File: pdnsutil.1

package info (click to toggle)
pdns 4.4.1-1
  • links: PTS, VCS
  • area: main
  • in suites: bullseye
  • size: 8,856 kB
  • sloc: cpp: 78,652; sh: 5,405; makefile: 2,096; sql: 822; ruby: 598; yacc: 228; ansic: 208; lex: 130; perl: 48; python: 4
file content (377 lines) | stat: -rw-r--r-- 13,593 bytes parent folder | download | duplicates (2)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
.\" Man page generated from reStructuredText.
.
.TH "PDNSUTIL" "1" "Feb 06, 2021" "" "PowerDNS Authoritative Server"
.SH NAME
pdnsutil \- PowerDNS record and DNSSEC command and control
.
.nr rst2man-indent-level 0
.
.de1 rstReportMargin
\\$1 \\n[an-margin]
level \\n[rst2man-indent-level]
level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
-
\\n[rst2man-indent0]
\\n[rst2man-indent1]
\\n[rst2man-indent2]
..
.de1 INDENT
.\" .rstReportMargin pre:
. RS \\$1
. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
. nr rst2man-indent-level +1
.\" .rstReportMargin post:
..
.de UNINDENT
. RE
.\" indent \\n[an-margin]
.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
.nr rst2man-indent-level -1
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
.SH SYNOPSIS
.sp
pdnsutil [OPTION]... \fICOMMAND\fP
.SH DESCRIPTION
.sp
\fBpdnsutil\fP (formerly pdnssec) is a powerful command that is the
operator\-friendly gateway into DNSSEC and zone management for PowerDNS.
Behind the scenes, \fBpdnsutil\fP manipulates a PowerDNS backend database,
which also means that for many databases, \fBpdnsutil\fP can be run
remotely, and can configure key material on different servers.
.SH OPTIONS
.INDENT 0.0
.TP
.B \-h\fP,\fB  \-\-help
Show summary of options
.TP
.B \-v\fP,\fB  \-\-verbose
Be more verbose.
.TP
.B \-\-force
Force an action
.TP
.BI \-\-config\-name \ <NAME>
Virtual configuration name
.TP
.BI \-\-config\-dir \ <DIR>
Location of pdns.conf. Default is /etc/powerdns.
.UNINDENT
.SH COMMANDS
.sp
There are many available commands, this section splits them up into
their respective uses
.SH DNSSEC RELATED COMMANDS
.sp
Several commands manipulate the DNSSEC keys and options for zones. Some
of these commands require an \fIALGORITHM\fP to be set. The following
algorithms are supported:
.INDENT 0.0
.IP \(bu 2
rsasha1
.IP \(bu 2
rsasha1\-nsec3\-sha1
.IP \(bu 2
rsasha256
.IP \(bu 2
rsasha512
.IP \(bu 2
ecdsa256
.IP \(bu 2
ecdsa384
.IP \(bu 2
ed25519
.IP \(bu 2
ed448
.UNINDENT
.INDENT 0.0
.TP
.B activate\-zone\-key \fIZONE\fP \fIKEY\-ID\fP
Activate a key with id \fIKEY\-ID\fP within a zone called \fIZONE\fP\&.
.TP
add\-zone\-key \fIZONE\fP {\fBKSK\fP,\fBZSK\fP} [\fBactive\fP,\fBinactive\fP] [\fBpublished\fP,\fBunpublished\fP] \fIKEYBITS\fP \fIALGORITHM\fP
Create a new key for zone \fIZONE\fP, and make it a KSK or a ZSK, with
the specified algorithm. The key is inactive by default, set it to
\fBactive\fP to immediately use it to sign \fIZONE\fP\&. The key is published
in the zone by default, set it to \fBunpublished\fP to keep it from
being returned in a DNSKEY query, which is useful for algorithm
rollovers. Prints the id of the added key.
.TP
.B create\-bind\-db \fIFILE\fP
Create DNSSEC database (sqlite3) at \fIFILE\fP for the BIND backend.
Remember to set \fBbind\-dnssec\-db=*FILE*\fP in your \fBpdns.conf\fP\&.
.TP
.B deactivate\-zone\-key \fIZONE\fP \fIKEY\-ID\fP
Deactivate a key with id KEY\-ID within a zone called \fIZONE\fP\&.
.TP
.B disable\-dnssec \fIZONE\fP
Deactivate all keys and unset PRESIGNED in \fIZONE\fP\&.
.TP
.B export\-zone\-dnskey \fIZONE\fP \fIKEY\-ID\fP
Export to standard output DNSKEY and DS of key with key id \fIKEY\-ID\fP
within zone called \fIZONE\fP\&.
