File: pdnsutil.1

pdns 5.0.3-1
.\" Man page generated from reStructuredText.
.
.
.nr rst2man-indent-level 0
.
.de1 rstReportMargin
\\$1 \\n[an-margin]
level \\n[rst2man-indent-level]
level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
-
\\n[rst2man-indent0]
\\n[rst2man-indent1]
\\n[rst2man-indent2]
..
.de1 INDENT
.\" .rstReportMargin pre:
. RS \\$1
. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
. nr rst2man-indent-level +1
.\" .rstReportMargin post:
..
.de UNINDENT
. RE
.\" indent \\n[an-margin]
.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
.nr rst2man-indent-level -1
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
.TH "PDNSUTIL" "1" "Feb 19, 2026" "" "PowerDNS Authoritative Server"
.SH NAME
pdnsutil \- PowerDNS record and DNSSEC command and control
.SH SYNOPSIS
.sp
\fBpdnsutil\fP [OPTION]... \fICOMMAND\fP
.SH DESCRIPTION
.sp
\fBpdnsutil\fP (formerly \fBpdnssec\fP) is a powerful command that is the
operator\-friendly gateway into DNSSEC and zone management for PowerDNS.
Behind the scenes, \fBpdnsutil\fP manipulates a PowerDNS backend database,
which also means that for many databases, \fBpdnsutil\fP can be run
remotely, and can configure key material on different servers.
.SH OPTIONS
.INDENT 0.0
.TP
.B  \-h\fP,\fB  \-\-help
Show summary of options
.TP
.B  \-v\fP,\fB  \-\-verbose
Be more verbose
.TP
.B  \-f\fP,\fB  \-\-force
Force an action
.TP
.B  \-q\fP,\fB  \-\-quiet
Be quiet
.TP
.BI \-\-config\-name \ <NAME>
Virtual configuration name
.TP
.BI \-\-config\-dir \ <DIR>
Location of pdns.conf. Default is /etc/powerdns.
.UNINDENT
.SH COMMANDS
.sp
There are many available commands. Most commands follow the pattern
\fBpdnsutil <object> <action> [arguments...]\fP, where \fB<object>\fP is a noun and \fB<action>\fP is a verb; a few commands which do not apply to any particular object
kind use only the verb.
.SH AUTOPRIMARY COMMANDS
.sp
autoprimary add \fIIP\fP \fINAMESERVER\fP [\fIACCOUNT\fP]
.INDENT 0.0
.INDENT 3.5
Add an autoprimary entry into the backend. This enables receiving zone
updates from other servers.
.UNINDENT
.UNINDENT
.sp
autoprimary list
.INDENT 0.0
.INDENT 3.5
List all autoprimaries.
.UNINDENT
.UNINDENT
.sp
autoprimary remove \fIIP\fP \fINAMESERVER\fP
.INDENT 0.0
.INDENT 3.5
Remove an autoprimary from backend. Not supported by BIND backend.
.UNINDENT
.UNINDENT
.SH CATALOG ZONE COMMANDS
.sp
catalog list\-members \fICATALOG\fP
.INDENT 0.0
.INDENT 3.5
List all members of catalog zone \fICATALOG\fP\&.
.UNINDENT
.UNINDENT
.sp
catalog set \fIZONE\fP [\fICATALOG\fP]
.INDENT 0.0
.INDENT 3.5
Change the catalog of \fIZONE\fP to \fICATALOG\fP\&. If \fICATALOG\fP is omitted,
removes \fIZONE\fP from the catalog it is in.
.UNINDENT
.UNINDENT
.SH ZONE METADATA COMMANDS
.sp
metadata add \fIZONE\fP \fIKIND\fP \fIVALUE\fP [\fIVALUE\fP]...
.INDENT 0.0
.INDENT 3.5
Append \fIVALUE\fP to the existing \fIKIND\fP metadata for \fIZONE\fP\&.
Returns an error if \fIKIND\fP does not support multiple values; use
\fBmetadata set\fP for these values.
.UNINDENT
.UNINDENT
.sp
metadata get \fIZONE\fP [\fIKIND\fP]...
.INDENT 0.0
.INDENT 3.5
Get zone metadata. If no \fIKIND\fP given, lists all known.
.UNINDENT
.UNINDENT
.sp
metadata set \fIZONE\fP \fIKIND\fP [\fIVALUE\fP]...
.INDENT 0.0
.INDENT 3.5
Set zone metadata \fIKIND\fP for \fIZONE\fP to \fIVALUE\fP, replacing all existing
values of \fIKIND\fP\&. An omitted value clears it.
.UNINDENT
.UNINDENT
.SH NETWORK COMMANDS
.sp
network list
.INDENT 0.0
.INDENT 3.5
List all defined networks with their chosen views.
.UNINDENT
.UNINDENT
.sp
network set \fINET\fP [\fIVIEW\fP]
.INDENT 0.0
.INDENT 3.5
Set the \fIVIEW\fP for the \fINET\fP network, or delete it if no \fIVIEW\fP argument is given.
.UNINDENT
.UNINDENT
.SH ZONE RECORD COMMANDS
.sp
In these commands, the \fBrrset\fP object name may also be written as \fBrecord\fP\&.
.sp
rrset add \fIZONE\fP \fINAME\fP \fITYPE\fP [\fITTL\fP] \fICONTENT\fP
.INDENT 0.0
.INDENT 3.5
Add one or more records of \fINAME\fP and \fITYPE\fP to \fIZONE\fP with \fICONTENT\fP
and optional \fITTL\fP\&. If \fITTL\fP is not set, the configured \fIdefault\-ttl\fP will be used.
\fINAME\fP must be absolute.
.UNINDENT
.UNINDENT
.sp
rrset delete \fIZONE\fP \fINAME\fP \fITYPE\fP
.INDENT 0.0
.INDENT 3.5
Delete named RRSET from zone.
\fINAME\fP must be absolute.
.UNINDENT
.UNINDENT
.sp
rrset hash \fIZONE\fP \fIRNAME\fP
.INDENT 0.0
.INDENT 3.5
This convenience command hashes the name \fIRNAME\fP according to the
NSEC3 settings of \fIZONE\fP\&. Refuses to hash for zones with no NSEC3
settings.
.UNINDENT
.UNINDENT
.sp
rrset replace \fIZONE\fP \fINAME\fP \fITYPE\fP [\fITTL\fP] \fICONTENT\fP [\fICONTENT\fP\&...]
.INDENT 0.0
.INDENT 3.5
Replace existing \fINAME\fP in zone \fIZONE\fP with a new set.
.UNINDENT
.UNINDENT
.SH TSIG RELATED COMMANDS
.sp
These commands manipulate TSIG key information in the database. Some
commands require an \fIALGORITHM\fP, which can be any of the following:
.INDENT 0.0
.IP \(bu 2
hmac\-md5
.IP \(bu 2
hmac\-sha1
.IP \(bu 2
hmac\-sha224
.IP \(bu 2
hmac\-sha256
.IP \(bu 2
hmac\-sha384
.IP \(bu 2
hmac\-sha512
.UNINDENT
.sp
tsigkey activate \fIZONE\fP \fINAME\fP {\fBprimary\fP,\fBsecondary\fP,\fBproducer\fP,\fBconsumer\fP}
.INDENT 0.0
.INDENT 3.5
Enable TSIG authenticated AXFR using the key \fINAME\fP for zone \fIZONE\fP\&.
This sets the \fBTSIG\-ALLOW\-AXFR\fP (primary/producer) or \fBAXFR\-MASTER\-TSIG\fP
(secondary/consumer) zone metadata.
.UNINDENT
.UNINDENT
.sp
tsigkey deactivate \fIZONE\fP \fINAME\fP {\fBprimary\fP,\fBsecondary\fP,\fBproducer\fP,\fBconsumer\fP}
.INDENT 0.0
.INDENT 3.5
Disable TSIG authenticated AXFR using the key \fINAME\fP for zone
\fIZONE\fP\&.
.UNINDENT
.UNINDENT
.sp
tsigkey delete \fINAME\fP
.INDENT 0.0
.INDENT 3.5
Delete the TSIG key \fINAME\fP\&. Warning: this does not deactivate said key.
.UNINDENT
.UNINDENT
.sp
tsigkey generate \fINAME\fP \fIALGORITHM\fP
.INDENT 0.0
.INDENT 3.5
Generate new TSIG key with name \fINAME\fP and the specified algorithm.
.UNINDENT
.UNINDENT
.sp
tsigkey import \fINAME\fP \fIALGORITHM\fP \fIKEY\fP
.INDENT 0.0
.INDENT 3.5
Import \fIKEY\fP of the specified algorithm as \fINAME\fP\&.
.UNINDENT
.UNINDENT
.sp
tsigkey list
.INDENT 0.0
.INDENT 3.5
Show a list of all configured TSIG keys.
.UNINDENT
.UNINDENT
.SH VIEWS COMMANDS
.sp
views add\-zone \fIVIEW\fP \fIZONE..VARIANT\fP
.INDENT 0.0
.INDENT 3.5
Add the given \fIZONE\fP \fIVARIANT\fP to a \fIVIEW\fP\&.
.UNINDENT
.UNINDENT
.sp
views del\-zone \fIVIEW\fP \fIZONE..VARIANT\fP
.INDENT 0.0
.INDENT 3.5
Remove a \fIZONE\fP \fIVARIANT\fP from a \fIVIEW\fP\&.
.UNINDENT
.UNINDENT
.sp
views list \fIVIEW\fP
.INDENT 0.0
.INDENT 3.5
List all zones within \fIVIEW\fP\&.
.UNINDENT
.UNINDENT
.sp
views list\-all
.INDENT 0.0
.INDENT 3.5
List all view names.
.UNINDENT
.UNINDENT
.SH ZONE MANIPULATION COMMANDS
.sp
zone check \fIZONE\fP
.INDENT 0.0
.INDENT 3.5
Check zone \fIZONE\fP for correctness.
.UNINDENT
.UNINDENT
.sp
zone check\-all [exit\-on\-error]
.INDENT 0.0
.INDENT 3.5
Check all zones for correctness, aborting upon finding the first error
in any zone if "exit\-on\-error" is specified.
.UNINDENT
.UNINDENT
.sp
zone clear \fIZONE\fP
.INDENT 0.0
.INDENT 3.5
Clear the records in zone \fIZONE\fP, but leave the actual zone and
settings unchanged.
.UNINDENT
.UNINDENT
.sp
zone create \fIZONE\fP
.INDENT 0.0
.INDENT 3.5
Create an empty zone named \fIZONE\fP\&.
.UNINDENT
.UNINDENT
.sp
zone delete \fIZONE\fP
.INDENT 0.0
.INDENT 3.5
Delete the zone named \fIZONE\fP\&.
.UNINDENT
.UNINDENT
.sp
zone edit \fIZONE\fP
.INDENT 0.0
.INDENT 3.5
Opens \fIZONE\fP in zonefile format (regardless of backend it was loaded
from) in the editor set in the environment variable \fBEDITOR\fP\&. If
\fBEDITOR\fP is empty, \fIpdnsutil\fP falls back to using \fIeditor\fP\&.
.UNINDENT
.UNINDENT
.sp
zone increase\-serial \fIZONE\fP
.INDENT 0.0
.INDENT 3.5
Increases the SOA\-serial by 1. Uses SOA\-EDIT.
.UNINDENT
.UNINDENT
.sp
zone list \fIZONE\fP
.INDENT 0.0
.INDENT 3.5
Show all records for \fIZONE\fP\&.
.UNINDENT
.UNINDENT
.sp
zone list\-all \fIKIND\fP
.INDENT 0.0
.INDENT 3.5
List all active zone names of the given \fIKIND\fP (primary, secondary,
native, producer, consumer), or all if none given. Passing \-\-verbose or
\-v will also include disabled or empty zones.
.UNINDENT
.UNINDENT
.sp
zone load \fIZONE\fP \fIFILE\fP
.INDENT 0.0
.INDENT 3.5
Load records for \fIZONE\fP from \fIFILE\fP\&. If \fIZONE\fP already exists, all
records are overwritten; this operation is atomic. If \fIZONE\fP doesn\(aqt
exist, it is created.
.UNINDENT
.UNINDENT
.sp
zone set\-account \fIZONE\fP \fIACCOUNT\fP
.INDENT 0.0
.INDENT 3.5
Change the account (owner) of \fIZONE\fP to \fIACCOUNT\fP\&.
.UNINDENT
.UNINDENT
.sp
zone set\-kind \fIZONE\fP \fIKIND\fP
.INDENT 0.0
.INDENT 3.5
Change the kind of \fIZONE\fP to \fIKIND\fP (primary, secondary, native, producer,
consumer).
.UNINDENT
.UNINDENT
.sp
zone set\-option \fIZONE\fP [\fIproducer\fP | \fIconsumer\fP] [\fIcoo\fP | \fIunique\fP | \fIgroup\fP] \fIVALUE\fP [\fIVALUE\fP ...]
.INDENT 0.0
.INDENT 3.5
Set or remove an option for \fIZONE\fP\&. Providing an empty value removes
an option.
.UNINDENT
.UNINDENT
.sp
zone set\-options\-json \fIZONE\fP \fIJSONFILE\fP
.INDENT 0.0
.INDENT 3.5
Change the options of \fIZONE\fP to the contents of \fIJSONFILE\fP\&.
.UNINDENT
.UNINDENT
.sp
zone zonemd\-verify\-file \fIZONE\fP \fIFILE\fP
.INDENT 0.0
.INDENT 3.5
Validate ZONEMD for \fIZONE\fP read from \fIFILE\fP\&.
.UNINDENT
.UNINDENT
.SH SECONDARY ZONE COMMANDS
.sp
zone change\-primary \fIZONE\fP \fIPRIMARY\fP [\fIPRIMARY\fP]...
.INDENT 0.0
.INDENT 3.5
Change the primaries for secondary zone \fIZONE\fP to new primaries \fIPRIMARY\fP\&. All
\fIPRIMARY\fPs need to be space\-separated IP addresses with an optional port.
.UNINDENT
.UNINDENT
.sp
zone create\-secondary \fIZONE\fP \fIPRIMARY\fP [\fIPRIMARY\fP]...
.INDENT 0.0
.INDENT 3.5
Create a new secondary zone \fIZONE\fP with primaries \fIPRIMARY\fP\&. All \fIPRIMARY\fPs
need to be space\-separated IP addresses with an optional port.
.UNINDENT
.UNINDENT
.SH DNSSEC-RELATED COMMANDS
.sp
Several commands manipulate the DNSSEC keys and options for zones. Some
of these commands require an \fIALGORITHM\fP to be set. The following
algorithms are supported:
.INDENT 0.0
.IP \(bu 2
rsasha1
.IP \(bu 2
rsasha1\-nsec3\-sha1
.IP \(bu 2
rsasha256
.IP \(bu 2
rsasha512
.IP \(bu 2
ecdsa256
.IP \(bu 2
ecdsa384
.IP \(bu 2
ed25519
.IP \(bu 2
ed448
.UNINDENT
.sp
\fBNOTE:\fP
.INDENT 0.0
.INDENT 3.5
The ed25519 and ed448 algorithms are only available if adequate cryptographic
libraries were available when PowerDNS was compiled on your particular
system.
.UNINDENT
.UNINDENT
.sp
In addition to the algorithm, some commands below may ask for a key size in
bits. The key size may be omitted for the ECC algorithms, which support only
one valid size per algorithm; for ECDSA256 and ED25519, it is 256;
for ECDSA384, it is 384; and for ED448, it is... 456.
.sp
zone dnssec\-disable \fIZONE\fP
.INDENT 0.0
.INDENT 3.5
Deactivate all keys and unset PRESIGNED in \fIZONE\fP\&.
.UNINDENT
.UNINDENT
.sp
zone export\-dnskey \fIZONE\fP \fIKEY_ID\fP
.INDENT 0.0
.INDENT 3.5
Export DNSKEY and DS of key with key id \fIKEY_ID\fP within zone \fIZONE\fP to
standard output.
.UNINDENT
.UNINDENT
.sp
zone export\-ds \fIZONE\fP
.INDENT 0.0
.INDENT 3.5
Export all KSK DS records for \fIZONE\fP to standard output.
.UNINDENT
.UNINDENT
.sp
zone list\-keys [\fIZONE\fP]
.INDENT 0.0
.INDENT 3.5
List DNSSEC information for all keys or for \fIZONE\fP only. Passing
\-\-verbose or \-v will also include the keys for disabled or empty zones.
.UNINDENT
.UNINDENT
.sp
zone rectify \fIZONE\fP
.INDENT 0.0
.INDENT 3.5
Calculates the \(aqordername\(aq and \(aqauth\(aq fields for a zone called
\fIZONE\fP so they comply with DNSSEC settings. Can be used to fix up
migrated data.
.UNINDENT
.UNINDENT
.sp
zone rectify\-all
.INDENT 0.0
.INDENT 3.5
Calculates the \(aqordername\(aq and \(aqauth\(aq fields for all zones so they
comply with DNSSEC settings. Can be used to fix up migrated data.
.UNINDENT
.UNINDENT
.sp
zone secure \fIZONE\fP
.INDENT 0.0
.INDENT 3.5
Configures a zone called \fIZONE\fP with reasonable DNSSEC settings. You
should manually run \(aqpdnsutil zone rectify\(aq afterwards.
.UNINDENT
.UNINDENT
.sp
zone secure\-all [\fBincrease\-serial\fP]
.INDENT 0.0
.INDENT 3.5
Configures all zones that are not currently signed with reasonable
DNSSEC settings. Setting \fBincrease\-serial\fP will increase the
serial of those zones too. You should manually run \(aqpdnsutil
zone rectify\-all\(aq afterwards.
.UNINDENT
.UNINDENT
.sp
zone set\-nsec3 \fIZONE\fP [\(aq\fIHASH\-ALGORITHM\fP \fIFLAGS\fP \fIITERATIONS\fP \fISALT\fP\(aq] [\fBnarrow\fP]
.INDENT 0.0
.INDENT 3.5
Sets NSEC3 parameters for this zone. The quoted parameters are 4
values that are used for the NSEC3PARAM record and decide how
NSEC3 records are created. The NSEC3 parameters must be quoted on
the command line. \fIHASH\-ALGORITHM\fP must be 1 (SHA\-1). Setting
\fIFLAGS\fP to 1 enables NSEC3 opt\-out operation. Only do this if you
know you need it. For \fIITERATIONS\fP, please consult
\fI\%RFC 5155\fP\&.
.sp
Be aware that a high number might overload validating
resolvers, and that a limit can be set with \fBmax\-nsec3\-iterations\fP
in \fBpdns.conf\fP\&. The \fISALT\fP is a hexadecimal string encoding the bits
for the salt, or \- to use no salt.
.sp
Setting \fBnarrow\fP will make PowerDNS send out "white lies" (\fI\%RFC 7129\fP)
about the next secure record to prevent zone enumeration. Instead of
looking it up in the database, it will send out the hash + 1 as the next
secure record. Narrow mode requires online signing capabilities by the
nameserver and therefore zone transfers are denied.
.sp
If only the zone is provided as argument, the 4\-parameter quoted string
defaults to \fB\(aq1 0 0 \-\(aq\fP, as recommended by \fI\%RFC 9276\fP\&.
.sp
A sample commandline would be:
.sp
\fBpdnsutil zone set\-nsec3 powerdnssec.org \(aq1 1 1 ab\(aq narrow\fP
.sp
\fBWARNING\fP: If running in RSASHA1 mode (algorithm 5 or 7), switching
from NSEC to NSEC3 will require a DS update in the parent zone.
.UNINDENT
.UNINDENT
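.sp
How the four quoted values shape the hashed owner name, and what "hash + 1" means in narrow mode, can be reproduced offline. The Python below is an added example, not PowerDNS code: it follows the RFC 5155 hash computation, its function names are hypothetical, and the name www.powerdnssec.org is constructed for illustration.

```python
import base64
import hashlib

# Standard base32 alphabet -> base32hex, the encoding of NSEC3 owner labels.
_TO_B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                             b"0123456789ABCDEFGHIJKLMNOPQRSTUV")


def parse_nsec3_params(quoted):
    """Parse 'HASH-ALGORITHM FLAGS ITERATIONS SALT' into (flags, iterations, salt)."""
    fields = quoted.split()
    if len(fields) != 4:
        raise ValueError("expected exactly 4 space-separated values")
    algorithm, flags, iterations = (int(f) for f in fields[:3])
    if algorithm != 1:
        raise ValueError("HASH-ALGORITHM must be 1 (SHA-1)")
    if not 0 <= iterations <= 0xFFFF:
        raise ValueError("ITERATIONS does not fit the 16-bit NSEC3PARAM field")
    # "-" means no salt; anything else is a hexadecimal string.
    salt = b"" if fields[3] == "-" else bytes.fromhex(fields[3])
    return flags, iterations, salt


def wire_name(name):
    """Lowercased DNS name in wire format (length-prefixed labels, root last)."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError("bad label length in %r" % name)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def nsec3_digest(name, iterations, salt):
    """SHA-1 over name||salt, then ITERATIONS more rounds of SHA-1(digest||salt)."""
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return digest


def to_label(digest):
    """Base32hex text form, as used for the first label of an NSEC3 record."""
    return base64.b32encode(digest).translate(_TO_B32HEX).decode("ascii").lower()


def narrow_next(digest):
    """Narrow mode: the 'next' hash is hash + 1 (wrapping at the digest width)."""
    value = (int.from_bytes(digest, "big") + 1) % (1 << (8 * len(digest)))
    return value.to_bytes(len(digest), "big")


if __name__ == "__main__":
    # Constructed sample: the sample command line's parameters and the default.
    for params in ("1 1 1 ab", "1 0 0 -"):
        flags, iterations, salt = parse_nsec3_params(params)
        digest = nsec3_digest("www.powerdnssec.org", iterations, salt)
        print(params, "opt-out" if flags & 1 else "no opt-out",
              "sha1 rounds per name:", iterations + 1)
        print("  owner hash :", to_label(digest))
        print("  narrow next:", to_label(narrow_next(digest)))
```

Each extra iteration is one more SHA\-1 round per name for the signer and for every validating resolver, which is the cost the \fBmax\-nsec3\-iterations\fP limit bounds.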
.sp
zone set\-presigned \fIZONE\fP
.INDENT 0.0
.INDENT 3.5
Switches \fIZONE\fP to presigned operation, utilizing in\-zone RRSIGs.
.UNINDENT
.UNINDENT
.sp
zone set\-publish\-cdnskey \fIZONE\fP [\fBdelete\fP]
.INDENT 0.0
.INDENT 3.5
Set \fIZONE\fP to publish CDNSKEY records. Add \(aqdelete\(aq to publish a CDNSKEY
with a DNSSEC delete algorithm.
.UNINDENT
.UNINDENT
.sp
zone set\-publish\-cds \fIZONE\fP [\fIDIGESTALGOS\fP]
.INDENT 0.0
.INDENT 3.5
Set \fIZONE\fP to respond to queries for its CDS records. The optional
argument \fIDIGESTALGOS\fP should be a comma\-separated list of DS
algorithms to use. By default, this is 2 (SHA\-256). 0 will publish a
CDS with a DNSSEC delete algorithm.
.UNINDENT
.UNINDENT
.sp
zone show \fIZONE\fP
.INDENT 0.0
.INDENT 3.5
Shows various details of the zone called \fIZONE\fP, including its
DNSSEC related settings.
.UNINDENT
.UNINDENT
.sp
zone unset\-nsec3 \fIZONE\fP
.INDENT 0.0
.INDENT 3.5
Converts \fIZONE\fP to NSEC operations. \fBWARNING\fP: If running in
RSASHA1 mode (algorithm 5 or 7), switching from NSEC to NSEC3 will
require a DS update at the parent zone!
.UNINDENT
.UNINDENT
.sp
zone unset\-presigned \fIZONE\fP
.INDENT 0.0
.INDENT 3.5
Disables presigned operation for \fIZONE\fP\&.
.UNINDENT
.UNINDENT
.sp
zone unset\-publish\-cdnskey \fIZONE\fP
.INDENT 0.0
.INDENT 3.5
Set \fIZONE\fP to stop publishing CDNSKEY records.
.UNINDENT
.UNINDENT
.sp
zone unset\-publish\-cds \fIZONE\fP
.INDENT 0.0
.INDENT 3.5
Set \fIZONE\fP to stop responding to queries for its CDS records.
.UNINDENT
.UNINDENT
.SH ZONE KEY COMMANDS
.sp
zone activate\-key \fIZONE\fP \fIKEY_ID\fP
.INDENT 0.0
.INDENT 3.5
Activate a key with id \fIKEY_ID\fP within a zone called \fIZONE\fP\&.
.UNINDENT
.UNINDENT
.sp
zone add\-key \fIZONE\fP [\fBKSK\fP,\fBZSK\fP] [\fBactive\fP,\fBinactive\fP] [\fBpublished\fP,\fBunpublished\fP] \fIALGORITHM\fP [\fIKEYBITS\fP]
.INDENT 0.0
.INDENT 3.5
Create a new key for zone \fIZONE\fP, and make it a KSK (default) or a ZSK, with
the specified \fIALGORITHM\fP and \fIKEYBITS\fP\&. If \fIKEYBITS\fP is omitted, the value
of the default\-ksk\-size or default\-zsk\-size setting is
used.
.sp
The key is inactive by default, set it to \fBactive\fP to immediately use it
to sign \fIZONE\fP\&. The key is published in the zone by default, set it to
\fBunpublished\fP to keep it from being returned in a DNSKEY query, which is
useful for algorithm rollovers.
.sp
Prints the id of the added key.
.UNINDENT
.UNINDENT
.sp
zone deactivate\-key \fIZONE\fP \fIKEY_ID\fP
.INDENT 0.0
.INDENT 3.5
Deactivate a key with id \fIKEY_ID\fP within a zone called \fIZONE\fP\&.
.UNINDENT
.UNINDENT
.sp
zone export\-key \fIZONE\fP \fIKEY_ID\fP
.INDENT 0.0
.INDENT 3.5
Export full (private) key with key id \fIKEY_ID\fP within zone \fIZONE\fP to
standard output. The format used is compatible with BIND and NSD/LDNS.
.UNINDENT
.UNINDENT
.sp
zone export\-key\-pem \fIZONE\fP \fIKEY_ID\fP
.INDENT 0.0
.INDENT 3.5
Export full (private) key with key id \fIKEY_ID\fP within zone \fIZONE\fP to
standard output in the PEM file format. The format is compatible with
many non\-DNS software products.
.UNINDENT
.UNINDENT
.sp
zone generate\-key {\fBKSK\fP,\fBZSK\fP} [\fIALGORITHM\fP] [\fIKEYBITS\fP]
.INDENT 0.0
.INDENT 3.5
Generate a ZSK or KSK with specified algorithm and bits and print it
on standard output. If \fIALGORITHM\fP is not set, ECDSA256 is used.
If \fIKEYBITS\fP is not set, an appropriate keysize is selected
for \fIALGORITHM\fP: for RSA keys, 2048 bits for KSK and 1024 bits for ZSK;
for ECC keys, the algorithm\-required size as mentioned above.
.UNINDENT
.UNINDENT
.sp
zone import\-key \fIZONE\fP \fIFILE\fP [\fBKSK\fP,\fBZSK\fP] [\fBactive\fP,\fBinactive\fP] [\fBpublished\fP,\fBunpublished\fP]
.INDENT 0.0
.INDENT 3.5
Import from \fIFILE\fP a full (private) key for the zone \fIZONE\fP\&. The
format used is compatible with BIND and NSD/LDNS. \fBKSK\fP or \fBZSK\fP
specifies the flags this key should have on import. Defaults to KSK,
active and published. Prints the id of the added key.
.UNINDENT
.UNINDENT
.sp
zone import\-key\-pem \fIZONE\fP \fIFILE\fP \fIALGORITHM\fP {\fBKSK\fP,\fBZSK\fP}
.INDENT 0.0
.INDENT 3.5
Import from PEM \fIFILE\fP a full (private) key for the zone \fIZONE\fP with a
specified \fIALGORITHM\fP\&. The format used is compatible with many non\-DNS
software products. \fBKSK\fP or \fBZSK\fP specifies the flags this key should
have on import. Prints the id of the added key.
.UNINDENT
.UNINDENT
.sp
zone publish\-key \fIZONE\fP \fIKEY_ID\fP
.INDENT 0.0
.INDENT 3.5
Publish the key with id \fIKEY_ID\fP within zone \fIZONE\fP\&.
.UNINDENT
.UNINDENT
.sp
zone remove\-key \fIZONE\fP \fIKEY_ID\fP
.INDENT 0.0
.INDENT 3.5
Remove a key with id \fIKEY_ID\fP from zone \fIZONE\fP\&.
.UNINDENT
.UNINDENT
.sp
zone unpublish\-key \fIZONE\fP \fIKEY_ID\fP
.INDENT 0.0
.INDENT 3.5
Unpublish the key with id \fIKEY_ID\fP within zone \fIZONE\fP\&.
.UNINDENT
.UNINDENT
.SH OTHER/MISCELLANEOUS COMMANDS
.sp
b2b\-migrate \fIOLD\fP \fINEW\fP
.INDENT 0.0
.INDENT 3.5
Migrate data from one backend to another.
Needs \fBlaunch=OLD,NEW\fP in the configuration.
.UNINDENT
.UNINDENT
.sp
backend\-cmd \fIBACKEND\fP \fICMD\fP [\fICMD...\fP]
.INDENT 0.0
.INDENT 3.5
Send a text command to a backend for execution. GSQL backends will
take SQL commands, other backends may take different things. Be
careful!
.UNINDENT
.UNINDENT
.sp
backend\-lookup \fIBACKEND\fP \fINAME\fP [\fITYPE\fP [\fICLIENT_IP_SUBNET\fP]]
.INDENT 0.0
.INDENT 3.5
Perform a backend record lookup.
.UNINDENT
.UNINDENT
.sp
bench\-db [\fIFILE\fP]
.INDENT 0.0
.INDENT 3.5
Perform a benchmark of the backend\-database.
\fIFILE\fP can be a file with a list, one per line, of zone names to use for this.
If \fIFILE\fP is not specified, powerdns.com is used.
.UNINDENT
.UNINDENT
.sp
create\-bind\-db \fIFILENAME\fP
.INDENT 0.0
.INDENT 3.5
Create DNSSEC database (sqlite3) at \fIFILENAME\fP for the BIND backend.
Remember to set \fBbind\-dnssec\-db=\fP\fIFILENAME\fP in your \fBpdns.conf\fP\&.
.UNINDENT
.UNINDENT
.sp
hash\-password [\fIWORK_FACTOR\fP]
.INDENT 0.0
.INDENT 3.5
This convenience command reads a password (not echoed) from standard
input and returns a hashed and salted version, for use as a webserver
password or API key.
An optional scrypt work factor can be specified, in powers of two,
otherwise it defaults to 1024.
.UNINDENT
.UNINDENT
.sp
ipdecrypt \fIIP_ADDRESS\fP PASSPHRASE_OR_KEY [\fBkey\fP]
.INDENT 0.0
.INDENT 3.5
Decrypt an IP address according to the \(aqipcipher\(aq standard. If the
passphrase is a base64 key, add the word "key" after it.
.UNINDENT
.UNINDENT
.sp
ipencrypt \fIIP_ADDRESS\fP PASSPHRASE_OR_KEY [\fBkey\fP]
.INDENT 0.0
.INDENT 3.5
Encrypt an IP address according to the \(aqipcipher\(aq standard. If the
passphrase is a base64 key, add the word "key" after it.
.UNINDENT
.UNINDENT
.sp
list\-algorithms [with\-backend]
.INDENT 0.0
.INDENT 3.5
List all DNSSEC algorithms supported, optionally also listing the
cryptographic library used if "with\-backend" is specified.
.UNINDENT
.UNINDENT
.sp
test\-schema \fIZONE\fP
.INDENT 0.0
.INDENT 3.5
Test database schema; this creates the zone \fIZONE\fP\&.
.UNINDENT
.UNINDENT
.sp
raw\-lua\-from\-content \fITYPE\fP \fICONTENT\fP
.INDENT 0.0
.INDENT 3.5
Display record contents in a form suitable for dnsdist\(aqs \fISpoofRawAction\fP\&.
.UNINDENT
.UNINDENT
.SH SEE ALSO
.sp
pdns_server (1), pdns_control (1)
.SH AUTHOR
PowerDNS.COM BV
.SH COPYRIGHT
PowerDNS.COM BV
.\" Generated by docutils manpage writer.
.