PDNSUTIL(1)             PowerDNS Authoritative Server             PDNSUTIL(1)

NAME
       pdnsutil - PowerDNS record and DNSSEC command and control

SYNOPSIS
       pdnsutil [OPTION]... COMMAND

DESCRIPTION
       pdnsutil (formerly pdnssec) is a powerful command that is the
       operator-friendly gateway into DNSSEC and zone management for PowerDNS.
       Behind the scenes, pdnsutil manipulates a PowerDNS backend database,
       which also means that for many databases, pdnsutil can be run remotely,
       and can configure key material on different servers.

OPTIONS
       -h, --help
              Show a summary of options.

       -v, --verbose
              Be more verbose.

       --force
              Force an action.

       --config-name <NAME>
              Virtual configuration name.

       --config-dir <DIR>
              Location of pdns.conf. Default is /etc/powerdns.

COMMANDS
       There are many available commands; this section splits them up by their
       respective uses.

   DNSSEC RELATED COMMANDS
       Several commands manipulate the DNSSEC keys and options for zones. Some
       of these commands require an ALGORITHM to be set. The following
       algorithms are supported:

       • rsasha1

       • rsasha1-nsec3-sha1

       • rsasha256

       • rsasha512

       • ecdsa256

       • ecdsa384

       • ed25519

       • ed448

       activate-zone-key ZONE KEY-ID
              Activate a key with id KEY-ID within a zone called ZONE.

       add-zone-key ZONE [KSK,ZSK] [active,inactive] [published,unpublished]
       KEYBITS ALGORITHM
              Create a new key for zone ZONE, and make it a KSK or a ZSK
              (default), with the specified algorithm. The key is inactive by
              default; set it to active to immediately use it to sign ZONE.
              The key is published in the zone by default; set it to
              unpublished to keep it from being returned in a DNSKEY query,
              which is useful for algorithm rollovers. Prints the id of the
              added key.

       create-bind-db FILE
              Create DNSSEC database (sqlite3) at FILE for the BIND backend.
              Remember to set bind-dnssec-db=FILE in your pdns.conf.

       deactivate-zone-key ZONE KEY-ID
              Deactivate a key with id KEY-ID within a zone called ZONE.

       disable-dnssec ZONE
              Deactivate all keys and unset PRESIGNED in ZONE.

       export-zone-dnskey ZONE KEY-ID
              Export to standard output the DNSKEY and DS of the key with id
              KEY-ID within the zone called ZONE.

       export-zone-ds ZONE
              Export to standard output all KSK DS records for ZONE.

       export-zone-key ZONE KEY-ID
              Export to standard output the full (private) key with id KEY-ID
              within the zone called ZONE. The format used is compatible with
              BIND and NSD/LDNS.

       generate-zone-key {KSK,ZSK} [ALGORITHM] [KEYBITS]
              Generate a ZSK or KSK with the specified algorithm and bits and
              print it on standard output. If ALGORITHM is not set, ECDSA256
              is used. If KEYBITS is not set, an appropriate key size is
              selected for ALGORITHM. Each ECC-based algorithm supports only
              one valid KEYBITS value: for ECDSA256 and ED25519, it is 256;
              for ECDSA384, it is 384; and for ED448, it is 456.

       import-zone-key ZONE FILE {KSK,ZSK}
              Import from FILE a full (private) key for the zone called ZONE.
              The format used is compatible with BIND and NSD/LDNS. KSK or ZSK
              specifies the flags this key should have on import. Prints the
              id of the added key.

       publish-zone-key ZONE KEY-ID
              Publish the key with id KEY-ID within a zone called ZONE.

       remove-zone-key ZONE KEY-ID
              Remove a key with id KEY-ID from a zone called ZONE.

       set-nsec3 ZONE ['HASH-ALGORITHM FLAGS ITERATIONS SALT'] [narrow]
              Sets NSEC3 parameters for this zone. The quoted parameters are
              the 4 values that are used for the NSEC3PARAM record and decide
              how NSEC3 records are created. The NSEC3 parameters must be
              quoted on the command line. HASH-ALGORITHM must be 1 (SHA-1).
              Setting FLAGS to 1 enables NSEC3 opt-out operation. Only do this
              if you know you need it. For ITERATIONS, please consult RFC
              5155, section 10.3, and be aware that a high number might
              overload validating resolvers and that a limit can be set with
              max-nsec3-iterations in pdns.conf. The SALT is a hexadecimal
              string encoding the bits for the salt, or - to use no salt.
              Setting narrow will make PowerDNS send out "white lies" (RFC
              7129) about the next secure record to prevent zone enumeration.
              Instead of looking it up in the database, it will send out the
              hash + 1 as the next secure record. Narrow mode requires online
              signing capabilities by the nameserver and therefore zone
              transfers are denied. If only the zone is provided as argument,
              the 4-parameter quoted string defaults to '1 0 0 -'. A sample
              command line is: pdnsutil set-nsec3 powerdnssec.org '1 1 1 ab'
              narrow. WARNING: If running in RSASHA1 mode (algorithm 5 or 7),
              switching from NSEC to NSEC3 will require a DS update in the
              parent zone.

       unpublish-zone-key ZONE KEY-ID
              Unpublish the key with id KEY-ID within a zone called ZONE.

       unset-nsec3 ZONE
              Converts ZONE to NSEC operations. WARNING: If running in RSASHA1
              mode (algorithm 5 or 7), switching from NSEC to NSEC3 will
              require a DS update at the parent zone!

       set-publish-cds ZONE [DIGESTALGOS]
              Set ZONE to respond to queries for its CDS records. The optional
              argument DIGESTALGOS should be a comma-separated list of DS
              algorithms to use. By default, this is 2 (SHA-256). 0 will
              publish a CDS with a DNSSEC delete algorithm.

       set-publish-cdnskey ZONE [delete]
              Set ZONE to publish CDNSKEY records. Add 'delete' to publish a
              CDNSKEY with a DNSSEC delete algorithm.

       unset-publish-cds ZONE
              Set ZONE to stop responding to queries for its CDS records.

       unset-publish-cdnskey ZONE
              Set ZONE to stop publishing CDNSKEY records.

   TSIG RELATED COMMANDS
       These commands manipulate TSIG key information in the database. Some
       commands require an ALGORITHM; the following are available:

       • hmac-md5

       • hmac-sha1

       • hmac-sha224

       • hmac-sha256

       • hmac-sha384

       • hmac-sha512

       activate-tsig-key ZONE NAME {primary,secondary}
              Enable TSIG authenticated AXFR using the key NAME for zone ZONE.
              This sets the TSIG-ALLOW-AXFR (primary) or AXFR-MASTER-TSIG
              (secondary) zone metadata.

       deactivate-tsig-key ZONE NAME {primary,secondary}
              Disable TSIG authenticated AXFR using the key NAME for zone
              ZONE.

       delete-tsig-key NAME
              Delete the TSIG key NAME. Warning: this does not deactivate said
              key.

       generate-tsig-key NAME ALGORITHM
              Generate a new TSIG key with name NAME and the specified
              algorithm.

       import-tsig-key NAME ALGORITHM KEY
              Import KEY of the specified algorithm as NAME.

       list-tsig-keys
              Show a list of all configured TSIG keys.

   ZONE MANIPULATION COMMANDS
       add-record ZONE NAME TYPE [TTL] CONTENT
              Add one or more records of NAME and TYPE to ZONE with CONTENT
              and optional TTL. If TTL is not set, the default will be used.

       add-autoprimary IP NAMESERVER [ACCOUNT]
              Add an autoprimary entry into the backend. This enables
              receiving zone updates from other servers.

       remove-autoprimary IP NAMESERVER
              Remove an autoprimary from the backend. Not supported by the
              BIND backend.

       list-autoprimaries
              List all autoprimaries.

       create-zone ZONE
              Create an empty zone named ZONE.

       create-secondary-zone ZONE PRIMARY [PRIMARY]..
              Create a new secondary zone ZONE with primaries PRIMARY. All
              PRIMARYs need to be space-separated IP addresses with an
              optional port.

       change-secondary-zone-primary ZONE PRIMARY [PRIMARY]..
              Change the primaries for secondary zone ZONE to new primaries
              PRIMARY. All PRIMARYs need to be space-separated IP addresses
              with an optional port.

       check-all-zones
              Check all zones for correctness.

       check-zone ZONE
              Check zone ZONE for correctness.

       clear-zone ZONE
              Clear the records in zone ZONE, but leave the actual zone and
              its settings unchanged.

       delete-rrset ZONE NAME TYPE
              Delete the named RRSET from the zone.

       delete-zone ZONE
              Delete the zone named ZONE.

       edit-zone ZONE
              Opens ZONE in zonefile format (regardless of the backend it was
              loaded from) in the editor set in the environment variable
              EDITOR. If EDITOR is empty, pdnsutil falls back to using editor.

       get-meta ZONE [ATTRIBUTE]...
              Get zone metadata. If no ATTRIBUTE is given, lists all known.

       hash-password [WORK-FACTOR]
              This convenience command asks for a password and returns a
              hashed and salted version, for use as a webserver password or
              API key. An optional scrypt work factor can be specified, as a
              power of two; otherwise it defaults to 1024.

       hash-zone-record ZONE RNAME
              This convenience command hashes the name RNAME according to the
              NSEC3 settings of ZONE. Refuses to hash for zones with no NSEC3
              settings.
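              The following Python is an added illustration, not part of
              pdnsutil or this manual: it computes the RFC 5155 NSEC3 owner
              hash that hash-zone-record prints for a name under the
              parameters set-nsec3 accepts (the manual's own sample '1 1 1 ab'
              is used, with a constructed query name www.powerdnssec.org), and
              derives the narrow-mode "hash + 1" next owner described under
              set-nsec3. The function names are the example's own.

```python
import base64
import hashlib

# NSEC3 owner names use base32hex (RFC 4648 section 7); Python only ships the
# standard base32 alphabet, so translate between the two.
_STD = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
_HEX = "0123456789ABCDEFGHIJKLMNOPQRSTUV"
_TO_HEX = str.maketrans(_STD, _HEX)
_TO_STD = str.maketrans(_HEX, _STD)


def parse_nsec3param(quoted: str):
    """Split the 'HASH-ALGORITHM FLAGS ITERATIONS SALT' string that set-nsec3
    takes into (algorithm, flags, iterations, salt bytes); '-' means no salt."""
    algo, flags, iterations, salt = quoted.split()
    if int(algo) != 1:
        raise ValueError("only HASH-ALGORITHM 1 (SHA-1) is defined for NSEC3")
    salt_bytes = b"" if salt == "-" else bytes.fromhex(salt)
    return int(algo), int(flags), int(iterations), salt_bytes

def wire_name(name: str) -> bytes:
    """Canonical (lowercase) uncompressed wire format of an owner name."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def nsec3_hash(name: str, iterations: int, salt: bytes) -> str:
    """RFC 5155 section 5: SHA-1 over name||salt, then ITERATIONS further
    rounds over digest||salt, so iterations + 1 SHA-1 passes per name.
    That per-name cost is what a high ITERATIONS value imposes on validators."""
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    # 20 bytes encode to exactly 32 base32hex chars, so no '=' padding appears
    return base64.b32encode(digest).decode("ascii").translate(_TO_HEX).lower()

def narrow_next_owner(hashed_owner: str) -> str:
    """Narrow mode 'white lie': instead of the next hash stored in the
    database, the next hashed owner name is hash + 1 (mod 2^160)."""
    raw = base64.b32decode(hashed_owner.upper().translate(_TO_STD))
    bumped = (int.from_bytes(raw, "big") + 1) % (1 << 160)
    return base64.b32encode(bumped.to_bytes(20, "big")).decode("ascii").translate(_TO_HEX).lower()

if __name__ == "__main__":
    # The manual's sample parameters '1 1 1 ab': SHA-1, opt-out, 1 iteration, salt ab.
    _, flags, iters, salt = parse_nsec3param("1 1 1 ab")
    owner = nsec3_hash("www.powerdnssec.org", iters, salt)  # constructed name
    print("opt-out" if flags & 1 else "no opt-out", owner, "->", narrow_next_owner(owner))
```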
262
263 increase-serial ZONE
264 Increases the SOA-serial by 1. Uses SOA-EDIT.
265
266 list-keys [ZONE]
267 List DNSSEC information for all keys or for ZONE. --verbose or
268 -v will also include the keys for disabled or empty zones.
269
270 list-all-zones:
271 List all active zone names. --verbose or -v will also include
272 disabled or empty zones.
273
274 list-zone ZONE
275 Show all records for ZONE.
276
277 load-zone ZONE FILE
278 Load records for ZONE from FILE. If ZONE already exists, all
279 records are overwritten, this operation is atomic. If ZONE
280 doesn't exist, it is created.
281
282 rectify-zone ZONE
283 Calculates the 'ordername' and 'auth' fields for a zone called
284 ZONE so they comply with DNSSEC settings. Can be used to fix up
285 migrated data. Can always safely be run, it does no harm.
286
287 rectify-all-zones
288 Calculates the 'ordername' and 'auth' fields for all zones so
289 they comply with DNSSEC settings. Can be used to fix up migrated
290 data. Can always safely be run, it does no harm.
291
292 replace-rrset ZONE NAME TYPE [TTL] CONTENT [CONTENT..]
293 Replace existing NAME in zone ZONE with a new set.
294
295 secure-zone ZONE
296 Configures a zone called ZONE with reasonable DNSSEC settings.
297 You should manually run 'pdnsutil rectify-zone' afterwards.
298
299 secure-all-zones [increase-serial]
300 Configures all zones that are not currently signed with reason‐
301 able DNSSEC settings. Setting increase-serial will increase the
302 serial of those zones too. You should manually run 'pdnsutil
303 rectify-all-zones' afterwards.
304
305 set-kind ZONE KIND
306 Change the kind of ZONE to KIND (primary, secondary, native).
307
308 set-account ZONE ACCOUNT
309 Change the account (owner) of ZONE to ACCOUNT.
310
311 add-meta ZONE ATTRIBUTE VALUE [VALUE]...
312 Append VALUE to the existing ATTRIBUTE metadata for ZONE. Will
313 return an error if ATTRIBUTE does not support multiple values,
314 use set-meta for these values.
315
316 set-meta ZONE ATTRIBUTE [VALUE]...
317 Set zonemetadata ATTRIBUTE for ZONE to VALUE. An empty value
318 clears it.
319
320 set-presigned ZONE
321 Switches ZONE to presigned operation, utilizing in-zone RRSIGs.
322
323 show-zone ZONE
324 Shows all DNSSEC related settings of a zone called ZONE.
325
326 test-schema ZONE
327 Test database schema, this creates the zone ZONE
328
329 unset-presigned ZONE
330 Disables presigned operation for ZONE.
331
332 raw-lua-from-content TYPE CONTENT
333 Display record contents in a form suitable for dnsdist's
334 SpoofRawAction.
335
       backend-cmd BACKEND CMD [CMD..]
              Send a text command to a backend for execution. GSQL backends
              will take SQL commands; other backends may take different
              things. Be careful!

       bench-db [FILE]
              Perform a benchmark of the backend database. FILE can be a file
              with a list, one per line, of zone names to use for this. If
              FILE is not specified, powerdns.com is used.

   OTHER TOOLS
       ipencrypt IP-ADDRESS password
              Encrypt an IP address according to the 'ipcipher' standard.

       ipdecrypt IP-ADDRESS password
              Decrypt an IP address according to the 'ipcipher' standard.

SEE ALSO
       pdns_server (1), pdns_control (1)

AUTHOR
       PowerDNS.COM BV

COPYRIGHT
       2001-2022, PowerDNS.COM BV

                                 Apr 12, 2022                      PDNSUTIL(1)