.TP
.B export\-zone\-ds \fIZONE\fP
Export to standard output all KSK DS records for \fIZONE\fP\&.
.TP
.B export\-zone\-key \fIZONE\fP \fIKEY\-ID\fP
Export to standard output full (private) key with key id \fIKEY\-ID\fP
within zone called \fIZONE\fP\&. The format used is compatible with BIND
and NSD/LDNS.
.TP
generate\-zone\-key {\fBKSK\fP,\fBZSK\fP} [\fIALGORITHM\fP] [\fIKEYBITS\fP]
Generate a ZSK or KSK to stdout with specified algorithm and bits
and print it on STDOUT. If \fIALGORITHM\fP is not set, ECDSA256 is
used. If \fIKEYBITS\fP is not set, an appropriate keysize is selected
for \fIALGORITHM\fP\&. Each ECC\-based algorithm supports only one valid
\fIKEYBITS\fP value: For ECDSA256 and ED25519, it is 256; for ECDSA384,
it is 384; and for ED448, it is 456.
.TP
import\-zone\-key \fIZONE\fP \fIFILE\fP {\fBKSK\fP,\fBZSK\fP}
Import from \fIFILE\fP a full (private) key for zone called \fIZONE\fP\&. The
format used is compatible with BIND and NSD/LDNS. \fBKSK\fP or \fBZSK\fP
specifies the flags this key should have on import. Prints the id of
the added key.
.TP
.B publish\-zone\-key \fIZONE\fP \fIKEY\-ID\fP
Publish the key with id \fIKEY\-ID\fP within a zone called \fIZONE\fP\&.
.TP
.B remove\-zone\-key \fIZONE\fP \fIKEY\-ID\fP
Remove a key with id \fIKEY\-ID\fP from a zone called \fIZONE\fP\&.
.TP
set\-nsec3 \fIZONE\fP [\(aq\fIHASH\-ALGORITHM\fP \fIFLAGS\fP \fIITERATIONS\fP \fISALT\fP\(aq] [\fBnarrow\fP]
Sets NSEC3 parameters for this zone. The quoted parameters are 4
values that are used for the the NSEC3PARAM record and decide how
NSEC3 records are created. The NSEC3 parameters must be quoted on
the command line. \fIHASH\-ALGORITHM\fP must be 1 (SHA\-1). Setting
\fIFLAGS\fP to 1 enables NSEC3 opt\-out operation. Only do this if you
know you need it. For \fIITERATIONS\fP, please consult RFC 5155, section
10.3. And be aware that a high number might overload validating
resolvers and that a limit can be set with \fBmax\-nsec3\-iterations\fP
in \fBpdns.conf\fP\&. The \fISALT\fP is a hexadecimal string encoding the bits
for the salt, or \- to use no salt. Setting \fBnarrow\fP will make PowerDNS
send out "white lies" (RFC 7129) about the next secure record to
prevent zone enumeration. Instead of looking it up in the database,
it will send out the hash + 1 as the next secure record. Narrow mode
requires online signing capabilities by the nameserver and therefore
zone transfers are denied. If only the zone is provided as argument,
the 4\-parameter quoted string defaults to \fB\(aq1 0 1 ab\(aq\fP\&. A sample
commandline is: \fBpdnsutil set\-nsec3 powerdnssec.org \(aq1 1 1 ab\(aq narrow\fP\&.
\fBWARNING\fP: If running in RSASHA1 mode (algorithm 5 or 7), switching
from NSEC to NSEC3 will require a DS update in the parent zone.
.TP
.B unpublish\-zone\-key \fIZONE\fP \fIKEY\-ID\fP
Unpublish the key with id \fIKEY\-ID\fP within a zone called \fIZONE\fP\&.
.TP
.B unset\-nsec3 \fIZONE\fP
Converts \fIZONE\fP to NSEC operations. \fBWARNING\fP: If running in
RSASHA1 mode (algorithm 5 or 7), switching from NSEC to NSEC3 will
require a DS update at the parent zone!
.TP
.B set\-publish\-cds \fIZONE\fP [\fIDIGESTALGOS\fP]
Set \fIZONE\fP to respond to queries for its CDS records. the optional
argument \fIDIGESTALGOS\fP should be a comma\-separated list of DS
algorithms to use. By default, this is 2 (SHA\-256). 0 will publish a
CDS with a DNSSEC delete algorithm.
.TP
set\-publish\-cdnskey \fIZONE\fP [\fBdelete\fP]
Set \fIZONE\fP to publish CDNSKEY records. Add \(aqdelete\(aq to publish a CDNSKEY
with a DNSSEC delete algorithm.
