PDNSUTIL(1)               PowerDNS Authoritative Server              PDNSUTIL(1)


NAME
   pdnsutil - PowerDNS record and DNSSEC command and control

SYNOPSIS
   pdnsutil [OPTION]... COMMAND

DESCRIPTION
   pdnsutil (formerly pdnssec) is a powerful command that is the
   operator-friendly gateway into DNSSEC and zone management for PowerDNS.
   Behind the scenes, pdnsutil manipulates a PowerDNS backend database,
   which also means that for many databases, pdnsutil can be run remotely,
   and can configure key material on different servers.

OPTIONS
   -h, --help
          Show summary of options.

   -v, --verbose
          Be more verbose.

   --force
          Force an action.

   --config-name <NAME>
          Virtual configuration name.

   --config-dir <DIR>
          Location of pdns.conf. Default is /etc/powerdns.

COMMANDS
   There are many available commands; this section splits them up by their
   respective uses.

DNSSEC RELATED COMMANDS
   Several commands manipulate the DNSSEC keys and options for zones. Some
   of these commands require an ALGORITHM to be set. The following
   algorithms are supported:

   • rsasha1
   • rsasha1-nsec3-sha1
   • rsasha256
   • rsasha512
   • ecdsa256
   • ecdsa384
   • ed25519
   • ed448

   activate-zone-key ZONE KEY-ID
          Activate a key with id KEY-ID within a zone called ZONE.

   add-zone-key ZONE [KSK,ZSK] [active,inactive] [published,unpublished] KEYBITS ALGORITHM
          Create a new key for zone ZONE, and make it a KSK or a ZSK
          (default), with the specified algorithm. The key is inactive by
          default; set it to active to immediately use it to sign ZONE. The
          key is published in the zone by default; set it to unpublished to
          keep it from being returned in a DNSKEY query, which is useful for
          algorithm rollovers. Prints the id of the added key.

   create-bind-db FILE
          Create a DNSSEC database (sqlite3) at FILE for the BIND backend.
          Remember to set bind-dnssec-db=FILE in your pdns.conf.

   deactivate-zone-key ZONE KEY-ID
          Deactivate a key with id KEY-ID within a zone called ZONE.

   disable-dnssec ZONE
          Deactivate all keys and unset PRESIGNED in ZONE.

   export-zone-dnskey ZONE KEY-ID
          Export to standard output the DNSKEY and DS of the key with key id
          KEY-ID within the zone called ZONE.

   export-zone-ds ZONE
          Export to standard output all KSK DS records for ZONE.

   export-zone-key ZONE KEY-ID
          Export to standard output the full (private) key with key id
          KEY-ID within the zone called ZONE. The format used is compatible
          with BIND and NSD/LDNS.

   export-zone-key-pem ZONE KEY-ID
          Export to standard output the full (private) key with key id
          KEY-ID within the zone called ZONE in the PEM file format. The
          format is compatible with many non-DNS software products.

   generate-zone-key {KSK,ZSK} [ALGORITHM] [KEYBITS]
          Generate a ZSK or KSK with the specified algorithm and bits and
          print it on standard output. If ALGORITHM is not set, ECDSA256 is
          used. If KEYBITS is not set, an appropriate key size is selected
          for ALGORITHM. Each ECC-based algorithm supports only one valid
          KEYBITS value: for ECDSA256 and ED25519 it is 256; for ECDSA384 it
          is 384; and for ED448 it is 456.

   import-zone-key ZONE FILE {KSK,ZSK}
          Import from FILE a full (private) key for the zone called ZONE.
          The format used is compatible with BIND and NSD/LDNS. KSK or ZSK
          specifies the flags this key should have on import. Prints the id
          of the added key.

   import-zone-key-pem ZONE FILE ALGORITHM {KSK,ZSK}
          Import from PEM FILE a full (private) key for the zone called ZONE
          with the specified ALGORITHM. The format used is compatible with
          many non-DNS software products. KSK or ZSK specifies the flags
          this key should have on import. Prints the id of the added key.

   publish-zone-key ZONE KEY-ID
          Publish the key with id KEY-ID within a zone called ZONE.

   remove-zone-key ZONE KEY-ID
          Remove a key with id KEY-ID from a zone called ZONE.

