SYNOPSIS

pdnssec [options] command

DESCRIPTION

pdnssec is a powerful command that is the operator-friendly gateway into PowerDNSSEC configuration. Behind the scenes, pdnssec manipulates a PowerDNS backend database, which also means that for many databases, pdnssec can be run remotely, and can configure key material on different servers.

OPTIONS

A summary of options is included below.

-h [ --help ]

Show summary of options.

-v [ --verbose ]

Be more verbose.

--force

force an action

--config-name arg

Virtual configuration name

--config-dir arg (=/etc/powerdns)

Location of pdns.conf

--commands arg

Commands given as an argument

COMMANDS

activate-zone-key ZONE KEY-ID

Activate a key with id KEY-ID within a zone called ZONE.

add-zone-key ZONE [zsk|ksk] [bits] [rsasha1|rsasha256|rsasha512|gost|ecdsa256|ecdsa384]

Create a new key for zone ZONE, and make it a KSK or a ZSK, with the specified algorithm.

check-zone ZONE

Check a zone for correctness

deactivate-zone-key ZONE KEY-ID

Deactivate a key with id KEY-ID within a zone called ZONE.

disable-dnssec ZONE

Deactivate all keys and unset PRESIGNED in ZONE

export-zone-dnskey ZONE KEY-ID

Export to standard output DNSKEY and DS of key with key id KEY-ID within zone called ZONE.

export-zone-key ZONE KEY-ID

Export to standard output full (private) key with key id KEY-ID within zone called ZONE. The format used is compatible with BIND and NSD/LDNS.

hash-zone-record ZONE RNAME

This convenience command hashes the name 'recordname' according to the NSEC3 settings of ZONE. Refuses to hash for zones with no NSEC3 settings.

import-zone-key ZONE FILE [ksk|zsk]

Import from 'filename' a full (private) key for zone called ZONE. The format used is compatible with BIND and NSD/LDNS. KSK or ZSK specifies the flags this key should have on import.

rectify-zone ZONE

Calculates the 'ordername' and 'auth' fields for a zone called ZONE so they comply with DNSSEC settings. Can be used to fix up migrated data. Can always safely be run, it does no harm.

remove-zone-key ZONE KEY-ID

Remove a key with id KEY-ID from a zone called ZONE.

secure-zone ZONE

Configures a zone called ZONE with reasonable DNSSEC settings. You should manually run 'pdnssec rectify-zone' afterwards.

set-nsec3 ZONE 'params' [narrow]

Sets NSEC3 parameters for this zone. A sample commandline is: "pdnssec set-nsec3 powerdnssec.org '1 1 1 ab' narrow". The NSEC3 parameters must be quoted on the command line.
WARNING:
If running in RSASHA1 mode (algorithm 5 or 7), switching from NSEC to NSEC3 will require a DS update at the parent zone!

set-presigned ZONE

Switches zone to presigned operation, utilizing in-zone RRSIGs.

show-zone ZONE

Shows all DNSSEC related settings of a zone called ZONE.

unset-nsec3 ZONE

Converts a zone to NSEC operations.
WARNING:
If running in RSASHA1 mode (algorithm 5 or 7), switching from NSEC to NSEC3 will require a DS update at the parent zone!

unset-presigned ZONE

Disables presigned operation for ZONE.

AUTHOR

This manual page was written by Matthijs Möhlmann <[email protected]> for the Debian Project (but may be used by others)