.TP
.B unset\-publish\-cds \fIZONE\fP
Set \fIZONE\fP to stop responding to queries for its CDS records.
.TP
.B unset\-publish\-cdnskey \fIZONE\fP
Set \fIZONE\fP to stop publishing CDNSKEY records.
.UNINDENT
.SH TSIG RELATED COMMANDS
.sp
These commands manipulate TSIG key information in the database. Some
commands require an \fIALGORITHM\fP, the following are available:
.INDENT 0.0
.IP \(bu 2
hmac\-md5
.IP \(bu 2
hmac\-sha1
.IP \(bu 2
hmac\-sha224
.IP \(bu 2
hmac\-sha256
.IP \(bu 2
hmac\-sha384
.IP \(bu 2
hmac\-sha512
.UNINDENT
.INDENT 0.0
.TP
activate\-tsig\-key \fIZONE\fP \fINAME\fP {\fBmaster\fP,\fBslave\fP}
Enable TSIG authenticated AXFR using the key \fINAME\fP for zone \fIZONE\fP\&.
This sets the \fBTSIG\-ALLOW\-AXFR\fP (master) or \fBAXFR\-MASTER\-TSIG\fP
(slave) zone metadata.
.TP
deactivate\-tsig\-key \fIZONE\fP \fINAME\fP {\fBmaster\fP,\fBslave\fP}
Disable TSIG authenticated AXFR using the key \fINAME\fP for zone
\fIZONE\fP\&.
.TP
.B delete\-tsig\-key \fINAME\fP
Delete the TSIG key \fINAME\fP\&. Warning, this does not deactivate said
key.
.TP
.B generate\-tsig\-key \fINAME\fP \fIALGORITHM\fP
Generate new TSIG key with name \fINAME\fP and the specified algorithm.
.TP
.B import\-tsig\-key \fINAME\fP \fIALGORITHM\fP \fIKEY\fP
Import \fIKEY\fP of the specified algorithm as \fINAME\fP\&.
.TP
.B list\-tsig\-keys
Show a list of all configured TSIG keys.
.UNINDENT
.SH ZONE MANIPULATION COMMANDS
.INDENT 0.0
.TP
.B add\-record \fIZONE\fP \fINAME\fP \fITYPE\fP [\fITTL\fP] \fICONTENT\fP
Add one or more records of \fINAME\fP and \fITYPE\fP to \fIZONE\fP with \fICONTENT\fP
and optional \fITTL\fP\&. If \fITTL\fP is not set, default will be used.
.TP
.B add\-supermaster \fIIP\fP \fINAMESERVER\fP [\fIACCOUNT\fP]
Add a supermaster entry into the backend. This enables receiving zone updates from other servers.
.TP
.B create\-zone \fIZONE\fP
Create an empty zone named \fIZONE\fP\&.
.TP
.B create\-slave\-zone \fIZONE\fP \fIMASTER\fP [\fIMASTER\fP]..
Create a new slave zone \fIZONE\fP with masters \fIMASTER\fP\&. All \fIMASTER\fPs
need to to be space\-separated IP addresses with an optional port.
.TP
.B change\-slave\-zone\-master \fIZONE\fP \fIMASTER\fP [\fIMASTER\fP]..
Change the masters for slave zone \fIZONE\fP to new masters \fIMASTER\fP\&. All
\fIMASTER\fPs need to to be space\-separated IP addresses with an optional port.
.TP
.B check\-all\-zones
Check all zones for correctness.
.TP
.B check\-zone \fIZONE\fP
Check zone \fIZONE\fP for correctness.
.TP
.B clear\-zone \fIZONE\fP
Clear the records in zone \fIZONE\fP, but leave actual domain and
settings unchanged
.TP
.B delete\-rrset \fIZONE\fP \fINAME\fP \fITYPE\fP
Delete named RRSET from zone.
.TP
.B delete\-zone \fIZONE\fP:
Delete the zone named \fIZONE\fP\&.
.TP
.B edit\-zone \fIZONE\fP
Opens \fIZONE\fP in zonefile format (regardless of backend it was loaded
from) in the editor set in the environment variable \fBEDITOR\fP\&. if
\fBEDITOR\fP is empty, \fIpdnsutil\fP falls back to using \fIeditor\fP\&.
.TP
.B get\-meta \fIZONE\fP [\fIATTRIBUTE\fP]...
Get zone metadata. If no \fIATTRIBUTE\fP given, lists all known.
.TP
.B hash\-zone\-record \fIZONE\fP \fIRNAME\fP
This convenience command hashes the name \fIRNAME\fP according to the
NSEC3 settings of \fIZONE\fP\&. Refuses to hash for zones with no NSEC3
settings.
