Contents

Previous topic

Servers

Next topic

Cryptokeys

This Page

  1. Docs
  2. Built-in Webserver and HTTP API
  3. Zones

Zones

Manipulating zones is the primary use of the API.

Zone Endpoints

GET /servers/{server_id}/zones

List all Zones in a server

Parameters:
  • server_id (string) – The id of the server to retrieve
Query Parameters:
 
  • zone (string) – When set to the name of a zone, only this zone is returned. If no zone with that name exists, the response is an empty array. This can e.g. be used to check if a zone exists in the database without having to guess/encode the zone’s id or to check if a zone exists.
  • dnssec (boolean) – “true” (default) or “false”, whether to include the “dnssec” and ”edited_serial” fields in the Zone objects. Setting this to ”false” will make the query a lot faster.
Status Codes:
POST /servers/{server_id}/zones

Creates a new domain, returns the Zone on creation.

Parameters:
  • server_id (string) – The id of the server to retrieve
Query Parameters:
 
  • rrsets (boolean) – “true” (default) or “false”, whether to include the “rrsets” in the response Zone object.
Status Codes:
GET /servers/{server_id}/zones/{zone_id}

zone managed by a server

Parameters:
  • server_id (string) – The id of the server to retrieve
  • zone_id (string) – The id of the zone to retrieve
Query Parameters:
 
  • rrsets (boolean) – “true” (default) or “false”, whether to include the “rrsets” in the response Zone object.
  • rrset_name (string) – Limit output to RRsets for this name.
  • rrset_type (string) – Limit output to the RRset of this type. Can only be used together with rrset_name.
Status Codes:
DELETE /servers/{server_id}/zones/{zone_id}

Deletes this zone, all attached metadata and rrsets.

Parameters:
  • server_id (string) – The id of the server to retrieve
  • zone_id (string) – The id of the zone to retrieve
Status Codes:
PATCH /servers/{server_id}/zones/{zone_id}

Creates/modifies/deletes RRsets present in the payload and their comments. Returns 204 No Content on success.

Parameters:
  • server_id (string) – The id of the server to retrieve
  • zone_id (string) –
Status Codes:
PUT /servers/{server_id}/zones/{zone_id}

Modifies basic zone data.

The only fields in the zone structure which can be modified are: kind, masters, catalog, account, soa_edit, soa_edit_api, api_rectify, dnssec, and nsec3param. All other fields are ignored.

Parameters:
  • server_id (string) – The id of the server to retrieve
  • zone_id (string) –
Status Codes:
PUT /servers/{server_id}/zones/{zone_id}/axfr-retrieve

Retrieve slave zone from its master.

Fails when zone kind is not Slave, or slave is disabled in the configuration. Clients MUST NOT send a body.

Parameters:
  • server_id (string) – The id of the server to retrieve
  • zone_id (string) – The id of the zone to retrieve
Status Codes:
PUT /servers/{server_id}/zones/{zone_id}/notify

Send a DNS NOTIFY to all slaves.

Fails when zone kind is not Master or Slave, or master and slave are disabled in the configuration. Only works for Slave if renotify is on. Clients MUST NOT send a body.

Parameters:
  • server_id (string) – The id of the server to retrieve
  • zone_id (string) – The id of the zone to retrieve
Status Codes:
GET /servers/{server_id}/zones/{zone_id}/export

Returns the zone in AXFR format.

Parameters:
  • server_id (string) – The id of the server to retrieve
  • zone_id (string) – The id of the zone to retrieve
Status Codes:
PUT /servers/{server_id}/zones/{zone_id}/rectify

Rectify the zone data.

This does not take into account the API-RECTIFY metadata. Fails on slave zones and zones that do not have DNSSEC.

Parameters:
  • server_id (string) – The id of the server to retrieve
  • zone_id (string) – The id of the zone to retrieve
Status Codes:

Objects

A Zone object represents an authoritative DNS Zone.

A Resource Record Set (below as “RRset”) are all records for a given name and type.

Comments are per-RRset.

Zone

This represents an authoritative DNS Zone.

