DragonFly On-Line Manual Pages
PDNSSEC(8) DragonFly System Manager's Manual PDNSSEC(8)
pdnssec - PowerDNSSEC command and control
pdnssec [options] command
pdnssec is a powerful command that is the operator-friendly gateway
into PowerDNSSEC configuration. Behind the scenes, pdnssec manipulates
a PowerDNS backend database, which also means that for many databases,
pdnssec can be run remotely, and can configure key material on
different servers.
A summary of options is included below.
-h [ --help ]
Show summary of options.
-v [ --verbose ]
Be more verbose.
force an action
--config-name arg
Virtual configuration name
--config-dir arg (=/etc/powerdns)
Location of pdns.conf
--commands arg
Commands given as an argument
activate-zone-key ZONE KEY-ID
Activate a key with id KEY-ID within a zone called ZONE.
add-zone-key ZONE [zsk|ksk] [bits]
Create a new key for zone ZONE, and make it a KSK or a ZSK, with
the specified algorithm.
check-zone ZONE
Check a zone for correctness
deactivate-zone-key ZONE KEY-ID
Deactivate a key with id KEY-ID within a zone called ZONE.
disable-dnssec ZONE
Deactivate all keys and unset PRESIGNED in ZONE
export-zone-dnskey ZONE KEY-ID
Export to standard output DNSKEY and DS of key with key id KEY-
ID within zone called ZONE.
export-zone-key ZONE KEY-ID
Export to standard output full (private) key with key id KEY-ID
within zone called ZONE. The format used is compatible with BIND
hash-zone-record ZONE RNAME
This convenience command hashes the name 'recordname' according
to the NSEC3 settings of ZONE. Refuses to hash for zones with no
NSEC3 settings.
import-zone-key ZONE FILE [ksk|zsk]
Import from 'filename' a full (private) key for zone called
ZONE. The format used is compatible with BIND and NSD/LDNS. KSK
or ZSK specifies the flags this key should have on import.
rectify-zone ZONE
Calculates the 'ordername' and 'auth' fields for a zone called
ZONE so they comply with DNSSEC settings. Can be used to fix up
migrated data. Can always safely be run, it does no harm.
remove-zone-key ZONE KEY-ID
Remove a key with id KEY-ID from a zone called ZONE.
secure-zone ZONE
Configures a zone called ZONE with reasonable DNSSEC settings.
You should manually run 'pdnssec rectify-zone' afterwards.
set-nsec3 ZONE 'params' [narrow]
Sets NSEC3 parameters for this zone. A sample commandline is:
"pdnssec set-nsec3 powerdnssec.org '1 1 1 ab' narrow". The NSEC3
parameters must be quoted on the command line.
If running in RSASHA1 mode (algorithm 5 or 7), switching from
NSEC to NSEC3 will require a DS update at the parent zone!
set-presigned ZONE
Switches zone to presigned operation, utilizing in-zone RRSIGs.
show-zone ZONE
Shows all DNSSEC related settings of a zone called ZONE.
unset-nsec3 ZONE
Converts a zone to NSEC operations.
If running in RSASHA1 mode (algorithm 5 or 7), switching from
NSEC to NSEC3 will require a DS update at the parent zone!
unset-presigned ZONE
Disables presigned operation for ZONE.
This manual page was written by Matthijs Mohlmann
<matthijs@cacholong.nl> for the Debian Project (but may be used by
PowerDNS November 2011 PDNSSEC(8)