   set-nsec3 ZONE ['HASH-ALGORITHM FLAGS ITERATIONS SALT'] [narrow]
          Sets NSEC3 parameters for this zone. The quoted parameters are the
          4 values that are used for the NSEC3PARAM record and decide how
          NSEC3 records are created. The NSEC3 parameters must be quoted on
          the command line. HASH-ALGORITHM must be 1 (SHA-1). Setting FLAGS
          to 1 enables NSEC3 opt-out operation. Only do this if you know you
          need it. For ITERATIONS, please consult RFC 5155, section 10.3,
          and be aware that a high number might overload validating
          resolvers and that a limit can be set with max-nsec3-iterations
          in pdns.conf. The SALT is a hexadecimal string encoding the bits
          for the salt, or - to use no salt. Setting narrow will make
          PowerDNS send out "white lies" (RFC 7129) about the next secure
          record to prevent zone enumeration. Instead of looking it up in
          the database, it will send out the hash + 1 as the next secure
          record. Narrow mode requires online signing capabilities by the
          nameserver and therefore zone transfers are denied. If only the
          zone is provided as argument, the 4-parameter quoted string
          defaults to '1 0 0 -'. A sample command line is:
          pdnsutil set-nsec3 powerdnssec.org '1 1 1 ab' narrow
          WARNING: If running in RSASHA1 mode (algorithm 5 or 7), switching
          from NSEC to NSEC3 will require a DS update in the parent zone.

   unpublish-zone-key ZONE KEY-ID
          Unpublish the key with id KEY-ID within a zone called ZONE.

   unset-nsec3 ZONE
          Converts ZONE to NSEC operations. WARNING: If running in RSASHA1
          mode (algorithm 5 or 7), switching between NSEC3 and NSEC will
          require a DS update at the parent zone!

   set-publish-cds ZONE [DIGESTALGOS]
          Set ZONE to respond to queries for its CDS records. The optional
          argument DIGESTALGOS should be a comma-separated list of DS
          algorithms to use. By default, this is 2 (SHA-256). 0 will publish
          a CDS with a DNSSEC delete algorithm.

   set-publish-cdnskey ZONE [delete]
          Set ZONE to publish CDNSKEY records. Add 'delete' to publish a
          CDNSKEY with a DNSSEC delete algorithm.

   unset-publish-cds ZONE
          Set ZONE to stop responding to queries for its CDS records.

   unset-publish-cdnskey ZONE
          Set ZONE to stop publishing CDNSKEY records.

TSIG RELATED COMMANDS
   These commands manipulate TSIG key information in the database. Some
   commands require an ALGORITHM; the following are available:

   • hmac-md5
   • hmac-sha1
   • hmac-sha224
   • hmac-sha256
   • hmac-sha384
   • hmac-sha512

   activate-tsig-key ZONE NAME {primary,secondary,producer,consumer}
          Enable TSIG authenticated AXFR using the key NAME for zone ZONE.
          This sets the TSIG-ALLOW-AXFR (primary/producer) or
          AXFR-MASTER-TSIG (secondary/consumer) zone metadata.

   deactivate-tsig-key ZONE NAME {primary,secondary,producer,consumer}
          Disable TSIG authenticated AXFR using the key NAME for zone ZONE.

   delete-tsig-key NAME
          Delete the TSIG key NAME. Warning: this does not deactivate said
          key.

   generate-tsig-key NAME ALGORITHM
          Generate a new TSIG key with name NAME and the specified
          algorithm.

   import-tsig-key NAME ALGORITHM KEY
          Import KEY of the specified algorithm as NAME.

   list-tsig-keys
          Show a list of all configured TSIG keys.

ZONE MANIPULATION COMMANDS
   add-record ZONE NAME TYPE [TTL] CONTENT
          Add one or more records of NAME and TYPE to ZONE with CONTENT and
          optional TTL. If TTL is not set, the default will be used.

   add-autoprimary IP NAMESERVER [ACCOUNT]
          Add an autoprimary entry into the backend. This enables receiving
          zone updates from other servers.

   remove-autoprimary IP NAMESERVER
          Remove an autoprimary from the backend. Not supported by the BIND
          backend.

   list-autoprimaries
          List all autoprimaries.

   create-zone ZONE
          Create an empty zone named ZONE.

   create-secondary-zone ZONE PRIMARY [PRIMARY]..
          Create a new secondary zone ZONE with primaries PRIMARY. All
          PRIMARYs need to be space-separated IP addresses with an optional
          port.

   change-secondary-zone-primary ZONE PRIMARY [PRIMARY]..
          Change the primaries for secondary zone ZONE to new primaries
          PRIMARY. All PRIMARYs need to be space-separated IP addresses
          with an optional port.

   check-all-zones
          Check all zones for correctness.

   check-zone ZONE
          Check zone ZONE for correctness.

   clear-zone ZONE
          Clear the records in zone ZONE, but leave the actual zone and its
          settings unchanged.

   delete-rrset ZONE NAME TYPE
          Delete the named RRSET from the zone.

   delete-zone ZONE
          Delete the zone named ZONE.

   edit-zone ZONE
          Opens ZONE in zonefile format (regardless of the backend it was
          loaded from) in the editor set in the environment variable EDITOR.
          If EDITOR is empty, pdnsutil falls back to using editor.

