NAME
pdnssec - PowerDNSSEC command and control
SYNOPSIS
pdnssec [options] command
DESCRIPTION
pdnssec is a powerful command that is the operator-friendly gateway into
PowerDNSSEC configuration. Behind the scenes, pdnssec manipulates a
PowerDNS backend database, which also means that for many databases,
pdnssec can be run remotely, and can configure key material on
different servers.
OPTIONS
A summary of options is included below.
- -h [ --help ]
- Show summary of options.
- -v [ --verbose ]
- Be more verbose.
- --force
- Force an action.
- --config-name arg
- Virtual configuration name.
- --config-dir arg (=/etc/powerdns)
- Location of pdns.conf.
- --commands arg
- Commands given as an argument.
COMMANDS
- activate-zone-key ZONE KEY-ID
- Activate a key with id KEY-ID within a zone called
ZONE.
- add-zone-key ZONE [zsk|ksk] [bits] [rsasha1|rsasha256|rsasha512|gost|ecdsa256|ecdsa384]
- Create a new key for zone ZONE, and make it a KSK or a ZSK,
with the specified algorithm.
- check-zone ZONE
- Check a zone for correctness
- deactivate-zone-key ZONE KEY-ID
- Deactivate a key with id KEY-ID within a zone called
ZONE.
- disable-dnssec ZONE
- Deactivate all keys and unset PRESIGNED in ZONE
- export-zone-dnskey ZONE KEY-ID
- Export to standard output DNSKEY and DS of key with key id
KEY-ID within zone called ZONE.
- export-zone-key ZONE KEY-ID
- Export to standard output full (private) key with key id
KEY-ID within zone called ZONE. The format used is compatible with BIND
and NSD/LDNS.
- hash-zone-record ZONE RNAME
- This convenience command hashes the name RNAME
according to the NSEC3 settings of ZONE. Refuses to hash for zones with no
NSEC3 settings.
- import-zone-key ZONE FILE [ksk|zsk]
- Import from FILE a full (private) key for the zone called
ZONE. The format used is compatible with BIND and NSD/LDNS. KSK or ZSK
specifies the flags this key should have on import.
- rectify-zone ZONE
- Calculates the 'ordername' and 'auth' fields for a zone
called ZONE so they comply with DNSSEC settings. Can be used to fix up
migrated data. Can always safely be run; it does no harm.
- remove-zone-key ZONE KEY-ID
- Remove a key with id KEY-ID from a zone called ZONE.
- secure-zone ZONE
- Configures a zone called ZONE with reasonable DNSSEC
settings. You should manually run 'pdnssec rectify-zone' afterwards.
- set-nsec3 ZONE 'params' [narrow]
- Sets NSEC3 parameters for this zone. A sample command line
is: "pdnssec set-nsec3 powerdnssec.org '1 1 1 ab' narrow". The
NSEC3 parameters must be quoted on the command line.
WARNING:
If running in RSASHA1 mode (algorithm 5 or 7), switching from NSEC to NSEC3
will require a DS update at the parent zone!
- set-presigned ZONE
- Switches zone to presigned operation, utilizing in-zone
RRSIGs.
- show-zone ZONE
- Shows all DNSSEC related settings of a zone called
ZONE.
- unset-nsec3 ZONE
- Converts a zone to NSEC operations.
WARNING:
If running in RSASHA1 mode (algorithm 5 or 7), switching from NSEC to NSEC3
will require a DS update at the parent zone!
- unset-presigned ZONE
- Disables presigned operation for ZONE.
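The hashing that hash-zone-record performs, and the meaning of the four set-nsec3 fields ('1 1 1 ab' is algorithm, flags, iterations, salt), can be reproduced offline to cross-check 'ordername' values. The following is an added example, not PowerDNS code: it implements the NSEC3 hash as defined in RFC 5155, and the function names and the name www.powerdnssec.org are assumptions made for illustration.

```python
import base64
import hashlib

# Map the standard base32 alphabet to lower-case base32hex, the hashed-label encoding.
_B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                          b"0123456789abcdefghijklmnopqrstuv")


def parse_nsec3_params(params):
    """Split 'algorithm flags iterations salt' (e.g. '1 1 1 ab') into typed fields."""
    fields = params.split()
    if len(fields) != 4:
        raise ValueError("expected: algorithm flags iterations salt")
    algorithm, flags, iterations = (int(f) for f in fields[:3])
    if algorithm != 1:
        raise ValueError("only hash algorithm 1 (SHA-1) is defined for NSEC3")
    if not 0 <= iterations <= 65535:
        raise ValueError("iterations must fit in 16 bits")
    salt = b"" if fields[3] == "-" else bytes.fromhex(fields[3])  # '-' means no salt
    if len(salt) > 255:
        raise ValueError("salt longer than 255 octets")
    return algorithm, flags, iterations, salt


def wire_name(name):
    """Canonical wire form: lower-cased, length-prefixed labels, root terminator."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if not label:
            continue  # the root name has no labels
        raw = label.encode("ascii")  # assumption: no escaped dots or IDN labels
        if len(raw) > 63:
            raise ValueError("label longer than 63 octets")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def nsec3_hash(name, params):
    """Return the base32hex hashed owner label for name under the given parameters."""
    _, _, iterations, salt = parse_nsec3_params(params)
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):  # 'iterations' counts the additional rounds
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_B32HEX).decode("ascii")


if __name__ == "__main__":
    # Parameters from the sample command line above; the record name is constructed.
    print(nsec3_hash("www.powerdnssec.org", "1 1 1 ab"))
```

The flags field (opt-out) does not enter the hash, so changing it alone leaves every hashed name unchanged.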
AUTHOR
This manual page was written by Matthijs Möhlmann
<matthijs@cacholong.nl> for the Debian Project (but may be used by
others).
SEE ALSO
pdns_server(8), pdns_control(8)