'pdnssec' is a powerful command that is the operator-friendly gateway into PowerDNSSEC configuration. Behind the scenes, 'pdnssec' manipulates a PowerDNS backend database, which also means that for many databases, 'pdnssec' can be run remotely, and can configure key material on different servers.
The following pdnssec commands are available:
Activate a key with id KEY-ID within a zone called ZONE.
Create a new key for zone ZONE, and make it a KSK or a ZSK, with the specified algorithm.
Check a zone for DNSSEC correctness. Main goals is to check if the auth flag is set correctly.
Check all zones for DNSSEC correctness. Added in 3.1.
Deactivate a key with id KEY-ID within a zone called ZONE.
Export to standard output DNSKEY and DS of key with key id KEY-ID within zone called ZONE.
Export to standard output full (private) key with key id KEY-ID within zone called ZONE. The format used is compatible with BIND and NSD/LDNS.
This convenience command hashes the name 'recordname' according to the NSEC3 settings of ZONE. Refuses to hash for zones with no NSEC3 settings.
Import from 'filename' a full (private) key for zone called ZONE. The format used is compatible with BIND and NSD/LDNS. KSK or ZSK specifies the flags this key should have on import.
Import from 'filename' a full (private) key in PEM format for zone called ZONE, and assign it an algorithm number. KSK or ZSK specifies the flags this key should have on import. The format used is compatible with 'openssl genrsa', which is also called PEM.
Calculates the 'ordername' and 'auth' fields for a zone called ZONE so they comply with DNSSEC settings. Can be used to fix up migrated data. Can always safely be run, it does no harm. Multiple zones can be supplied.
Do a rectify-zone for all the zones. Be careful when running this. Only bind and gmysql backends are supported. Added in 3.1.
Remove a key with id KEY-ID from a zone called ZONE.
Configures a zone called ZONE with reasonable DNSSEC settings. You should manually run 'rectify-zone' afterwards.
Sets NSEC3 parameters for this zone. A sample command line is: "pdnssec set-nsec3 powerdnssec.org '1 1 1 ab' narrow". The NSEC3 parameters must be quoted on the command line.
![]() | Warning |
---|---|
If running in RSASHA1 mode (algorithm 5 or 7), switching from NSEC to NSEC3 will require a DS update at the parent zone! |
The NSEC3 fields are: 'algorithm flags iterations salt'. Both 'algorithm' and 'flags' should be 1 for PowerDNS operation.
Switches zone to presigned operation, utilizing in-zone RRSIGs.
Shows all DNSSEC related settings of a zone called ZONE.
Converts a zone to NSEC operations.
![]() | Warning |
---|---|
If running in RSASHA1 mode (algorithm 5 or 7), switching from NSEC to NSEC3 will require a DS update at the parent zone! |
Disables presigned operation for ZONE.