.TP
.B increase\-serial \fIZONE\fP
Increases the SOA\-serial by 1. Uses SOA\-EDIT.
.TP
.B list\-keys [\fIZONE\fP]
List DNSSEC information for all keys or for \fIZONE\fP\&.
.TP
.B list\-all\-zones:
List all zone names.
.TP
.B list\-zone \fIZONE\fP
Show all records for \fIZONE\fP\&.
.TP
.B load\-zone \fIZONE\fP \fIFILE\fP
Load records for \fIZONE\fP from \fIFILE\fP\&. If \fIZONE\fP already exists, all
records are overwritten, this operation is atomic. If \fIZONE\fP doesn\(aqt
exist, it is created.
.TP
.B rectify\-zone \fIZONE\fP
Calculates the \(aqordername\(aq and \(aqauth\(aq fields for a zone called
\fIZONE\fP so they comply with DNSSEC settings. Can be used to fix up
migrated data. Can always safely be run, it does no harm.
.TP
.B rectify\-all\-zones
Calculates the \(aqordername\(aq and \(aqauth\(aq fields for all zones so they
comply with DNSSEC settings. Can be used to fix up migrated data.
Can always safely be run, it does no harm.
.TP
.B replace\-rrset \fIZONE\fP \fINAME\fP \fITYPE\fP [\fITTL\fP] \fICONTENT\fP [\fICONTENT\fP\&..]
Replace existing \fINAME\fP in zone \fIZONE\fP with a new set.
.TP
.B secure\-zone \fIZONE\fP
Configures a zone called \fIZONE\fP with reasonable DNSSEC settings. You
should manually run \(aqpdnsutil rectify\-zone\(aq afterwards.
.TP
secure\-all\-zones [\fBincrease\-serial\fP]
Configures all zones that are not currently signed with reasonable
DNSSEC settings. Setting \fBincrease\-serial\fP will increase the
serial of those zones too. You should manually run \(aqpdnsutil
rectify\-all\-zones\(aq afterwards.
.TP
.B set\-kind \fIZONE\fP \fIKIND\fP
Change the kind of \fIZONE\fP to \fIKIND\fP (master, slave, native).
.TP
.B set\-account \fIZONE\fP \fIACCOUNT\fP
Change the account (owner) of \fIZONE\fP to \fIACCOUNT\fP\&.
.TP
.B add\-meta \fIZONE\fP \fIATTRIBUTE\fP \fIVALUE\fP [\fIVALUE\fP]...
Append \fIVALUE\fP to the existing \fIATTRIBUTE\fP metadata for \fIZONE\fP\&.
Will return an error if \fIATTRIBUTE\fP does not support multiple values, use
\fBset\-meta\fP for these values.
.TP
.B set\-meta \fIZONE\fP \fIATTRIBUTE\fP [\fIVALUE\fP]...
Set domainmetadata \fIATTRIBUTE\fP for \fIZONE\fP to \fIVALUE\fP\&. An empty value
clears it.
.TP
.B set\-presigned \fIZONE\fP
Switches \fIZONE\fP to presigned operation, utilizing in\-zone RRSIGs.
.TP
.B show\-zone \fIZONE\fP
Shows all DNSSEC related settings of a zone called \fIZONE\fP\&.
.TP
.B test\-schema \fIZONE\fP
Test database schema, this creates the zone \fIZONE\fP
.TP
.B unset\-presigned \fIZONE\fP
Disables presigned operation for \fIZONE\fP\&.
.UNINDENT
.SH DEBUGGING TOOLS
.INDENT 0.0
.TP
.B backend\-cmd \fIBACKEND\fP \fICMD\fP [\fICMD..\fP]
Send a text command to a backend for execution. GSQL backends will
take SQL commands, other backends may take different things. Be
careful!
.TP
.B bench\-db [\fIFILE\fP]
Perform a benchmark of the backend\-database.
\fIFILE\fP can be a file with a list, one per line, of domain names to use for this.
If \fIFILE\fP is not specified, powerdns.com is used.
.UNINDENT
.SH OTHER TOOLS
.INDENT 0.0
.TP
.B ipencrypt \fIIP\-ADDRESS\fP password
Encrypt an IP address according to the \(aqipcipher\(aq standard
.TP
.B ipdecrypt \fIIP\-ADDRESS\fP password
Encrypt an IP address according to the \(aqipcipher\(aq standard
.UNINDENT
.SH SEE ALSO
.sp
pdns_server (1), pdns_control (1)
.SH AUTHOR
PowerDNS.COM BV
.SH COPYRIGHT
2001-2019, PowerDNS.COM BV
.\" Generated by docutils manpage writer.
.