FreeBSD Manual Pages

PDNSUTIL(1)		 PowerDNS Authoritative	Server		   PDNSUTIL(1)

NAME
       pdnsutil	- PowerDNS record and DNSSEC command and control

SYNOPSIS
       pdnsutil	[OPTION]... COMMAND

DESCRIPTION
       pdnsutil	 (formerly  pdnssec)  is a powerful command that is the	opera-
       tor-friendly gateway into DNSSEC	and zone management for	PowerDNS.  Be-
       hind the	scenes,	pdnsutil  manipulates  a  PowerDNS  backend  database,
       which also means	that for many databases, pdnsutil can be run remotely,
       and can configure key material on different servers.

OPTIONS
       -h, --help
	      Show summary of options

       -v, --verbose
	      Be more verbose

       -f, --force
	      Force an action

       -q, --quiet
	      Be quiet

       --config-name <NAME>
	      Virtual configuration name

       --config-dir <DIR>
	      Location of pdns.conf. Default is	/etc/powerdns.

COMMANDS
       There  are  many	 available  commands. Most commands follow the pattern
       pdnsutil	<object> <action> [arguments...], where	<object> is a noun and
       <action>	is a verb; a few commands which	do not apply to	any particular
       object kind use only the	verb.

AUTOPRIMARY COMMANDS
       autoprimary add IP NAMESERVER [ACCOUNT]
          Add an autoprimary entry to the backend. This enables receiving
          zone updates from other servers.

       autoprimary list
	  List all autoprimaries.

       autoprimary remove IP NAMESERVER
          Remove an autoprimary from the backend. Not supported by the BIND backend.

CATALOG	ZONE COMMANDS
       catalog list-members CATALOG
          List all members of catalog zone CATALOG.

       catalog set ZONE	[CATALOG]
	  Change  the  catalog	of ZONE	to CATALOG. If CATALOG is omitted, re-
	  moves	ZONE from the catalog it is in.

ZONE METADATA COMMANDS
       metadata	add ZONE KIND VALUE [VALUE]...
          Append VALUE to the existing KIND metadata for ZONE. Returns an
          error if KIND does not support multiple values; use metadata set
          for those kinds.

       metadata	get ZONE [KIND]...
	  Get zone metadata. If	no KIND	given, lists all known.

       metadata	set ZONE KIND [VALUE]...
	  Set zone metadata KIND for ZONE to  VALUE,  replacing	 all  existing
	  values of KIND. An omitted value clears it.

NETWORK	COMMANDS
       network list
	  List all defined networks with their chosen views.

       network set NET [VIEW]
          Set the VIEW for the network NET, or delete it if no VIEW argument is given.

ZONE RECORD COMMANDS
       In these	commands, the rrset object name	may also be written as record.

       rrset add ZONE NAME TYPE	[TTL] CONTENT
	  Add  one  or	more records of	NAME and TYPE to ZONE with CONTENT and
	  optional TTL.	If TTL is not set, the configured default-ttl will  be
	  used.	 NAME must be absolute.

       rrset delete ZONE NAME TYPE
	  Delete named RRSET from zone.	 NAME must be absolute.

       rrset hash ZONE RNAME
	  This	convenience  command  hashes  the  name	RNAME according	to the
	  NSEC3	settings of ZONE. Refuses to hash for zones with no NSEC3 set-
	  tings.

       rrset replace ZONE NAME TYPE [TTL] CONTENT [CONTENT...]
	  Replace existing NAME	in zone	ZONE with a new	set.

TSIG RELATED COMMANDS
       These commands manipulate TSIG key information in  the  database.  Some
       commands	require	an ALGORITHM, which can	be any of the following:

        hmac-md5

        hmac-sha1

        hmac-sha224

        hmac-sha256

        hmac-sha384

        hmac-sha512

       tsigkey activate	ZONE NAME {primary,secondary,producer,consumer}
	  Enable  TSIG	authenticated  AXFR  using the key NAME	for zone ZONE.
	  This sets the	TSIG-ALLOW-AXFR	(primary/producer) or AXFR-MASTER-TSIG
	  (secondary/consumer) zone metadata.

       tsigkey deactivate ZONE NAME {primary,secondary,producer,consumer}
	  Disable TSIG authenticated AXFR using	the key	NAME for zone ZONE.

       tsigkey delete NAME
	  Delete the TSIG key NAME. Warning: this  does	 not  deactivate  said
	  key.

       tsigkey generate	NAME ALGORITHM
	  Generate new TSIG key	with name NAME and the specified algorithm.

       tsigkey import NAME ALGORITHM KEY
	  Import KEY of	the specified algorithm	as NAME.

       tsigkey list
	  Show a list of all configured	TSIG keys.

VIEWS COMMANDS
       views add-zone VIEW ZONE..VARIANT
	  Add the given	ZONE VARIANT to	a VIEW.

       views del-zone VIEW ZONE..VARIANT
	  Remove a ZONE	VARIANT	from a VIEW.

       views list VIEW
	  List all zones within	VIEW.

       views list-all
	  List all view	names.

ZONE MANIPULATION COMMANDS
       zone check ZONE
	  Check	zone ZONE for correctness.

       zone check-all [exit-on-error]
	  Check	all zones for correctness, aborting upon finding the first er-
	  ror in any zone if "exit-on-error" is	specified.

       zone clear ZONE
          Clear the records in zone ZONE, but leave the zone itself and its
          settings unchanged.

       zone create ZONE
	  Create an empty zone named ZONE.

       zone delete ZONE
	  Delete the zone named	ZONE.

       zone edit ZONE
          Opens ZONE in zonefile format (regardless of the backend it was
          loaded from) in the editor set in the environment variable EDITOR.
          If EDITOR is empty, pdnsutil falls back to using editor.

       zone increase-serial ZONE
	  Increases the	SOA-serial by 1. Uses SOA-EDIT.

       zone list ZONE
	  Show all records for ZONE.

       zone list-all KIND
	  List all active zone names of	the given  KIND	 (primary,  secondary,
	  native, producer, consumer), or all if none given. Passing --verbose
	  or -v	will also include disabled or empty zones.

       zone load ZONE FILE
          Load records for ZONE from FILE. If ZONE already exists, all records
          are overwritten; this operation is atomic. If ZONE doesn't exist, it
          is created.

       zone set-account	ZONE ACCOUNT
	  Change the account (owner) of	ZONE to	ACCOUNT.

       zone set-kind ZONE KIND
	  Change  the  kind  of	ZONE to	KIND (primary, secondary, native, pro-
	  ducer, consumer).

       zone set-option ZONE [producer |	consumer] [coo | unique	| group] VALUE
       [VALUE ...]
	  Set or remove	an option for ZONE. Providing an empty	value  removes
	  an option.

       zone set-options-json ZONE JSONFILE
	  Change the options of	ZONE to	the contents of	JSONFILE.

       zone zonemd-verify-file ZONE FILE
	  Validate ZONEMD for ZONE read	from FILE.

SECONDARY ZONE COMMANDS
       zone change-primary ZONE	PRIMARY	[PRIMARY]...
          Change the primaries for secondary zone ZONE to the new primaries
          PRIMARY. All PRIMARYs need to be space-separated IP addresses with
          an optional port.

       zone create-secondary ZONE PRIMARY [PRIMARY]...
          Create a new secondary zone ZONE with primaries PRIMARY. All
          PRIMARYs need to be space-separated IP addresses with an optional
          port.

DNSSEC-RELATED COMMANDS
       Several commands	manipulate the DNSSEC keys and options for zones. Some
       of  these  commands require an ALGORITHM	to be set. The following algo-
       rithms are supported:

        rsasha1

        rsasha1-nsec3-sha1

        rsasha256

        rsasha512

        ecdsa256

        ecdsa384

        ed25519

        ed448

       NOTE:
	  ed25519 and ed448 algorithms will  only  be  available  if  adequate
	  cryptographic	libraries have been available while compiling PowerDNS
	  on your particular system.

       In  addition  to	 the  algorithm, some commands below may ask for a key
       size in bits. The key size may be omitted for the ECC algorithms, which
       support only one	valid size per algorithm; for ECDSA256 and ED25519, it
       is 256; for ECDSA384, it	is 384;	and for	ED448, it is...	456.

       zone dnssec-disable ZONE
	  Deactivate all keys and unset	PRESIGNED in ZONE.

       zone export-dnskey ZONE KEY_ID
	  Export DNSKEY	and DS of key with key id KEY_ID within	zone  ZONE  to
	  standard output.

       zone export-ds ZONE
	  Export all KSK DS records for	ZONE to	standard output.

       zone list-keys [ZONE]
	  List	DNSSEC	information  for  all  keys  or	for ZONE only. Passing
	  --verbose or -v will also include the	keys  for  disabled  or	 empty
	  zones.

       zone rectify ZONE
	  Calculates  the 'ordername' and 'auth' fields	for a zone called ZONE
	  so they comply with DNSSEC settings. Can be used to fix up  migrated
	  data.

       zone rectify-all
	  Calculates  the  'ordername' and 'auth' fields for all zones so they
	  comply with DNSSEC settings. Can be used to fix up migrated data.

       zone secure ZONE
	  Configures a zone called ZONE	with reasonable	DNSSEC	settings.  You
	  should manually run 'pdnsutil	zone rectify' afterwards.

       zone secure-all [increase-serial]
	  Configures  all  zones that are not currently	signed with reasonable
	  DNSSEC settings. Setting increase-serial will	increase the serial of
	  those	zones too. You should manually run 'pdnsutil zone rectify-all'
	  afterwards.

       zone set-nsec3 ZONE ['HASH-ALGORITHM FLAGS ITERATIONS SALT'] [narrow]
	  Sets NSEC3 parameters	for this zone. The  quoted  parameters	are  4
	  values  that are used	for the	NSEC3PARAM record and decide how NSEC3
	  records are created. The NSEC3 parameters must be quoted on the com-
	  mand line. HASH-ALGORITHM must be 1 (SHA-1). Setting FLAGS to	1  en-
	  ables	NSEC3 opt-out operation. Only do this if you know you need it.
	  For ITERATIONS, please consult RFC 5155.

	  And  be aware	that a high number might overload validating resolvers
	  and that a limit can be set with max-nsec3-iterations	in  pdns.conf.
	  The  SALT is a hexadecimal string encoding the bits for the salt, or
	  - to use no salt.

	  Setting narrow will make PowerDNS send out "white lies"  (RFC	 7129)
	  about	the next secure	record to prevent zone enumeration. Instead of
	  looking  it up in the	database, it will send out the hash + 1	as the
	  next secure record. Narrow mode requires online signing capabilities
	  by the nameserver and	therefore zone transfers are denied.

	  If only the zone is provided as  argument,  the  4-parameter	quoted
	  string defaults to '1	0 0 -',	as recommended by RFC 9276.

	  A sample commandline would be:

	  pdnsutil zone	set-nsec3 powerdnssec.org '1 1 1 ab' narrow

	  WARNING:  If	running	 in RSASHA1 mode (algorithm 5 or 7), switching
	  from NSEC to NSEC3 will require a DS update in the parent zone.
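
          The following is an added example, not code from pdnsutil or this
          manual page: a Python implementation of the NSEC3 owner-name hashing
          (RFC 5155) that 'rrset hash' and 'zone set-nsec3' rely on. It takes
          the same quoted 'HASH-ALGORITHM FLAGS ITERATIONS SALT' string, treats
          '-' as no salt, and also shows the hash + 1 "next owner" that narrow
          mode sends. The owner name www.powerdnssec.org. is an assumed input;
          the test vector used in the assertions is from RFC 5155 Appendix A.

```python
import base64
import hashlib

# NSEC3 owner names use Base32 with the extended hex alphabet (RFC 4648 sec. 7).
_B32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
_B32HEX = "0123456789ABCDEFGHIJKLMNOPQRSTUV"
_TO_HEX = str.maketrans(_B32, _B32HEX)
_FROM_HEX = str.maketrans(_B32HEX, _B32)


def parse_nsec3param(param):
    """Parse pdnsutil's quoted 'HASH-ALGORITHM FLAGS ITERATIONS SALT' string.
    '-' means no salt; '1 0 0 -' is the RFC 9276 default of 'zone set-nsec3 ZONE'."""
    fields = param.split()
    if len(fields) != 4:
        raise ValueError("expected 'HASH-ALGORITHM FLAGS ITERATIONS SALT'")
    alg, flags, iterations = (int(f) for f in fields[:3])
    if alg != 1:
        raise ValueError("HASH-ALGORITHM must be 1 (SHA-1)")
    salt = b"" if fields[3] == "-" else bytes.fromhex(fields[3])
    return alg, flags, iterations, salt


def name_to_wire(name):
    """Canonical (lowercased) wire form of an absolute owner name such as 'a.example.'."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def nsec3_hash(name, param):
    """RFC 5155 sec. 5: IH(0) = SHA1(name||salt), IH(k) = SHA1(IH(k-1)||salt)."""
    _, _, iterations, salt = parse_nsec3param(param)
    digest = hashlib.sha1(name_to_wire(name) + salt).digest()
    for _ in range(iterations):  # ITERATIONS additional rounds on top of the first
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode("ascii").translate(_TO_HEX).lower()


def narrow_next_hash(hashed):
    """Narrow mode: the 'next hashed owner' of the white-lie NSEC3 is hash + 1 (mod 2^160)."""
    raw = base64.b32decode(hashed.upper().translate(_FROM_HEX))
    nxt = (int.from_bytes(raw, "big") + 1) % (1 << 160)
    return base64.b32encode(nxt.to_bytes(20, "big")).decode("ascii").translate(_TO_HEX).lower()


if __name__ == "__main__":
    # Parameters from the sample command line above and the RFC 9276 default (assumed owner name).
    for params in ("1 1 1 ab", "1 0 0 -"):
        h = nsec3_hash("www.powerdnssec.org.", params)
        print(params, "->", h, "narrow next:", narrow_next_hash(h))
```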

       zone set-presigned ZONE
	  Switches ZONE	to presigned operation,	utilizing in-zone RRSIGs.

       zone set-publish-cdnskey	ZONE [delete]
	  Set ZONE to publish CDNSKEY  records.	 Add  'delete'	to  publish  a
	  CDNSKEY with a DNSSEC	delete algorithm.

       zone set-publish-cds ZONE [DIGESTALGOS]
          Set ZONE to respond to queries for its CDS records. The optional
          argument DIGESTALGOS should be a comma-separated list of DS digest
          algorithms to use. By default, this is 2 (SHA-256). 0 will publish
          a CDS with a DNSSEC delete algorithm.

       zone show ZONE
	  Shows	 various details of the	zone called ZONE, including its	DNSSEC
	  related settings.

       zone unset-nsec3	ZONE
          Converts ZONE to NSEC operation. WARNING: If running in RSASHA1
          mode (algorithm 5 or 7), switching from NSEC3 to NSEC will require a
          DS update at the parent zone!

       zone unset-presigned ZONE
	  Disables presigned operation for ZONE.

       zone unset-publish-cdnskey ZONE
	  Set ZONE to stop publishing CDNSKEY records.

       zone unset-publish-cds ZONE
	  Set ZONE to stop responding to queries for its CDS records.

ZONE KEY COMMANDS
       zone activate-key ZONE KEY_ID
	  Activate a key with id KEY_ID	within a zone called ZONE.

       zone  add-key  ZONE [KSK,ZSK] [active,inactive] [published,unpublished]
       ALGORITHM [KEYBITS]
	  Create a new key for zone ZONE, and make it a	 KSK  (default)	 or  a
	  ZSK,	with  the specified ALGORITHM and KEYBITS. If KEYBITS is omit-
	  ted,	the   value   of   setting-default-ksk-size   or   setting-de-
	  fault-zsk-size are used.

	  The  key is inactive by default, set it to active to immediately use
	  it to	sign ZONE. The key is published	in the zone by default,	set it
	  to unpublished to keep it from being returned	 in  a	DNSKEY	query,
	  which	is useful for algorithm	rollovers.

	  Prints the id	of the added key.

       zone deactivate-key ZONE	KEY_ID
	  Deactivate a key with	id KEY_ID within a zone	called ZONE.

       zone export-key ZONE KEY_ID
	  Export  full	(private)  key	with key id KEY_ID within zone ZONE to
	  standard output.  The	 format	 used  is  compatible  with  BIND  and
	  NSD/LDNS.

       zone export-key-pem ZONE	KEY_ID
	  Export  full	(private)  key	with key id KEY_ID within zone ZONE to
	  standard output in the PEM file format.  The	format	is  compatible
	  with many non-DNS software products.

       zone generate-key {KSK,ZSK} [ALGORITHM] [KEYBITS]
	  Generate a ZSK or KSK	with specified algorithm and bits and print it
	  on  standard	output.	If ALGORITHM is	not set, ECDSA256 is used.  If
	  KEYBITS is not set, an appropriate keysize  is  selected  for	 ALGO-
	  RITHM:  for  RSA  keys, 2048 bits for	KSK and	1024 bits for ZSK; for
	  ECC keys, the	algorithm-required size	as mentioned above.

       zone import-key ZONE FILE [KSK,ZSK] [active,inactive] [published,unpub-
       lished]
	  Import from FILE a full (private) key	for the	zone ZONE. The	format
	  used	is compatible with BIND	and NSD/LDNS. KSK or ZSK specifies the
	  flags	this key should	have on	import.	Defaults to  KSK,  active  and
	  published. Prints the	id of the added	key.

       zone import-key-pem ZONE	FILE ALGORITHM {KSK,ZSK}
	  Import  from	PEM FILE a full	(private) key for the zone ZONE	with a
	  specified ALGORITHM. The format used is compatible with many non-DNS
	  software products. KSK or ZSK	specifies the flags  this  key	should
	  have on import. Prints the id	of the added key.

       zone publish-key	ZONE KEY_ID
	  Publish the key with id KEY_ID within	zone ZONE.

       zone remove-key ZONE KEY_ID
	  Remove a key with id KEY_ID from zone	ZONE.

       zone unpublish-key ZONE KEY_ID
	  Unpublish the	key with id KEY_ID within zone ZONE.

OTHER/MISCELLANEOUS COMMANDS
       b2b-migrate OLD NEW
	  Migrate  data	 from one backend to another.  Needs launch=OLD,NEW in
	  the configuration.

       backend-cmd BACKEND CMD [CMD...]
	  Send a text command to a backend for execution. GSQL	backends  will
	  take	SQL  commands,	other  backends	 may take different things. Be
	  careful!

       backend-lookup BACKEND NAME [TYPE [CLIENT_IP_SUBNET]]
	  Perform a backend record lookup.

       bench-db	[FILE]
	  Perform a benchmark of the backend-database.	FILE  can  be  a  file
	  with	a  list, one per line, of zone names to	use for	this.  If FILE
	  is not specified, powerdns.com is used.

       create-bind-db FILENAME
          Create a DNSSEC database (sqlite3) at FILENAME for the BIND backend.
          Remember to set bind-dnssec-db=FILENAME in your pdns.conf.

       hash-password [WORK_FACTOR]
	  This convenience command reads a password (not echoed) from standard
	  input	 and  returns  a  hashed and salted version, for use as	a web-
	  server password or api key.  An optional scrypt work factor  can  be
	  specified, in	powers of two, otherwise it defaults to	1024.

       ipdecrypt IP_ADDRESS PASSPHRASE_OR_KEY [key]
	  Decrypt  an  IP address according to the 'ipcipher' standard.	If the
	  passphrase is	a base64 key, add the word "key" after it.

       ipencrypt IP_ADDRESS PASSPHRASE_OR_KEY [key]
	  Encrypt an IP	address	according to the 'ipcipher' standard.  If  the
	  passphrase is	a base64 key, add the word "key" after it.

       list-algorithms [with-backend]
	  List	all  DNSSEC  algorithms	supported, optionally also listing the
	  cryptographic	library	used if	"with-backend" is specified.

       test-schema ZONE
          Test the database schema; this creates the zone ZONE.

       raw-lua-from-content TYPE CONTENT
	  Display record contents in a form suitable for dnsdist's SpoofRawAc-
	  tion.

SEE ALSO
       pdns_server (1),	pdns_control (1)

AUTHOR
       PowerDNS.COM BV

COPYRIGHT
       PowerDNS.COM BV

				 Oct 30, 2025			   PDNSUTIL(1)

<https://man.freebsd.org/cgi/man.cgi?query=pdnsutil&sektion=1&manpath=FreeBSD+Ports+15.0>