PDNSUTIL(1)              PowerDNS Authoritative Server              PDNSUTIL(1)



NAME
       pdnsutil - PowerDNS record and DNSSEC command and control

SYNOPSIS
       pdnsutil [OPTION]... COMMAND

DESCRIPTION
       pdnsutil (formerly pdnssec) is a powerful command that is the
       operator-friendly gateway into DNSSEC and zone management for PowerDNS.
       Behind the scenes, pdnsutil manipulates a PowerDNS backend database,
       which also means that for many databases, pdnsutil can be run remotely,
       and can configure key material on different servers.

OPTIONS
       -h, --help
              Show summary of options.

       -v, --verbose
              Be more verbose.

       --force
              Force an action.

       --config-name <NAME>
              Virtual configuration name.

       --config-dir <DIR>
              Location of pdns.conf. Default is /etc/powerdns.

COMMANDS
       There are many available commands; this section groups them by their
       respective uses.

   DNSSEC RELATED COMMANDS
       Several commands manipulate the DNSSEC keys and options for zones. Some
       of these commands require an ALGORITHM to be set. The following
       algorithms are supported:

       · rsasha1

       · rsasha1-nsec3-sha1

       · rsasha256

       · rsasha512

       · ecdsa256

       · ecdsa384

       · ed25519

       · ed448

       activate-zone-key ZONE KEY-ID
              Activate a key with id KEY-ID within a zone called ZONE.

       add-zone-key ZONE {KSK,ZSK} [active,inactive] [published,unpublished]
       KEYBITS ALGORITHM
              Create a new key for zone ZONE, and make it a KSK or a ZSK, with
              the specified algorithm. The key is inactive by default; set it
              to active to immediately use it to sign ZONE. The key is
              published in the zone by default; set it to unpublished to keep
              it from being returned in a DNSKEY query, which is useful for
              algorithm rollovers. Prints the id of the added key.

       create-bind-db FILE
              Create DNSSEC database (sqlite3) at FILE for the BIND backend.
              Remember to set bind-dnssec-db=FILE in your pdns.conf.

       deactivate-zone-key ZONE KEY-ID
              Deactivate a key with id KEY-ID within a zone called ZONE.

       disable-dnssec ZONE
              Deactivate all keys and unset PRESIGNED in ZONE.

       export-zone-dnskey ZONE KEY-ID
              Export to standard output the DNSKEY and DS of the key with id
              KEY-ID within the zone called ZONE.

       export-zone-ds ZONE
              Export to standard output all KSK DS records for ZONE.

       export-zone-key ZONE KEY-ID
              Export to standard output the full (private) key with id KEY-ID
              within the zone called ZONE. The format used is compatible with
              BIND and NSD/LDNS.

       generate-zone-key {KSK,ZSK} [ALGORITHM] [KEYBITS]
              Generate a ZSK or KSK with the specified algorithm and bits and
              print it on standard output. If ALGORITHM is not set, ECDSA256
              is used. If KEYBITS is not set, an appropriate keysize is
              selected for ALGORITHM. Each ECC-based algorithm supports only
              one valid KEYBITS value: for ECDSA256 and ED25519 it is 256; for
              ECDSA384 it is 384; and for ED448 it is 456.

       import-zone-key ZONE FILE {KSK,ZSK}
              Import from FILE a full (private) key for the zone called ZONE.
              The format used is compatible with BIND and NSD/LDNS. KSK or ZSK
              specifies the flags this key should have on import. Prints the
              id of the added key.

       publish-zone-key ZONE KEY-ID
              Publish the key with id KEY-ID within a zone called ZONE.

       remove-zone-key ZONE KEY-ID
              Remove a key with id KEY-ID from a zone called ZONE.

       set-nsec3 ZONE ['HASH-ALGORITHM FLAGS ITERATIONS SALT'] [narrow]
              Sets NSEC3 parameters for this zone. The quoted parameters are
              the 4 values that are used for the NSEC3PARAM record and decide
              how NSEC3 records are created. The NSEC3 parameters must be
              quoted on the command line. HASH-ALGORITHM must be 1 (SHA-1).
              Setting FLAGS to 1 enables NSEC3 opt-out operation. Only do this
              if you know you need it. For ITERATIONS, please consult RFC
              5155, section 10.3, and be aware that a high number might
              overload validating resolvers and that a limit can be set with
              max-nsec3-iterations in pdns.conf. The SALT is a hexadecimal
              string encoding the bits for the salt, or - to use no salt.
              Setting narrow will make PowerDNS send out "white lies" (RFC
              7129) about the next secure record to prevent zone enumeration.
              Instead of looking it up in the database, it will send out the
              hash + 1 as the next secure record. Narrow mode requires online
              signing capabilities by the nameserver and therefore zone
              transfers are denied. If only the zone is provided as argument,
              the 4-parameter quoted string defaults to '1 0 1 ab'. A sample
              command line is: pdnsutil set-nsec3 powerdnssec.org '1 1 1 ab'
              narrow. WARNING: If running in RSASHA1 mode (algorithm 5 or 7),
              switching from NSEC to NSEC3 will require a DS update in the
              parent zone.
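
       The following is an added example written for this page; it is not
       part of pdnsutil or the PowerDNS project. It recomputes two values the
       commands above produce, so that pdnsutil's output can be checked
       independently: the DS record that export-zone-dnskey and export-zone-ds
       print (key tag per RFC 4034 Appendix B, digest over the canonical owner
       name plus DNSKEY RDATA), and the NSEC3 owner-name hash that the
       set-nsec3 parameters define and hash-zone-record prints (RFC 5155),
       including the hash + 1 that narrow mode answers with. It also flags
       parameter choices that later guidance (RFC 9276: zero iterations, no
       salt) argues against. The DNSKEY fields, the 2-byte dummy public key
       and the RFC 5155 Appendix A parameters used below are constructed
       inputs; only hash algorithm 1 (SHA-1) is handled, as on this page.

```python
# Added example, not part of pdnsutil or PowerDNS: recompute the DS that
# export-zone-dnskey prints and the NSEC3 hash that hash-zone-record prints.
import base64
import hashlib

# RFC 4648 base32 -> base32hex (what NSEC3 owner names use) and back.
_B32_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                               "0123456789ABCDEFGHIJKLMNOPQRSTUV")
_B32HEX_TO_B32 = str.maketrans("0123456789ABCDEFGHIJKLMNOPQRSTUV",
                               "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567")


def wire_name(name: str) -> bytes:
    """Canonical wire form (RFC 4034 s6.2): lowercase, length-prefixed labels, root-terminated."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


# --- DS from DNSKEY (what export-zone-dnskey / export-zone-ds print) ---------

def dnskey_rdata(flags: int, algorithm: int, pubkey_b64: str, protocol: int = 3) -> bytes:
    """DNSKEY RDATA: 2-byte flags (257 = KSK, 256 = ZSK), protocol, algorithm, public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + base64.b64decode(pubkey_b64)


def key_tag(rdata: bytes) -> int:
    """Key tag (RFC 4034 Appendix B): 16-bit word sum of the RDATA with the carry folded in."""
    ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(owner: str, flags: int, algorithm: int, pubkey_b64: str, digest_type: int = 2) -> str:
    """DS RDATA text 'KEYTAG ALG DIGESTTYPE DIGEST' (RFC 4034 s5.1.4).
    digest_type 2 (SHA-256) is the default set-publish-cds uses; 1 is SHA-1, 4 is SHA-384."""
    rdata = dnskey_rdata(flags, algorithm, pubkey_b64)
    hasher = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}[digest_type]
    digest = hasher(wire_name(owner) + rdata).hexdigest()
    return f"{key_tag(rdata)} {algorithm} {digest_type} {digest}"


# --- NSEC3 (what set-nsec3 configures and hash-zone-record computes) ---------

def parse_nsec3param(param: str) -> dict:
    """Parse the quoted 'HASH-ALGORITHM FLAGS ITERATIONS SALT' string that set-nsec3 takes."""
    alg, flags, iterations, salt = param.split()
    if int(alg) != 1:
        raise ValueError("HASH-ALGORITHM must be 1 (SHA-1)")
    if int(flags) not in (0, 1):
        raise ValueError("FLAGS must be 0 or 1 (opt-out)")
    return {"optout": int(flags) == 1, "iterations": int(iterations),
            "salt": b"" if salt == "-" else bytes.fromhex(salt)}


def nsec3_hash(name: str, params: dict) -> str:
    """RFC 5155 s5: IH(0) = SHA1(name || salt); IH(k) = SHA1(IH(k-1) || salt); base32hex, lowercase."""
    h = hashlib.sha1(wire_name(name) + params["salt"]).digest()
    for _ in range(params["iterations"]):
        h = hashlib.sha1(h + params["salt"]).digest()
    return base64.b32encode(h).decode("ascii").translate(_B32_TO_B32HEX).lower()


def narrow_next(hash32: str) -> str:
    """Narrow-mode 'white lie': the next hashed owner is hash + 1, not a name from the backend."""
    raw = base64.b32decode(hash32.upper().translate(_B32HEX_TO_B32))
    nxt = (int.from_bytes(raw, "big") + 1) % (1 << 160)
    return base64.b32encode(nxt.to_bytes(20, "big")).decode("ascii").translate(_B32_TO_B32HEX).lower()


def nsec3param_warnings(params: dict) -> list:
    """Choices worth a second look before running set-nsec3 (RFC 5155 s10.3, RFC 9276)."""
    out = []
    if params["iterations"] > 0:
        out.append("extra iterations cost resolvers CPU and add little enumeration resistance; RFC 9276 recommends 0")
    if params["salt"]:
        out.append("the zone name already separates zones, so a salt adds little; RFC 9276 recommends none ('-')")
    if params["optout"]:
        out.append("opt-out (FLAGS=1) leaves insecure delegations unproven; only use it if you know you need it")
    return out


if __name__ == "__main__":
    # Constructed inputs: RFC 5155 Appendix A parameters and a dummy 2-byte public key.
    p = parse_nsec3param("1 1 12 aabbccdd")
    print(nsec3_hash("example", p))               # 0p9mhaveqvm6t7vbl5lop2u3t2rp3tom
    print(narrow_next(nsec3_hash("example", p)))  # 0p9mhaveqvm6t7vbl5lop2u3t2rp3ton
    print(ds_record("example.", 257, 13, "AAE="))
    print(nsec3param_warnings(parse_nsec3param("1 1 1 ab")))
```

       To use it on a real zone, paste the flags, algorithm and base64 key
       that export-zone-dnskey prints into ds_record and compare with the DS
       line it prints; feed the zone's NSEC3PARAM to parse_nsec3param and
       compare nsec3_hash with hash-zone-record. For the Appendix A
       parameters, H(example) is 0p9mhaveqvm6t7vbl5lop2u3t2rp3tom.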

       unpublish-zone-key ZONE KEY-ID
              Unpublish the key with id KEY-ID within a zone called ZONE.

       unset-nsec3 ZONE
              Converts ZONE to NSEC operations. WARNING: If running in RSASHA1
              mode (algorithm 5 or 7), switching from NSEC3 to NSEC will
              require a DS update at the parent zone!

       set-publish-cds ZONE [DIGESTALGOS]
              Set ZONE to respond to queries for its CDS records. The optional
              argument DIGESTALGOS should be a comma-separated list of DS
              digest algorithms to use. By default, this is 2 (SHA-256).

       set-publish-cdnskey ZONE
              Set ZONE to publish CDNSKEY records.

       unset-publish-cds ZONE
              Set ZONE to stop responding to queries for its CDS records.

       unset-publish-cdnskey ZONE
              Set ZONE to stop publishing CDNSKEY records.


   TSIG RELATED COMMANDS
       These commands manipulate TSIG key information in the database. Some
       commands require an ALGORITHM; the following are available:

       · hmac-md5

       · hmac-sha1

       · hmac-sha224

       · hmac-sha256

       · hmac-sha384

       · hmac-sha512

       activate-tsig-key ZONE NAME {master,slave}
              Enable TSIG authenticated AXFR using the key NAME for zone ZONE.
              This sets the TSIG-ALLOW-AXFR (master) or AXFR-MASTER-TSIG
              (slave) zone metadata.

       deactivate-tsig-key ZONE NAME {master,slave}
              Disable TSIG authenticated AXFR using the key NAME for zone
              ZONE.

       delete-tsig-key NAME
              Delete the TSIG key NAME. Warning: this does not deactivate said
              key.

       generate-tsig-key NAME ALGORITHM
              Generate a new TSIG key with name NAME and the specified
              algorithm.

       import-tsig-key NAME ALGORITHM KEY
              Import KEY of the specified algorithm as NAME.

       list-tsig-keys
              Show a list of all configured TSIG keys.

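       The following is an added example written for this page; it is not
       part of pdnsutil or the PowerDNS project. It produces a TSIG secret of a
       sensible size for each algorithm listed above, in the base64 form that
       import-tsig-key takes, and sanity-checks a secret before it is
       imported: the algorithm must be one of the six above, the secret must
       decode as base64, and it should be at least as long as the HMAC digest
       (RFC 2104 section 3 discourages shorter keys); hmac-md5 is flagged
       because it is no longer recommended for TSIG. The key name "axfr-key"
       and the BIND-style stanza for the peer are illustrative; the sizes are
       the HMAC digest lengths.

```python
# Added example, not part of pdnsutil or PowerDNS: generate and vet TSIG
# secrets for `pdnsutil import-tsig-key NAME ALGORITHM KEY`.
import base64
import binascii
import secrets

# Digest length in bytes of each HMAC algorithm the man page lists.
TSIG_DIGEST_BYTES = {
    "hmac-md5": 16, "hmac-sha1": 20, "hmac-sha224": 28,
    "hmac-sha256": 32, "hmac-sha384": 48, "hmac-sha512": 64,
}


def generate_tsig_secret(algorithm: str) -> str:
    """Random secret as long as the digest, base64 encoded as pdnsutil stores and prints it."""
    try:
        size = TSIG_DIGEST_BYTES[algorithm.lower()]
    except KeyError:
        raise ValueError(f"unsupported TSIG algorithm {algorithm!r}") from None
    return base64.b64encode(secrets.token_bytes(size)).decode("ascii")


def check_tsig_key(algorithm: str, secret_b64: str) -> list:
    """Problems to fix before importing; an empty list means the key looks fine."""
    algorithm = algorithm.lower()
    if algorithm not in TSIG_DIGEST_BYTES:
        return [f"unsupported TSIG algorithm {algorithm!r}"]
    problems = []
    if algorithm == "hmac-md5":
        problems.append("hmac-md5 is no longer recommended for TSIG (RFC 8945); prefer hmac-sha256 or stronger")
    try:
        raw = base64.b64decode(secret_b64, validate=True)
    except binascii.Error:
        return problems + ["secret is not valid base64"]
    need = TSIG_DIGEST_BYTES[algorithm]
    if len(raw) < need:
        problems.append(f"secret is {len(raw)} bytes; use at least the {need}-byte digest length")
    return problems


def import_command(name: str, algorithm: str, secret_b64: str) -> str:
    """The pdnsutil invocation for the PowerDNS side of the transfer."""
    return f"pdnsutil import-tsig-key {name} {algorithm} {secret_b64}"


def bind_key_stanza(name: str, algorithm: str, secret_b64: str) -> str:
    """The same secret in BIND named.conf syntax, so both ends of the AXFR share one key."""
    return (f'key "{name}" {{\n'
            f'    algorithm {algorithm};\n'
            f'    secret "{secret_b64}";\n'
            f'}};')


if __name__ == "__main__":
    secret = generate_tsig_secret("hmac-sha256")
    print(import_command("axfr-key", "hmac-sha256", secret))
    # After importing, enable it for a zone on the primary:
    print("pdnsutil activate-tsig-key example.com axfr-key master")
    print(bind_key_stanza("axfr-key", "hmac-sha256", secret))
    # Constructed bad input: a 16-byte secret offered for hmac-md5.
    print(check_tsig_key("hmac-md5", "MDEyMzQ1Njc4OWFiY2RlZg=="))
```

       Remember that delete-tsig-key does not touch the TSIG-ALLOW-AXFR or
       AXFR-MASTER-TSIG metadata; run deactivate-tsig-key first, or the zone
       keeps referring to a key that no longer exists.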
   ZONE MANIPULATION COMMANDS
       add-record ZONE NAME TYPE [TTL] CONTENT
              Add one or more records of NAME and TYPE to ZONE with CONTENT
              and optional TTL. If TTL is not set, the default will be used.

       create-zone ZONE
              Create an empty zone named ZONE.

       create-slave-zone ZONE MASTER [MASTER]..
              Create a new slave zone ZONE with masters MASTER. All MASTERs
              need to be space-separated IP addresses with an optional port.

       change-slave-zone-master ZONE MASTER [MASTER]..
              Change the masters for slave zone ZONE to new masters MASTER.
              All MASTERs need to be space-separated IP addresses with an
              optional port.

       check-all-zones
              Check all zones for correctness.

       check-zone ZONE
              Check zone ZONE for correctness.

       clear-zone ZONE
              Clear the records in zone ZONE, but leave the actual domain and
              its settings unchanged.

       delete-rrset ZONE NAME TYPE
              Delete the named RRSET from the zone.

       delete-zone ZONE
              Delete the zone named ZONE.

       edit-zone ZONE
              Opens ZONE in zonefile format (regardless of the backend it was
              loaded from) in the editor set in the environment variable
              EDITOR. If EDITOR is empty, pdnsutil falls back to using editor.

       get-meta ZONE [ATTRIBUTE]...
              Get zone metadata. If no ATTRIBUTE is given, lists all known.

       hash-zone-record ZONE RNAME
              This convenience command hashes the name RNAME according to the
              NSEC3 settings of ZONE. Refuses to hash for zones with no NSEC3
              settings.

       increase-serial ZONE
              Increases the SOA serial by 1. Uses SOA-EDIT.

       list-keys [ZONE]
              List DNSSEC information for all keys or for ZONE.

       list-all-zones
              List all zone names.

       list-zone ZONE
              Show all records for ZONE.

       load-zone ZONE FILE
              Load records for ZONE from FILE. If ZONE already exists, all
              records are overwritten; this operation is atomic. If ZONE
              doesn't exist, it is created.

       rectify-zone ZONE
              Calculates the 'ordername' and 'auth' fields for a zone called
              ZONE so they comply with DNSSEC settings. Can be used to fix up
              migrated data. Can always safely be run; it does no harm.

       rectify-all-zones
              Calculates the 'ordername' and 'auth' fields for all zones so
              they comply with DNSSEC settings. Can be used to fix up migrated
              data. Can always safely be run; it does no harm.

       replace-rrset ZONE NAME TYPE [TTL] CONTENT [CONTENT..]
              Replace the existing RRset of NAME and TYPE in zone ZONE with a
              new set.

       secure-zone ZONE
              Configures a zone called ZONE with reasonable DNSSEC settings.
              You should manually run 'pdnsutil rectify-zone' afterwards.

       secure-all-zones [increase-serial]
              Configures all zones that are not currently signed with
              reasonable DNSSEC settings. Setting increase-serial will
              increase the serial of those zones too. You should manually run
              'pdnsutil rectify-all-zones' afterwards.

       set-kind ZONE KIND
              Change the kind of ZONE to KIND (master, slave, native).

       set-account ZONE ACCOUNT
              Change the account (owner) of ZONE to ACCOUNT.

       add-meta ZONE ATTRIBUTE VALUE [VALUE]...
              Append VALUE to the existing ATTRIBUTE metadata for ZONE. Will
              return an error if ATTRIBUTE does not support multiple values;
              use set-meta for these values.

       set-meta ZONE ATTRIBUTE [VALUE]...
              Set domainmetadata ATTRIBUTE for ZONE to VALUE. An empty value
              clears it.

       set-presigned ZONE
              Switches ZONE to presigned operation, utilizing in-zone RRSIGs.

       show-zone ZONE
              Shows all DNSSEC related settings of a zone called ZONE.

       test-schema ZONE
              Test the database schema; this creates the zone ZONE.

       unset-presigned ZONE
              Disables presigned operation for ZONE.

   DEBUGGING TOOLS
       backend-cmd BACKEND CMD [CMD..]
              Send a text command to a backend for execution. GSQL backends
              will take SQL commands, other backends may take different
              things. Be careful!

       bench-db [FILE]
              Perform a benchmark of the backend database. FILE can be a file
              with a list, one per line, of domain names to use for this. If
              FILE is not specified, powerdns.com is used.

   OTHER TOOLS
       ipencrypt IP-ADDRESS PASSWORD
              Encrypt an IP address according to the 'ipcipher' standard.

       ipdecrypt IP-ADDRESS PASSWORD
              Decrypt an IP address according to the 'ipcipher' standard.
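
       The following is an added example written for this page; it is not
       part of pdnsutil or the PowerDNS project. It reimplements ipcipher for
       IPv4 so that ipencrypt and ipdecrypt output can be checked and the
       construction understood. Two details are taken from the published
       ipcipher specification as this editor recalls it and should be treated
       as assumptions: the 16-byte key is PBKDF2-HMAC-SHA1 of the password
       with the salt "ipcipheripcipher" and 50000 iterations, and an IPv4
       address is passed through Aumasson's 'ipcrypt' 4-byte permutation
       (three xor-and-permute rounds plus a final key xor). IPv6 addresses,
       which ipcipher handles with AES-128 over the 16 address bytes, are not
       covered. The addresses and passwords used are constructed test inputs.

```python
# Added example, not part of pdnsutil or PowerDNS: ipcipher for IPv4 from
# scratch.  Key derivation parameters and the ipcrypt permutation are
# transcribed from the published specs and should be verified against
# `pdnsutil ipencrypt` before relying on them.
import hashlib
import ipaddress

IPCIPHER_SALT = b"ipcipheripcipher"   # assumed per the ipcipher spec
IPCIPHER_ITERATIONS = 50000           # assumed per the ipcipher spec


def derive_key(password: str) -> bytes:
    """Password -> 16-byte ipcrypt key (PBKDF2-HMAC-SHA1, fixed salt and iteration count)."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), IPCIPHER_SALT,
                               IPCIPHER_ITERATIONS, dklen=16)


def _rotl8(b: int, r: int) -> int:
    return ((b << r) & 0xFF) | (b >> (8 - r))


def _permute_fwd(s):
    """ipcrypt's ARX round on four bytes (add, rotate, xor)."""
    b0, b1, b2, b3 = s
    b0 = (b0 + b1) & 0xFF; b2 = (b2 + b3) & 0xFF
    b1 = _rotl8(b1, 2);     b3 = _rotl8(b3, 5)
    b1 ^= b0;               b3 ^= b2
    b0 = _rotl8(b0, 4)
    b0 = (b0 + b3) & 0xFF;  b2 = (b2 + b1) & 0xFF
    b1 = _rotl8(b1, 3);     b3 = _rotl8(b3, 7)
    b1 ^= b2;               b3 ^= b0
    b2 = _rotl8(b2, 4)
    return [b0, b1, b2, b3]


def _permute_bwd(s):
    """Exact inverse of _permute_fwd: same steps in reverse with inverse rotations."""
    b0, b1, b2, b3 = s
    b2 = _rotl8(b2, 4)
    b1 ^= b2;               b3 ^= b0
    b1 = _rotl8(b1, 5);     b3 = _rotl8(b3, 1)
    b0 = (b0 - b3) & 0xFF;  b2 = (b2 - b1) & 0xFF
    b0 = _rotl8(b0, 4)
    b1 ^= b0;               b3 ^= b2
    b1 = _rotl8(b1, 6);     b3 = _rotl8(b3, 3)
    b0 = (b0 - b1) & 0xFF;  b2 = (b2 - b3) & 0xFF
    return [b0, b1, b2, b3]


def _xor4(s, k):
    return [a ^ b for a, b in zip(s, k)]


def ipcrypt_encrypt(key: bytes, ip: str) -> str:
    """ipcrypt: xor a 4-byte key chunk, permute, three times; then xor the last chunk."""
    if len(key) != 16:
        raise ValueError("ipcrypt needs a 16-byte key")
    s = list(ipaddress.IPv4Address(ip).packed)
    for i in range(3):
        s = _permute_fwd(_xor4(s, key[4 * i:4 * i + 4]))
    s = _xor4(s, key[12:16])
    return str(ipaddress.IPv4Address(bytes(s)))


def ipcrypt_decrypt(key: bytes, ip: str) -> str:
    """Undo ipcrypt_encrypt: peel the last xor, then inverse-permute and xor in reverse order."""
    if len(key) != 16:
        raise ValueError("ipcrypt needs a 16-byte key")
    s = _xor4(list(ipaddress.IPv4Address(ip).packed), key[12:16])
    for i in (2, 1, 0):
        s = _xor4(_permute_bwd(s), key[4 * i:4 * i + 4])
    return str(ipaddress.IPv4Address(bytes(s)))


def ipencrypt(ip: str, password: str) -> str:
    """Same arguments as `pdnsutil ipencrypt IP-ADDRESS PASSWORD`."""
    return ipcrypt_encrypt(derive_key(password), ip)


def ipdecrypt(ip: str, password: str) -> str:
    """Same arguments as `pdnsutil ipdecrypt IP-ADDRESS PASSWORD`."""
    return ipcrypt_decrypt(derive_key(password), ip)


if __name__ == "__main__":
    # ipcrypt reference vector (raw key, no derivation): 127.0.0.1 -> 114.62.227.59
    print(ipcrypt_encrypt(b"some 16-byte key", "127.0.0.1"))
    pseudonym = ipencrypt("203.0.113.9", "example password")   # constructed input
    print(pseudonym, ipdecrypt(pseudonym, "example password"))
```

       Two properties to keep in mind when using ipcipher for log
       pseudonymisation: the mapping is deterministic, so the same address
       always yields the same pseudonym under one password and correlation
       across a log remains possible; and the key is only as strong as the
       password, since anyone who can guess it can run ipdecrypt over the
       whole 32-bit IPv4 space.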
328
330 pdns_server (1), pdns_control (1)
331
333 PowerDNS.COM BV
334
336 2001-2019, PowerDNS.COM BV
337
338
339
340
341 Apr 06, 2020 PDNSUTIL(1)