pdnsutil - PowerDNS record and DNSSEC command and control

       PowerDNS.COM BV

       There are many available commands, this section splits them up into their respective uses

       PowerDNS.COM BV

                                                  Feb 06, 2025                                       PDNSUTIL(1)

backend-cmdBACKENDCMD[CMD...]
              Send a text command to a backend for execution.  GSQL  backends  will  take  SQL  commands,  other
              backends may take different things. Be careful!

       bench-db[FILE]
              Perform  a  benchmark  of  the backend-database.  FILE can be a file with a list, one per line, of
              zone names to use for this.  If FILE is not specified, powerdns.com is used.

pdnsutil  (formerly  pdnssec) is a powerful command that is the operator-friendly gateway into DNSSEC and
       zone management for PowerDNS.  Behind the scenes, pdnsutil manipulates a PowerDNS backend database, which
       also means that for many databases, pdnsutil can be run remotely,  and  can  configure  key  material  on
       different servers.

       Several  commands  manipulate  the  DNSSEC  keys and options for zones. Some of these commands require an
       ALGORITHM to be set. The following algorithms are supported:

       • rsasha1

       • rsasha1-nsec3-sha1

       • rsasha256

       • rsasha512

       • ecdsa256

       • ecdsa384

       • ed25519

       • ed448

       activate-zone-keyZONEKEY-ID
              Activate a key with id KEY-ID within a zone called ZONE.

       add-zone-key ZONE [KSK,ZSK] [active,inactive] [published,unpublished] KEYBITSALGORITHM
              Create a new key for zone ZONE, and make  it  a  KSK  or  a  ZSK  (default),  with  the  specified
              algorithm.  The  key  is inactive by default, set it to active to immediately use it to sign ZONE.
              The key is published in the zone by default, set it to unpublished to keep it from being  returned
              in a DNSKEY query, which is useful for algorithm rollovers. Prints the id of the added key.

       create-bind-dbFILE
              Create   DNSSEC   database   (sqlite3)   at   FILE   for   the  BIND  backend.   Remember  to  set
              bind-dnssec-db=*FILE* in your pdns.conf.

       deactivate-zone-keyZONEKEY-ID
              Deactivate a key with id KEY-ID within a zone called ZONE.

       disable-dnssecZONE
              Deactivate all keys and unset PRESIGNED in ZONE.

       export-zone-dnskeyZONEKEY-ID
              Export to standard output DNSKEY and DS of key with key id KEY-ID within zone called ZONE.

       export-zone-dsZONE
              Export to standard output all KSK DS records for ZONE.

       export-zone-keyZONEKEY-ID
              Export to standard output full (private) key with key id  KEY-ID  within  zone  called  ZONE.  The
              format used is compatible with BIND and NSD/LDNS.

       export-zone-key-pemZONEKEY-ID
              Export to standard output full (private) key with key id KEY-ID within zone called ZONE in the PEM
              file format. The format is compatible with many non-DNS software products.

       generate-zone-key {KSK,ZSK} [ALGORITHM] [KEYBITS]
              Generate  a  ZSK  or  KSK  to  stdout with specified algorithm and bits and print it on STDOUT. If
              ALGORITHM is not set, ECDSA256 is used. If KEYBITS is not set, an appropriate keysize is  selected
              for  ALGORITHM.  Each  ECC-based algorithm supports only one valid KEYBITS value: For ECDSA256 and
              ED25519, it is 256; for ECDSA384, it is 384; and for ED448, it is 456.

       import-zone-key ZONEFILE {KSK,ZSK}
              Import from FILE a full (private) key for the zone called ZONE. The format used is compatible with
              BIND and NSD/LDNS. KSK or ZSK specifies the flags this key should have on import. Prints the id of
              the added key.

       import-zone-key-pem ZONEFILEALGORITHM {KSK,**ZSK**}
              Import from PEM FILE a full (private) key for the zone called ZONE with a specified ALGORITHM. The
              format used is compatible with many non-DNS software products. KSK or ZSK specifies the flags this
              key should have on import. Prints the id of the added key.

       publish-zone-keyZONEKEY-ID
              Publish the key with id KEY-ID within a zone called ZONE.

       remove-zone-keyZONEKEY-ID
              Remove a key with id KEY-ID from a zone called ZONE.

