PDNSUTIL(1)                PowerDNS Authoritative Server                PDNSUTIL(1)

NAME
       pdnsutil - PowerDNS record and DNSSEC command and control

SYNOPSIS
       pdnsutil [OPTION]... COMMAND

DESCRIPTION
       pdnsutil (formerly pdnssec) is a powerful command that is the operator-
       friendly gateway into DNSSEC and zone management for PowerDNS. Behind the
       scenes, pdnsutil manipulates a PowerDNS backend database, which also means
       that for many databases, pdnsutil can be run remotely, and can configure
       key material on different servers.

OPTIONS
       -h, --help
              Show summary of options.

       -v, --verbose
              Be more verbose.

       --force
              Force an action.

       --config-name <NAME>
              Virtual configuration name.

       --config-dir <DIR>
              Location of pdns.conf. Default is /etc/powerdns.

COMMANDS
       There are many available commands; this section splits them up into their
       respective uses.

DNSSEC RELATED COMMANDS
       Several commands manipulate the DNSSEC keys and options for zones. Some of
       these commands require an ALGORITHM to be set. The following algorithms are
       supported:

       • rsasha1

       • rsasha1-nsec3-sha1

       • rsasha256

       • rsasha512

       • ecdsa256

       • ecdsa384

       • ed25519

       • ed448

       activate-zone-key ZONE KEY-ID
              Activate a key with id KEY-ID within a zone called ZONE.

       add-zone-key ZONE [KSK,ZSK] [active,inactive] [published,unpublished]
       KEYBITS ALGORITHM
              Create a new key for zone ZONE, and make it a KSK or a ZSK
              (default), with the specified algorithm. The key is inactive by
              default; set it to active to immediately use it to sign ZONE. The
              key is published in the zone by default; set it to unpublished to
              keep it from being returned in a DNSKEY query, which is useful for
              algorithm rollovers. Prints the id of the added key.

       create-bind-db FILE
              Create DNSSEC database (sqlite3) at FILE for the BIND backend.
              Remember to set bind-dnssec-db=FILE in your pdns.conf.

       deactivate-zone-key ZONE KEY-ID
              Deactivate a key with id KEY-ID within a zone called ZONE.

       disable-dnssec ZONE
              Deactivate all keys and unset PRESIGNED in ZONE.

       export-zone-dnskey ZONE KEY-ID
              Export to standard output DNSKEY and DS of key with key id KEY-ID
              within zone called ZONE.

       export-zone-ds ZONE
              Export to standard output all KSK DS records for ZONE.

       export-zone-key ZONE KEY-ID
              Export to standard output full (private) key with key id KEY-ID
              within zone called ZONE. The format used is compatible with BIND
              and NSD/LDNS.

       export-zone-key-pem ZONE KEY-ID
              Export to standard output full (private) key with key id KEY-ID
              within zone called ZONE in the PEM file format. The format is
              compatible with many non-DNS software products.

       generate-zone-key {KSK,ZSK} [ALGORITHM] [KEYBITS]
              Generate a ZSK or KSK with the specified algorithm and bits and
              print it on STDOUT. If ALGORITHM is not set, ECDSA256 is used. If
              KEYBITS is not set, an appropriate keysize is selected for
              ALGORITHM. Each ECC-based algorithm supports only one valid KEYBITS
              value: for ECDSA256 and ED25519, it is 256; for ECDSA384, it is
              384; and for ED448, it is 456.

       import-zone-key ZONE FILE {KSK,ZSK}
              Import from FILE a full (private) key for the zone called ZONE.
              The format used is compatible with BIND and NSD/LDNS. KSK or ZSK
              specifies the flags this key should have on import. Prints the id
              of the added key.

       import-zone-key-pem ZONE FILE ALGORITHM {KSK,ZSK}
              Import from PEM FILE a full (private) key for the zone called ZONE
              with a specified ALGORITHM. The format used is compatible with
              many non-DNS software products. KSK or ZSK specifies the flags
              this key should have on import. Prints the id of the added key.

       publish-zone-key ZONE KEY-ID
              Publish the key with id KEY-ID within a zone called ZONE.

       remove-zone-key ZONE KEY-ID
              Remove a key with id KEY-ID from a zone called ZONE.

       set-nsec3 ZONE ['HASH-ALGORITHM FLAGS ITERATIONS SALT'] [narrow]
              Sets NSEC3 parameters for this zone. The quoted parameters are the
              4 values that are used for the NSEC3PARAM record and decide how
              NSEC3 records are created. The NSEC3 parameters must be quoted on
              the command line. HASH-ALGORITHM must be 1 (SHA-1). Setting FLAGS
              to 1 enables NSEC3 opt-out operation. Only do this if you know you
              need it. For ITERATIONS, please consult RFC 5155, section 10.3,
              and be aware that a high number might overload validating
              resolvers and that a limit can be set with max-nsec3-iterations in
              pdns.conf. The SALT is a hexadecimal string encoding the bits for
              the salt, or - to use no salt. Setting narrow will make PowerDNS
              send out "white lies" (RFC 7129) about the next secure record to
              prevent zone enumeration. Instead of looking it up in the
              database, it will send out the hash + 1 as the next secure record.
              Narrow mode requires online signing capabilities by the nameserver
              and therefore zone transfers are denied. If only the zone is
              provided as argument, the 4-parameter quoted string defaults to
              '1 0 0 -'. A sample commandline is: pdnsutil set-nsec3
              powerdnssec.org '1 1 1 ab' narrow. WARNING: If running in RSASHA1
              mode (algorithm 5 or 7), switching from NSEC to NSEC3 will require
              a DS update in the parent zone.

       unpublish-zone-key ZONE KEY-ID
              Unpublish the key with id KEY-ID within a zone called ZONE.

       unset-nsec3 ZONE
              Converts ZONE to NSEC operations. WARNING: If running in RSASHA1
              mode (algorithm 5 or 7), switching from NSEC to NSEC3 will require
              a DS update at the parent zone!

       set-publish-cds ZONE [DIGESTALGOS]
              Set ZONE to respond to queries for its CDS records. The optional
              argument DIGESTALGOS should be a comma-separated list of DS
              algorithms to use. By default, this is 2 (SHA-256). 0 will publish
              a CDS with a DNSSEC delete algorithm.

       set-publish-cdnskey ZONE [delete]
              Set ZONE to publish CDNSKEY records. Add 'delete' to publish a
              CDNSKEY with a DNSSEC delete algorithm.

       unset-publish-cds ZONE
              Set ZONE to stop responding to queries for its CDS records.

       unset-publish-cdnskey ZONE
              Set ZONE to stop publishing CDNSKEY records.

TSIG RELATED COMMANDS
       These commands manipulate TSIG key information in the database. Some
       commands require an ALGORITHM; the following are available:

       • hmac-md5

       • hmac-sha1

       • hmac-sha224

       • hmac-sha256

       • hmac-sha384

       • hmac-sha512

       activate-tsig-key ZONE NAME {primary,secondary,producer,consumer}
              Enable TSIG authenticated AXFR using the key NAME for zone ZONE.
              This sets the TSIG-ALLOW-AXFR (primary/producer) or
              AXFR-MASTER-TSIG (secondary/consumer) zone metadata.

       deactivate-tsig-key ZONE NAME {primary,secondary,producer,consumer}
              Disable TSIG authenticated AXFR using the key NAME for zone ZONE.

       delete-tsig-key NAME
              Delete the TSIG key NAME. Warning: this does not deactivate said
              key.

       generate-tsig-key NAME ALGORITHM
              Generate new TSIG key with name NAME and the specified algorithm.

       import-tsig-key NAME ALGORITHM KEY
              Import KEY of the specified algorithm as NAME.

       list-tsig-keys
              Show a list of all configured TSIG keys.

ZONE MANIPULATION COMMANDS
       add-record ZONE NAME TYPE [TTL] CONTENT
              Add one or more records of NAME and TYPE to ZONE with CONTENT and
              optional TTL. If TTL is not set, the default will be used.

       add-autoprimary IP NAMESERVER [ACCOUNT]
              Add an autoprimary entry into the backend. This enables receiving
              zone updates from other servers.

       remove-autoprimary IP NAMESERVER
              Remove an autoprimary from the backend. Not supported by the BIND
              backend.

       list-autoprimaries
              List all autoprimaries.

       create-zone ZONE
              Create an empty zone named ZONE.

       create-secondary-zone ZONE PRIMARY [PRIMARY]...
              Create a new secondary zone ZONE with primaries PRIMARY. All
              PRIMARYs need to be space-separated IP addresses with an optional
              port.

       change-secondary-zone-primary ZONE PRIMARY [PRIMARY]...
              Change the primaries for secondary zone ZONE to new primaries
              PRIMARY. All PRIMARYs need to be space-separated IP addresses with
              an optional port.

       check-all-zones
              Check all zones for correctness.

       check-zone ZONE
              Check zone ZONE for correctness.

       clear-zone ZONE
              Clear the records in zone ZONE, but leave the actual zone and
              settings unchanged.

       delete-rrset ZONE NAME TYPE
              Delete named RRSET from zone.

       delete-zone ZONE
              Delete the zone named ZONE.

       edit-zone ZONE
              Opens ZONE in zonefile format (regardless of the backend it was
              loaded from) in the editor set in the environment variable EDITOR.
              If EDITOR is empty, pdnsutil falls back to using editor.

       get-meta ZONE [ATTRIBUTE]...
              Get zone metadata. If no ATTRIBUTE is given, lists all known.

       hash-password [WORK-FACTOR]
              This convenience command asks for a password and returns a hashed
              and salted version, for use as a webserver password or API key. An
              optional scrypt work factor can be specified as a power of two;
              otherwise it defaults to 1024.

       hash-zone-record ZONE RNAME
              This convenience command hashes the name RNAME according to the
              NSEC3 settings of ZONE. Refuses to hash for zones with no NSEC3
              settings.
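              As an added illustration (not part of this manual page or of the
              PowerDNS code), the following Python computes the RFC 5155 NSEC3
              hash that hash-zone-record prints, driven by the same quoted
              'HASH-ALGORITHM FLAGS ITERATIONS SALT' string that set-nsec3
              takes, and derives the "hash + 1" next owner that narrow mode
              answers with. Function names are the example's own; the test
              vector is the RFC 5155 Appendix A zone.

```python
import hashlib
from base64 import b32encode, b32decode

# Added example, not PowerDNS code: RFC 5155 NSEC3 hashing as performed by
# `pdnsutil hash-zone-record`, parameterised like `pdnsutil set-nsec3`.
_STD = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
_HEX = "0123456789ABCDEFGHIJKLMNOPQRSTUV"
_TO_B32HEX = str.maketrans(_STD, _HEX)    # RFC 4648 base32 -> base32hex
_FROM_B32HEX = str.maketrans(_HEX, _STD)  # base32hex -> RFC 4648 base32


def parse_nsec3_params(params: str) -> tuple[int, int, int, bytes]:
    """Parse the quoted 'HASH-ALGORITHM FLAGS ITERATIONS SALT' argument.
    Only hash algorithm 1 (SHA-1) exists; FLAGS 1 is opt-out; SALT is hex,
    or '-' for no salt, as in the '1 0 0 -' default."""
    alg, flags, iterations, salt = params.split()
    alg, flags, iterations = int(alg), int(flags), int(iterations)
    if alg != 1:
        raise ValueError("HASH-ALGORITHM must be 1 (SHA-1)")
    if flags not in (0, 1):
        raise ValueError("FLAGS must be 0 or 1 (opt-out)")
    return alg, flags, iterations, b"" if salt == "-" else bytes.fromhex(salt)


def wire_name(name: str) -> bytes:
    """Canonical (lowercase) uncompressed wire form of an owner name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def nsec3_hash(name: str, params: str) -> str:
    """IH(0) = H(name | salt); IH(k) = H(IH(k-1) | salt); output in base32hex."""
    _, _, iterations, salt = parse_nsec3_params(params)
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return b32encode(digest).decode("ascii").translate(_TO_B32HEX).lower()


def narrow_next_owner(hashed: str) -> str:
    """'White lies' (RFC 7129) next hashed owner: the hash value plus one,
    which narrow mode sends instead of looking the real next name up."""
    raw = b32decode(hashed.upper().translate(_FROM_B32HEX))
    bumped = (int.from_bytes(raw, "big") + 1) % (1 << (8 * len(raw)))
    out = b32encode(bumped.to_bytes(len(raw), "big")).decode("ascii")
    return out.translate(_TO_B32HEX).lower()
```

              With the RFC 5155 Appendix A parameters, nsec3_hash("example.",
              "1 1 12 aabbccdd") yields 0p9mhaveqvm6t7vbl5lop2u3t2rp3tom, the
              hashed apex of that zone.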

       increase-serial ZONE
              Increases the SOA serial by 1. Uses SOA-EDIT.

       list-keys [ZONE]
              List DNSSEC information for all keys or for ZONE. --verbose or -v
              will also include the keys for disabled or empty zones.

       list-all-zones
              List all active zone names. --verbose or -v will also include
              disabled or empty zones.

       list-member-zones CATALOG
              List all members of catalog zone CATALOG.

       list-zone ZONE
              Show all records for ZONE.

       load-zone ZONE FILE
              Load records for ZONE from FILE. If ZONE already exists, all
              records are overwritten; this operation is atomic. If ZONE doesn't
              exist, it is created.

       rectify-zone ZONE
              Calculates the 'ordername' and 'auth' fields for a zone called
              ZONE so they comply with DNSSEC settings. Can be used to fix up
              migrated data. Can always safely be run; it does no harm.

       rectify-all-zones
              Calculates the 'ordername' and 'auth' fields for all zones so they
              comply with DNSSEC settings. Can be used to fix up migrated data.
              Can always safely be run; it does no harm.

       replace-rrset ZONE NAME TYPE [TTL] CONTENT [CONTENT...]
              Replace existing NAME in zone ZONE with a new set.

       secure-zone ZONE
              Configures a zone called ZONE with reasonable DNSSEC settings. You
              should manually run 'pdnsutil rectify-zone' afterwards.

       secure-all-zones [increase-serial]
              Configures all zones that are not currently signed with reasonable
              DNSSEC settings. Setting increase-serial will increase the serial
              of those zones too. You should manually run 'pdnsutil
              rectify-all-zones' afterwards.

       set-kind ZONE KIND
              Change the kind of ZONE to KIND (primary, secondary, native,
              producer, consumer).

       set-options-json ZONE JSON
              Change the options of ZONE to JSON.

       set-option ZONE {producer|consumer} {coo|unique|group} VALUE [VALUE ...]
              Set or remove an option for ZONE. Providing an empty value removes
              an option.

       set-catalog ZONE CATALOG
              Change the catalog of ZONE to CATALOG.

       set-account ZONE ACCOUNT
              Change the account (owner) of ZONE to ACCOUNT.

       add-meta ZONE ATTRIBUTE VALUE [VALUE]...
              Append VALUE to the existing ATTRIBUTE metadata for ZONE. Will
              return an error if ATTRIBUTE does not support multiple values; use
              set-meta for these values.

       set-meta ZONE ATTRIBUTE [VALUE]...
              Set zone metadata ATTRIBUTE for ZONE to VALUE. An empty value
              clears it.

       set-presigned ZONE
              Switches ZONE to presigned operation, utilizing in-zone RRSIGs.

       show-zone ZONE
              Shows all DNSSEC related settings of a zone called ZONE.

       test-schema ZONE
              Test the database schema; this creates the zone ZONE.

       unset-presigned ZONE
              Disables presigned operation for ZONE.

       raw-lua-from-content TYPE CONTENT
              Display record contents in a form suitable for dnsdist's
              SpoofRawAction.

       zonemd-verify-file ZONE FILE
              Validate ZONEMD for ZONE read from FILE.

DEBUGGING TOOLS
       backend-cmd BACKEND CMD [CMD...]
              Send a text command to a backend for execution. GSQL backends will
              take SQL commands; other backends may take different things. Be
              careful!

       bench-db [FILE]
              Perform a benchmark of the backend database. FILE can be a file
              with a list, one per line, of zone names to use for this. If FILE
              is not specified, powerdns.com is used.

OTHER TOOLS
       b2b-migrate OLD NEW
              Migrate data from one backend to another. Needs launch=OLD,NEW in
              the configuration.

       ipencrypt IP-ADDRESS password
              Encrypt an IP address according to the 'ipcipher' standard.

       ipdecrypt IP-ADDRESS password
              Decrypt an IP address according to the 'ipcipher' standard.

SEE ALSO
       pdns_server (1), pdns_control (1)

AUTHOR
       PowerDNS.COM BV

COPYRIGHT
       2001-2023, PowerDNS.COM BV

                                  Oct 05, 2023                        PDNSUTIL(1)