'pdnssec' is a powerful command that is the operator-friendly gateway into PowerDNSSEC configuration. Behind the scenes, 'pdnssec' manipulates a PowerDNS backend database, which also means that for many databases, 'pdnssec' can be run remotely, and can configure key material on different servers.
The following pdnssec commands are available:
Activate a key with id KEY-ID within a zone called ZONE.
Create a new key for zone ZONE, and make it a KSK or a ZSK, with the specified algorithm.
Check a zone for DNSSEC correctness. Main goals is to check if the auth flag is set correctly.
Check all zones for DNSSEC correctness. Added in 3.1.
Deactivate a key with id KEY-ID within a zone called ZONE.
Export to standard output DNSKEY and DS of key with key id KEY-ID within zone called ZONE.
Export to standard output full (private) key with key id KEY-ID within zone called ZONE. The format used is compatible with BIND and NSD/LDNS.
This convenience command hashes the name 'recordname' according to the NSEC3 settings of ZONE. Refuses to hash for zones with no NSEC3 settings.
Import from 'filename' a full (private) key for zone called ZONE. The format used is compatible with BIND and NSD/LDNS. KSK or ZSK specifies the flags this key should have on import.
Import from 'filename' a full (private) key in PEM format for zone called ZONE, and assign it an algorithm number. KSK or ZSK specifies the flags this key should have on import. The format used is compatible with 'openssl genrsa', which is also called PEM.
Generate and display a zone key. Can be used when you need to generate a key for some script backend. Does not store the key.
Calculates the 'ordername' and 'auth' fields for a zone called ZONE so they comply with DNSSEC settings. Can be used to fix up migrated data. Can always safely be run, it does no harm. Multiple zones can be supplied.
Do a rectify-zone for all the zones. Be careful when running this. Only bind and gmysql backends are supported. Added in 3.1.
Remove a key with id KEY-ID from a zone called ZONE.
Configures a zone called ZONE with reasonable DNSSEC settings. You should manually run 'rectify-zone' afterwards.
Add keymaterial to all zones. You should manually run 'rectify-all-zones' afterwards. The 'increase-serial' option increases the SOA serial for new secured zones.
Sets NSEC3 parameters for this zone. A sample command line is: "pdnssec set-nsec3 powerdnssec.org '1 0 1 ab' narrow". The NSEC3 parameters must be quoted on the command line.
![]() | Warning |
---|---|
If running in RSASHA1 mode (algorithm 5 or 7), switching from NSEC to NSEC3 will require a DS update at the parent zone! |
The NSEC3 fields are: 'algorithm flags iterations salt'. For 'algorithm', currently '1' is the only supported value. Setting 'flags' to 1 enables opt-out operation. Only do this if you know you need it. The salt is hexadecimal.
Switches zone to presigned operation, utilizing in-zone RRSIGs.
Shows all DNSSEC related settings of a zone called ZONE.
Converts a zone to NSEC operations.
![]() | Warning |
---|---|
If running in RSASHA1 mode (algorithm 5 or 7), switching from NSEC to NSEC3 will require a DS update at the parent zone! |
Disables presigned operation for ZONE.
Imports a named TSIG key. Use enable/disable-tsig-key to map it to a zone.
Creates and stores a named tsig key.
Deletes a named TSIG key. WARNING! Does not unmap it from zones.
Shows all TSIG keys from all backends.
activate TSIG key for a zone. Use master on master server, slave on slave server.
Deactivate TSIG key for a zone. Use master on master server, slave on slave server.
Gets one or more meta items for domain ZONE. If no meta keys defined, it retrieves well known meta keys.
Clears or sets meta for domain ZONE. You can provide one or more value(s).