   get-meta ZONE [ATTRIBUTE]...
          Get zone metadata. If no ATTRIBUTE is given, lists all known.

   hash-password [WORK-FACTOR]
          This convenience command asks for a password and returns a hashed
          and salted version, for use as a webserver password or API key.
          An optional scrypt work factor can be specified, as a power of
          two; otherwise it defaults to 1024.

   hash-zone-record ZONE RNAME
          This convenience command hashes the name RNAME according to the
          NSEC3 settings of ZONE. Refuses to hash for zones with no NSEC3
          settings.

   increase-serial ZONE
          Increases the SOA serial by 1. Uses SOA-EDIT.

   list-keys [ZONE]
          List DNSSEC information for all keys or for ZONE. --verbose or -v
          will also include the keys for disabled or empty zones.

   list-all-zones
          List all active zone names. --verbose or -v will also include
          disabled or empty zones.

   list-zone ZONE
          Show all records for ZONE.

   load-zone ZONE FILE
          Load records for ZONE from FILE. If ZONE already exists, all
          records are overwritten; this operation is atomic. If ZONE doesn't
          exist, it is created.

   rectify-zone ZONE
          Calculates the 'ordername' and 'auth' fields for a zone called
          ZONE so they comply with DNSSEC settings. Can be used to fix up
          migrated data. Can always safely be run, it does no harm.

   rectify-all-zones
          Calculates the 'ordername' and 'auth' fields for all zones so they
          comply with DNSSEC settings. Can be used to fix up migrated data.
          Can always safely be run, it does no harm.

   replace-rrset ZONE NAME TYPE [TTL] CONTENT [CONTENT..]
          Replace the existing NAME in zone ZONE with a new set.

   secure-zone ZONE
          Configures a zone called ZONE with reasonable DNSSEC settings. You
          should manually run 'pdnsutil rectify-zone' afterwards.

   secure-all-zones [increase-serial]
          Configures all zones that are not currently signed with reasonable
          DNSSEC settings. Setting increase-serial will increase the serial
          of those zones too. You should manually run 'pdnsutil
          rectify-all-zones' afterwards.

   set-kind ZONE KIND
          Change the kind of ZONE to KIND (primary, secondary, native,
          producer, consumer).

   set-options-json ZONE JSON
          Change the options of ZONE to JSON.

   set-option ZONE [producer|consumer] [coo|unique|group] VALUE [VALUE ...]
          Set or remove an option for ZONE. Providing an empty value removes
          an option.

   set-catalog ZONE CATALOG
          Change the catalog of ZONE to CATALOG.

   set-account ZONE ACCOUNT
          Change the account (owner) of ZONE to ACCOUNT.

   add-meta ZONE ATTRIBUTE VALUE [VALUE]...
          Append VALUE to the existing ATTRIBUTE metadata for ZONE. Will
          return an error if ATTRIBUTE does not support multiple values; use
          set-meta for these values.

   set-meta ZONE ATTRIBUTE [VALUE]...
          Set zone metadata ATTRIBUTE for ZONE to VALUE. An empty value
          clears it.

   set-presigned ZONE
          Switches ZONE to presigned operation, utilizing in-zone RRSIGs.

   show-zone ZONE
          Shows all DNSSEC related settings of a zone called ZONE.

   test-schema ZONE
          Test the database schema; this creates the zone ZONE.

   unset-presigned ZONE
          Disables presigned operation for ZONE.

   raw-lua-from-content TYPE CONTENT
          Display record contents in a form suitable for dnsdist's
          SpoofRawAction.

   zonemd-verify-file ZONE FILE
          Validate ZONEMD for ZONE read from FILE.

DEBUGGING TOOLS
   backend-cmd BACKEND CMD [CMD..]
          Send a text command to a backend for execution. GSQL backends will
          take SQL commands, other backends may take different things. Be
          careful!

   bench-db [FILE]
          Perform a benchmark of the backend database. FILE can be a file
          with a list, one per line, of zone names to use for this. If FILE
          is not specified, powerdns.com is used.

OTHER TOOLS
   b2b-migrate OLD NEW
          Migrate data from one backend to another. Needs launch=OLD,NEW in
          the configuration.

   ipencrypt IP-ADDRESS password
          Encrypt an IP address according to the 'ipcipher' standard.

   ipdecrypt IP-ADDRESS password
          Decrypt an IP address according to the 'ipcipher' standard.

SEE ALSO
   pdns_server (1), pdns_control (1)

AUTHOR
   PowerDNS.COM BV

COPYRIGHT
   2001-2022, PowerDNS.COM BV


Nov 01, 2022                                                         PDNSUTIL(1)