Object Properties:
 
  • id (string) – Opaque zone id (string), assigned by the server, should not be interpreted by the application. Guaranteed to be safe for embedding in URLs.
  • name (string) – Name of the zone (e.g. “example.com.”) MUST have a trailing dot
  • type (string) – Set to “Zone”
  • url (string) – API endpoint for this zone
  • kind (string) – Zone kind, one of “Native”, “Master”, “Slave”, “Producer”, “Consumer”
  • rrsets ([RRSet]) – RRSets in this zone (for zones/{zone_id} endpoint only; omitted during GET on the …/zones list endpoint)
  • serial (integer) – The SOA serial number
  • notified_serial (integer) – The SOA serial notifications have been sent out for
  • edited_serial (integer) – The SOA serial as seen in query responses. Calculated using the SOA-EDIT metadata, default-soa-edit and default-soa-edit-signed settings
  • masters ([string]) – List of IP addresses configured as a master for this zone (“Slave” type zones only)
  • dnssec (boolean) – Whether or not this zone is DNSSEC signed (inferred from presigned being true XOR presence of at least one cryptokey with active being true)
  • nsec3param (string) – The NSEC3PARAM record
  • nsec3narrow (boolean) – Whether or not the zone uses NSEC3 narrow
  • presigned (boolean) – Whether or not the zone is pre-signed
  • soa_edit (string) – The SOA-EDIT metadata item
  • soa_edit_api (string) – The SOA-EDIT-API metadata item
  • api_rectify (boolean) – Whether or not the zone will be rectified on data changes via the API
  • zone (string) – MAY contain a BIND-style zone file when creating a zone
  • catalog (string) – The catalog this zone is a member of
  • account (string) – MAY be set. Its value is defined by local policy
  • nameservers ([string]) – MAY be sent in client bodies during creation, and MUST NOT be sent by the server. Simple list of strings of nameserver names, including the trailing dot. Not required for slave zones.
  • master_tsig_key_ids ([string]) – The id of the TSIG keys used for master operation in this zone
  • slave_tsig_key_ids ([string]) – The id of the TSIG keys used for slave operation in this zone
RRSet

This represents a Resource Record Set (all records with the same name and type).

Object Properties:
 
  • name (string) – Name for record set (e.g. “www.powerdns.com.”)
  • type (string) – Type of this record (e.g. “A”, “PTR”, “MX”)
  • ttl (integer) – DNS TTL of the records, in seconds. MUST NOT be included when changetype is set to “DELETE”.
  • changetype (string) – MUST be added when updating the RRSet. Must be REPLACE or DELETE. With DELETE, all existing RRs matching name and type will be deleted, including all comments. With REPLACE: when records is present, all existing RRs matching name and type will be deleted, and then new records given in records will be created. If no records are left, any existing comments will be deleted as well. When comments is present, all existing comments for the RRs matching name and type will be deleted, and then new comments given in comments will be created.
  • records ([Record]) – All records in this RRSet. When updating Records, this is the list of new records (replacing the old ones). Must be empty when changetype is set to DELETE. An empty list results in deletion of all records (and comments).
  • comments ([Comment]) – List of Comment. Must be empty when changetype is set to DELETE. An empty list results in deletion of all comments. modified_at is optional and defaults to the current server time.
Record

The RREntry object represents a single record.

Object Properties:
 
  • content (string) – The content of this record
  • disabled (boolean) – Whether or not this record is disabled. When unset, the record is not disabled
Comment

A comment about an RRSet.

Object Properties:
 
  • content (string) – The actual comment
  • account (string) – Name of an account that added the comment
  • modified_at (integer) – Timestamp of the last change to the comment

Note

Switching dnssec to true (from false) sets up DNSSEC signing based on the other flags, this includes running the equivalent of secure-zone and rectify-zone (if api_rectify is set to true). This also applies to newly created zones. If presigned is true, no DNSSEC changes will be made to the zone or cryptokeys.

Note

notified_serial, serial MUST NOT be sent in client bodies.

Changes made through the Zones API will always yield valid zone data, as the API will reject records with wrong data.

DNSSEC-enabled zones should be rectified after changing the zone data. This can be done by the API automatically after a change when the API-RECTIFY metadata is set. When creating or updating a zone, the “api_rectify” field of the Zone can be set to true to enable this behaviour.

Backends might implement additional features (by coincidence or not). These things are not supported through the API.

When creating a slave zone, it is recommended to not set any of nameservers, rrsets or zone.

