to 'datapath'  (mandatory for a master) (alias: file-name)
        file            master/mydomain.eu
        # List of servers also notified of a change (beside the ones in the zone file) (alias: notifies, notify)
        # Set the size of the journal file in KB (alias: journal-size-kb)
        journal-size    8192 
        # Allow dynupdate for these ACL entries
        allow-update    admins
        # Allow AXFR/IXFR for these ACL entries
        allow-transfer  transferer

Slave domain zone config

        # This server is slave for that zone (mandatory)
        type            slave
        # The domain name (mandatory)
        domain          myotherdomain.eu
        # The address of the master (mandatory for a slave, forbidden for a master) (alias: master)
        masters port 4053 key master-slave
        # The zone file, relative to 'datapath'.
        file            slaves/myotherdomain.eu
        # Accept notifies from these ACL entries
        allow-notify    master


Logging output-channel configurations:

The "name" is arbitrary and is used in the <loggers>.
The "stream-name" defines the output type (i.e. a file name or syslog).
The "arguments" are specific to the output type (i.e. Unix file access rights, or syslog options and facilities).

Example: YADIFA running as daemon channel definition.

        #   name        stream-name     arguments
        database    database.log    0644
        dnssec      dnssec.log      0644
        server      server.log      0644
        statistics  statistics.log  0644
        system      system.log      0644
        queries     queries.log     0644
        zone        zone.log        0644
        all         all.log         0644
        syslog      syslog          user

Example: YADIFA running in debug mode.
This example shows the "stderr" and "stdout" channels, which can also be used in the first example but write to the console.

        #   name        stream-name     arguments
        syslog      syslog          user
        stderr      STDERR
        stdout      STDOUT


Logging input configurations:

The "bundle" name is predefined: database, dnssec, server, statistics, system, zone.
The "debuglevel" uses the same names as syslog, or "*" or "all", to filter the input.

The "channels" are a comma-separated list of channels.

Example without syslog

        #   bundle          debuglevel                          channels
        database        ALL                                 database,all
        dnssec          warning                             dnssec,all
        server          INFO,WARNING,ERR,CRIT,ALERT,EMERG   server,all
        statistics      *                                   statistics
        system          *                                   system,all
        queries         *                                   queries
        zone            *                                   zone,all

Example with syslog

        #   bundle          debuglevel                          channels
        database        ALL                                 database,syslog
        dnssec          warning                             dnssec,syslog
        server          INFO,WARNING,ERR,CRIT,ALERT,EMERG   server,syslog
        stats           *                                   statistics, syslog
        system          *                                   system,syslog
        queries         *                                   queries,syslog
        zone            *                                   zone,syslog

The defined loggers are:

system      contains low-level messages about the system such as memory allocation, threading, IOs, timers and cryptography, ...
database    contains messages about most lower-level operations in the DNS database, i.e. journal, updates, zone loading and sanitization, DNS message query resolution, ...
dnssec      contains messages about lower-level DNSSEC operations in the DNS database, i.e. status, maintenance, verification, ...
server      contains messages about operations in the DNS server, i.e. start up, shutdown, configuration, transfers, various services status (database management, network management, DNS notification management, dynamic update management, resource rate limiting, ...)
zone        contains messages about the loading of a zone from a source (file parsing, transferred binary zone reading, ...)
statistics  contains the statistics of the server.
queries     contains the queries on the server. Queries can be logged with the BIND and/or with the YADIFA format.

BIND format:

client sender-ip#port: query: fqdn class type +SETDC (listen-ip)

YADIFA format:

query [ id ] {+SETDC} fqdn class type (sender-ip#port)

id          is the query message id
+           means the message has the Recursion Desired flag set
S           means the message is signed with a TSIG
E           means the message is EDNS
T           means the message was sent using TCP instead of UDP
D           means the message has the DNSSEC OK flag set
C           means the message has the Checking Disabled flag set
fqdn        is the queried FQDN
class       is the queried class
type        is the queried type
sender-ip   is the IP of the client that sent the query
port        is the port of the client that sent the query
listen-ip   is the listen network interface that received the message

Note that in the YADIFA format any unset flag is replaced by a '-'; in the BIND format only the '+' follows that rule.
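As an added example (not part of the man page or of YADIFA), the following Python parses query-log lines in both formats above, decodes the +SETDC flag field, and groups clients by the same prefixes the Response Rate Limiting section uses (ipv4-prefix-length 24, ipv6-prefix-length 56) to show which group would exceed responses-per-second 5. The log lines are constructed, and counting queries per group only approximates RRL, which counts identical responses.

```python
import ipaddress
import re

# Constructed lines in the two formats documented above (not real yadifad
# output), taken to be one second of traffic: six from one /24, two others.
SAMPLE = """\
query [ 1a2b ] {+-E-D-} mydomain.eu IN SOA (192.0.2.10#5353)
query [ 1a2c ] {+-E-D-} mydomain.eu IN SOA (192.0.2.11#5353)
query [ 1a2d ] {+-E-D-} mydomain.eu IN SOA (192.0.2.12#5353)
query [ 1a2e ] {+-E-D-} mydomain.eu IN SOA (192.0.2.13#5353)
query [ 1a2f ] {+-E-D-} mydomain.eu IN SOA (192.0.2.14#5353)
query [ 1a30 ] {+-E-D-} mydomain.eu IN SOA (192.0.2.15#5353)
query [ 1a31 ] {+ST---} myotherdomain.eu IN AXFR (2001:db8::74#40123)
client 198.51.100.7#33000: query: www.mydomain.eu IN A +E (192.0.2.53)
"""

YADIFA_RE = re.compile(r'query \[\s*(?P<id>\S+)\s*\] \{(?P<flags>[+-][SETDC-]{5})\} '
                       r'(?P<fqdn>\S+) (?P<cls>\S+) (?P<type>\S+) \((?P<ip>[^#\s]+)#(?P<port>\d+)\)')
BIND_RE = re.compile(r'client (?P<ip>[^#\s]+)#(?P<port>\d+): query: (?P<fqdn>\S+) '
                     r'(?P<cls>\S+) (?P<type>\S+) (?P<flags>[+-][SETDC]*) \((?P<listen>[^)]*)\)')
FLAGS = {'+': 'RD', 'S': 'TSIG', 'E': 'EDNS', 'T': 'TCP', 'D': 'DO', 'C': 'CD'}

def decode_flags(field):
    """'+-E-D-' (YADIFA, '-' = unset) or '+E' (BIND, absent = unset) -> names."""
    return {FLAGS[c] for c in field if c in FLAGS}

def parse_query_log(text):
    """Yield one dict per recognised line; lines in neither format are skipped."""
    for line in text.splitlines():
        m = YADIFA_RE.match(line) or BIND_RE.match(line)
        if m:
            rec = m.groupdict()
            rec['flags'] = decode_flags(rec['flags'])
            yield rec

def rrl_bucket(ip, ipv4_prefix_length=24, ipv6_prefix_length=56):
    """Network a client falls in under the RRL prefix lengths used above."""
    addr = ipaddress.ip_address(ip)
    plen = ipv6_prefix_length if addr.version == 6 else ipv4_prefix_length
    return str(ipaddress.ip_network(f'{addr}/{plen}', strict=False))

def buckets_over_limit(text, responses_per_second=5):
    """Buckets whose query count in the sampled second exceeds the RRL
    threshold (an approximation: RRL itself counts identical responses)."""
    counts = {}
    for rec in parse_query_log(text):
        key = rrl_bucket(rec['ip'])
        counts[key] = counts.get(key, 0) + 1
    return {k: n for k, n in counts.items() if n > responses_per_second}
```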

System operators will mostly be interested in the info and above messages of queries and stats, as well as the error and above messages of the other loggers.


Since unquoted leading whitespace is generally ignored in yadifad.conf, you can indent everything to taste.


Please check the file ChangeLog from the sources.


Version: 2.1.6 of 2016-02-04.


There exists a mailing list for questions relating to any program in the yadifa package:

[email protected]
for submitting questions/answers.

for subscription requests.

If you would like to stay informed about new versions and official patches send a subscription request to via:


(this is a readonly list).


(C) 2011-2016, EURid
B-1831 Diegem, Belgium
[email protected]


Gery Van Emelen
Email: [email protected]
Eric Diaz Fernandez
Email: [email protected]

WWW: http://www.EURid.eu