pdnssec(8)
PowerDNSSEC command and control
SYNOPSIS
pdnssec [options] command
DESCRIPTION
pdnssec is a powerful command that is the operator-friendly gateway into PowerDNSSEC configuration. Behind the scenes, pdnssec manipulates a PowerDNS backend database, which also means that for many databases, pdnssec can be run remotely, and can configure key material on different servers.
OPTIONS
A summary of options is included below.
- -h [ --help ]
-
Show summary of options.
- -v [ --verbose ]
-
Be more verbose.
- --force
-
force an action
- --config-name arg
-
Virtual configuration name
- --config-dir arg (=/etc/powerdns)
-
Location of pdns.conf
- --commands arg
-
Commands given as an argument
COMMANDS
- activate-zone-key ZONE KEY-ID
-
Activate a key with id KEY-ID within a zone called ZONE.
- add-zone-key ZONE [zsk|ksk] [bits] [rsasha1|rsasha256|rsasha512|gost|ecdsa256|ecdsa384]
-
Create a new key for zone ZONE, and make it a KSK or a ZSK, with the specified algorithm.
- check-zone ZONE
-
Check a zone for correctness
- deactivate-zone-key ZONE KEY-ID
-
Deactivate a key with id KEY-ID within a zone called ZONE.
- disable-dnssec ZONE
-
Deactivate all keys and unset PRESIGNED in ZONE
- export-zone-dnskey ZONE KEY-ID
-
Export to standard output DNSKEY and DS of key with key id KEY-ID within zone called ZONE.
- export-zone-key ZONE KEY-ID
-
Export to standard output full (private) key with key id KEY-ID within zone called ZONE. The format used is compatible with BIND and NSD/LDNS.
- hash-zone-record ZONE RNAME
-
This convenience command hashes the name 'recordname' according to the NSEC3 settings of ZONE. Refuses to hash for zones with no NSEC3 settings.
- import-zone-key ZONE FILE [ksk|zsk]
-
Import from 'filename' a full (private) key for zone called ZONE. The format used is compatible with BIND and NSD/LDNS. KSK or ZSK specifies the flags this key should have on import.
- rectify-zone ZONE
-
Calculates the 'ordername' and 'auth' fields for a zone called ZONE so they comply with DNSSEC settings. Can be used to fix up migrated data. Can always safely be run, it does no harm.
- remove-zone-key ZONE KEY-ID
-
Remove a key with id KEY-ID from a zone called ZONE.
- secure-zone ZONE
-
Configures a zone called ZONE with reasonable DNSSEC settings. You should manually run 'pdnssec rectify-zone' afterwards.
- set-nsec3 ZONE 'params' [narrow]
-
Sets NSEC3 parameters for this zone. A sample commandline is: "pdnssec set-nsec3 powerdnssec.org '1 1 1 ab' narrow". The NSEC3 parameters must be quoted on the command line.
WARNING:
If running in RSASHA1 mode (algorithm 5 or 7), switching from NSEC to NSEC3 will require a DS update at the parent zone!
- set-presigned ZONE
-
Switches zone to presigned operation, utilizing in-zone RRSIGs.
- show-zone ZONE
-
Shows all DNSSEC related settings of a zone called ZONE.
- unset-nsec3 ZONE
-
Converts a zone to NSEC operations.
WARNING:
If running in RSASHA1 mode (algorithm 5 or 7), switching from NSEC to NSEC3 will require a DS update at the parent zone!
- unset-presigned ZONE
-
Disables presigned operation for ZONE.
AUTHOR
This manual page was written by Matthijs Möhlmann <
[email protected]> for the Debian Project (but may be used by others)