PDNSUTIL(1)                   PowerDNS Recursor                    PDNSUTIL(1)

NAME
       pdnsutil - PowerDNS dnssec command and control

SYNOPSIS
       pdnsutil [OPTION]... COMMAND

DESCRIPTION
       pdnsutil (formerly pdnssec) is a powerful command that is the
       operator-friendly gateway into DNSSEC and zone management for
       PowerDNS. Behind the scenes, pdnsutil manipulates a PowerDNS backend
       database, which also means that for many databases, pdnsutil can be
       run remotely, and can configure key material on different servers.

OPTIONS
       -h, --help
              Show summary of options.

       -v, --verbose
              Be more verbose.

       --force
              Force an action.

       --config-name <NAME>
              Virtual configuration name.

       --config-dir <DIR>
              Location of pdns.conf. Default is /etc/powerdns.

COMMANDS
       There are many available commands; this section splits them up into
       their respective uses.

   DNSSEC RELATED COMMANDS
       Several commands manipulate the DNSSEC keys and options for zones.
       Some of these commands require an ALGORITHM to be set. The following
       algorithms are supported:

       · rsasha1

       · rsasha256

       · rsasha512

       · gost

       · ecdsa256

       · ecdsa384

       activate-zone-key ZONE KEY-ID
              Activate a key with id KEY-ID within a zone called ZONE.

       add-zone-key ZONE {KSK,ZSK} [active,inactive] KEYBITS ALGORITHM
              Create a new key for zone ZONE, and make it a KSK or a ZSK,
              with the specified algorithm. The key is inactive by default;
              set it to active to immediately use it to sign ZONE. Prints
              the id of the added key.

       create-bind-db FILE
              Create DNSSEC database (sqlite3) at FILE for the BIND backend.
              Remember to set bind-dnssec-db=*FILE* in your pdns.conf.

       deactivate-zone-key ZONE KEY-ID
              Deactivate a key with id KEY-ID within a zone called ZONE.

       disable-dnssec ZONE
              Deactivate all keys and unset PRESIGNED in ZONE.

       export-zone-dnskey ZONE KEY-ID
              Export to standard output the DNSKEY and DS of the key with
              key id KEY-ID within the zone called ZONE.

       export-zone-key ZONE KEY-ID
              Export to standard output the full (private) key with key id
              KEY-ID within the zone called ZONE. The format used is
              compatible with BIND and NSD/LDNS.

       generate-zone-key {KSK,ZSK} [ALGORITHM] [KEYBITS]
              Generate a ZSK or KSK with the specified algorithm and bits
              and print it on STDOUT. If ALGORITHM is not set, RSASHA512 is
              used. If KEYBITS is not set, an appropriate keysize is
              selected for ALGORITHM.

       import-zone-key ZONE FILE {KSK,ZSK}
              Import from FILE a full (private) key for the zone called
              ZONE. The format used is compatible with BIND and NSD/LDNS.
              KSK or ZSK specifies the flags this key should have on
              import. Prints the id of the added key.

       remove-zone-key ZONE KEY-ID
              Remove a key with id KEY-ID from a zone called ZONE.

       set-nsec3 ZONE 'HASH-ALGORITHM FLAGS ITERATIONS SALT' [narrow]
              Sets NSEC3 parameters for this zone. The quoted parameters
              are 4 values that are used for the NSEC3PARAM record and
              decide how NSEC3 records are created. The NSEC3 parameters
              must be quoted on the command line. HASH-ALGORITHM must be 1
              (SHA-1). Setting FLAGS to 1 enables NSEC3 opt-out operation.
              Only do this if you know you need it. For ITERATIONS, please
              consult RFC 5155, section 10.3, and be aware that a high
              number might overload validating resolvers. The SALT is a
              hexadecimal string encoding the bits for the salt, or - to
              use no salt. Setting narrow will make PowerDNS send out
              "white lies" about the next secure record: instead of looking
              it up in the database, it will send out the hash + 1 as the
              next secure record. A sample commandline is: "pdnsutil
              set-nsec3 powerdnssec.org '1 1 1 ab' narrow". WARNING: If
              running in RSASHA1 mode (algorithm 5 or 7), switching from
              NSEC to NSEC3 will require a DS update in the parent zone.

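       As an added illustration (not part of this man page or of the PowerDNS
       code), the hashing that set-nsec3 configures and hash-zone-record
       performs, plus the "hash + 1" white lie of narrow mode. The parameter
       string format is the quoted one above; the test vector is from RFC 5155
       Appendix A, and the name "example" is assumed.

```python
import base64
import hashlib

# RFC 4648 base32 with the "extended hex" alphabet used for NSEC3 owner names.
_TO_HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                          b"0123456789ABCDEFGHIJKLMNOPQRSTUV")
_FROM_HEX = bytes.maketrans(b"0123456789ABCDEFGHIJKLMNOPQRSTUV",
                            b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567")

def parse_nsec3_params(spec):
    """Split the quoted 'HASH-ALGORITHM FLAGS ITERATIONS SALT' argument of
    set-nsec3 into typed values; a SALT of '-' means an empty salt."""
    algo, flags, iters, salt = spec.split()
    return int(algo), int(flags), int(iters), (b"" if salt == "-" else bytes.fromhex(salt))

def name_to_wire(name):
    """Canonical wire form: lowercase, length-prefixed labels, zero terminator."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def nsec3_hash(name, spec):
    """RFC 5155 section 5: iterations+1 rounds of SHA-1 with the salt appended
    each round, rendered as the lowercase base32hex label hash-zone-record prints."""
    algo, _flags, iterations, salt = parse_nsec3_params(spec)
    if algo != 1:
        raise ValueError("HASH-ALGORITHM must be 1 (SHA-1)")
    digest = hashlib.sha1(name_to_wire(name) + salt).digest()
    for _ in range(iterations):  # each extra iteration costs validators one more SHA-1
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_TO_HEX).rstrip(b"=").decode().lower()

def narrow_next(hashed):
    """Narrow-mode white lie: the 'next' hashed owner name is hash + 1 (mod 2^160),
    so the real next record never has to be looked up in the database."""
    raw = base64.b32decode(hashed.upper().encode().translate(_FROM_HEX))
    nxt = (int.from_bytes(raw, "big") + 1) % (1 << 160)
    return base64.b32encode(nxt.to_bytes(20, "big")).translate(_TO_HEX).decode().lower()

if __name__ == "__main__":
    # '1 0 12 aabbccdd' is the RFC 5155 example zone; '1 1 1 ab' is the man page's sample.
    for spec in ("1 0 12 aabbccdd", "1 1 1 ab"):
        h = nsec3_hash("example", spec)
        print(f"{spec!r}: example -> {h}, narrow next -> {narrow_next(h)}")
```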
       unset-nsec3 ZONE
              Converts ZONE to NSEC operations. WARNING: If running in
              RSASHA1 mode (algorithm 5 or 7), switching from NSEC to NSEC3
              will require a DS update at the parent zone!

       set-publish-cds ZONE [DIGESTALGOS]
              Set ZONE to respond to queries for its CDS records. The
              optional argument DIGESTALGOS should be a comma-separated
              list of DS algorithms to use. By default, this is 1,2 (SHA1
              and SHA2-256).

       set-publish-cdnskey ZONE
              Set ZONE to publish CDNSKEY records.

       unset-publish-cds ZONE
              Set ZONE to stop responding to queries for its CDS records.

       unset-publish-cdnskey ZONE
              Set ZONE to stop publishing CDNSKEY records.

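       The DS that export-zone-dnskey prints, and the DIGESTALGOS numbering
       that set-publish-cds uses for CDS, worked through as an added example
       that is not PowerDNS code. The DNSKEY is constructed with a placeholder
       64-byte "public key" (not a real ecdsa256 key) and the owner name
       example.org. is assumed.

```python
import base64
import hashlib
import struct

def name_to_wire(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA (RFC 4034 section 2.1): flags, protocol, algorithm, key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata):
    """Key tag (RFC 4034 Appendix B), valid for every algorithm except RSA/MD5 (1)."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

# DS digest types as numbered in DIGESTALGOS: 1 = SHA-1, 2 = SHA-256.
DS_DIGEST = {1: hashlib.sha1, 2: hashlib.sha256}

def ds_digest(owner, rdata, digest_type):
    """RFC 4034 section 5.1.4: digest over canonical owner name || DNSKEY RDATA."""
    return DS_DIGEST[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()

def ds_records(owner, flags, protocol, algorithm, pubkey, digest_algos="1,2", rrtype="DS"):
    """Presentation-format DS (or CDS) records for one DNSKEY, one per entry in
    the comma-separated DIGESTALGOS list; '1,2' is the set-publish-cds default."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    tag = key_tag(rdata)
    return [f"{owner} IN {rrtype} {tag} {algorithm} {dt} {ds_digest(owner, rdata, dt)}"
            for dt in (int(x) for x in digest_algos.split(","))]

# Constructed KSK: flags 257, protocol 3, algorithm 13 (ecdsa256); placeholder key bytes.
DEMO_OWNER = "example.org."
DEMO_PUBKEY = bytes(range(1, 65))

if __name__ == "__main__":
    print(f"{DEMO_OWNER} IN DNSKEY 257 3 13 {base64.b64encode(DEMO_PUBKEY).decode()}")
    for rr in ds_records(DEMO_OWNER, 257, 3, 13, DEMO_PUBKEY):
        print(rr)
    for rr in ds_records(DEMO_OWNER, 257, 3, 13, DEMO_PUBKEY, rrtype="CDS"):
        print(rr)
```

       A parent publishes the DS, so a change in the key's tag or digest
       (as after the algorithm switch warned about above) is what forces the
       DS update at the parent.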
   TSIG RELATED COMMANDS
       These commands manipulate TSIG key information in the database. Some
       commands require an ALGORITHM; the following are available:

       · hmac-md5

       · hmac-sha1

       · hmac-sha224

       · hmac-sha256

       · hmac-sha384

       · hmac-sha512

       activate-tsig-key ZONE NAME {master,slave}
              Enable TSIG authenticated AXFR using the key NAME for zone
              ZONE. This sets the TSIG-ALLOW-AXFR (master) or
              AXFR-MASTER-TSIG (slave) zone metadata.

       deactivate-tsig-key ZONE NAME {master,slave}
              Disable TSIG authenticated AXFR using the key NAME for zone
              ZONE.

       delete-tsig-key NAME
              Delete the TSIG key NAME. Warning: this does not deactivate
              said key.

       generate-tsig-key NAME ALGORITHM
              Generate a new TSIG key with name NAME and the specified
              algorithm.

       import-tsig-key NAME ALGORITHM KEY
              Import KEY of the specified algorithm as NAME.

       list-tsig-keys
              Show a list of all configured TSIG keys.

   ZONE MANIPULATION COMMANDS
       add-record ZONE NAME TYPE [TTL] CONTENT
              Add one or more records of NAME and TYPE to ZONE with CONTENT
              and optional TTL. If TTL is not set, the default will be used.

       create-zone ZONE
              Create an empty zone named ZONE.

       create-slave-zone ZONE MASTER [MASTER]..
              Create a new slave zone ZONE with masters MASTER. All MASTERs
              need to be IP addresses with an optional port.

       change-slave-zone-master ZONE MASTER [MASTER]..
              Change the masters for slave zone ZONE to new masters MASTER.
              All MASTERs need to be IP addresses with an optional port.

       check-all-zones
              Check all zones for correctness.

       check-zone ZONE
              Check zone ZONE for correctness.

       clear-zone ZONE
              Clear the records in zone ZONE, but leave the actual domain
              and settings unchanged.

       delete-zone ZONE
              Delete the zone named ZONE.

       edit-zone ZONE
              Opens ZONE in zonefile format (regardless of the backend it
              was loaded from) in the editor set in the environment
              variable EDITOR. If EDITOR is empty, pdnsutil falls back to
              using editor.

       get-meta ZONE [ATTRIBUTE]...
              Get zone metadata. If no ATTRIBUTE is given, lists all known.

       hash-zone-record ZONE RNAME
              This convenience command hashes the name RNAME according to
              the NSEC3 settings of ZONE. Refuses to hash for zones with no
              NSEC3 settings.

       list-keys [ZONE]
              List DNSSEC information for all keys or for ZONE.

       list-all-zones
              List all zone names.

       list-zone ZONE
              Show all records for ZONE.

       load-zone ZONE FILE
              Load records for ZONE from FILE. If ZONE already exists, all
              records are overwritten; this operation is atomic. If ZONE
              doesn't exist, it is created.

       rectify-zone ZONE
              Calculates the 'ordername' and 'auth' fields for a zone
              called ZONE so they comply with DNSSEC settings. Can be used
              to fix up migrated data. Can always safely be run, it does no
              harm.

       rectify-all-zones
              Calculates the 'ordername' and 'auth' fields for all zones so
              they comply with DNSSEC settings. Can be used to fix up
              migrated data. Can always safely be run, it does no harm.

       secure-zone ZONE
              Configures a zone called ZONE with reasonable DNSSEC
              settings. You should manually run 'pdnsutil rectify-zone'
              afterwards.

       secure-all-zones [increase-serial]
              Configures all zones that are not currently signed with
              reasonable DNSSEC settings. Setting increase-serial will
              increase the serial of those zones too. You should manually
              run 'pdnsutil rectify-all-zones' afterwards.

       set-kind ZONE KIND
              Change the kind of ZONE to KIND (master, slave, native).

       set-account ZONE ACCOUNT
              Change the account (owner) of ZONE to ACCOUNT.

       add-meta ZONE ATTRIBUTE VALUE [VALUE]...
              Append VALUE to the existing ATTRIBUTE metadata for ZONE.
              Will return an error if ATTRIBUTE does not support multiple
              values; use set-meta for these values.

       set-meta ZONE ATTRIBUTE [VALUE]...
              Set domainmetadata ATTRIBUTE for ZONE to VALUE. An empty
              value clears it.

       set-presigned ZONE
              Switches ZONE to presigned operation, utilizing in-zone
              RRSIGs.

       show-zone ZONE
              Shows all DNSSEC related settings of a zone called ZONE.

       test-schema ZONE
              Test the database schema; this creates the zone ZONE.

       unset-presigned ZONE
              Disables presigned operation for ZONE.

   DEBUGGING TOOLS
       backend-cmd BACKEND CMD [CMD..]
              Send a text command to a backend for execution. GSQL backends
              will take SQL commands, other backends may take different
              things. Be careful!

SEE ALSO
       pdns_server (1), pdns_control (1)

AUTHOR
       PowerDNS.COM BV

COPYRIGHT
       2001-2018, PowerDNS.COM BV

4.1                              Mar 22, 2019                      PDNSUTIL(1)