pdns-3.3.3-1.mga4.x86_64.rpm

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>5. 'pdnssec' for PowerDNSSEC command &amp; control</title><link rel="stylesheet" href="docbook.css" type="text/css" /><meta name="generator" content="DocBook XSL Stylesheets V1.75.2" /><link rel="home" href="index.html" title="PowerDNS manual" /><link rel="up" href="powerdnssec-auth.html" title="Chapter 12. Serving authoritative DNSSEC data" /><link rel="prev" href="powerdnssec.html" title="4. Records, Keys, signatures, hashes within PowerDNSSEC in online signing mode" /><link rel="next" href="dnssec-advice-precautions.html" title="6. DNSSEC advice &amp; precautions" /></head><body><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">5. 'pdnssec' for PowerDNSSEC command &amp; control</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="powerdnssec.html">Prev</a> </td><th width="60%" align="center">Chapter 12. Serving authoritative DNSSEC data</th><td width="20%" align="right"> <a accesskey="n" href="dnssec-advice-precautions.html">Next</a></td></tr></table><hr /></div><div class="section" title="5. 'pdnssec' for PowerDNSSEC command &amp; control"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="pdnssec"></a>5. 'pdnssec' for PowerDNSSEC command &amp; control</h2></div></div></div><p>
    'pdnssec' is a powerful command that is the operator-friendly gateway into PowerDNSSEC configuration. Behind the scenes,
    'pdnssec' manipulates a PowerDNS backend database, which also means that for many databases, 'pdnssec' can be run remotely,
    and can configure key material on different servers.
  </p><p>
  The following pdnssec commands are available:</p><p>
    </p><div class="variablelist"><dl><dt><span class="term">activate-zone-key ZONE KEY-ID</span></dt><dd><p>
		Activate a key with id KEY-ID within a zone called ZONE.
	      </p></dd><dt><span class="term">add-zone-key ZONE [ksk|zsk] [bits] [rsasha1|rsasha256|rsasha512|gost|ecdsa256|ecdsa384]</span></dt><dd><p>
		Create a new key for zone ZONE, and make it a KSK or a ZSK, with the specified algorithm.
	      </p></dd><dt><span class="term">check-zone ZONE</span></dt><dd><p>
			Check a zone for DNSSEC correctness. The main goal is to check whether the auth flag is set correctly.
			</p></dd><dt><span class="term">check-all-zones</span></dt><dd><p>
	    Check all zones for DNSSEC correctness. Added in 3.1.
        </p></dd><dt><span class="term">deactivate-zone-key ZONE KEY-ID</span></dt><dd><p>
		Deactivate a key with id KEY-ID within a zone called ZONE.
	      </p></dd><dt><span class="term">export-zone-dnskey ZONE KEY-ID</span></dt><dd><p>
		Export to standard output DNSKEY and DS of key with key id KEY-ID within zone called ZONE.
	      </p></dd><dt><span class="term">export-zone-key ZONE KEY-ID</span></dt><dd><p>
		Export to standard output full (private) key with key id KEY-ID within zone called ZONE. The format
		used is compatible with BIND and NSD/LDNS.
	      </p></dd><dt><span class="term">hash-zone-record ZONE RECORDNAME</span></dt><dd><p>
		This convenience command hashes the name 'recordname' according to the NSEC3 settings of ZONE.
		Refuses to hash for zones with no NSEC3 settings.
	      </p></dd><dt><span class="term">import-zone-key ZONE filename [ksk|zsk]</span></dt><dd><p>
		Import from 'filename' a full (private) key for zone called ZONE. The format
		used is compatible with BIND and NSD/LDNS. KSK or ZSK specifies the flags this
		key should have on import.
	      </p></dd><dt><span class="term">import-zone-key-pem ZONE filename algorithm [ksk|zsk]</span></dt><dd><p>
		Import from 'filename' a full (private) key in PEM format for zone called ZONE, and
		assign it an algorithm number. KSK or ZSK specifies the flags this
		key should have on import. The format used is compatible with 'openssl genrsa',
		which is also called PEM.
	      </p></dd><dt><span class="term">rectify-zone ZONE [ZONE ..]</span></dt><dd><p>
		Calculates the 'ordername' and 'auth' fields for a zone called ZONE so they comply with DNSSEC settings.
		Can be used to fix up migrated data. It can always be run safely and does no harm. Multiple zones can be supplied.
	      </p></dd><dt><span class="term">rectify-all-zones</span></dt><dd><p>
		Do a rectify-zone for all the zones. Be careful when running this. Only
		bind and gmysql backends are supported. Added in 3.1.
        </p></dd><dt><span class="term">remove-zone-key ZONE KEY-ID</span></dt><dd><p>
		Remove a key with id KEY-ID from a zone called ZONE.
	      </p></dd><dt><span class="term">secure-zone ZONE</span></dt><dd><p>
		Configures a zone called ZONE with reasonable DNSSEC settings. You should manually run 'rectify-zone' afterwards.
	      </p></dd><dt><span class="term">set-nsec3 ZONE 'parameters' [narrow]</span></dt><dd><p>
		Sets NSEC3 parameters for this zone. A sample command line is: "pdnssec set-nsec3 powerdnssec.org '1 1 1 ab' narrow".
		The NSEC3 parameters must be quoted on the command line.
		</p><div class="warning" title="Warning" style="margin-left: 0.5in; margin-right: 0.5in;"><table border="0" summary="Warning"><tr><td rowspan="2" align="center" valign="top" width="25"><img alt="[Warning]" src="warning.png" /></td><th align="left">Warning</th></tr><tr><td align="left" valign="top"><p>If running in RSASHA1 mode (algorithm 5 or 7), switching from NSEC to NSEC3 will require a DS update at the parent zone! </p></td></tr></table></div><p>
		The NSEC3 fields are: 'algorithm flags iterations salt'. Both 'algorithm' and 'flags' should be 1 for PowerDNS
		operation.
	      </p></dd><dt><span class="term">set-presigned ZONE</span></dt><dd><p>
			Switches zone to presigned operation, utilizing in-zone RRSIGs.
	      </p></dd><dt><span class="term">show-zone ZONE</span></dt><dd><p>
		Shows all DNSSEC related settings of a zone called ZONE.
	      </p></dd><dt><span class="term">unset-nsec3 ZONE</span></dt><dd><p>
		Converts a zone to NSEC operations. 
		</p><div class="warning" title="Warning" style="margin-left: 0.5in; margin-right: 0.5in;"><table border="0" summary="Warning"><tr><td rowspan="2" align="center" valign="top" width="25"><img alt="[Warning]" src="warning.png" /></td><th align="left">Warning</th></tr><tr><td align="left" valign="top"><p>If running in RSASHA1 mode (algorithm 5 or 7), switching from NSEC to NSEC3 will require a DS update at the parent zone! </p></td></tr></table></div><p>
	      </p></dd><dt><span class="term">unset-presigned ZONE</span></dt><dd><p>
			Disables presigned operation for ZONE.
	      </p></dd></dl></div><p>
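    The hashing that 'hash-zone-record' performs from the 'algorithm flags iterations salt' fields given to 'set-nsec3' can be reproduced offline. The following is an added example, not code from PowerDNS or from this manual: it implements the NSEC3 hash of RFC 5155, all function names are hypothetical, and the record name www.powerdnssec.org is constructed for illustration.

```python
import base64
import hashlib

# Added example, not PowerDNS code; all function names here are hypothetical.
# Standard base32 alphabet mapped to base32hex (RFC 4648), as NSEC3 owner names use.
_TO_B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                             b"0123456789ABCDEFGHIJKLMNOPQRSTUV")


def parse_nsec3_params(params):
    """Split 'algorithm flags iterations salt' into typed fields."""
    fields = params.split()
    if len(fields) != 4:
        raise ValueError("expected 'algorithm flags iterations salt'")
    algorithm, flags, iterations = (int(f) for f in fields[:3])
    if algorithm != 1:
        raise ValueError("only hash algorithm 1 (SHA-1) is defined for NSEC3")
    if iterations not in range(0, 65536):
        raise ValueError("iterations must fit in 16 bits")
    # Salt is hexadecimal on the command line; '-' means an empty salt.
    salt = b"" if fields[3] == "-" else bytes.fromhex(fields[3])
    return algorithm, flags, iterations, salt


def name_to_wire(name):
    """Canonical wire form: lowercase, length-prefixed labels, root terminator."""
    wire = b""
    for label in name.lower().rstrip(".").split("."):
        raw = label.encode("ascii")
        if raw:
            if len(raw) > 63:
                raise ValueError("label longer than 63 octets")
            wire += bytes([len(raw)]) + raw
    return wire + b"\x00"


def nsec3_hash(name, params):
    """Return the base32hex NSEC3 hash of `name` under the given parameters."""
    _, _, iterations, salt = parse_nsec3_params(params)
    digest = hashlib.sha1(name_to_wire(name) + salt).digest()
    for _ in range(iterations):  # 'iterations' counts the additional rounds
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_TO_B32HEX).decode("ascii").lower()


if __name__ == "__main__":
    # Parameters from the sample command line on this page; the record name is constructed.
    print(nsec3_hash("www.powerdnssec.org", "1 1 1 ab"))
```

    The result is the 32-character label that appears as the owner name of the NSEC3 record covering the hashed name, so it can be compared against what the server returns in a denial-of-existence answer.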
    </p></div><div class="navfooter"><hr /><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="powerdnssec.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="powerdnssec-auth.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="dnssec-advice-precautions.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">4. Records, Keys, signatures, hashes within PowerDNSSEC in online signing mode </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> 6. DNSSEC advice &amp; precautions</td></tr></table></div></body></html>