FreeBSD Manual Pages


home | help
PDNSUTIL(1)							   PDNSUTIL(1)

       pdnsutil	- PowerDNS dnssec command and control

       pdnsutil	[OPTION]...  COMMAND

       pdnsutil (formerly pdnssec) is a powerful command that is the
       operator-friendly gateway into DNSSEC and zone management for PowerDNS.
       Behind the scenes, pdnsutil manipulates a PowerDNS backend database,
       which also means that for many databases, pdnsutil can be run remotely,
       and can configure key material on different servers.

       -h | --help
              Show summary of options.

       -v | --verbose
	      Be more verbose.

       --force
              Force an action.

       --config-name NAME
	      Virtual configuration name

       --config-dir DIR
	      Location of pdns.conf.  Default is /etc/powerdns.

       There are many available commands; this section splits them up by
       their respective uses.

       Several commands manipulate the DNSSEC keys and options for zones.
       Some of these commands require an ALGORITHM to be set.  The following
       algorithms are supported:

       o rsasha1

       o rsasha256

       o rsasha512

       o gost

       o ecdsa256

       o ecdsa384

       activate-zone-key ZONE KEY-ID
	 Activate a key	with id	KEY-ID within a	zone called ZONE.

       add-zone-key ZONE {KSK,ZSK} [active,inactive] KEYBITS ALGORITHM
         Create a new key for zone ZONE, and make it a KSK or a ZSK, with the
         specified algorithm.  The key is inactive by default; set it to
         active to immediately use it to sign ZONE.

       create-bind-db FILE
         Create DNSSEC database (sqlite3) at FILE for the BIND backend.
         Remember to set bind-dnssec-db=*FILE* in your pdns.conf.

       deactivate-zone-key ZONE	KEY-ID
	 Deactivate a key with id KEY-ID within	a zone called ZONE.

       disable-dnssec ZONE
	 Deactivate all	keys and unset PRESIGNED in ZONE.

       export-zone-dnskey ZONE KEY-ID
         Export to standard output DNSKEY and DS of key with key id KEY-ID
         within zone called ZONE.

       export-zone-key ZONE KEY-ID
	 Export	to standard output full	 (private)  key	 with  key  id	KEY-ID
	 within	zone called ZONE.  The format used is compatible with BIND and

       generate-zone-key {KSK,ZSK} [ALGORITHM] [KEYBITS]
         Generate a ZSK or KSK with the specified algorithm and bits and
         print it on STDOUT.  If ALGORITHM is not set, RSASHA512 is used.  If
         KEYBITS is not set, an appropriate keysize is selected for ALGORITHM.

       import-zone-key ZONE FILE {KSK,ZSK}
         Import from FILE a full (private) key for zone called ZONE.  The
         format used is compatible with BIND and NSD/LDNS.  KSK or ZSK
         specifies the flags this key should have on import.

       remove-zone-key ZONE KEY-ID
	 Remove	a key with id KEY-ID from a zone called	ZONE.

       set-nsec3 ZONE ['HASH-ALGORITHM FLAGS ITERATIONS SALT'] [narrow]
         Sets NSEC3 parameters for this zone.  The quoted parameters are 4
         values that are used for the NSEC3PARAM record and decide how NSEC3
         records are created.  The NSEC3 parameters must be quoted on the
         command line.  HASH-ALGORITHM must be 1 (SHA-1).  Setting FLAGS to 1
         enables NSEC3 opt-out operation.  Only do this if you know you need
         it.  For ITERATIONS, please consult RFC 5155, section 10.3, and be
         aware that a high number might overload validating resolvers.  The
         SALT is a hexadecimal string encoding the bits for the salt.  Setting
         narrow will make PowerDNS send out "white lies" about the next secure
         record.  Instead of looking it up in the database, it will send out
         the hash + 1 as the next secure record.  A sample commandline is:
         "pdnsutil set-nsec3 '1 1 1 ab' narrow".  WARNING: If running in
         RSASHA1 mode (algorithm 5 or 7), switching from NSEC to NSEC3 will
         require a DS update in the parent

       unset-nsec3 ZONE
         Converts ZONE to NSEC operations.  WARNING: If running in RSASHA1
         mode (algorithm 5 or 7), switching from NSEC to NSEC3 will require a
         DS update at the parent zone!

