PDNSUTIL(1)              PowerDNS Authoritative Server             PDNSUTIL(1)

NAME
       pdnsutil - PowerDNS record and DNSSEC command and control

SYNOPSIS
       pdnsutil [OPTION]... COMMAND

DESCRIPTION
       pdnsutil (formerly pdnssec) is the operator-friendly command-line
       gateway to DNSSEC and zone management for the PowerDNS Authoritative
       Server. Behind the scenes, pdnsutil reads and writes the PowerDNS
       backend database directly, using the backend settings from pdns.conf.
       For most database backends this means pdnsutil can be run remotely
       and can configure key material on servers other than the one it runs
       on; anyone holding the database credentials it uses can do the same.

OPTIONS
       -h, --help
              Show a summary of options.

       -v, --verbose
              Be more verbose.

       --force
              Force an action.

       --config-name <NAME>
              Virtual configuration name.

       --config-dir <DIR>
              Location of pdns.conf. Default is /etc/powerdns.

COMMANDS
       There are many available commands; this section groups them by their
       respective uses.

   DNSSEC RELATED COMMANDS
       Several commands manipulate the DNSSEC keys and options for zones.
       Some of these commands require an ALGORITHM to be set. The following
       algorithms are supported:

       • rsasha1

       • rsasha1-nsec3-sha1

       • rsasha256

       • rsasha512

       • ecdsa256

       • ecdsa384

       • ed25519

       • ed448

       The two SHA-1 based RSA algorithms (DNSSEC algorithm numbers 5 and 7)
       are kept for existing zones; RFC 8624 marks them NOT RECOMMENDED for
       signing. For new keys use ecdsa256 (the default of generate-zone-key)
       or ed25519.

       activate-zone-key ZONE KEY-ID
              Activate the key with id KEY-ID within the zone called ZONE.

       add-zone-key ZONE [KSK,ZSK] [active,inactive] [published,unpublished]
       KEYBITS ALGORITHM
              Create a new key for zone ZONE, and make it a KSK or a ZSK
              (default), with the specified algorithm. The key is inactive by
              default; set it to active to immediately use it to sign ZONE.
              The key is published in the zone by default; set it to
              unpublished to keep it from being returned in a DNSKEY query,
              which is useful for algorithm rollovers, where RFC 6781 wants
              the new algorithm's signatures in place before its DNSKEY
              becomes visible. Prints the id of the added key.

       create-bind-db FILE
              Create a DNSSEC database (sqlite3) at FILE for the BIND
              backend. Remember to set bind-dnssec-db=FILE in your pdns.conf.

       deactivate-zone-key ZONE KEY-ID
              Deactivate the key with id KEY-ID within the zone called ZONE.

       disable-dnssec ZONE
              Deactivate all keys and unset PRESIGNED in ZONE.

       export-zone-dnskey ZONE KEY-ID
              Export to standard output the DNSKEY and DS of the key with
              key id KEY-ID within the zone called ZONE.

       export-zone-ds ZONE
              Export to standard output all KSK DS records for ZONE. These
              are the records to hand to the parent zone or registrar.

       export-zone-key ZONE KEY-ID
              Export to standard output the full (private) key with key id
              KEY-ID within the zone called ZONE. The format used is
              compatible with BIND and NSD/LDNS. The output is secret key
              material; redirect it only to a file with restrictive
              permissions.

       generate-zone-key {KSK,ZSK} [ALGORITHM] [KEYBITS]
              Generate a ZSK or KSK with the specified algorithm and key
              size and print it on standard output, without storing it in
              any zone (use import-zone-key for that). If ALGORITHM is not
              set, ECDSA256 is used. If KEYBITS is not set, an appropriate
              key size is selected for ALGORITHM. Each ECC-based algorithm
              supports only one valid KEYBITS value: for ECDSA256 and
              ED25519, it is 256; for ECDSA384, it is 384; and for ED448, it
              is 456.

       import-zone-key ZONE FILE {KSK,ZSK}
              Import from FILE a full (private) key for the zone called
              ZONE. The format used is compatible with BIND and NSD/LDNS.
              KSK or ZSK specifies the flags this key should have on import.
              Prints the id of the added key.

       publish-zone-key ZONE KEY-ID
              Publish the key with id KEY-ID within the zone called ZONE.

       remove-zone-key ZONE KEY-ID
              Remove the key with id KEY-ID from the zone called ZONE.

       set-nsec3 ZONE ['HASH-ALGORITHM FLAGS ITERATIONS SALT'] [narrow]
              Sets NSEC3 parameters for this zone. The quoted parameters are
              the 4 values that go into the NSEC3PARAM record and decide how
              NSEC3 records are created. The NSEC3 parameters must be quoted
              on the command line so that they form a single argument.
              HASH-ALGORITHM must be 1 (SHA-1). Setting FLAGS to 1 enables
              NSEC3 opt-out operation; only do this if you know you need it,
              because opt-out leaves insecure delegations without a denial
              of existence proof (RFC 5155, section 12.2). For ITERATIONS,
              please consult RFC 5155, section 10.3, and be aware that a
              high number might overload validating resolvers; a limit can
              be set with max-nsec3-iterations in pdns.conf. RFC 9276 now
              recommends 0 iterations and no salt. The SALT is a hexadecimal
              string encoding the bits for the salt, or - to use no salt.
              Setting narrow will make PowerDNS send out "white lies" (RFC
              7129) about the next secure record to prevent zone
              enumeration: instead of looking it up in the database, it will
              send out the hash + 1 as the next secure record. Narrow mode
              requires online signing capabilities in the nameserver, and
              therefore zone transfers are denied. If only the zone is
              provided as argument, the 4-parameter quoted string defaults
              to '1 0 0 -'. A sample command line is: pdnsutil set-nsec3
              powerdnssec.org '1 1 1 ab' narrow. WARNING: If running in
              RSASHA1 mode (algorithm 5 or 7), switching from NSEC to NSEC3
              will require a DS update in the parent zone.

       unpublish-zone-key ZONE KEY-ID
              Unpublish the key with id KEY-ID within the zone called ZONE.

       unset-nsec3 ZONE
              Converts ZONE to NSEC operation. WARNING: If running in RSASHA1
              mode (algorithm 5 or 7), switching from NSEC3 back to NSEC
              will require a DS update at the parent zone!

       set-publish-cds ZONE [DIGESTALGOS]
              Set ZONE to respond to queries for its CDS records. The
              optional argument DIGESTALGOS should be a comma-separated list
              of DS digest algorithms to use. By default, this is 2
              (SHA-256). 0 will publish a CDS with the DNSSEC delete
              algorithm (RFC 8078), which asks the parent to remove the DS.

       set-publish-cdnskey ZONE [delete]
              Set ZONE to publish CDNSKEY records. Add 'delete' to publish a
              CDNSKEY with the DNSSEC delete algorithm.

       unset-publish-cds ZONE
              Set ZONE to stop responding to queries for its CDS records.

       unset-publish-cdnskey ZONE
              Set ZONE to stop publishing CDNSKEY records.
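
       The DS records printed by export-zone-ds and export-zone-dnskey, and
       the CDS published by set-publish-cds, are all derived from the
       DNSKEY. The following Python is an added example, not PowerDNS code,
       of that derivation, so that what a parent zone publishes can be
       checked against what pdnsutil printed. The key tag follows RFC 4034
       Appendix B and the digest RFC 4034 section 5.1.4 (SHA-256 as in RFC
       4509). The DNSKEY key bytes below are a constructed placeholder, not
       a real key, and the function names are this example's own.

```python
"""Derive a DS record from a DNSKEY RR and check a published DS against it.

Added example, not PowerDNS code. Standard library only.
"""
import base64
import hashlib
import struct

# Constructed sample: the rdata of a DNSKEY as printed after "IN DNSKEY":
# FLAGS PROTOCOL ALGORITHM BASE64KEY. 257 = KSK, 13 = ECDSAP256SHA256.
# The key bytes are a placeholder, not a real public key.
SAMPLE_OWNER = "example.org."
SAMPLE_KEY_BYTES = bytes(range(32))
SAMPLE_DNSKEY = "257 3 13 " + base64.b64encode(SAMPLE_KEY_BYTES).decode("ascii")

# DS digest types: 1 = SHA-1, 2 = SHA-256 (the set-publish-cds default), 4 = SHA-384
DIGEST_ALGOS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def to_wire(name: str) -> bytes:
    """Canonical wire form (RFC 4034 section 6.2): lowercase, length-prefixed labels, root label."""
    labels = [l.encode("ascii") for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"


def parse_dnskey(rdata: str):
    """Split 'FLAGS PROTOCOL ALGORITHM BASE64KEY'; the base64 may be wrapped over whitespace."""
    flags, protocol, algorithm, key_b64 = rdata.split(None, 3)
    pubkey = base64.b64decode("".join(key_b64.split()))
    return int(flags), int(protocol), int(algorithm), pubkey


def dnskey_wire(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA in wire format: 16-bit flags, 8-bit protocol, 8-bit algorithm, key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> int:
    """RFC 4034 Appendix B key tag: 16-bit big-endian sum over the RDATA, folded once."""
    if algorithm == 1:
        raise ValueError("algorithm 1 (RSA/MD5) uses a different key tag computation")
    acc = 0
    for i, octet in enumerate(dnskey_wire(flags, protocol, algorithm, pubkey)):
        acc += octet << 8 if i % 2 == 0 else octet
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_record(owner: str, dnskey_rdata: str, digest_type: int = 2) -> str:
    """Return 'OWNER IN DS TAG ALG DIGESTTYPE DIGEST' for the given DNSKEY rdata."""
    if digest_type not in DIGEST_ALGOS:
        raise ValueError("unsupported DS digest type %d" % digest_type)
    flags, protocol, algorithm, pubkey = parse_dnskey(dnskey_rdata)
    # The digest covers the owner name in canonical form followed by the DNSKEY RDATA.
    data = to_wire(owner) + dnskey_wire(flags, protocol, algorithm, pubkey)
    digest = DIGEST_ALGOS[digest_type](data).hexdigest().upper()
    tag = key_tag(flags, protocol, algorithm, pubkey)
    return "%s IN DS %d %d %d %s" % (owner, tag, algorithm, digest_type, digest)


def ds_matches(owner: str, dnskey_rdata: str, published_ds_rdata: str) -> bool:
    """True if the published DS rdata 'TAG ALG DIGESTTYPE DIGEST' was derived from this DNSKEY.

    The digest is compared, not just the key tag: tags are 16 bits and can collide."""
    parts = published_ds_rdata.split()
    if len(parts) < 4:
        return False
    tag, alg, dtype = parts[:3]
    digest = "".join(parts[3:]).upper()   # presentation format may wrap the digest
    try:
        expected = ds_record(owner, dnskey_rdata, int(dtype)).split(" IN DS ")[1]
    except (ValueError, KeyError):
        return False
    return expected == "%s %s %s %s" % (tag, alg, dtype, digest)


if __name__ == "__main__":
    print(ds_record(SAMPLE_OWNER, SAMPLE_DNSKEY))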

   TSIG RELATED COMMANDS
       These commands manipulate TSIG key information in the database. Some
       commands require an ALGORITHM; the following are available:

       • hmac-md5

       • hmac-sha1

       • hmac-sha224

       • hmac-sha256

       • hmac-sha384

       • hmac-sha512

       Prefer hmac-sha256 or stronger for new keys; hmac-md5 is listed only
       for interoperability with old peers.

       activate-tsig-key ZONE NAME {primary,secondary}
              Enable TSIG authenticated AXFR using the key NAME for zone
              ZONE. This sets the TSIG-ALLOW-AXFR (primary) or
              AXFR-MASTER-TSIG (secondary) zone metadata.

       deactivate-tsig-key ZONE NAME {primary,secondary}
              Disable TSIG authenticated AXFR using the key NAME for zone
              ZONE.

       delete-tsig-key NAME
              Delete the TSIG key NAME. Warning: this does not deactivate
              the key, so zone metadata that refers to NAME is left in place.

       generate-tsig-key NAME ALGORITHM
              Generate a new TSIG key with name NAME and the specified
              algorithm.

       import-tsig-key NAME ALGORITHM KEY
              Import KEY (base64) of the specified algorithm as NAME.

       list-tsig-keys
              Show a list of all configured TSIG keys.

ZONE MANIPULATION COMMANDS
       add-record ZONE NAME TYPE [TTL] CONTENT
              Add one or more records of NAME and TYPE to ZONE with CONTENT
              and an optional TTL. If TTL is not set, the default TTL is
              used.

       add-autoprimary IP NAMESERVER [ACCOUNT]
              Add an autoprimary entry to the backend. This allows the
              server to accept zones announced by that primary.

       remove-autoprimary IP NAMESERVER
              Remove an autoprimary from the backend. Not supported by the
              BIND backend.

       list-autoprimaries
              List all autoprimaries.

       create-zone ZONE
              Create an empty zone named ZONE.

       create-secondary-zone ZONE PRIMARY [PRIMARY]..
              Create a new secondary zone ZONE with primaries PRIMARY. All
              PRIMARYs need to be space-separated IP addresses with an
              optional port.

       change-secondary-zone-primary ZONE PRIMARY [PRIMARY]..
              Change the primaries for secondary zone ZONE to the new
              primaries PRIMARY. All PRIMARYs need to be space-separated IP
              addresses with an optional port.

       check-all-zones
              Check all zones for correctness.

       check-zone ZONE
              Check zone ZONE for correctness.

       clear-zone ZONE
              Clear the records in zone ZONE, but leave the actual zone and
              its settings unchanged.

       delete-rrset ZONE NAME TYPE
              Delete the named RRset from the zone.

       delete-zone ZONE
              Delete the zone named ZONE.

       edit-zone ZONE
              Opens ZONE in zonefile format (regardless of the backend it
              was loaded from) in the editor set in the environment variable
              EDITOR. If EDITOR is empty, pdnsutil falls back to using
              editor.

       get-meta ZONE [ATTRIBUTE]...
              Get zone metadata. If no ATTRIBUTE is given, lists all known
              attributes.

       hash-password [WORK-FACTOR]
              This convenience command asks for a password and returns a
              hashed and salted version, for use as a webserver password or
              API key. An optional scrypt work factor can be specified as a
              power of two; otherwise it defaults to 1024.

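       As an added illustration, not PowerDNS code, of what a command like
       hash-password produces and how such a hash is checked, the following
       Python hashes a password with scrypt at a power-of-two work factor
       and verifies it in constant time. The '$scrypt$ln=..' serialization
       and the function names are this example's own; whether it is
       byte-for-byte the format PowerDNS stores is not established by this
       page.

```python
"""scrypt password hashing with a selectable power-of-two work factor.

Added example, not PowerDNS code; the string format is this example's own.
Needs a Python built against OpenSSL with scrypt support (hashlib.scrypt).
"""
import base64
import hashlib
import hmac
import os
from typing import Optional

SCRYPT_R = 8                 # scrypt block size
SCRYPT_P = 1                 # scrypt parallelisation
DK_LEN = 32                  # derived key length in bytes
DEFAULT_WORK_FACTOR = 1024   # N, the man page's default


def is_power_of_two(n: int) -> bool:
    return n >= 2 and (n & (n - 1)) == 0


def hash_password(password: str, work_factor: int = DEFAULT_WORK_FACTOR,
                  salt: Optional[bytes] = None) -> str:
    """Return '$scrypt$ln=<log2 N>,p=<p>,r=<r>$<salt b64>$<hash b64>'.

    A caller-supplied salt exists only to make the example reproducible;
    leave it None in real use so every hash gets 16 fresh random bytes."""
    if not is_power_of_two(work_factor):
        raise ValueError("work factor must be a power of two >= 2")
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                        n=work_factor, r=SCRYPT_R, p=SCRYPT_P, dklen=DK_LEN)
    ln = work_factor.bit_length() - 1   # N is a power of two, so log2 is exact
    return "$scrypt$ln=%d,p=%d,r=%d$%s$%s" % (
        ln, SCRYPT_P, SCRYPT_R,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"))


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the parameters embedded in STORED and compare in constant time.

    Malformed or foreign hash strings return False rather than raising, so a
    bad database row cannot turn into an exception in an authentication path."""
    try:
        _, scheme, params, salt_b64, hash_b64 = stored.split("$")
        if scheme != "scrypt":
            return False
        kv = dict(item.split("=") for item in params.split(","))
        n = 1 << int(kv["ln"])
        r, p = int(kv["r"]), int(kv["p"])
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(hash_b64)
    except (ValueError, KeyError):
        return False
    dk = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                        n=n, r=r, p=p, dklen=len(expected))
    return hmac.compare_digest(dk, expected)


if __name__ == "__main__":
    h = hash_password("correct horse battery staple")
    print(h, verify_password("correct horse battery staple", h))
```

       The work factor is stored as ln (log2 N) so that verification can
       recompute with exactly the parameters used at hash time, which is
       what allows the factor to be raised later without invalidating
       existing hashes.
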
       hash-zone-record ZONE RNAME
              This convenience command hashes the name RNAME according to
              the NSEC3 settings of ZONE. Refuses to hash for zones with no
              NSEC3 settings.

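       The hash that hash-zone-record prints, and that the set-nsec3
       parameters above control, is the RFC 5155 section 5 iterated SHA-1
       over the owner name in canonical wire form. The following Python is
       an added example, not PowerDNS code, that computes it from an
       NSEC3PARAM string in the same quoted format set-nsec3 takes, and
       flags parameter choices RFC 9276 advises against. The string
       '1 0 12 aabbccdd' is the RFC 5155 Appendix A example; the function
       names and the 100-iteration limit used for the check are this
       example's own assumptions.

```python
"""NSEC3 owner-name hashing (RFC 5155 section 5), as hash-zone-record does it.

Added example, not PowerDNS code. Standard library only.
"""
import base64
import hashlib
from typing import List, Tuple

# RFC 5155 Appendix A zone parameters, in the quoted form set-nsec3 takes.
RFC5155_PARAMS = "1 0 12 aabbccdd"
# RFC 9276 recommendation: no extra iterations, no salt (the set-nsec3 default).
RECOMMENDED_PARAMS = "1 0 0 -"

# base32 -> base32hex (RFC 4648 section 7), the alphabet NSEC3 owner names use
_B32_TO_B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                                 b"0123456789ABCDEFGHIJKLMNOPQRSTUV")


def parse_nsec3param(params: str) -> Tuple[int, int, int, bytes]:
    """Split 'HASH-ALGORITHM FLAGS ITERATIONS SALT' and range-check each field."""
    fields = params.split()
    if len(fields) != 4:
        raise ValueError("expected 'HASH-ALGORITHM FLAGS ITERATIONS SALT'")
    algo, flags, iterations = (int(f) for f in fields[:3])
    if algo != 1:
        raise ValueError("HASH-ALGORITHM must be 1 (SHA-1); nothing else is defined")
    if flags not in (0, 1):
        raise ValueError("FLAGS must be 0, or 1 for opt-out")
    if not 0 <= iterations <= 0xFFFF:
        raise ValueError("ITERATIONS is a 16-bit field")
    salt = b"" if fields[3] == "-" else bytes.fromhex(fields[3])
    if len(salt) > 255:
        raise ValueError("SALT is at most 255 octets")
    return algo, flags, iterations, salt


def to_wire(name: str) -> bytes:
    """Canonical wire form (RFC 4034 section 6.2): lowercase, length-prefixed labels, root label."""
    labels = [l.encode("ascii") for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"


def nsec3_hash(name: str, params: str) -> str:
    """Base32hex NSEC3 hash of NAME: H(name||salt), then ITERATIONS rounds of H(prev||salt)."""
    _, _, iterations, salt = parse_nsec3param(params)
    digest = hashlib.sha1(to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    # 20 digest bytes become exactly 32 base32 characters, so there is no padding
    return base64.b32encode(digest).translate(_B32_TO_B32HEX).decode("ascii").lower()


def nsec3_warnings(params: str, max_iterations: int = 100) -> List[str]:
    """Policy checks worth running before set-nsec3.

    max_iterations stands in for the max-nsec3-iterations setting; 100 is an
    assumed value, read the real one from pdns.conf."""
    _, flags, iterations, salt = parse_nsec3param(params)
    notes = []
    if iterations > 0:
        notes.append("RFC 9276 recommends 0 iterations; extra rounds only cost resolvers CPU")
    if iterations > max_iterations:
        notes.append("exceeds max-nsec3-iterations; resolvers may treat the zone as insecure")
    if salt:
        notes.append("RFC 9276 recommends no salt ('-')")
    if flags == 1:
        notes.append("opt-out enabled: insecure delegations get no NSEC3 proof")
    return notes


if __name__ == "__main__":
    print(nsec3_hash("example.", RFC5155_PARAMS))
    print(nsec3_warnings("1 1 1 ab"))
```

       Because the name is lowercased and wire-encoded before hashing, the
       hash of EXAMPLE. and example. is the same, which is why hash-zone-
       record output can be compared directly against NSEC3 owner names
       seen in a zone transfer.
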
       increase-serial ZONE
              Increases the SOA serial by 1, honouring the zone's SOA-EDIT
              metadata.

       list-keys [ZONE]
              List DNSSEC information for all keys or for ZONE. --verbose
              or -v will also include the keys for disabled or empty zones.

       list-all-zones
              List all active zone names. --verbose or -v will also include
              disabled or empty zones.

       list-zone ZONE
              Show all records for ZONE.

       load-zone ZONE FILE
              Load records for ZONE from FILE. If ZONE already exists, all
              records are overwritten; this operation is atomic. If ZONE
              doesn't exist, it is created.

       rectify-zone ZONE
              Calculates the 'ordername' and 'auth' fields for a zone called
              ZONE so they comply with DNSSEC settings. Can be used to fix
              up migrated data. Can always safely be run, it does no harm.

       rectify-all-zones
              Calculates the 'ordername' and 'auth' fields for all zones so
              they comply with DNSSEC settings. Can be used to fix up
              migrated data. Can always safely be run, it does no harm.

       replace-rrset ZONE NAME TYPE [TTL] CONTENT [CONTENT..]
              Replace the existing RRset NAME/TYPE in zone ZONE with a new
              set built from the given CONTENTs.

       secure-zone ZONE
              Configures a zone called ZONE with reasonable DNSSEC settings.
              You should manually run 'pdnsutil rectify-zone' afterwards.

       secure-all-zones [increase-serial]
              Configures all zones that are not currently signed with
              reasonable DNSSEC settings. Setting increase-serial will
              increase the serial of those zones too. You should manually
              run 'pdnsutil rectify-all-zones' afterwards.

       set-kind ZONE KIND
              Change the kind of ZONE to KIND (primary, secondary, native).

       set-account ZONE ACCOUNT
              Change the account (owner) of ZONE to ACCOUNT.

       add-meta ZONE ATTRIBUTE VALUE [VALUE]...
              Append VALUE to the existing ATTRIBUTE metadata for ZONE. Will
              return an error if ATTRIBUTE does not support multiple values;
              use set-meta for those.

       set-meta ZONE ATTRIBUTE [VALUE]...
              Set zone metadata ATTRIBUTE for ZONE to VALUE. An empty value
              clears it.

       set-presigned ZONE
              Switches ZONE to presigned operation, utilizing in-zone
              RRSIGs.

       show-zone ZONE
              Shows all DNSSEC related settings of a zone called ZONE.

       test-schema ZONE
              Test the database schema; this creates the zone ZONE.

       unset-presigned ZONE
              Disables presigned operation for ZONE.

       raw-lua-from-content TYPE CONTENT
              Display record contents in a form suitable for dnsdist's
              SpoofRawAction.

DEBUGGING TOOLS
       backend-cmd BACKEND CMD [CMD..]
              Send a text command to a backend for execution. GSQL backends
              will take SQL commands, other backends may take different
              things. Be careful! The command runs unfiltered with the
              database privileges of the configured backend, so a mistake
              or an attacker-supplied argument can alter or destroy every
              zone.

       bench-db [FILE]
              Perform a benchmark of the backend database. FILE can be a
              file with a list, one per line, of zone names to use for this.
              If FILE is not specified, powerdns.com is used.

OTHER TOOLS
       ipencrypt IP-ADDRESS password
              Encrypt an IP address according to the 'ipcipher' standard.

       ipdecrypt IP-ADDRESS password
              Decrypt an IP address according to the 'ipcipher' standard.

SEE ALSO
       pdns_server (1), pdns_control (1)

AUTHOR
       PowerDNS.COM BV

COPYRIGHT
       2001-2022, PowerDNS.COM BV



                                 Apr 12, 2022                      PDNSUTIL(1)