SYNOPSIS

pdnssec [options] command

DESCRIPTION

pdnssec is a powerful command that is the operator-friendly gateway into PowerDNSSEC configuration. Behind the scenes, pdnssec manipulates a PowerDNS backend database, which also means that for many databases, pdnssec can be run remotely, and can configure key material on different servers.

OPTIONS

A summary of options is included below.

-h [ --help ]

Show summary of options.

-v [ --verbose ]

Be more verbose.

--force

Force an action.

--config-name arg

Virtual configuration name.

--config-dir arg (=/etc/powerdns)

Location of pdns.conf.

--commands arg

Commands given as an argument.

COMMANDS

activate-zone-key ZONE KEY-ID

Activate a key with id KEY-ID within a zone called ZONE.

add-zone-key ZONE [zsk|ksk] [bits] [rsasha1|rsasha256|rsasha512|gost|ecdsa256|ecdsa384]

Create a new key for zone ZONE, and make it a KSK or a ZSK, with the specified algorithm.

check-zone ZONE

Check a zone for correctness.

deactivate-zone-key ZONE KEY-ID

Deactivate a key with id KEY-ID within a zone called ZONE.

disable-dnssec ZONE

Deactivate all keys and unset PRESIGNED in ZONE.

export-zone-dnskey ZONE KEY-ID

Export to standard output DNSKEY and DS of key with key id KEY-ID within zone called ZONE.

export-zone-key ZONE KEY-ID

Export to standard output full (private) key with key id KEY-ID within zone called ZONE. The format used is compatible with BIND and NSD/LDNS.

hash-zone-record ZONE RNAME

This convenience command hashes the name RNAME according to the NSEC3 settings of ZONE. Refuses to hash for zones with no NSEC3 settings.

import-zone-key ZONE FILE [ksk|zsk]

Import from FILE a full (private) key for zone called ZONE. The format used is compatible with BIND and NSD/LDNS. KSK or ZSK specifies the flags this key should have on import.

rectify-zone ZONE

Calculates the 'ordername' and 'auth' fields for a zone called ZONE so they comply with DNSSEC settings. Can be used to fix up migrated data. It can always be run safely and does no harm.

remove-zone-key ZONE KEY-ID

Remove a key with id KEY-ID from a zone called ZONE.

secure-zone ZONE

Configures a zone called ZONE with reasonable DNSSEC settings. You should manually run 'pdnssec rectify-zone' afterwards.

set-nsec3 ZONE 'params' [narrow]

Sets NSEC3 parameters for this zone. A sample command line is: "pdnssec set-nsec3 powerdnssec.org '1 1 1 ab' narrow". The NSEC3 parameters must be quoted on the command line.

WARNING:

If running in RSASHA1 mode (algorithm 5 or 7), switching from NSEC to NSEC3 will require a DS update at the parent zone!

set-presigned ZONE

Switches zone to presigned operation, utilizing in-zone RRSIGs.

show-zone ZONE

Shows all DNSSEC related settings of a zone called ZONE.

unset-nsec3 ZONE

Converts a zone to NSEC operations.

WARNING:

If running in RSASHA1 mode (algorithm 5 or 7), switching from NSEC to NSEC3 will require a DS update at the parent zone!

unset-presigned ZONE

Disables presigned operation for ZONE.

AUTHOR

This manual page was written by Matthijs Möhlmann <[email protected]> for the Debian Project (but may be used by others)
