pdnsutil

Synopsis

pdnsutil [OPTION]… COMMAND

Description

pdnsutil (formerly pdnssec) is a powerful command that is the operator-friendly gateway into DNSSEC and zone management for PowerDNS. Behind the scenes, pdnsutil manipulates a PowerDNS backend database, which also means that for many databases, pdnsutil can be run remotely, and can configure key material on different servers.

Options

-h, --help Show summary of options
-v, --verbose Be more verbose
-f, --force Force an action
-q, --quiet Be quiet
--config-name <NAME>
 Virtual configuration name
--config-dir <DIR>
 Location of pdns.conf. Default is /etc/powerdns.

Commands

There are many available commands. Most commands follow the pattern pdnsutil <object> <action> [arguments...], where <object> is a noun and <action> is a verb; a few commands which do not apply to any particular object kind use only the verb.

AUTOPRIMARY COMMANDS

autoprimary add IP NAMESERVER [ACCOUNT]

Add an autoprimary entry to the backend. This enables receiving zone updates from other servers.

autoprimary list

List all autoprimaries.

autoprimary remove IP NAMESERVER

Remove an autoprimary from backend. Not supported by BIND backend.

CATALOG ZONE COMMANDS

catalog list-members CATALOG

List all members of catalog zone CATALOG.

catalog set ZONE [CATALOG]

Change the catalog of ZONE to CATALOG. If CATALOG is omitted, removes ZONE from the catalog it is in.

ZONE METADATA COMMANDS

metadata add ZONE KIND VALUE [VALUE]…

Append VALUE to the existing KIND metadata for ZONE. Returns an error if KIND does not support multiple values; use metadata set for such kinds.

metadata get ZONE [KIND]…

Get zone metadata. If no KIND given, lists all known.

metadata set ZONE KIND [VALUE]…

Set zone metadata KIND for ZONE to VALUE, replacing all existing values of KIND. An omitted value clears it.

NETWORK COMMANDS

network list

List all defined networks with their chosen views.

network set NET [VIEW]

Set the VIEW for network NET, or delete the mapping for NET if no VIEW argument is given.

ZONE RECORD COMMANDS

In these commands, the rrset object name may also be written as record.

rrset add ZONE NAME TYPE [TTL] CONTENT

Add one or more records of NAME and TYPE to ZONE with CONTENT and optional TTL. If TTL is not set, the configured default-ttl will be used. NAME must be absolute.

rrset delete ZONE NAME TYPE

Delete named RRSET from zone. NAME must be absolute.

rrset hash ZONE RNAME

This convenience command hashes the name RNAME according to the NSEC3 settings of ZONE. Refuses to hash for zones with no NSEC3 settings.
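What rrset hash computes, shown as an added worked example rather than PowerDNS code: the RFC 5155 NSEC3 owner-name hash in Python, using as the assumed zone settings the NSEC3PARAM values of the RFC's own Appendix A example zone (hash algorithm 1, 12 iterations, salt aabbccdd).

```python
import base64
import hashlib

# Constructed NSEC3PARAM values, taken from the RFC 5155 Appendix A example zone:
# hash algorithm 1 (SHA-1), 12 additional iterations, salt aabbccdd.
EXAMPLE_ITERATIONS = 12
EXAMPLE_SALT_HEX = "aabbccdd"


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 6.2): lowercase,
    length-prefixed labels, terminated by the root label."""
    name = name.rstrip(".").lower()
    wire = b""
    if name:
        for label in name.split("."):
            raw = label.encode("ascii")
            if not 0 < len(raw) < 64:
                raise ValueError(f"bad label length in {name!r}")
            wire += bytes([len(raw)]) + raw
    return wire + b"\x00"


def base32hex(data: bytes) -> str:
    """RFC 4648 base32hex (0-9a-v), the alphabet NSEC3 owner names use."""
    std = base64.b32encode(data).decode("ascii").rstrip("=")
    return std.translate(str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                                       "0123456789abcdefghijklmnopqrstuv"))


def nsec3_hash(name: str, salt_hex: str, iterations: int, algorithm: int = 1) -> str:
    """RFC 5155 section 5: IH(0) = H(name || salt); IH(k) = H(IH(k-1) || salt).
    'iterations' counts the rounds after the first hash, so every owner name
    costs iterations + 1 SHA-1 calls for the signer and for every validator."""
    if algorithm != 1:
        raise ValueError("only NSEC3 hash algorithm 1 (SHA-1) is defined")
    salt = b"" if salt_hex in ("", "-") else bytes.fromhex(salt_hex)  # "-" means no salt
    digest = hashlib.sha1(name_to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base32hex(digest)


if __name__ == "__main__":
    for owner in ("example", "a.example", "*.w.example"):
        print(f"{owner:>14} -> {nsec3_hash(owner, EXAMPLE_SALT_HEX, EXAMPLE_ITERATIONS)}")
```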

rrset replace ZONE NAME TYPE [TTL] CONTENT [CONTENT…]

Replace existing NAME in zone ZONE with a new set.

VIEWS COMMANDS

views add-zone VIEW ZONE..VARIANT

Add the given ZONE VARIANT to a VIEW.

views del-zone VIEW ZONE..VARIANT

Remove a ZONE VARIANT from a VIEW.

views list VIEW

List all zones within VIEW.

views list-all

List all view names.

ZONE MANIPULATION COMMANDS

zone check ZONE

Check zone ZONE for correctness.

zone check-all [exit-on-error]

Check all zones for correctness, aborting upon finding the first error in any zone if “exit-on-error” is specified.

zone clear ZONE

Clear the records in zone ZONE, but leave the zone itself and its settings unchanged.

zone create ZONE

Create an empty zone named ZONE.

zone delete ZONE

Delete the zone named ZONE.

zone edit ZONE

Opens ZONE in zonefile format (regardless of the backend it was loaded from) in the editor set in the environment variable EDITOR. If EDITOR is empty, pdnsutil falls back to using editor.

zone increase-serial ZONE

Increases the SOA-serial by 1. Uses SOA-EDIT.

zone list ZONE

Show all records for ZONE.

zone list-all [KIND]

List all active zone names of the given KIND (primary, secondary, native, producer, consumer), or all zones if no KIND is given. Passing --verbose or -v also includes disabled or empty zones.

zone load ZONE FILE

Load records for ZONE from FILE. If ZONE already exists, all of its records are overwritten; this operation is atomic. If ZONE does not exist, it is created.

zone set-account ZONE ACCOUNT

Change the account (owner) of ZONE to ACCOUNT.

zone set-kind ZONE KIND

Change the kind of ZONE to KIND (primary, secondary, native, producer, consumer).

zone set-option ZONE [producer | consumer] [coo | unique | group] VALUE [VALUE …]

Set or remove an option for ZONE. Providing an empty value removes an option.

zone set-options-json ZONE JSONFILE

Change the options of ZONE to the contents of JSONFILE.

zone zonemd-verify-file ZONE FILE

Validate ZONEMD for ZONE read from FILE.

SECONDARY ZONE COMMANDS

zone change-primary ZONE PRIMARY [PRIMARY]…

Change the primaries for secondary zone ZONE to the new primaries PRIMARY. All PRIMARYs need to be space-separated IP addresses with an optional port.

zone create-secondary ZONE PRIMARY [PRIMARY]…

Create a new secondary zone ZONE with primaries PRIMARY. All PRIMARYs need to be space-separated IP addresses with an optional port.

ZONE KEY COMMANDS

zone activate-key ZONE KEY_ID

Activate a key with id KEY_ID within a zone called ZONE.

zone add-key ZONE [KSK,ZSK] [active,inactive] [published,unpublished] ALGORITHM [KEYBITS]

Create a new key for zone ZONE, and make it a KSK (default) or a ZSK, with the specified ALGORITHM and KEYBITS. If KEYBITS is omitted, the value of default-ksk-size or default-zsk-size is used.

The key is inactive by default; set it to active to immediately use it to sign ZONE. The key is published in the zone by default; set it to unpublished to keep it from being returned in a DNSKEY query, which is useful for algorithm rollovers.

Prints the id of the added key.

zone deactivate-key ZONE KEY_ID

Deactivate a key with id KEY_ID within a zone called ZONE.

zone export-key ZONE KEY_ID

Export full (private) key with key id KEY_ID within zone ZONE to standard output. The format used is compatible with BIND and NSD/LDNS.

zone export-key-pem ZONE KEY_ID

Export full (private) key with key id KEY_ID within zone ZONE to standard output in the PEM file format. The format is compatible with many non-DNS software products.

zone generate-key {KSK,ZSK} [ALGORITHM] [KEYBITS]

Generate a ZSK or KSK with the specified algorithm and bits and print it on standard output. If ALGORITHM is not set, ECDSA256 is used. If KEYBITS is not set, an appropriate key size is selected for ALGORITHM: for RSA keys, 2048 bits for a KSK and 1024 bits for a ZSK; for ECC keys, the size the algorithm requires, as mentioned above.

zone import-key ZONE FILE [KSK,ZSK] [active,inactive] [published,unpublished]

Import from FILE a full (private) key for the zone ZONE. The format used is compatible with BIND and NSD/LDNS. KSK or ZSK specifies the flags this key should have on import. Defaults to KSK, active and published. Prints the id of the added key.

zone import-key-pem ZONE FILE ALGORITHM {KSK,ZSK}

Import from PEM FILE a full (private) key for the zone ZONE with a specified ALGORITHM. The format used is compatible with many non-DNS software products. KSK or ZSK specifies the flags this key should have on import. Prints the id of the added key.

zone publish-key ZONE KEY_ID

Publish the key with id KEY_ID within zone ZONE.

zone remove-key ZONE KEY_ID

Remove a key with id KEY_ID from zone ZONE.

zone unpublish-key ZONE KEY_ID

Unpublish the key with id KEY_ID within zone ZONE.

OTHER/MISCELLANEOUS COMMANDS

b2b-migrate OLD NEW

Migrate data from one backend to another. Needs launch=OLD,NEW in the configuration.

backend-cmd BACKEND CMD [CMD…]

Send a text command to a backend for execution. GSQL backends will take SQL commands, other backends may take different things. Be careful!

backend-lookup BACKEND NAME [TYPE [CLIENT_IP_SUBNET]]

Perform a backend record lookup.

bench-db [FILE]

Perform a benchmark of the backend-database. FILE can be a file with a list, one per line, of zone names to use for this. If FILE is not specified, powerdns.com is used.

create-bind-db FILENAME

Create DNSSEC database (sqlite3) at FILENAME for the BIND backend. Remember to set bind-dnssec-db=*FILE* in your pdns.conf.

hash-password [WORK_FACTOR]

This convenience command reads a password (not echoed) from standard input and returns a hashed and salted version, for use as a webserver password or API key. An optional scrypt work factor can be specified, in powers of two; otherwise it defaults to 1024.

ipdecrypt IP_ADDRESS PASSPHRASE_OR_KEY [key]

Decrypt an IP address according to the ‘ipcipher’ standard. If the passphrase is a base64 key, add the word “key” after it.

ipencrypt IP_ADDRESS PASSPHRASE_OR_KEY [key]

Encrypt an IP address according to the ‘ipcipher’ standard. If the passphrase is a base64 key, add the word “key” after it.

list-algorithms [with-backend]

List all DNSSEC algorithms supported, optionally also listing the cryptographic library used if “with-backend” is specified.

test-schema ZONE

Test the database schema; this creates the zone ZONE.

raw-lua-from-content TYPE CONTENT

Display record contents in a form suitable for dnsdist’s SpoofRawAction.

See also

pdns_server (1), pdns_control (1)