Examples

Listing all zones

GET /api/v1/servers/localhost/zones HTTP/1.1
X-API-Key: secret

Will yield a response similar to this (several headers omitted):

HTTP/1.1 200 OK
Content-Type: application/json

[{"account": "", "dnssec": false, "edited_serial": 2022040504, "id": "example.org.", "kind": "Native", "last_check": 0, "masters": [], "name": "example.org.", "notified_serial": 0, "serial": 2022040504, "url": "/api/v1/servers/localhost/zones/example.org."}]

Creating new zone

POST /api/v1/servers/localhost/zones HTTP/1.1
X-API-Key: secret
Content-Type: application/json

{"name": "example.org.", "kind": "Native", "masters": [], "nameservers": ["ns1.example.org.", "ns2.example.org."]}

Will yield a response similar to this (several headers omitted):

HTTP/1.1 200 OK
Content-Type: application/json

{"account": "", "api_rectify": false, "dnssec": false, "edited_serial": 2022040501, "id": "example.org.", "kind": "Native", "last_check": 0, "master_tsig_key_ids": [], "masters": [], "name": "example.org.", "notified_serial": 0, "nsec3narrow": false, "nsec3param": "", "rrsets": [{"comments": [], "name": "example.org.", "records": [{"content": "a.misconfigured.dns.server.invalid. hostmaster.example.org. 2022040501 10800 3600 604800 3600", "disabled": false}], "ttl": 3600, "type": "SOA"}, {"comments": [], "name": "example.org.", "records": [{"content": "ns1.example.org.", "disabled": false}, {"content": "ns2.example.org.", "disabled": false}], "ttl": 3600, "type": "NS"}], "serial": 2022040501, "slave_tsig_key_ids": [], "soa_edit": "", "soa_edit_api": "DEFAULT", "url": "/api/v1/servers/localhost/zones/example.org."}

Listing a zone

GET /api/v1/servers/localhost/zones/example.org. HTTP/1.1
X-API-Key: secret

Will yield a response similar to this (several headers omitted):

HTTP/1.1 200 OK
Content-Type: application/json

{"account": "", "api_rectify": false, "dnssec": false, "edited_serial": 2022040501, "id": "example.org.", "kind": "Native", "last_check": 0, "master_tsig_key_ids": [], "masters": [], "name": "example.org.", "notified_serial": 0, "nsec3narrow": false, "nsec3param": "", "rrsets": [{"comments": [], "name": "example.org.", "records": [{"content": "a.misconfigured.dns.server.invalid. hostmaster.example.org. 2022040501 10800 3600 604800 3600", "disabled": false}], "ttl": 3600, "type": "SOA"}, {"comments": [], "name": "example.org.", "records": [{"content": "ns1.example.org.", "disabled": false}, {"content": "ns2.example.org.", "disabled": false}], "ttl": 3600, "type": "NS"}], "serial": 2022040501, "slave_tsig_key_ids": [], "soa_edit": "", "soa_edit_api": "DEFAULT", "url": "/api/v1/servers/localhost/zones/example.org."}

Deleting a zone

DELETE /api/v1/servers/localhost/zones/example.org. HTTP/1.1
X-API-Key: secret

Will yield a response similar to this (several headers omitted):

HTTP/1.1 204 No Content

Creating new RRset

PATCH /api/v1/servers/localhost/zones/example.org. HTTP/1.1
X-API-Key: secret
Content-Type: application/json

{"rrsets": [{"name": "test.example.org.", "type": "A", "ttl": 3600, "changetype": "REPLACE", "records": [{"content": "192.168.0.5", "disabled": false}]}]}

Will yield a response similar to this (several headers omitted):

HTTP/1.1 204 No Content

Deleting a RRset

PATCH /api/v1/servers/localhost/zones/example.org. HTTP/1.1
X-API-Key: secret
Content-Type: application/json

{"rrsets": [{"name": "test.example.org.", "type": "A", "changetype": "DELETE"}]}

Will yield a response similar to this (several headers omitted):

HTTP/1.1 204 No Content

Rectifying a zone

PUT /api/v1/servers/localhost/zones/example.org./rectify HTTP/1.1
X-API-Key: secret

Will yield a response similar to this (several headers omitted):

HTTP/1.1 200 OK
Content-Type: application/json

{"result": "Rectified"}
Servers
Cryptokeys
© Copyright PowerDNS.COM BV. Created using Sphinx.