       set-publish-cds ZONE [DIGESTALGOS]
         Set ZONE to respond to queries for its CDS records.  The optional
         argument DIGESTALGOS should be a comma-separated list of DS
         algorithms to use.  By default, this is 1,2 (SHA1 and SHA2-256).

       set-publish-cdnskey ZONE
	 Set ZONE to publish CDNSKEY records.

       unset-publish-cds ZONE
	 Set ZONE to stop responding to	queries	for its	CDS records.

       unset-publish-cdnskey ZONE
	 Set ZONE to stop publishing CDNSKEY records.

       These commands manipulate TSIG key information in the database.  Some
       commands require an ALGORITHM; the following are available:

       o hmac-md5

       o hmac-sha1

       o hmac-sha224

       o hmac-sha256

       o hmac-sha384

       o hmac-sha512

       activate-tsig-key ZONE NAME {master,slave}
	 Enable	TSIG key NAME for zone ZONE.

       deactivate-tsig-key ZONE	NAME {master,slave}
	 Disable TSIG key NAME for zone	ZONE.

       delete-tsig-key NAME
         Delete the TSIG key NAME.  Warning, this does not deactivate said

       generate-tsig-key NAME ALGORITHM
	 Generate new TSIG key with name NAME and the specified	algorithm.

       create-zone ZONE
	      Create an	empty zone named ZONE.

       check-all-zones
              Check all zones for correctness.

       check-zone ZONE
	      Check zone ZONE for correctness.

       clear-zone ZONE
              Clear the records in zone ZONE, but leave the actual domain and
              its settings unchanged.

       delete-zone ZONE
	      Delete the zone named ZONE.

       edit-zone ZONE
              Opens ZONE in zonefile format (regardless of the backend it was
              loaded from) in the editor set in the environment variable
              EDITOR.  If EDITOR is empty, pdnsutil falls back to using editor.

       get-meta	ZONE [ATTRIBUTE]...
	      Get zone metadata.  If no	ATTRIBUTE given, lists all known.

       hash-zone-record ZONE RNAME
              This convenience command hashes the name RNAME according to the
              NSEC3 settings of ZONE.  Refuses to hash for zones with no NSEC3
       list-keys [ZONE]
	      List DNSSEC information for all keys or for ZONE.

       list-all-zones
              List all zone names.

       list-zone ZONE
	      Show all records for ZONE.

       load-zone ZONE FILE
              Load records for ZONE from FILE.  If ZONE already exists, all
              records are overwritten; this operation is atomic.  If ZONE
              doesn't exist, it is created.

       rectify-zone ZONE
              Calculates the 'ordername' and 'auth' fields for a zone called
              ZONE so they comply with DNSSEC settings.  Can be used to fix up
              migrated data.  It can always safely be run; it does no harm.

       secure-zone ZONE
	      Configures a zone	called ZONE with reasonable  DNSSEC  settings.
	      You should manually run 'pdnsutil	rectify-zone' afterwards.

       set-meta	ZONE ATTRIBUTE [VALUE]
	      Set  domainmetadata ATTRIBUTE for	ZONE to	VALUE.	An empty value
	      clears it.

       set-presigned ZONE
	      Switches ZONE to presigned operation, utilizing in-zone RRSIGs.

       show-zone ZONE
	      Shows all	DNSSEC related settings	of a zone called ZONE.

       test-schema ZONE
              Test the database schema; this creates the zone ZONE.

       unset-presigned ZONE
	      Disables presigned operation for ZONE.

       backend-cmd BACKEND CMD [CMD..]
	      Send a text command to a backend for execution.	GSQL  backends
	      will  take  SQL  commands,  other	 backends  may	take different
	      things.  Be careful!

       pdns_server (1),	pdns_control (1)

       Matthijs Möhlmann <>.

PowerDNS DNSSEC command and control	   November 2011		   PDNSUTIL(1)

