pdnsutil
Synopsis
pdnsutil [OPTION]… COMMAND
Description
pdnsutil (formerly pdnssec) is a powerful command that is the
operator-friendly gateway into DNSSEC and zone management for PowerDNS.
Behind the scenes, pdnsutil manipulates a PowerDNS backend database,
which also means that for many databases, pdnsutil can be run
remotely, and can configure key material on different servers.
Options
- -h, --help
- Show summary of options.
- -v, --verbose
- Be more verbose.
- --force
- Force an action.
- --config-name <NAME>
- Virtual configuration name.
- --config-dir <DIR>
- Location of pdns.conf. Default is /etc/powerdns.
Commands
There are many available commands; this section splits them up by
their respective uses.
ZONE MANIPULATION COMMANDS
- add-record ZONE NAME TYPE [TTL] CONTENT
- Add one or more records of NAME and TYPE to ZONE with CONTENT
and optional TTL. If TTL is not set, default will be used.
- add-autoprimary IP NAMESERVER [ACCOUNT]
- Add an autoprimary entry into the backend. This enables receiving zone updates from other servers.
- remove-autoprimary IP NAMESERVER
- Remove an autoprimary from backend. Not supported by BIND backend.
- list-autoprimaries
- List all autoprimaries.
- create-zone ZONE
- Create an empty zone named ZONE.
- create-secondary-zone ZONE PRIMARY [PRIMARY]…
- Create a new secondary zone ZONE with primaries PRIMARY. All PRIMARYs
need to be space-separated IP addresses with an optional port.
- change-secondary-zone-primary ZONE PRIMARY [PRIMARY]…
- Change the primaries for secondary zone ZONE to new primaries PRIMARY. All
PRIMARYs need to be space-separated IP addresses with an optional port.
- check-all-zones
- Check all zones for correctness.
- check-zone ZONE
- Check zone ZONE for correctness.
- clear-zone ZONE
- Clear the records in zone ZONE, but leave the actual zone and
settings unchanged.
- delete-rrset ZONE NAME TYPE
- Delete named RRSET from zone.
- delete-zone ZONE
- Delete the zone named ZONE.
- edit-zone ZONE
- Opens ZONE in zonefile format (regardless of the backend it was loaded
from) in the editor set in the environment variable EDITOR. If
EDITOR is empty, pdnsutil falls back to using editor.
- get-meta ZONE [ATTRIBUTE]…
- Get zone metadata. If no ATTRIBUTE given, lists all known.
- hash-password [WORK-FACTOR]
- This convenience command asks for a password and returns a hashed
and salted version, for use as a webserver password or API key.
An optional scrypt work factor can be specified, as a power of two;
otherwise it defaults to 1024.
- hash-zone-record ZONE RNAME
- This convenience command hashes the name RNAME according to the
NSEC3 settings of ZONE. Refuses to hash for zones with no NSEC3
settings.
- increase-serial ZONE
- Increases the SOA-serial by 1. Uses SOA-EDIT.
- list-keys [ZONE]
- List DNSSEC information for all keys or for ZONE. --verbose or -v will
also include the keys for disabled or empty zones.
- list-all-zones
- List all active zone names. --verbose or -v will also include disabled
or empty zones.
- list-member-zones CATALOG
- List all members of catalog zone CATALOG.
- list-zone ZONE
- Show all records for ZONE.
- load-zone ZONE FILE
- Load records for ZONE from FILE. If ZONE already exists, all
records are overwritten; this operation is atomic. If ZONE doesn’t
exist, it is created.
- rectify-zone ZONE
- Calculates the ‘ordername’ and ‘auth’ fields for a zone called
ZONE so they comply with DNSSEC settings. Can be used to fix up
migrated data. Can always safely be run, it does no harm.
- rectify-all-zones
- Calculates the ‘ordername’ and ‘auth’ fields for all zones so they
comply with DNSSEC settings. Can be used to fix up migrated data.
Can always safely be run, it does no harm.
- replace-rrset ZONE NAME TYPE [TTL] CONTENT [CONTENT…]
- Replace existing NAME in zone ZONE with a new set.
- secure-zone ZONE
- Configures a zone called ZONE with reasonable DNSSEC settings. You
should manually run ‘pdnsutil rectify-zone’ afterwards.
- secure-all-zones [increase-serial]
- Configures all zones that are not currently signed with reasonable
DNSSEC settings. Setting increase-serial will increase the
serial of those zones too. You should manually run ‘pdnsutil
rectify-all-zones’ afterwards.
- set-kind ZONE KIND
- Change the kind of ZONE to KIND (primary, secondary, native, producer, consumer).
- set-options-json ZONE JSON
- Change the options of ZONE to JSON.
- set-option ZONE [producer|consumer] [coo|unique|group] VALUE [VALUE …]
- Set or remove an option for ZONE. Providing an empty value removes an option.
- set-catalog ZONE CATALOG
- Change the catalog of ZONE to CATALOG. Setting CATALOG to an empty “” removes ZONE from the catalog it is in.
- set-account ZONE ACCOUNT
- Change the account (owner) of ZONE to ACCOUNT.
- add-meta ZONE ATTRIBUTE VALUE [VALUE]…
- Append VALUE to the existing ATTRIBUTE metadata for ZONE.
Will return an error if ATTRIBUTE does not support multiple values; use
set-meta for these values.
- set-meta ZONE ATTRIBUTE [VALUE]…
- Set zone metadata ATTRIBUTE for ZONE to VALUE. An empty value
clears it.
- set-presigned ZONE
- Switches ZONE to presigned operation, utilizing in-zone RRSIGs.
- show-zone ZONE
- Shows all DNSSEC related settings of a zone called ZONE.
- test-schema ZONE
- Test database schema. This creates the zone ZONE.
- unset-presigned ZONE
- Disables presigned operation for ZONE.
- raw-lua-from-content TYPE CONTENT
- Display record contents in a form suitable for dnsdist’s SpoofRawAction.
- zonemd-verify-file ZONE FILE
- Validate ZONEMD for ZONE read from FILE.
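The hash-zone-record command above hashes a name according to the zone's NSEC3 settings. The following added example (not PowerDNS code) computes the same kind of hash independently, as defined in RFC 5155, so a value can be cross-checked outside pdnsutil. The function names are hypothetical, names are assumed to consist of plain labels without escaped dots, and the sample parameters are those of the RFC 5155 Appendix A zone.

```python
import base64
import hashlib

# Translation table from the RFC 4648 base32 alphabet to base32hex.
_B32_TO_B32HEX = bytes.maketrans(
    b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
    b"0123456789ABCDEFGHIJKLMNOPQRSTUV",
)


def name_to_wire(name: str) -> bytes:
    """Encode a domain name in canonical (lowercase) DNS wire format."""
    wire = b""
    for label in name.rstrip(".").split("."):
        if not label:
            continue  # the root name has no labels
        raw = label.lower().encode("ascii")
        if len(raw) > 63:
            raise ValueError(f"label too long: {label!r}")
        wire += bytes([len(raw)]) + raw
    wire += b"\x00"
    if len(wire) > 255:
        raise ValueError("name too long")
    return wire


def parse_nsec3param(text: str):
    """Parse 'ALGORITHM FLAGS ITERATIONS SALT' (RFC 5155 presentation format)."""
    algorithm, _flags, iterations, salt = text.split()
    if algorithm != "1":
        raise ValueError("only hash algorithm 1 (SHA-1) is defined")
    return int(iterations), b"" if salt == "-" else bytes.fromhex(salt)


def nsec3_hash(name: str, nsec3param: str) -> str:
    """Return the base32hex NSEC3 owner label for name (RFC 5155 section 5)."""
    iterations, salt = parse_nsec3param(nsec3param)
    # First hash covers the wire-format name; each iteration re-hashes the digest.
    digest = hashlib.sha1(name_to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_B32_TO_B32HEX).decode().lower()


if __name__ == "__main__":
    # Constructed input: the parameters of the RFC 5155 Appendix A sample zone.
    for rname in ("example", "a.example", "ns1.example"):
        print(rname, nsec3_hash(rname, "1 0 12 aabbccdd"))
```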
See also
pdns_server (1), pdns_control (1)