       set-nsec3 ZONE ['HASH-ALGORITHMFLAGSITERATIONSSALT'] [narrow]
              Sets NSEC3 parameters for this zone. The quoted parameters are 4 values  that  are  used  for  the
              NSEC3PARAM record and decide how NSEC3 records are created. The NSEC3 parameters must be quoted on
              the  command  line.  HASH-ALGORITHM  must  be  1 (SHA-1). Setting FLAGS to 1 enables NSEC3 opt-out
              operation. Only do this if you know you need it. For ITERATIONS, please consult RFC 5155,  section
              10.3.  And be aware that a high number might overload validating resolvers and that a limit can be
              set with max-nsec3-iterations in pdns.conf. The SALT is a hexadecimal string encoding the bits for
              the salt, or - to use no salt. Setting narrow will make PowerDNS send out "white lies" (RFC  7129)
              about  the  next  secure  record  to  prevent  zone  enumeration.  Instead of looking it up in the
              database, it will send out the hash + 1 as the next secure record.  Narrow  mode  requires  online
              signing  capabilities  by the nameserver and therefore zone transfers are denied. If only the zone
              is provided as argument, the 4-parameter quoted string defaults to '100-'. A sample commandline
              is: pdnsutilset-nsec3powerdnssec.org'111ab'narrow.  WARNING: If  running  in  RSASHA1  mode
              (algorithm 5 or 7), switching from NSEC to NSEC3 will require a DS update in the parent zone.

       unpublish-zone-keyZONEKEY-ID
              Unpublish the key with id KEY-ID within a zone called ZONE.

       unset-nsec3ZONE
              Converts  ZONE  to  NSEC  operations.  WARNING:  If  running  in  RSASHA1 mode (algorithm 5 or 7),
              switching from NSEC to NSEC3 will require a DS update at the parent zone!

       set-publish-cdsZONE[DIGESTALGOS]
              Set ZONE to respond to queries for its CDS records. the optional argument DIGESTALGOS should be  a
              comma-separated  list  of  DS algorithms to use. By default, this is 2 (SHA-256). 0 will publish a
              CDS with a DNSSEC delete algorithm.

       set-publish-cdnskey ZONE [delete]
              Set ZONE to publish CDNSKEY records. Add 'delete' to  publish  a  CDNSKEY  with  a  DNSSEC  delete
              algorithm.

       unset-publish-cdsZONE
              Set ZONE to stop responding to queries for its CDS records.

       unset-publish-cdnskeyZONE
              Set ZONE to stop publishing CDNSKEY records.

       pdnsutil - PowerDNS record and DNSSEC command and control

-h, --help
              Show summary of options

       -v, --verbose
              Be more verbose.

       --force
              Force an action

       --config-name<NAME>
              Virtual configuration name

       --config-dir<DIR>
              Location of pdns.conf. Default is /etc/powerdns.

b2b-migrateOLDNEW
              Migrate data from one backend to another.  Needs launch=OLD,NEW in the configuration.

       ipencryptIP-ADDRESSpassword
              Encrypt an IP address according to the 'ipcipher' standard

       ipdecryptIP-ADDRESSpassword
              Decrypt an IP address according to the 'ipcipher' standard

       pdns_server (1), pdns_control (1)

       pdnsutil [OPTION]... COMMAND

       These  commands  manipulate TSIG key information in the database. Some commands require an ALGORITHM, the
       following are available:

       • hmac-md5

       • hmac-sha1

       • hmac-sha224

       • hmac-sha256

       • hmac-sha384

       • hmac-sha512

       activate-tsig-key ZONENAME {primary,secondary,producer,consumer}
              Enable TSIG authenticated AXFR using the key NAME for zone ZONE.  This  sets  the  TSIG-ALLOW-AXFR
              (primary/producer) or AXFR-MASTER-TSIG (secondary/consumer) zone metadata.

       deactivate-tsig-key ZONENAME {primary,secondary,producer,consumer}
              Disable TSIG authenticated AXFR using the key NAME for zone ZONE.

       delete-tsig-keyNAME
              Delete the TSIG key NAME. Warning, this does not deactivate said key.

       generate-tsig-keyNAMEALGORITHM
              Generate new TSIG key with name NAME and the specified algorithm.

       import-tsig-keyNAMEALGORITHMKEY
              Import KEY of the specified algorithm as NAME.

       list-tsig-keys
              Show a list of all configured TSIG keys.

add-recordZONENAMETYPE[TTL]CONTENT
              Add one or more records of NAME and TYPE to ZONE with CONTENT and optional TTL. If TTL is not set,
              default will be used.

       add-autoprimaryIPNAMESERVER[ACCOUNT]
              Add a autoprimary entry into the backend. This enables receiving zone updates from other servers.

       remove-autoprimaryIPNAMESERVER
              Remove an autoprimary from backend. Not supported by BIND backend.

       list-autoprimaries
              List all autoprimaries.

       create-zoneZONE
              Create an empty zone named ZONE.

       create-secondary-zoneZONEPRIMARY[PRIMARY]...
              Create   a  new  secondary  zone  ZONE  with  primaries  PRIMARY.  All  PRIMARYs  need  to  to  be
              space-separated IP addresses with an optional port.

