PDNSUTIL(1)                PowerDNS Authoritative Server               PDNSUTIL(1)

NAME
       pdnsutil - PowerDNS record and DNSSEC command and control

SYNOPSIS
       pdnsutil [OPTION]... COMMAND

DESCRIPTION
       pdnsutil (formerly pdnssec) is a powerful command that is the
       operator-friendly gateway into DNSSEC and zone management for PowerDNS.
       Behind the scenes, pdnsutil manipulates a PowerDNS backend database,
       which also means that for many databases, pdnsutil can be run remotely,
       and can configure key material on different servers.

OPTIONS
       -h, --help
              Show summary of options.

       -v, --verbose
              Be more verbose.

       --force
              Force an action.

       --config-name <NAME>
              Virtual configuration name.

       --config-dir <DIR>
              Location of pdns.conf. Default is /etc/powerdns.

COMMANDS
       There are many available commands; this section splits them up into
       their respective uses.

DNSSEC RELATED COMMANDS
       Several commands manipulate the DNSSEC keys and options for zones. Some
       of these commands require an ALGORITHM to be set. The following
       algorithms are supported:

       · rsasha1

       · rsasha256

       · rsasha512

       · ecdsa256

       · ecdsa384

       · ed25519

       · ed448

       activate-zone-key ZONE KEY-ID
              Activate a key with id KEY-ID within a zone called ZONE.

       add-zone-key ZONE {KSK,ZSK} [active,inactive] KEYBITS ALGORITHM
              Create a new key for zone ZONE, and make it a KSK or a ZSK, with
              the specified algorithm. The key is inactive by default; set it
              to active to immediately use it to sign ZONE. Prints the id of
              the added key.

       create-bind-db FILE
              Create DNSSEC database (sqlite3) at FILE for the BIND backend.
              Remember to set bind-dnssec-db=FILE in your pdns.conf.

       deactivate-zone-key ZONE KEY-ID
              Deactivate a key with id KEY-ID within a zone called ZONE.

       disable-dnssec ZONE
              Deactivate all keys and unset PRESIGNED in ZONE.

       export-zone-dnskey ZONE KEY-ID
              Export to standard output the DNSKEY and DS of the key with id
              KEY-ID within the zone called ZONE.

       export-zone-ds ZONE
              Export to standard output all KSK DS records for ZONE.

       export-zone-key ZONE KEY-ID
              Export to standard output the full (private) key with id KEY-ID
              within the zone called ZONE. The format used is compatible with
              BIND and NSD/LDNS.

       generate-zone-key {KSK,ZSK} [ALGORITHM] [KEYBITS]
              Generate a ZSK or KSK with the specified algorithm and bits and
              print it on standard output. If ALGORITHM is not set, ECDSA256
              is used. If KEYBITS is not set, an appropriate keysize is
              selected for ALGORITHM. Each ECC-based algorithm supports only
              one valid KEYBITS value: for ECDSA256 and ED25519, it is 256;
              for ECDSA384, it is 384; and for ED448, it is 456.

       import-zone-key ZONE FILE {KSK,ZSK}
              Import from FILE a full (private) key for the zone called ZONE.
              The format used is compatible with BIND and NSD/LDNS. KSK or ZSK
              specifies the flags this key should have on import. Prints the
              id of the added key.

       remove-zone-key ZONE KEY-ID
              Remove a key with id KEY-ID from a zone called ZONE.

       set-nsec3 ZONE ['HASH-ALGORITHM FLAGS ITERATIONS SALT'] [narrow]
              Sets NSEC3 parameters for this zone. The quoted parameters are
              the 4 values that are used for the NSEC3PARAM record and decide
              how NSEC3 records are created. The NSEC3 parameters must be
              quoted on the command line. HASH-ALGORITHM must be 1 (SHA-1).
              Setting FLAGS to 1 enables NSEC3 opt-out operation. Only do this
              if you know you need it. For ITERATIONS, please consult RFC 5155,
              section 10.3, and be aware that a high number might overload
              validating resolvers; a limit can be set with
              max-nsec3-iterations in pdns.conf. The SALT is a hexadecimal
              string encoding the bits for the salt, or - to use no salt.
              Setting narrow will make PowerDNS send out "white lies" (RFC
              7129) about the next secure record to prevent zone enumeration.
              Instead of looking it up in the database, it will send out the
              hash + 1 as the next secure record. Narrow mode requires online
              signing capabilities by the nameserver and therefore zone
              transfers are denied. If only the zone is provided as argument,
              the 4-parameter quoted string defaults to '1 0 1 ab'. A sample
              commandline is: pdnsutil set-nsec3 powerdnssec.org '1 1 1 ab'
              narrow. WARNING: If running in RSASHA1 mode (algorithm 5 or 7),
              switching from NSEC to NSEC3 will require a DS update in the
              parent zone.

       unset-nsec3 ZONE
              Converts ZONE to NSEC operations. WARNING: If running in RSASHA1
              mode (algorithm 5 or 7), switching from NSEC3 to NSEC will
              require a DS update at the parent zone!

       set-publish-cds ZONE [DIGESTALGOS]
              Set ZONE to respond to queries for its CDS records. The optional
              argument DIGESTALGOS should be a comma-separated list of DS
              digest algorithms to use. By default, this is 2 (SHA-256).
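
       The DS record that export-zone-ds publishes, and that set-publish-cds
       offers to the parent as CDS, is a digest over the owner name and the
       DNSKEY RDATA, with the digest type chosen the way DIGESTALGOS chooses
       it. The Python below is an added example, not code from this manual or
       from PowerDNS: it computes the RFC 4034 key tag and DS presentation
       format for a DNSKEY, and runs the same placeholder key bytes under
       algorithm 5 (RSASHA1) and 7 (RSASHA1-NSEC3-SHA1) to show why the
       set-nsec3 and unset-nsec3 warnings call for a DS update at the parent.
       SAMPLE_OWNER and SAMPLE_PUBKEY are constructed sample values, not real
       key material.

```python
import hashlib
import struct

# Constructed sample inputs for this example (not from the pdnsutil page).
# The "public key" is placeholder bytes, not real key material.
SAMPLE_OWNER = "example.org."
SAMPLE_PUBKEY = bytes(range(1, 33))
KSK_FLAGS = 257  # flags field of a KSK DNSKEY (256 for a ZSK)

# DS digest types selectable through DIGESTALGOS; 2 (SHA-256) is the default.
DS_DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lower-cased, length-prefixed labels."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def dnskey_rdata(flags: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: flags, protocol (always 3), algorithm number, public key."""
    return struct.pack("!HBB", flags, 3, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag over the DNSKEY RDATA (RFC 4034 Appendix B)."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(owner: str, rdata: bytes, digest_type: int = 2) -> str:
    """DS presentation format: 'KEYTAG ALGORITHM DIGESTTYPE DIGEST'.

    The digest covers the owner name in wire form followed by the DNSKEY
    RDATA (RFC 4034 section 5.1.4).
    """
    digest = DS_DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest()
    algorithm = rdata[3]
    return f"{key_tag(rdata)} {algorithm} {digest_type} {digest.upper()}"


def ds_for_algorithms(owner: str, flags: int, pubkey: bytes,
                      algorithms=(5, 7), digest_type: int = 2) -> dict:
    """Same key bytes under different algorithm numbers give different DS records."""
    return {alg: ds_record(owner, dnskey_rdata(flags, alg, pubkey), digest_type)
            for alg in algorithms}


if __name__ == "__main__":
    # Algorithm 5 is RSASHA1 (NSEC); 7 is RSASHA1-NSEC3-SHA1. Moving the zone
    # between NSEC and NSEC3 changes only this byte of the DNSKEY, yet both the
    # key tag and the digest in the DS change, so the parent must be updated.
    for alg, ds in ds_for_algorithms(SAMPLE_OWNER, KSK_FLAGS, SAMPLE_PUBKEY).items():
        print(f"{SAMPLE_OWNER} IN DS {ds}   ; DNSKEY algorithm {alg}")
```

       Feed it a real DNSKEY (flags, algorithm and base64-decoded key from
       export-zone-dnskey) and the output should match what export-zone-ds
       prints for that key; a mismatch between the two is the signal that the
       parent's DS is stale.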

       set-publish-cdnskey ZONE
              Set ZONE to publish CDNSKEY records.

       unset-publish-cds ZONE
              Set ZONE to stop responding to queries for its CDS records.

       unset-publish-cdnskey ZONE
              Set ZONE to stop publishing CDNSKEY records.

TSIG RELATED COMMANDS
       These commands manipulate TSIG key information in the database. Some
       commands require an ALGORITHM; the following are available:

       · hmac-md5

       · hmac-sha1

       · hmac-sha224

       · hmac-sha256

       · hmac-sha384

       · hmac-sha512

       activate-tsig-key ZONE NAME {master,slave}
              Enable TSIG authenticated AXFR using the key NAME for zone ZONE.
              This sets the TSIG-ALLOW-AXFR (master) or AXFR-MASTER-TSIG
              (slave) zone metadata.

       deactivate-tsig-key ZONE NAME {master,slave}
              Disable TSIG authenticated AXFR using the key NAME for zone
              ZONE.

       delete-tsig-key NAME
              Delete the TSIG key NAME. Warning: this does not deactivate said
              key.

       generate-tsig-key NAME ALGORITHM
              Generate a new TSIG key with name NAME and the specified
              algorithm.

       import-tsig-key NAME ALGORITHM KEY
              Import KEY of the specified algorithm as NAME.

       list-tsig-keys
              Show a list of all configured TSIG keys.

ZONE MANIPULATION COMMANDS
       add-record ZONE NAME TYPE [TTL] CONTENT
              Add one or more records of NAME and TYPE to ZONE with CONTENT
              and optional TTL. If TTL is not set, the default will be used.

       create-zone ZONE
              Create an empty zone named ZONE.

       create-slave-zone ZONE MASTER [MASTER]..
              Create a new slave zone ZONE with masters MASTER. All MASTERs
              need to be space-separated IP addresses with an optional port.

       change-slave-zone-master ZONE MASTER [MASTER]..
              Change the masters for slave zone ZONE to new masters MASTER.
              All MASTERs need to be space-separated IP addresses with an
              optional port.

       check-all-zones
              Check all zones for correctness.

       check-zone ZONE
              Check zone ZONE for correctness.

       clear-zone ZONE
              Clear the records in zone ZONE, but leave the actual domain and
              its settings unchanged.

       delete-rrset ZONE NAME TYPE
              Delete the named RRSET from the zone.

       delete-zone ZONE
              Delete the zone named ZONE.

       edit-zone ZONE
              Opens ZONE in zonefile format (regardless of the backend it was
              loaded from) in the editor set in the environment variable
              EDITOR. If EDITOR is empty, pdnsutil falls back to using editor.

       get-meta ZONE [ATTRIBUTE]...
              Get zone metadata. If no ATTRIBUTE is given, lists all known
              attributes.

       hash-zone-record ZONE RNAME
              This convenience command hashes the name RNAME according to the
              NSEC3 settings of ZONE. Refuses to hash for zones with no NSEC3
              settings.
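
       The hash that hash-zone-record prints, and the "hash + 1" next owner
       that narrow mode answers with (see set-nsec3), can both be reproduced
       offline. The Python below is an added example, not code from this
       manual or from PowerDNS: it validates a quoted 'HASH-ALGORITHM FLAGS
       ITERATIONS SALT' string against the constraints set-nsec3 states
       (algorithm 1, flags 0 or 1, a bounded iteration count, a hex salt or
       '-'), computes the RFC 5155 NSEC3 hash of an owner name, and
       increments it the way narrow mode does. MAX_NSEC3_ITERATIONS is this
       example's own assumed cap standing in for a max-nsec3-iterations
       setting; the sample zone parameters come from RFC 5155 Appendix A.

```python
import base64
import hashlib

# Default from the manual: only the zone given means '1 0 1 ab'. The iteration
# cap is this example's assumption, standing in for max-nsec3-iterations.
DEFAULT_NSEC3_PARAMS = "1 0 1 ab"
MAX_NSEC3_ITERATIONS = 100  # assumed cap for this example

# base32hex (RFC 4648) is the standard base32 alphabet remapped to 0-9A-V.
_B32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
_B32HEX = "0123456789ABCDEFGHIJKLMNOPQRSTUV"
_TO_HEX = str.maketrans(_B32, _B32HEX)
_FROM_HEX = str.maketrans(_B32HEX, _B32)


def parse_nsec3_params(params: str = DEFAULT_NSEC3_PARAMS) -> dict:
    """Check a quoted 'HASH-ALGORITHM FLAGS ITERATIONS SALT' string the way an
    operator wrapper around set-nsec3 would, before handing it to pdnsutil."""
    fields = params.split()
    if len(fields) != 4:
        raise ValueError("expected exactly 4 space-separated values")
    algorithm, flags, iterations = int(fields[0]), int(fields[1]), int(fields[2])
    salt = fields[3]
    if algorithm != 1:
        raise ValueError("HASH-ALGORITHM must be 1 (SHA-1)")
    if flags not in (0, 1):
        raise ValueError("FLAGS must be 0, or 1 to enable opt-out")
    if not 0 <= iterations <= MAX_NSEC3_ITERATIONS:
        raise ValueError(f"ITERATIONS must be between 0 and {MAX_NSEC3_ITERATIONS}")
    salt_bytes = b"" if salt == "-" else bytes.fromhex(salt)  # '-' means no salt
    return {"algorithm": algorithm, "flags": flags,
            "iterations": iterations, "salt": salt_bytes}


def is_valid_nsec3_params(params: str) -> bool:
    """True when parse_nsec3_params accepts the string (bad ints raise ValueError too)."""
    try:
        parse_nsec3_params(params)
        return True
    except ValueError:
        return False


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lower-cased, length-prefixed labels."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def base32hex(raw: bytes) -> str:
    return base64.b32encode(raw).decode().translate(_TO_HEX).lower()


def nsec3_hash(name: str, iterations: int, salt: bytes) -> str:
    """RFC 5155 section 5: SHA-1(wire || salt), then re-hashed ITERATIONS times."""
    digest = hashlib.sha1(name_to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base32hex(digest)


def hash_zone_record(params: str, rname: str) -> str:
    """What hash-zone-record prints for RNAME in a zone with these NSEC3 settings."""
    p = parse_nsec3_params(params)
    return nsec3_hash(rname, p["iterations"], p["salt"])


def narrow_next_owner(hashed: str) -> str:
    """The 'hash + 1' next owner narrow mode returns instead of a database
    lookup: the 160-bit hash incremented by one, wrapping around at the top."""
    raw = base64.b32decode(hashed.upper().translate(_FROM_HEX))
    bumped = (int.from_bytes(raw, "big") + 1) % (1 << 160)
    return base32hex(bumped.to_bytes(20, "big"))


if __name__ == "__main__":
    # RFC 5155 Appendix A parameters: 12 iterations, salt aabbccdd, zone example.
    owner_hash = hash_zone_record("1 0 12 aabbccdd", "example.")
    print(owner_hash, "->", narrow_next_owner(owner_hash))
```

       With the RFC 5155 Appendix A parameters, "example." hashes to
       0p9mhaveqvm6t7vbl5lop2u3t2rp3tom, which is what hash-zone-record would
       print for a zone carrying those NSEC3 settings. The iteration loop is
       also the cost a validating resolver pays per non-existence proof, which
       is why the manual advises keeping ITERATIONS low and capping it.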

       list-keys [ZONE]
              List DNSSEC information for all keys or for ZONE.

       list-all-zones
              List all zone names.

       list-zone ZONE
              Show all records for ZONE.

       load-zone ZONE FILE
              Load records for ZONE from FILE. If ZONE already exists, all
              records are overwritten; this operation is atomic. If ZONE
              doesn't exist, it is created.

       rectify-zone ZONE
              Calculates the 'ordername' and 'auth' fields for a zone called
              ZONE so they comply with DNSSEC settings. Can be used to fix up
              migrated data. Can always safely be run; it does no harm.

       rectify-all-zones
              Calculates the 'ordername' and 'auth' fields for all zones so
              they comply with DNSSEC settings. Can be used to fix up migrated
              data. Can always safely be run; it does no harm.

       replace-rrset ZONE NAME TYPE [TTL] CONTENT [CONTENT..]
              Replace the existing RRset of NAME and TYPE in zone ZONE with a
              new set.

       secure-zone ZONE
              Configures a zone called ZONE with reasonable DNSSEC settings.
              You should manually run 'pdnsutil rectify-zone' afterwards.

       secure-all-zones [increase-serial]
              Configures all zones that are not currently signed with
              reasonable DNSSEC settings. Setting increase-serial will
              increase the serial of those zones too. You should manually run
              'pdnsutil rectify-all-zones' afterwards.

       set-kind ZONE KIND
              Change the kind of ZONE to KIND (master, slave, native).

       set-account ZONE ACCOUNT
              Change the account (owner) of ZONE to ACCOUNT.

       add-meta ZONE ATTRIBUTE VALUE [VALUE]...
              Append VALUE to the existing ATTRIBUTE metadata for ZONE. Will
              return an error if ATTRIBUTE does not support multiple values;
              use set-meta for those.

       set-meta ZONE ATTRIBUTE [VALUE]...
              Set domainmetadata ATTRIBUTE for ZONE to VALUE. An empty value
              clears it.

       set-presigned ZONE
              Switches ZONE to presigned operation, utilizing in-zone RRSIGs.

       show-zone ZONE
              Shows all DNSSEC related settings of a zone called ZONE.

       test-schema ZONE
              Test the database schema; this creates the zone ZONE.

       unset-presigned ZONE
              Disables presigned operation for ZONE.

DEBUGGING TOOLS
       backend-cmd BACKEND CMD [CMD..]
              Send a text command to a backend for execution. GSQL backends
              will take SQL commands; other backends may take different
              things. Be careful!

       bench-db [FILE]
              Perform a benchmark of the backend database. FILE can be a file
              with a list, one per line, of domain names to use for this. If
              FILE is not specified, powerdns.com is used.

OTHER TOOLS
       ipencrypt IP-ADDRESS PASSWORD
              Encrypt an IP address according to the 'ipcipher' standard.

       ipdecrypt IP-ADDRESS PASSWORD
              Decrypt an IP address according to the 'ipcipher' standard.

SEE ALSO
       pdns_server (1), pdns_control (1)

AUTHOR
       PowerDNS.COM BV

COPYRIGHT
       2001-2019, PowerDNS.COM BV

4.2                              Nov 29, 2019                        PDNSUTIL(1)