PDNSUTIL(1)		 PowerDNS Authoritative	Server		   PDNSUTIL(1)

NAME
       pdnsutil	- PowerDNS record and DNSSEC command and control

SYNOPSIS
       pdnsutil	[OPTION]... COMMAND

DESCRIPTION
       pdnsutil	 (formerly  pdnssec)  is a powerful command that is the	opera-
       tor-friendly gateway into DNSSEC	and zone management for	PowerDNS.  Be-
       hind  the  scenes,  pdnsutil  manipulates  a PowerDNS backend database,
       which also means	that for many databases, pdnsutil can be run remotely,
       and can configure key material on different servers.

OPTIONS
       -h, --help
	      Show summary of options

       -v, --verbose
	      Be more verbose.

       --force
	      Force an action

       --config-name _NAME_
	      Virtual configuration name

       --config-dir _DIR_
	      Location of pdns.conf. Default is	/etc/powerdns.

COMMANDS
       There are many available commands; this section splits them up into
       their respective uses.

DNSSEC RELATED COMMANDS
       Several commands	manipulate the DNSSEC keys and options for zones. Some
       of  these  commands require an ALGORITHM	to be set. The following algo-
       rithms are supported:

       o rsasha1

       o rsasha1-nsec3-sha1

       o rsasha256

       o rsasha512

       o ecdsa256

       o ecdsa384

       o ed25519

       o ed448

       activate-zone-key ZONE KEY-ID
	      Activate a key with id KEY-ID within a zone called ZONE.

       add-zone-key ZONE {KSK,ZSK}  [active,inactive]  [published,unpublished]
       KEYBITS ALGORITHM
	      Create a new key for zone	ZONE, and make it a KSK	or a ZSK, with
	      the specified algorithm. The key is inactive by default, set  it
	      to  active  to  immediately use it to sign ZONE. The key is pub-
	      lished in	the zone by default, set it to unpublished to keep  it
	      from being returned in a DNSKEY query, which is useful for algo-
	      rithm rollovers. Prints the id of	the added key.

       create-bind-db FILE
	      Create DNSSEC database (sqlite3) at FILE for the	BIND  backend.
	      Remember to set bind-dnssec-db=*FILE* in your pdns.conf.

       deactivate-zone-key ZONE	KEY-ID
	      Deactivate a key with id KEY-ID within a zone called ZONE.

       disable-dnssec ZONE
	      Deactivate all keys and unset PRESIGNED in ZONE.

       export-zone-dnskey ZONE KEY-ID
	      Export  to  standard  output  DNSKEY  and	 DS of key with	key id
	      KEY-ID within zone called	ZONE.

       export-zone-ds ZONE
	      Export to	standard output	all KSK	DS records for ZONE.

       export-zone-key ZONE KEY-ID
	      Export to	standard output	full (private) key with	key id	KEY-ID
	      within zone called ZONE. The format used is compatible with BIND
	      and NSD/LDNS.

       generate-zone-key {KSK,ZSK} [ALGORITHM] [KEYBITS]
	      Generate a ZSK or KSK with the specified algorithm and bits and
	      print it on STDOUT. If ALGORITHM is not set, ECDSA256
	      is used. If KEYBITS is not set, an appropriate  keysize  is  se-
	      lected for ALGORITHM. Each ECC-based algorithm supports only one
	      valid KEYBITS value: For ECDSA256	and ED25519, it	 is  256;  for
	      ECDSA384,	it is 384; and for ED448, it is	456.

       import-zone-key ZONE FILE {KSK,ZSK}
	      Import  from FILE	a full (private) key for zone called ZONE. The
	      format used is compatible	with BIND and  NSD/LDNS.  KSK  or  ZSK
	      specifies	 the  flags this key should have on import. Prints the
	      id of the	added key.

       publish-zone-key	ZONE KEY-ID
	      Publish the key with id KEY-ID within a zone called ZONE.

       remove-zone-key ZONE KEY-ID
	      Remove a key with	id KEY-ID from a zone called ZONE.

       set-nsec3 ZONE ['HASH-ALGORITHM FLAGS ITERATIONS	SALT'] [narrow]
	      Sets NSEC3 parameters for	this zone. The quoted parameters are 4
	      values that are used for the NSEC3PARAM record and decide
	      how NSEC3	records	are created.  The  NSEC3  parameters  must  be
	      quoted  on  the  command line. HASH-ALGORITHM must be 1 (SHA-1).
	      Setting FLAGS to 1 enables NSEC3 opt-out operation. Only do this
	      if  you  know  you  need	it. For	ITERATIONS, please consult RFC
	      5155, section 10.3. And be aware that a high number might	 over-
	      load  validating	resolvers  and	that  a	 limit can be set with
	      max-nsec3-iterations in pdns.conf. The  SALT  is	a  hexadecimal
	      string encoding the bits for the salt, or	- to use no salt. Set-
	      ting narrow will make PowerDNS send out "white lies" (RFC	 7129)
	      about  the  next	secure record to prevent zone enumeration. In-
	      stead of looking it up in	the database, it  will	send  out  the
	      hash  + 1	as the next secure record. Narrow mode requires	online
	      signing capabilities by the nameserver and therefore zone	trans-
	      fers  are	 denied. If only the zone is provided as argument, the
	      4-parameter quoted string	defaults to '1 0 1 ab'.	A sample  com-
	      mandline	is: pdnsutil set-nsec3 powerdnssec.org '1 1 1 ab' nar-
	      row.  WARNING: If	running	in RSASHA1 mode	(algorithm  5  or  7),
	      switching	 from  NSEC  to	 NSEC3 will require a DS update	in the
	      parent zone.

       unpublish-zone-key ZONE KEY-ID
	      Unpublish	the key	with id	KEY-ID within a	zone called ZONE.

       unset-nsec3 ZONE
	      Converts ZONE to NSEC operations.	WARNING: If running in RSASHA1
	      mode  (algorithm	5 or 7), switching from	NSEC to	NSEC3 will re-
	      quire a DS update	at the parent zone!

       set-publish-cds ZONE [DIGESTALGOS]
	      Set ZONE to respond to queries for its CDS records. The optional
	      argument	DIGESTALGOS should be a	comma-separated	list of	DS al-
	      gorithms to use. By default, this	is 2 (SHA-256).	0 will publish
	      a	CDS with a DNSSEC delete algorithm.

       set-publish-cdnskey ZONE	[delete]
	      Set  ZONE	 to publish CDNSKEY records. Add 'delete' to publish a
	      CDNSKEY with a DNSSEC delete algorithm.

       unset-publish-cds ZONE
	      Set ZONE to stop responding to queries for its CDS records.

       unset-publish-cdnskey ZONE
	      Set ZONE to stop publishing CDNSKEY records.

TSIG RELATED COMMANDS
       These commands manipulate TSIG key information in  the  database.  Some
       commands require an ALGORITHM; the following are available:

       o hmac-md5

       o hmac-sha1

       o hmac-sha224

       o hmac-sha256

       o hmac-sha384

       o hmac-sha512

       activate-tsig-key ZONE NAME {master,slave}
	      Enable TSIG authenticated	AXFR using the key NAME	for zone ZONE.
	      This  sets  the  TSIG-ALLOW-AXFR	(master)  or  AXFR-MASTER-TSIG
	      (slave) zone metadata.

       deactivate-tsig-key ZONE	NAME {master,slave}
	      Disable  TSIG  authenticated  AXFR  using	 the key NAME for zone
	      ZONE.

       delete-tsig-key NAME
	      Delete the TSIG key NAME.	Warning, this does not deactivate said
	      key.

       generate-tsig-key NAME ALGORITHM
	      Generate	new  TSIG  key	with name NAME and the specified algo-
	      rithm.

       import-tsig-key NAME ALGORITHM KEY
	      Import KEY of the	specified algorithm as NAME.

       list-tsig-keys
	      Show a list of all configured TSIG keys.

ZONE MANIPULATION COMMANDS
       add-record ZONE NAME TYPE [TTL] CONTENT
	      Add one or more records of NAME and TYPE to  ZONE	 with  CONTENT
	      and optional TTL.	If TTL is not set, default will	be used.

       add-supermaster IP NAMESERVER [ACCOUNT]
	      Add a supermaster	entry into the backend.	This enables receiving
	      zone updates from	other servers.

       create-zone ZONE
	      Create an	empty zone named ZONE.

       create-slave-zone ZONE MASTER [MASTER]..
	      Create a new slave zone ZONE with	masters	 MASTER.  All  MASTERs
	      need to be space-separated IP addresses with an optional
	      port.

       change-slave-zone-master	ZONE MASTER [MASTER]..
	      Change the masters for slave zone	ZONE to	 new  masters  MASTER.
	      All MASTERs need to be space-separated IP addresses with an
	      optional port.

       check-all-zones
	      Check all	zones for correctness.

       check-zone ZONE
	      Check zone ZONE for correctness.

       clear-zone ZONE
	      Clear the records in zone ZONE, but leave the actual domain and
	      settings unchanged.

       delete-rrset ZONE NAME TYPE
	      Delete named RRSET from zone.

       delete-zone ZONE
	      Delete the zone named ZONE.

       edit-zone ZONE
	      Opens  ZONE  in  zonefile	 format	 (regardless of	backend	it was
	      loaded from) in the editor set in the environment variable
	      EDITOR. If EDITOR is empty, pdnsutil falls back to using editor.

       get-meta	ZONE [ATTRIBUTE]...
	      Get zone metadata. If no ATTRIBUTE given,	lists all known.

       hash-zone-record	ZONE RNAME
	      This  convenience	command	hashes the name	RNAME according	to the
	      NSEC3 settings of	ZONE. Refuses to hash for zones	with no	 NSEC3
	      settings.
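
The hash that hash-zone-record prints, and that the ITERATIONS and SALT values of set-nsec3 control, can be reproduced offline. The following is an added example, not PowerDNS code: the function names are illustrative, the test parameters (salt aabbccdd, 12 iterations) are those of the RFC 5155 Appendix A example zone, and narrow_next shows the "hash + 1" value described for narrow mode.

```python
import base64
import hashlib

# NSEC3 uses base32hex (RFC 4648); map the standard base32 alphabet onto it.
_B32_TO_HEX = bytes.maketrans(
    b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
    b"0123456789ABCDEFGHIJKLMNOPQRSTUV",
)


def wire_name(name: str) -> bytes:
    """Canonical (lowercase) DNS wire format of an owner name."""
    out = b""
    for label in (l for l in name.rstrip(".").lower().split(".") if l):
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError("label longer than 63 octets")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def nsec3_digest(name: str, iterations: int, salt_hex: str) -> bytes:
    """RFC 5155 section 5: SHA-1 run iterations + 1 times, salt appended each time."""
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):  # each extra iteration costs resolvers one more SHA-1
        digest = hashlib.sha1(digest + salt).digest()
    return digest


def b32hex(digest: bytes) -> str:
    return base64.b32encode(digest).translate(_B32_TO_HEX).decode().lower()


def nsec3_hash(name: str, iterations: int, salt_hex: str) -> str:
    """Hashed owner name for HASH-ALGORITHM 1 (SHA-1)."""
    return b32hex(nsec3_digest(name, iterations, salt_hex))


def narrow_next(name: str, iterations: int, salt_hex: str) -> str:
    """'hash + 1': the next secure record sent in narrow mode, wrapping at 2**160."""
    n = int.from_bytes(nsec3_digest(name, iterations, salt_hex), "big")
    return b32hex(((n + 1) % (1 << 160)).to_bytes(20, "big"))


if __name__ == "__main__":
    print(nsec3_hash("example", 12, "aabbccdd"))
    print(narrow_next("example", 12, "aabbccdd"))
```
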

       increase-serial ZONE
	      Increases	the SOA-serial by 1. Uses SOA-EDIT.

       list-keys [ZONE]
	      List DNSSEC information for all keys or for ZONE.

       list-all-zones
	      List all zone names.

       list-zone ZONE
	      Show all records for ZONE.

       load-zone ZONE FILE
	      Load  records  for  ZONE	from FILE. If ZONE already exists, all
	      records are overwritten; this operation is atomic. If ZONE
	      doesn't exist, it	is created.

       rectify-zone ZONE
	      Calculates  the  'ordername' and 'auth' fields for a zone	called
	      ZONE so they comply with DNSSEC settings.	Can be used to fix  up
	      migrated data. Can always	safely be run, it does no harm.

       rectify-all-zones
	      Calculates  the  'ordername'  and	'auth' fields for all zones so
	      they comply with DNSSEC settings.	Can be used to fix up migrated
	      data.  Can always	safely be run, it does no harm.

       replace-rrset ZONE NAME TYPE [TTL] CONTENT [CONTENT..]
	      Replace existing NAME in zone ZONE with a	new set.

       secure-zone ZONE
	      Configures  a  zone called ZONE with reasonable DNSSEC settings.
	      You should manually run 'pdnsutil	rectify-zone' afterwards.

       secure-all-zones	[increase-serial]
	      Configures all zones that	are not	currently signed with  reason-
	      able  DNSSEC settings. Setting increase-serial will increase the
	      serial of	those zones too. You  should  manually	run  'pdnsutil
	      rectify-all-zones' afterwards.

       set-kind	ZONE KIND
	      Change the kind of ZONE to KIND (master, slave, native).

       set-account ZONE	ACCOUNT
	      Change the account (owner) of ZONE to ACCOUNT.

       add-meta	ZONE ATTRIBUTE VALUE [VALUE]...
	      Append  VALUE to the existing ATTRIBUTE metadata for ZONE.  Will
	      return an error if ATTRIBUTE does not support multiple values;
	      use set-meta for these values.

       set-meta	ZONE ATTRIBUTE [VALUE]...
	      Set  domainmetadata  ATTRIBUTE for ZONE to VALUE.	An empty value
	      clears it.

       set-presigned ZONE
	      Switches ZONE to presigned operation, utilizing in-zone RRSIGs.

       show-zone ZONE
	      Shows all	DNSSEC related settings	of a zone called ZONE.

       test-schema ZONE
	      Test database schema; this creates the zone ZONE.

       unset-presigned ZONE
	      Disables presigned operation for ZONE.

DEBUGGING TOOLS
       backend-cmd BACKEND CMD [CMD..]
	      Send a text command to a backend for  execution.	GSQL  backends
	      will  take  SQL  commands,  other	 backends  may	take different
	      things. Be careful!

       bench-db	[FILE]
	      Perform a	benchmark of the backend-database.  FILE can be	a file
	      with  a list, one	per line, of domain names to use for this.  If
	      FILE is not specified, powerdns.com is used.

OTHER TOOLS
       ipencrypt IP-ADDRESS password
	      Encrypt an IP address according to the 'ipcipher' standard.

       ipdecrypt IP-ADDRESS password
	      Decrypt an IP address according to the 'ipcipher' standard.

SEE ALSO
       pdns_server (1),	pdns_control (1)

AUTHOR
       PowerDNS.COM BV

COPYRIGHT
       2001-2019, PowerDNS.COM BV

				 Feb 06, 2021			   PDNSUTIL(1)