       change-secondary-zone-primaryZONEPRIMARY[PRIMARY]...
              Change the primaries for secondary zone ZONE to new primaries PRIMARY. All PRIMARYs need to to  be
              space-separated IP addresses with an optional port.

       check-all-zones
              Check all zones for correctness.

       check-zoneZONE
              Check zone ZONE for correctness.

       clear-zoneZONE
              Clear the records in zone ZONE, but leave actual zone and settings unchanged

       delete-rrsetZONENAMETYPE
              Delete named RRSET from zone.

       delete-zoneZONE
              Delete the zone named ZONE.

       edit-zoneZONE
              Opens  ZONE in zonefile format (regardless of backend it was loaded from) in the editor set in the
              environment variable EDITOR. if EDITOR is empty, pdnsutil falls back to using editor.

       get-metaZONE[ATTRIBUTE]...
              Get zone metadata. If no ATTRIBUTE given, lists all known.

       hash-password[WORK-FACTOR]
              This convenience command asks for a password and returns a hashed and salted version, for use as a
              webserver password or api key.  An optional scrypt work factor can be specified, in power of  two,
              otherwise it defaults to 1024.

       hash-zone-recordZONERNAME
              This convenience command hashes the name RNAME according to the NSEC3 settings of ZONE. Refuses to
              hash for zones with no NSEC3 settings.

       increase-serialZONE
              Increases the SOA-serial by 1. Uses SOA-EDIT.

       list-keys[ZONE]
              List  DNSSEC  information for all keys or for ZONE. --verbose or -v will also include the keys for
              disabled or empty zones.

       list-all-zones
              List all active zone names. --verbose or -v will also include disabled or empty zones.

       list-member-zonesCATALOG
              List all members of catalog zone CATALOG"

       list-zoneZONE
              Show all records for ZONE.

       load-zoneZONEFILE
              Load records for ZONE from FILE. If  ZONE  already  exists,  all  records  are  overwritten,  this
              operation is atomic. If ZONE doesn't exist, it is created.

       rectify-zoneZONE
              Calculates  the  'ordername'  and  'auth' fields for a zone called ZONE so they comply with DNSSEC
              settings. Can be used to fix up migrated data. Can always safely be run, it does no harm.

       rectify-all-zones
              Calculates the 'ordername' and 'auth' fields for all zones so they comply  with  DNSSEC  settings.
              Can be used to fix up migrated data.  Can always safely be run, it does no harm.

       replace-rrsetZONENAMETYPE[TTL]CONTENT[CONTENT...]
              Replace existing NAME in zone ZONE with a new set.

       secure-zoneZONE
              Configures  a  zone called ZONE with reasonable DNSSEC settings. You should manually run 'pdnsutil
              rectify-zone' afterwards.

       secure-all-zones [increase-serial]
              Configures all zones that are not  currently  signed  with  reasonable  DNSSEC  settings.  Setting
              increase-serial  will  increase  the  serial of those zones too. You should manually run 'pdnsutil
              rectify-all-zones' afterwards.

       set-kindZONEKIND
              Change the kind of ZONE to KIND (primary, secondary, native, producer, consumer).

       set-options-jsonZONEJSON
              Change the options of ZONE to JSONset-optionZONE[producer*|*consumer][coo*|*unique*|*group]VALUE[VALUE...]
              Set or remove an option for ZONE. Providing an empty value removes an option.

       set-catalogZONECATALOG
              Change the catalog of ZONE to CATALOG. Setting CATALOG to  an  empty  ""  removes  ZONE  from  the
              catalog it is in.

       set-accountZONEACCOUNT
              Change the account (owner) of ZONE to ACCOUNT.

       add-metaZONEATTRIBUTEVALUE[VALUE]...
              Append  VALUE to the existing ATTRIBUTE metadata for ZONE.  Will return an error if ATTRIBUTE does
              not support multiple values, use set-meta for these values.

       set-metaZONEATTRIBUTE[VALUE]...
              Set zonemetadata ATTRIBUTE for ZONE to VALUE. An empty value clears it.

       set-presignedZONE
              Switches ZONE to presigned operation, utilizing in-zone RRSIGs.

       show-zoneZONE
              Shows all DNSSEC related settings of a zone called ZONE.

       test-schemaZONE
              Test database schema, this creates the zone ZONEunset-presignedZONE
              Disables presigned operation for ZONE.

       raw-lua-from-contentTYPECONTENT
              Display record contents in a form suitable for dnsdist's SpoofRawAction.

       zonemd-verify-fileZONEFILE
              Validate ZONEMD for ZONE read from FILE.