Host names and the MNAME of a SOA records are NEVER
terminated with a '.' in PowerDNS storage! If a trailing '.' is present
it will inevitably cause problems, problems that may be hard to debug.
- Use ``pdnsutil zone check`` to validate your zone data.
+ Use ``pdnsutil zone check`` (or ``pdnsutil check-zone`` prior to version
+ 5.0) to validate your zone data.
.. note::
Whenever the storage format is mentioned, this relates only to the way
pdnsutil zone create example.com
-Records can now be added using ``pdnsutil rrset add`` or ``pdnsutil zone edit``.
+or, prior to version 5.0::
+
+ pdnsutil create-zone example.com
+
+Records can now be added using ``pdnsutil rrset add`` or ``pdnsutil zone edit``
+(respectively ``pdnsutil add-record`` and ``pdnsutil edit-zone`` prior to
+version 5.0).
Secondary operation
^^^^^^^^^^^^^^^^^^^
pdnsutil zone create-secondary example.com 198.51.100.6
+or, prior to version 5.0::
+
+ pdnsutil create-secondary-zone example.com 198.51.100.6
+
And wait a while for PowerDNS to pick up the addition - which happens
within one minute (this is determined by the
:ref:`setting-xfr-cycle-interval`
pdnsutil zone create secondary example.com 198.51.100.6 2001:0DB8:15:4AF::4
pdnsutil zone create secondary example.net 198.51.100.20:5301 '[2001:0DB8:11:6E::4]:54'
+or, prior to version 5.0::
+
+ pdnsutil create-secondary-zone example.com 198.51.100.6 2001:0DB8:15:4AF::4
+ pdnsutil create-secondary-zone example.net 198.51.100.20:5301 '[2001:0DB8:11:6E::4]:54'
+
Autoprimary operation
^^^^^^^^^^^^^^^^^^^^^
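Review bot: the unchanged context above this hunk spells the command as `pdnsutil zone create secondary example.com 198.51.100.6 ...` (with a space), while the Secondary operation section and the consumer-zone example use `pdnsutil zone create-secondary`; one of the two spellings is wrong, and the pre-5.0 block added here (`pdnsutil create-secondary-zone ...`) only reads as the counterpart of the new command once that is made consistent.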
pdnsutil autoprimary add 203.0.113.53 autosecondary.example.com internal
+or, prior to version 5.0::
+
+ pdnsutil add-autoprimary 203.0.113.53 autosecondary.example.com internal
+
From now on, valid notifies from 203.0.113.53 for which the zone lists an NS record
containing 'autosecondary.example.com' will lead to the provisioning of a
secondary domain under the account 'internal'. See :ref:`autoprimary-operation`
pdnsutil zone create example.com
pdnsutil zone set-kind example.com MASTER
+or, prior to version 5.0::
+
+ pdnsutil create-zone example.com
+ pdnsutil set-kind example.com MASTER
+
.. _generic-sql-disabled-data:
Disabled data
Two additional fields in the 'records' table are important: 'auth' and
'ordername'. These fields are set correctly on an incoming zone
-transfer, and also by running ``pdnsutil zone rectify``.
+transfer, and also by running ``pdnsutil zone rectify`` (``pdnsutil
+rectify-zone`` prior to version 5.0).
The 'auth' field should be set to '1' for data for which the zone itself
is authoritative, which includes the SOA record and its own NS records.
In 'NSEC3' non-narrow mode, the ordername should contain a lowercase
base32hex encoded representation of the salted & iterated hash of the
-full record name. ``pdnsutil rrset hash zone record`` can be used
-to calculate this hash.
+full record name. ``pdnsutil rrset hash zone record`` (``pdnsutil
+hash-zone-record zone record`` prior to version 5.0) can be used to calculate
+this hash.
In addition, PowerDNS fully supports empty non-terminals. If you have a
zone example.com, and a host a.b.c.example.com in it, rectify-zone (and
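Review bot: the trailing context `rectify-zone (and` still uses the pre-5.0 command name in running prose; since this hunk rewrites the earlier mention as ``pdnsutil rrset hash zone record`` (``pdnsutil hash-zone-record zone record`` prior to version 5.0), the empty non-terminals sentence should get the same `zone rectify` / `rectify-zone prior to version 5.0` treatment.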
DNSSEC queries
^^^^^^^^^^^^^^
-These queries are used by e.g. ``pdnsutil zone rectify``. Make sure to
+These queries are used by e.g. ``pdnsutil zone rectify`` (``pdnsutil
+rectify-zone`` prior to version 5.0). Make sure to
read :ref:`rules-for-filling-out-dnssec-fields`
if you wish to calculate ordername and auth without using pdns-rectify.
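Review bot: the trailing context `without using pdns-rectify` names a tool that matches neither ``pdnsutil zone rectify`` nor ``pdnsutil rectify-zone`` as written in this hunk; suggest `without using pdnsutil zone rectify` so the paragraph is internally consistent.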
Direct backend commands
^^^^^^^^^^^^^^^^^^^^^^^
-With abi-version 5 you can use :doc:`backend-cmd <../dnssec/pdnsutil>` for
+With abi-version 5 you can use :doc:`backend-cmd <../manpages/pdnsutil.1>` for
executing commands on your backend. PowerDNS will use the following
query/answer format:
~~~~~~~~~~~~~
This method is similar to :ref:`remote-lookup`, but also returns disabled
-records. It allows for an extra optional parameter, ``include_disabled`` which,
+records. It allows for an extra optional parameter, ``include_disabled`` which,
if present and set to false, will only return non-disabled records (in which
case, the behaviour is equivalent to the ``lookup`` method.)
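Review bot: this hunk changes only whitespace on the `records. It allows for an extra optional parameter, ``include_disabled`` which,` line and is unrelated to the pre-5.0 command-name additions; the same holds for the later whitespace-only hunks in the JSON and HTTP examples. Consider splitting those out or mentioning the cleanup in the commit message so reviewers are not left looking for a content change.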
{"qtype":"MX", "qname":"example.com", "content":"10 mx1.example.com.", "ttl": 60},
{"qtype":"A", "qname":"www.example.com", "content":"203.0.113.2", "ttl": 60},
{"qtype":"A", "qname":"ns1.example.com", "content":"192.0.2.2", "ttl": 60},
- {"qtype":"A", "qname":"mx1.example.com", "content":"192.0.2.3", "ttl": 60}
+ {"qtype":"A", "qname":"mx1.example.com", "content":"192.0.2.3", "ttl": 60}
]}
Example HTTP/RPC
.. code-block:: http
PATCH /dnsapi/setdomainmetadata/example.com/PRESIGNED HTTP/1.1
- Content-Type: application/x-www-form-urlencoded
+ Content-Type: application/x-www-form-urlencoded
Content-Length: 12
value[]=YES&
``feedEnts``
~~~~~~~~~~~~
-This method is used by ``pdnsutil zone rectify`` to populate missing
+This method is used by ``pdnsutil zone rectify`` (``pdnsutil rectify-zone``
+prior to version 5.0) to populate missing
non-terminals. This is used when you have, say, record like
_sip._upd.example.com, but no _udp.example.com. PowerDNS requires
that there exists a non-terminal in between, and this instructs you to
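Review bot: typo in the trailing context: `_sip._upd.example.com` should read `_sip._udp.example.com`, since the same sentence goes on to talk about the missing `_udp.example.com` non-terminal; worth fixing while this paragraph is being touched.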
~~~~~~~~~~~~~~~~~~~~
Can be used to send arbitrary commands to your backend using
-:doc:`../dnssec/pdnsutil`.
+:doc:`../manpages/pdnsutil.1`.
- Mandatory: no
- Parameters: query
.. code-block:: json
- {
+ {
"method": "lookup",
"parameters": {
- "qname": "example.com",
+ "qname": "example.com",
"qtype": "SOA",
"zone_id": "-1"
}
.. code-block:: json
{
- "result":
- [
+ "result":
+ [
{ "qtype": "SOA",
- "qname": "example.com",
+ "qname": "example.com",
"content": "dns1.icann.org. hostmaster.icann.org. 2012080849 7200 3600 1209600 3600",
"ttl": 3600,
"domain_id": -1
pdnsutil zone load catalog.example ZONEFILE
pdnsutil zone set-kind catalog.example producer
+or, prior to version 5.0:
+
+.. code-block:: shell
+
+ pdnsutil load-zone catalog.example ZONEFILE
+ pdnsutil set-kind catalog.example producer
+
Creating producer zones is supported in the :doc:`API <http-api/zone>`, using type ``PRODUCER``.
Assigning members to a producer zone
pdnsutil catalog set example.com catalog.example
pdnsutil zone set-kind example.com primary
+or, prior to version 5.0:
+
+.. code-block:: shell
+
+ pdnsutil set-catalog example.com catalog.example
+ pdnsutil set-kind example.com primary
+
Setting catalog values is supported in the :doc:`API <http-api/zone>`, by setting the ``catalog`` property in the zone properties.
Setting the catalog to an empty ``""`` removes the member zone from the catalog it is in.
pdnsutil zone set-option example.com producer coo other-catalog.example
pdnsutil zone set-option example.com producer group pdns-group-x pdns-group-y
+or, prior to version 5.0:
+
+.. code-block:: shell
+
+ pdnsutil set-option example.com producer coo other-catalog.example
+ pdnsutil set-option example.com producer group pdns-group-x pdns-group-y
+
There is also an option to set a specific <unique-N> value for a zone. This is done by setting a the ``unique`` value.
This is used to signal a state reset to the consumer.
The value for ``unique`` is a single DNS label.
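Review bot: typo in the trailing context: `This is done by setting a the ``unique`` value.` has a stray article (`a the`); fix it while the surrounding block is being edited.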
pdnsutil --config-dir=. --config-name=gmysql zone set-option test.com producer unique 123
+or, prior to version 5.0:
+
+.. code-block:: shell
+
+ pdnsutil --config-dir=. --config-name=gmysql set-option test.com producer unique 123
+
Setting options is not yet supported in the API.
Setting up a consumer zone
pdnsutil zone create-secondary catalog.example 192.0.2.42
pdnsutil zone set-kind catalog.example consumer
+or, prior to version 5.0:
+
+.. code-block:: shell
+
+ pdnsutil create-secondary-zone catalog.example 192.0.2.42
+ pdnsutil set-kind catalog.example consumer
+
Creating consumer zones is supported in the :doc:`API <http-api/zone>`, using type ``CONSUMER``.
New member zones on the consumer adopt their primaries from the consumer zone.
pdnsutil zone change-primary catalog.example 192.0.2.45
pdns_control retrieve catalog.example
+or, prior to version 5.0:
+
+.. code-block:: shell
+
+ pdnsutil change-secondary-zone-primary catalog.example 192.0.2.45
+ pdns_control retrieve catalog.example
+
This will update the primary server contact details in each zone
included in the catalog zone.
It is easy to (mis)configure DNSSEC in such a way that your domain
will not operate reliably, or even, at all. We advise operators to stick
-to the keying defaults of ``pdnsutil zone secure``.
+to the keying defaults of ``pdnsutil zone secure`` (``pdnsutil secure-zone``
+prior to version 5.0).
.. note::
GOST may be more widely available in Russia, because it might
$ pdnsutil zone secure powerdnssec.org
+or, prior to version 5.0:
+
+.. code-block:: shell
+
+ $ pdnsutil secure-zone powerdnssec.org
+
Alternatively, PowerDNS can serve pre-signed zones, without knowledge of
private keys.
.. warning::
Once the relevant ``backend-dnssec`` switch has been set,
stricter rules apply for filling out the database! The short version is:
- run ``pdnsutil zone rectify-all``, even those not secured with DNSSEC!
+ run ``pdnsutil zone rectify-all`` (``pdnsutil rectify-all-zones`` prior to
+ version 5.0), even those not secured with DNSSEC!
For more information, see the :ref:`generic-sql-handling-dnssec-signed-zones`.
To deliver a correctly signed zone with the :ref:`dnssec-pdnsutil-dnssec-defaults`, invoke:
pdnsutil zone secure ZONE
+or, prior to version 5.0:
+
+.. code-block:: shell
+
+ pdnsutil secure-zone ZONE
+
To view the DS records for this zone (to transfer to the parent zone),
run:
pdnsutil zone show ZONE
+or, prior to version 5.0:
+
+.. code-block:: shell
+
+ pdnsutil show-zone ZONE
+
For a more traditional setup with a KSK and a ZSK, use the following
sequence of commands:
pdnsutil zone add-key ZONE zsk 1024 active rsasha256
pdnsutil zone add-key ZONE zsk 1024 inactive rsasha256
+or, prior to version 5.0:
+
+.. code-block:: shell
+
+ pdnsutil add-zone-key ZONE ksk 2048 active rsasha256
+ pdnsutil add-zone-key ZONE zsk 1024 active rsasha256
+ pdnsutil add-zone-key ZONE zsk 1024 inactive rsasha256
+
This will add a 2048-bit RSA Key Signing Key and two 1024-bit RSA Zone
Signing Keys. One of the ZSKs is inactive and can be rolled to if
needed.
possibly via OpenDNSSEC, ldns-sign or dnssec-sign.
PowerDNS needs to know if a zone should receive DNSSEC processing. To
-configure, run ``pdnsutil zone set-presigned ZONE``.
+configure, run ``pdnsutil zone set-presigned ZONE`` (``pdnsutil set-presigned
+ZONE`` prior to version 5.0).
If you import presigned zones into your database, please do not import
the NSEC or NSEC3 records. PowerDNS will synthesize these itself.
.. warning::
Right now, you will also need to configure NSEC/NSEC3 settings
- for pre-signed zones using ``pdnsutil zone set-nsec3``. Default is NSEC, in
+ for pre-signed zones using ``pdnsutil zone set-nsec3`` (``pdnsutil set-nsec3``
+ prior to version 5.0). Default is NSEC, in
which case no further configuration is necessary.
From existing DNSSEC non-PowerDNS setups, live signing
pdnsutil zone import-key ZONE FILENAME ksk
+or, prior to version 5.0:
+
+.. code-block:: shell
+
+ pdnsutil import-zone-key ZONE FILENAME ksk
+
replace ``ksk`` with ``zsk`` for a Zone Signing Key.
If all keys are imported using this tool, a zone will serve mostly
when serving data from this zone.
As part of the zone retrieval, the equivalent of
-``pdnsutil zone rectify`` is run to make sure that all DNSSEC-related
-fields are set correctly in the backend.
+``pdnsutil zone rectify`` (``pdnsutil rectify-zone`` prior to version 5.0) is
+run to make sure that all DNSSEC-related fields are set correctly in the
+backend.
Signed AXFR
-----------
.. note::
This SQLite database is different from the database used for the regular :doc:`SQLite 3 backend <../backends/generic-sqlite3>`.
-After this, you can use ``pdnsutil zone secure`` and all other pdnsutil
-commands on your BIND zones without trouble.
+After this, you can use ``pdnsutil zone secure`` (``pdnsutil secure-zone`` prior
+to version 5.0) and all other :doc:`pdnsutil <../manpages/pdnsutil.1>` commands on
+your BIND zones without trouble.
.. _dnssec-modes-hybrid-bind:
As automation is not very widespread, DS publication often needs to occur
manually as follows:
-1. utilize ``pdnsutil zone show`` to display DS and DNSKEY parameters,
+1. utilize ``pdnsutil zone show`` (``pdnsutil show-zone`` prior to version 5.0)
+ to display DS and DNSKEY parameters,
2. transfer these parameters securely to your parent.
Some parents accept DS format, while some accept DNSKEY (and use it to derive
pdnsutil zone dnssec-disable ZONE
+or, prior to version 5.0:
+
+.. code-block:: shell
+
+ pdnsutil disable-dnssec ZONE
+
.. warning::
Going insecure with a zone that has a DS record in the
parent zone will make the zone BOGUS. Make sure the parent zone removes
pdnsutil zone set-nsec3 example.net '1 0 0 -'
+or, prior to version 5.0:
+
+.. code-block:: shell
+
+ pdnsutil set-nsec3 example.net '1 0 0 -'
+
The quoted part is the content of the NSEC3PARAM records, as defined in
:rfc:`RFC 5155 <5155#section-4>`, in order:
pdnsutil zone unset-nsec3 ZONE
+or, prior to version 5.0:
+
+.. code-block:: shell
+
+ pdnsutil unset-nsec3 ZONE
+
.. warning::
Don't change from NSEC to NSEC3 (or the other way around)
for zones with algorithm 5 (RSASHA1), 6 (DSA-NSEC3-SHA1) or 7
DNSSEC Defaults
---------------
-Since version 4.0, when securing a zone using ``pdnsutil zone secure``,
+Since version 4.0, when securing a zone using ``pdnsutil zone secure``
+(``pdnsutil secure-zone`` prior to version 5.0),
a single ECDSA (algorithm 13, ECDSAP256SHA256) key is generated that is
used as CSK. Before 4.0, 3 RSA (algorithm 8) keys were generated, one as
the KSK and two ZSKs. As all keys are online in the database, it made no
pdnsutil zone show example.com
+ or, prior to version 5.0::
+
+ pdnsutil show-zone example.com
+
SoftHSM2 with forwarding
------------------------
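Review bot: in this hunk the lead-in `or, prior to version 5.0::` and the literal line `pdnsutil show-zone example.com` appear at the same indentation, unlike the other hunks in this change, where the block is indented one level deeper than its `or, prior to version 5.0::` paragraph. reStructuredText only recognises a literal block when it is indented relative to the paragraph that ends in `::`, so please confirm the indentation here (same check for the following `pdnsutil show-zone zone` hunk).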
pdnsutil zone show zone
+ or, prior to version 5.0::
+
+ pdnsutil show-zone zone
+
- Note that the physical token is pretty slow, so you have to use it as
hidden primary. It has been observed to produce about 1.5 signatures/second.
pdnsutil metadata set example.org ALLOW-DNSUPDATE-FROM 198.51.100.0/8 203.0.113.2/32
+or, prior to version 5.0::
+
+ pdnsutil set-meta example.org ALLOW-DNSUPDATE-FROM 198.51.100.0/8 203.0.113.2/32
+
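Review bot: both the new line and the pre-5.0 line keep the example `ALLOW-DNSUPDATE-FROM 198.51.100.0/8`, which authorises dynamic updates from the whole of 198.0.0.0/8 rather than from the TEST-NET-2 documentation block; `198.51.100.0/24` is almost certainly what is meant, and it keeps readers from copying an over-broad update ACL into production.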
.. _metadata-tsig-allow-dnsupdate:
TSIG-ALLOW-DNSUPDATE
$ pdnsutil tsigkey list | grep test
test. hmac-sha512. [base64-encoded key]
+or, prior to version 5.0::
+
+ $ pdnsutil generate-tsig-key test hmac-sha512
+ Create new TSIG key test hmac-sha512 [base64-encoded key]
+
+ $ pdnsutil list-tsig-keys | grep test
+ test. hmac-sha512. [base64-encoded key]
+
This adds the key with the name `test` to the zone's metadata. Note, the
-keys need to be added separately with `metadata add`, not as a comma or
-space-separated list::
+keys need to be added separately, not as a comma or space-separated list::
$ pdnsutil metadata add example.org TSIG-ALLOW-DNSUPDATE test
Set 'example.org' meta TSIG-ALLOW-DNSUPDATE = test
$ pdnsutil metadata get example.org TSIG-ALLOW-DNSUPDATE
TSIG-ALLOW-DNSUPDATE = test
+or, prior to version 5.0::
+
+ $ pdnsutil add-meta example.org TSIG-ALLOW-DNSUPDATE test
+ Set 'example.org' meta TSIG-ALLOW-DNSUPDATE = test
+
+ $ pdnsutil get-meta example.org TSIG-ALLOW-DNSUPDATE
+ TSIG-ALLOW-DNSUPDATE = test
+
This is an example of using the new `test` TSIG key with the :program:`nsupdate`
command (see the manpage for :program:`nsupdate` for full details)::
pdnsutil metadata set example.org FORWARD-DNSUPDATE 'yes'
+or, prior to version 5.0::
+
+ pdnsutil set-meta example.org FORWARD-DNSUPDATE 'yes'
+
The existence of the entry (even with an empty value) enables the forwarding.
This domain-specific setting is only useful when the configuration
option :ref:`setting-forward-dnsupdate` is set to 'no', as that will disable it
pdnsutil metadata set example.org NOTIFY-DNSUPDATE 1
+or, prior to version 5.0::
+
+ pdnsutil set-meta example.org NOTIFY-DNSUPDATE 1
+
.. _metadata-soa-edit-dnsupdate:
SOA-EDIT-DNSUPDATE
pdnsutil metadata set example.org SOA-EDIT-DNSUPDATE INCREASE
+or, prior to version 5.0::
+
+ pdnsutil set-meta example.org SOA-EDIT-DNSUPDATE INCREASE
+
This will make the SOA Serial increase by one, for every successful
update.
per zone (including the appropriate reverse zone), via the
domainmetadata table.
-::
+.. code-block:: shell
pdnsutil metadata set example.org ALLOW-DNSUPDATE-FROM 127.0.0.1
pdnsutil metadata set 1.168.192.in-addr.arpa ALLOW-DNSUPDATE-FROM 127.0.0.1
+or, prior to version 5.0:
+
+.. code-block:: shell
+
+ pdnsutil set-meta example.org ALLOW-DNSUPDATE-FROM 127.0.0.1
+ pdnsutil set-meta 1.168.192.in-addr.arpa ALLOW-DNSUPDATE-FROM 127.0.0.1
+
This gives the ip '127.0.0.1' access to send update messages. Make sure
you use the ip address of the machine that runs **dhcpd**.
Another thing we want to do, is add TSIG security. This can only be done
via the domainmetadata table:
-::
+.. code-block:: shell
pdnsutil tsigkey import dhcpdupdate hmac-md5 FYhvwsW1ZtFZqWzsMpqhbg==
pdnsutil metadata set example.org TSIG-ALLOW-DNSUPDATE dhcpdupdate
pdnsutil metadata set 1.168.192.in-addr.arpa TSIG-ALLOW-DNSUPDATE dhcpdupdate
+or, prior to version 5.0:
+
+.. code-block:: shell
+
+ pdnsutil import-tsig-key dhcpdupdate hmac-md5 FYhvwsW1ZtFZqWzsMpqhbg==
+ pdnsutil set-meta example.org TSIG-ALLOW-DNSUPDATE dhcpdupdate
+ pdnsutil set-meta 1.168.192.in-addr.arpa TSIG-ALLOW-DNSUPDATE dhcpdupdate
+
This will:
1. Add the 'dhcpdupdate' key to our PowerDNS installation
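Review bot: the pre-5.0 block duplicates the `hmac-md5` key import (`pdnsutil import-tsig-key dhcpdupdate hmac-md5 FYhvwsW1ZtFZqWzsMpqhbg==`), so the MD5 example now appears twice; since the TSIG-ALLOW-DNSUPDATE example earlier in this change uses `hmac-sha512`, consider using the same algorithm in both the new and the pre-5.0 line here instead of propagating the MD5 example into a second block.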
documentation.
Apart from raw SQL statements, setting domain metadata can be done with
-``pdnsutil metadata set`` and retrieving metadata is done with ``pdnsutil metadata get``.
+``pdnsutil metadata set`` and retrieving metadata with ``pdnsutil metadata get``
+(respectively ``pdnsutil set-meta`` and ``pdnsutil get-meta`` prior to version
+5.0).
The following options can only be read (not written to) via the HTTP API metadata endpoint.
pdnsutil metadata set powerdns.org ALLOW-AXFR-FROM AUTO-NS 2001:db8::/48
+or, prior to version 5.0:
+
+.. code-block:: shell
+
+ pdnsutil set-meta powerdns.org ALLOW-AXFR-FROM AUTO-NS 2001:db8::/48
+
+
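Review bot: the hunk ends with two empty `+` lines after `pdnsutil set-meta powerdns.org ALLOW-AXFR-FROM AUTO-NS 2001:db8::/48`, where every other hunk in this change adds a single trailing blank line; drop the duplicate.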
Each ACL has its own row in the database:
::
pdnsutil metadata set powerdns.org ALSO-NOTIFY 192.0.2.1:5300
pdnsutil metadata set powerdns.org ALLOW-AXFR-FROM 2001:db8:53::1
+or, prior to version 5.0:
+
+.. code-block:: shell
+
+ pdnsutil set-meta powerdns.org ALSO-NOTIFY 192.0.2.1:5300
+ pdnsutil set-meta powerdns.org ALLOW-AXFR-FROM 2001:db8:53::1
API-RECTIFY
-----------
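Review bot: the last added line `pdnsutil set-meta powerdns.org ALLOW-AXFR-FROM 2001:db8:53::1` is followed directly by the `API-RECTIFY` heading in this diff, with no trailing empty `+` line as in the other hunks; confirm a blank line separates the literal block from the heading, otherwise docutils warns that the literal block ends without a blank line.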
-----------
Set to "1" to tell PowerDNS this zone operates in NSEC3 'narrow' mode.
-See ``zone set-nsec3`` for :doc:`pdnsutil <dnssec/pdnsutil>`.
+See ``zone set-nsec3`` in :doc:`pdnsutil <manpages/pdnsutil.1>`.
NSEC3PARAM
----------
NSEC3 parameters of a DNSSEC zone. Will be used to synthesize the
NSEC3PARAM record. If present, NSEC3 is used, if not present, zones
-default to NSEC. See ``zone set-nsec3`` in :doc:`pdnsutil <dnssec/pdnsutil>`.
+default to NSEC. See ``zone set-nsec3`` in :doc:`pdnsutil <manpages/pdnsutil.1>`.
Example content: "1 0 0 -".
.. _metadata-presigned:
zone using ``zone2sql`` or ``pdnsutil zone load`` you must explicitly
set the zone to be ``PRESIGNED``. Note that PowerDNS will not be able to
correctly serve the zone if the imported data is bogus or incomplete.
-Also see ``zone set-presigned`` in :doc:`pdnsutil <dnssec/pdnsutil>`.
+Also see ``zone set-presigned`` in :doc:`pdnsutil <manpages/pdnsutil.1>`.
If a zone is presigned, the content of the metadata must be "1" (without
the quotes). Any other value will not signal presignedness.
numbers <https://www.iana.org/assignments/ds-rr-types/ds-rr-types.xhtml#ds-rr-types-1>`__.
This metadata can also be set using the
-:doc:`pdnsutil <dnssec/pdnsutil>` commands ``zone set-publish-cdnskey``
+:doc:`pdnsutil <manpages/pdnsutil.1>` commands ``zone set-publish-cdnskey``
and ``zone set-publish-cds``. For an example for an :rfc:`7344` key rollover,
see the :doc:`guides/kskrollcdnskey`.
.. warning::
For every mutation to your zone (so, every step except updating DS in the parent), make sure that your serial is bumped, so your secondaries pick up the changes too.
- If you are using AXFR replication, this usually is as simple as ``pdnsutil zone increase-serial example.com``
+ If you are using AXFR replication, this usually is as simple as ``pdnsutil
+ zone increase-serial example.com`` (``pdnsutil increase-serial example.com``
+ prior to version 5.0)
Phase: initial
--------------
pdnsutil zone add-key example.com KSK active unpublished ecdsa384
pdnsutil zone add-key example.com ZSK active unpublished ecdsa384
+or, prior to version 5.0:
+
+.. code-block:: shell
+
+ pdnsutil add-zone-key example.com KSK active unpublished ecdsa384
+ pdnsutil add-zone-key example.com ZSK active unpublished ecdsa384
+
Note the key IDs that ``zone add-key`` reports.
-You can also retrieve these later with ``pdnsutil zone show example.com``.
+You can also retrieve these later with ``pdnsutil zone show example.com``
+(``pdnsutil show-zone example.com`` prior to version 5.0).
After this, PowerDNS will sign all records in the zone with both the old and new ZSKs, and the DNSKEY set will be signed by both KSKs.
pdnsutil zone publish-key example.com 3
pdnsutil zone publish-key example.com 4
-Replace ``3`` and ``4`` with the key IDs gathered in the previous step, or find them in ``pdnsutil zone show example.com``.
+or, prior to version 5.0:
+
+.. code-block:: shell
+
+ pdnsutil publish-zone-key example.com 3
+ pdnsutil publish-zone-key example.com 4
+
+Replace ``3`` and ``4`` with the key IDs gathered in the previous step, or find
+them in the ``pdnsutil zone show`` output (``pdnsutil show-zone`` prior to
+version 5.0).
PowerDNS will now publish the new DNSKEYs that have already been used for signing for a while.
The old DNSKEYs remain published, and active for signing, for now.
This means that a DS for either the old or new algorithm is sufficient for validation.
We can now switch the DS - there is no need to have DSes for both algorithms in the parent zone.
-Using ``pdnsutil zone show example.com`` or ``pdnsutil zone export-ds example.com``, extract the new DNSKEYs or new DSes, depending on what the parent zone operator takes as input.
+Using ``pdnsutil zone show example.com`` or ``pdnsutil zone export-ds
+example.com`` (``pdnsutil show-zone example.com`` or ``pdnsutil export-zone-ds
+example.com`` prior to version 5.0), extract the new DNSKEYs or new DSes,
+depending on what the parent zone operator takes as input.
Note that these commands print DNSKEYs and/or DSes for both the old and the new algorithm.
Check the DS TTL at the parent, for example: ``dig DS example.com @c.gtld-servers.net`` for a delegation from ``.com``.
pdnsutil zone unpublish-key example.com 1
pdnsutil zone unpublish-key example.com 2
+or, prior to version 5.0:
+
+.. code-block:: shell
+
+ pdnsutil unpublish-zone-key example.com 1
+ pdnsutil unpublish-zone-key example.com 2
+
Replace ``1`` and ``2`` with the IDs of the old keys.
Please check that your secondaries now only show the new set of keys when queried with ``dig DNSKEY example.com @...``.
pdnsutil zone deactivate-key example.com 1
pdnsutil zone deactivate-key example.com 2
+or, prior to version 5.0:
+
+.. code-block:: shell
+
+ pdnsutil deactivate-zone-key example.com 1
+ pdnsutil deactivate-zone-key example.com 2
+
Alternatively, you can use ``zone remove-key`` to remove all traces of the old keys.
Conclusion
New rrset:
www.example.com. 3005 IN A 192.0.2.1
+or, prior to version 5.0::
+
+ $ sudo -u pdns pdnsutil create-zone example.com ns1.example.com
+ Creating empty zone 'example.com'
+ Also adding one NS record
+ $ sudo -u pdns pdnsutil add-record example.com example.com MX '25 mail.example.com'
+ New rrset:
+ example.com. 3005 IN MX 25 mail.example.com
+ $ sudo -u pdns pdnsutil add-record example.com www.example.com A 192.0.2.1
+ New rrset:
+ www.example.com. 3005 IN A 192.0.2.1
+
This should be done as the ``pdns`` user (or root), as sqlite3 requires write access to the directory of the database file.
.. note::
If this is not the output you get, remove ``+short`` to see the full output so you can find out what went wrong.
The first problem could be that PowerDNS has a :ref:`packet-cache` and a :ref:`query-cache` for performance reasons.
-If you see old, or no, data right after changing records, wait for :ref:`setting-cache-ttl`,
+If you see old, or no, data right after changing records, wait for :ref:`setting-cache-ttl`,
:ref:`setting-negquery-cache-ttl`, :ref:`setting-query-cache-ttl`, or :ref:`setting-zone-cache-refresh-interval`
to expire before testing.
-Now, run ``pdnsutil zone edit example.com`` and try to add a few more records, and query them with dig to make sure they work.
+Now, run ``pdnsutil zone edit example.com`` (or ``pdnsutil edit-zone
+example.com`` prior to version 5.0) and try to add a few more records, and query
+them with dig to make sure they work.
You now have a working database driven nameserver!
.. warning::
For every mutation to your zone make sure that your serial is bumped, so your secondaries pick up the changes too.
- If you are using AXFR replication, this usually is as simple as ``pdnsutil zone increase-serial example.com``
+ If you are using AXFR replication, this usually is as simple as ``pdnsutil
+ zone increase-serial example.com`` (``pdnsutil increase-serial example.com``
+ prior to version 5.0)
Phase: Initial
--------------
pdnsutil zone show example.com
+or, prior to version 5.0:
+
+.. code-block:: shell
+
+ pdnsutil show-zone example.com
+
To create a new **active** and **published** KSK with the same algorithm for the zone, run something like:
.. code-block:: shell
pdnsutil zone add-key example.com ksk active published ALGORITHM
-Please note down the key ID that ``zone add-key`` reports. You can also retrieve it later with ``pdnsutil zone show example.com``.
+or, prior to version 5.0:
+
+.. code-block:: shell
+
+ pdnsutil add-zone-key example.com ksk active published ALGORITHM
+
+Please note down the key ID that ``zone add-key`` reports. You can also retrieve
+it later with ``pdnsutil zone show example.com`` (``pdnsutil show-zone
+example.com`` prior to version 5.0).
After this the DNSKEY set will be signed by both KSKs.
This means that a DS for either old or new KSK is sufficient for validation.
We can now switch the DS record in the parent zone - there is no need to have DSes for both KSKs in the parent zone.
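Review bot: the re-added prose `Please note down the key ID that ``zone add-key`` reports` names only the 5.0 command even though the pre-5.0 block directly above uses `add-zone-key`; add `(``add-zone-key`` prior to version 5.0)` as the same sentence already does for `show-zone`. The identical sentence after the ZSK `add-key` hunk further down has the same gap.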
-Using ``pdnsutil zone show example.com`` or ``pdnsutil zone export-ds example.com``, extract the DNSKEY or DS for new KSK, depending on what the parent zone operator takes as input.
+Using ``pdnsutil zone show example.com`` or ``pdnsutil zone export-ds
+example.com`` (respectively ``pdnsutil show-zone example.com`` and ``pdnsutil
+export-zone-ds example.com`` prior to version 5.0), extract the DNSKEY or DS for
+new KSK, depending on what the parent zone operator takes as input.
Note that these commands print DNSKEYs and/or DSes for both the old and the new KSK.
Check the DS TTL at the parent, for example: ``dig DS example.com @c.gtld-servers.net`` for a delegation from ``.com``.
.. code-block:: shell
pdnsutil zone remove-key example.com OLD_KSK_ID
-
+
+or, prior to version 5.0:
+
+.. code-block:: shell
+
+ pdnsutil remove-zone-key example.com OLD_KSK_ID
+
Please check that your secondaries now only show the new set of keys when queried with ``dig DNSKEY example.com @...``.
Conclusion
=============================================
If the upstream registry supports :rfc:`7344` key rollovers you can use
-several :doc:`pdnsutil <../dnssec/pdnsutil>` commands to do this
+several :doc:`pdnsutil <../manpages/pdnsutil.1>` commands to do this
rollover. This HowTo follows the rollover example from the RFCs
:rfc:`Appendix B <7344#appendix-B>`.
We assume the zone name is example.com and is already DNSSEC signed.
-Start by adding a new KSK to the zone:
-``pdnsutil zone add-key example.com ksk 2048 inactive``. The "inactive"
+Start by adding a new KSK to the zone::
+
+ pdnsutil zone add-key example.com ksk 2048 inactive
+
+or, prior to version 5.0::
+
+ pdnsutil add-zone-key example.com ksk 2048 inactive
+
+The "inactive"
means that the key is not used to sign any ZSK records. This limits the
size of ``ANY`` and DNSKEY responses.
-Publish the CDS records: ``pdnsutil zone set-publish-cds example.com``, these
-records will tell the parent zone to update its DS records. Now wait for
+Publish the CDS records::
+
+ pdnsutil zone set-publish-cds example.com
+
+or, prior to version 5.0::
+
+ pdnsutil set-publish-cds example.com
+
+These records will tell the parent zone to update its DS records. Now wait for
the DS records to be updated in the parent zone.
Once the DS records are updated, do the actual key-rollover:
-``pdnsutil zone activate-key example.com new-key-id`` and
-``pdnsutil zone deactivate-key example.com old-key-id``. You can get the
+
+.. code-block:: shell
+
+ pdnsutil zone activate-key example.com new-key-id
+ pdnsutil zone deactivate-key example.com old-key-id
+
+or, prior to version 5.0:
+
+.. code-block:: shell
+
+ pdnsutil activate-zone-key example.com new-key-id
+ pdnsutil deactivate-zone-key example.com old-key-id
+
+You can get the
``new-key-id`` and ``old-key-id`` by listing them through
-``pdnsutil zone show example.com``.
+``pdnsutil zone show example.com`` (``pdnsutil show-zone example.com`` prior to
+version 5.0).
After the rollover, wait *at least* until the TTL on the DNSKEY records
have expired so validating resolvers won't mark the zone as BOGUS. When
-the wait is over, delete the old key from the zone:
-``pdnsutil zone remove-key example.com old-key-id``. This updates the
-CDS records to reflect only the new key.
+the wait is over, delete the old key from the zone::
+
+ pdnsutil zone remove-key example.com old-key-id
+
+or, prior to version 5.0::
+
+ pdnsutil remove-zone-key example.com old-key-id
+
+This updates the CDS records to reflect only the new key.
Wait for the parent to pick up on the CDS change. Once the upstream DS
records show only the DS records for the new KSK, you may disable
-sending out the CDS responses:
-``pdnsutil zone unset-publish-cds example.com``.
+sending out the CDS responses::
+
+ pdnsutil zone unset-publish-cds example.com
+
+or, prior to version 5.0::
-Done!
+ pdnsutil unset-publish-cds example.com
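Review bot: the closing line `Done!` is removed by this hunk and not restored after the new pre-5.0 block, so the HowTo loses its end marker; re-add `Done!` after `pdnsutil unset-publish-cds example.com` (preceded by the blank `+` line the other hunks use), unless dropping it was intended.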
;; ADDITIONAL SECTION:
no-ipv6.example.org. 3600 IN A 192.0.2.2
-:doc:`pdnsutil <../manpages/pdnsutil.1>` checks if the autohints in SVCB and derived records can be found in the zone when using ``pdnsutil zone check``.
+:doc:`pdnsutil <../manpages/pdnsutil.1>` checks if the autohints in SVCB and derived records can be found in the zone when using ``pdnsutil zone check``
+(``pdnsutil check-zone`` prior to version 5.0).
It will emit a warning when there are no hints to be found::
[warning] HTTPS record for no-ipv6.example.org has automatic IPv6 hints, but no AAAA-record for the target at no-ipv6.example.org exists.
Phases are named after the steps in the diagram in that section.
.. warning::
-
+
The following instructions assume rollover of a key which is NOT a Secure Entry Point (SEP), please confirm this fact before proceeding any further.
After every change, use your favourite DNSSEC checker (`DNSViz <https://dnsviz.net/>`__, `VeriSign DNSSEC Analyzer <https://dnssec-debugger.verisignlabs.com/>`__, a validating resolver) to make sure no mistakes have crept in.
.. warning::
For every mutation to your zone make sure that your serial is bumped, so your secondaries pick up the changes too.
- If you are using AXFR replication, this usually is as simple as ``pdnsutil zone increase-serial example.com``
+ If you are using AXFR replication, this usually is as simple as ``pdnsutil
+ zone increase-serial example.com`` (``pdnsutil increase-serial example.com``
+ prior to version 5.0)
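Review bot: the inline literal in the replacement is broken across a line, ``pdnsutil`` at the end of one line and ``zone increase-serial example.com`` at the start of the next. reST accepts inline markup spanning a line break, but it is easy to misread in source and a future edit that inserts a blank line there would split the paragraph and leave an unterminated literal; keep the whole command on one line and wrap before the parenthetical instead. The same split-literal pattern recurs in the later hunks for ``zone show``, ``zone load`` and ``autoprimary add``. While touching this line, the sentence still ends without a period; add one.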
Phase: Initial
--------------
pdnsutil zone show example.com
+or, prior to version 5.0:
+
+.. code-block:: shell
+
+ pdnsutil show-zone example.com
+
To create a new **inactive** but **published** ZSK with the same algorithm, run something like:
.. code-block:: shell
pdnsutil zone add-key example.com zsk inactive published ALGORITHM
-Please note down the key ID that ``zone add-key`` reports. You can also retrieve it later with ``pdnsutil zone show example.com``.
+or, prior to version 5.0:
+
+.. code-block:: shell
+
+ pdnsutil add-zone-key example.com zsk inactive published ALGORITHM
+
+Please note down the key ID that ``zone add-key`` reports. You can also retrieve
+it later with ``pdnsutil zone show example.com`` (``pdnsutil show-zone
+example.com`` prior to version 5.0).
PowerDNS will now publish the new DNSKEY while the old DNSKEY remains published and active for signing.
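Review bot: "Please note down the key ID that ``zone add-key`` reports" now directly follows the added ``add-zone-key`` alternative but names only the new command, so a pre-5.0 reader may think only the new syntax prints the id. Mirror the parenthetical style used two lines later for ``zone show``, e.g. "the key ID that ``zone add-key`` (``add-zone-key`` prior to version 5.0) reports".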
pdnsutil zone activate-key example.com NEW-ZSK-ID
pdnsutil zone deactivate-key example.com OLD-ZSK-ID
+or, prior to version 5.0:
+
+.. code-block:: shell
+
+ pdnsutil activate-zone-key example.com NEW-ZSK-ID
+ pdnsutil deactivate-zone-key example.com OLD-ZSK-ID
+
After this, PowerDNS will sign all records in the zone with the new ZSK and remove all signatures made with the old ZSK.
Please check that your secondaries now show only the new signatures.
In your zone, check for the highest TTL you can find.
This includes the SOA TTL and the SOA MINIMUM, which affect negative caching, including NSEC/NSEC3 records.
-:ref:`The DNSKEY TTL is also taken from the SOA MINIMUM.<dnssec-ttl-notes>`
+:ref:`The DNSKEY TTL is also taken from the SOA MINIMUM.<dnssec-ttl-notes>`
Now wait for at least that long.
Depending on your setup, this will usually be between a few hours and a few days.
pdnsutil zone remove-key example.com OLD-ZSK-ID
+or, prior to version 5.0:
+
+.. code-block:: shell
+
+ pdnsutil remove-zone-key example.com OLD-ZSK-ID
+
Please check that your secondaries now show only the new DNSKEY when queried with ``dig DNSKEY example.com @...``.
Conclusion
resolvers and that a limit can be set with ``max-nsec3-iterations``
in ``pdns.conf``. The *SALT* is a hexadecimal string encoding the bits
for the salt, or - to use no salt.
-
+
Setting **narrow** will make PowerDNS send out "white lies" (:rfc:`7129`)
about the next secure record to prevent zone enumeration. Instead of
looking it up in the database, it will send out the hash + 1 as the next
secure record. Narrow mode requires online signing capabilities by the
nameserver and therefore zone transfers are denied.
-
+
If only the zone is provided as argument, the 4-parameter quoted string
defaults to ``'1 0 0 -'``, as recommended by :rfc:`9276`.
-
+
A sample commandline would be:
``pdnsutil zone set-nsec3 powerdnssec.org '1 1 1 ab' narrow``
the specified *ALGORITHM* and *KEYBITS*. If *KEYBITS* is omitted, the value
of :ref:`setting-default-ksk-size` or :ref:`setting-default-zsk-size` are
used.
-
+
The key is inactive by default, set it to **active** to immediately use it
to sign *ZONE*. The key is published in the zone by default, set it to
**unpublished** to keep it from being returned in a DNSKEY query, which is
useful for algorithm rollovers.
-
+
Prints the id of the added key.
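Review bot: the five changes in this manpage region (around the ``zone set-nsec3`` and ``zone add-key`` descriptions) each replace an empty line with an empty line, i.e. they only strip trailing whitespace. That is harmless but unrelated to the stated purpose of documenting the pre-5.0 command names; either say so in the commit message or split the whitespace cleanup into its own commit so the documentation change stays reviewable. The same whitespace-only edits appear in the rollover ``.. warning::`` block, the ``:ref:`` DNSKEY TTL note, the Lua script bullet list and the ``.. versionadded:: 5.0.0`` paragraph.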
zone deactivate-key *ZONE* *KEY_ID*
first backend that is capable of hosting it.
To import, configure the backend and run
-``pdnsutil zone load example.com /tmp/example.com.zone`` to import
+``pdnsutil zone load example.com /tmp/example.com.zone`` (``pdnsutil load-zone
+example.com /tmp/example.com.zone`` prior to version 5.0) to import
the ``example.com`` domain from the ``/tmp/example.com.zone`` file. The
zone is imported atomically (i.e. it is fully imported, or not) and any
existing records for that zone are overwritten. This include the SOA record too.
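Review bot: the trailing context of this hunk reads "This include the SOA record too."; since the paragraph is being rewritten anyway, fix the verb to "This includes the SOA record too." in the same change rather than leaving the typo next to the new text.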
sure you properly clear **ALL** data from target backend before
retrying.
- Remove (or comment out) old backend from pdns.conf, and run
- ``pdnsutil zone rectify-all`` and ``pdnsutil zone check-all`` to
- make sure everything is OK.
+ ``pdnsutil zone rectify-all`` and ``pdnsutil zone check-all`` (respectively
+ ``pdnsutil rectify-all-zones`` and ``pdnsutil check-all-zones`` prior to
+ version 5.0) to make sure everything is OK.
- If everything is OK, then go ahead to restart your PowerDNS service.
Check logs to make sure everything went ok.
retrieval.
Finally, IXFR updates that "plug" Empty Non-Terminals do not yet remove
-ENT records. A 'pdnsutil zone rectify' may be required.
+ENT records. A ``pdnsutil zone rectify`` (``pdnsutil rectify-zone`` prior to
+version 5.0) may be required.
PowerDNS itself is currently only able to retrieve updates via IXFR. It
cannot serve IXFR updates.
track of where a domain comes from.
Additionally, if a secondary selects multiple autoprimaries for a zone based on the name of the primary, it also checks that the ``account`` field is the same for all.
Adding a autoprimary can be done either directly in the database,
-or by using the 'pdnsutil autoprimary add' command.
+or by using the ``pdnsutil autoprimary add`` command (``pdnsutil
+add-autoprimary`` prior to version 5.0).
.. warning::
When a secondary receives notification while bootstrapping a new domain using autosecondary feature, it will send
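Review bot: the leading context line "Adding a autoprimary can be done either directly in the database," has an article error and should read "Adding an autoprimary"; as this is the sentence being edited, correct it here instead of leaving the old wording immediately above the new line.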
What you can accomplish using a Lua script:
-- Ensure consistent values on SOA
+- Ensure consistent values on SOA
- Change incoming SOA serial number to a YYYYMMDDnn format
- Ensure consistent NS RRset
- Timestamp the zone transfer with a TXT record
pdnsutil metadata set example.com LUA-AXFR-SCRIPT /path/to/lua/script.lua
+or, prior to version 5.0::
+
+ pdnsutil set-meta example.com LUA-AXFR-SCRIPT /path/to/lua/script.lua
+
.. warning::
The Lua script must both exist and be syntactically
correct; if not, the zone transfer is not performed.
.. versionadded:: 5.0.0
-Read signatures of DNSKEY records directly from the backend.
+Read signatures of DNSKEY records directly from the backend.
If not set and the record is not presigned, DNSKEY records will be signed directly by PDNS Authoritative.
Please only use this if you are sure that you need it.
pdnsutil tsigkey import test hmac-md5 'kp4/24gyYsEzbuTVJRUMoqGFmN3LYgVDzJ/3oRSP7ys='
pdnsutil tsigkey activate powerdnssec.org test primary
+or, prior to version 5.0:
+
+.. code-block:: shell
+
+ pdnsutil import-tsig-key test hmac-md5 'kp4/24gyYsEzbuTVJRUMoqGFmN3LYgVDzJ/3oRSP7ys='
+ pdnsutil activate-tsig-key powerdnssec.org test primary
+
To ease interoperability, the equivalent configuration above in BIND
would look like this::
will keep working. However, you are advised to switch to the new command syntax,
using this conversion table:
-+-----------------------------------+--------------------------------+
-| Old syntax | New syntax |
-+===================================+================================+
-| ``activate-tsig-key`` | ``tsigkey activate`` |
-+-----------------------------------+--------------------------------+
-| ``activate-zone-key`` | ``zone activate-key`` |
-+-----------------------------------+--------------------------------+
-| ``add-autoprimary`` | ``autoprimary add`` |
-+-----------------------------------+--------------------------------+
-| ``add-meta`` | ``metadata add`` |
-+-----------------------------------+--------------------------------+
-| ``add-record`` | ``rrset add`` |
-+-----------------------------------+--------------------------------+
-| ``add-zone-key`` | ``zone add-key`` |
-+-----------------------------------+--------------------------------+
-| ``change-secondary-zone-primary`` | ``zone change-primary`` |
-+-----------------------------------+--------------------------------+
-| ``check-all-zones`` | ``zone check-all`` |
-+-----------------------------------+--------------------------------+
-| ``check-zone`` | ``zone check`` |
-+-----------------------------------+--------------------------------+
-| ``clear-zone`` | ``zone clear`` |
-+-----------------------------------+--------------------------------+
-| ``create-secondary-zone`` | ``zone create-secondary`` |
-+-----------------------------------+--------------------------------+
-| ``create-zone`` | ``zone create`` |
-+-----------------------------------+--------------------------------+
-| ``deactivate-tsig-key`` | ``tsigkey deactivate`` |
-+-----------------------------------+--------------------------------+
-| ``deactivate-zone-key`` | ``zone deactivate-key`` |
-+-----------------------------------+--------------------------------+
-| ``delete-rrset`` | ``rrset delete`` |
-+-----------------------------------+--------------------------------+
-| ``delete-tsig-key`` | ``tsigkey delete`` |
-+-----------------------------------+--------------------------------+
-| ``delete-zone`` | ``zone delete`` |
-+-----------------------------------+--------------------------------+
-| ``disable-dnssec`` | ``zone dnssec-disable`` |
-+-----------------------------------+--------------------------------+
-| ``edit-zone`` | ``zone edit`` |
-+-----------------------------------+--------------------------------+
-| ``export-zone-dnskey`` | ``zone export-dnskey`` |
-+-----------------------------------+--------------------------------+
-| ``export-zone-ds`` | ``zone export-ds`` |
-+-----------------------------------+--------------------------------+
-| ``export-zone-key`` | ``zone export-key`` |
-+-----------------------------------+--------------------------------+
-| ``export-zone-key-pem`` | ``zone export-key-pem`` |
-+-----------------------------------+--------------------------------+
-| ``generate-tsig-key`` | ``tsigkey generate`` |
-+-----------------------------------+--------------------------------+
-| ``generate-zone-key`` | ``zone generate-key`` |
-+-----------------------------------+--------------------------------+
-| ``get-meta`` | ``metadata get`` |
-+-----------------------------------+--------------------------------+
-| ``hash-zone-record`` | ``rrset hash`` |
-+-----------------------------------+--------------------------------+
-| ``import-tsig-key`` | ``tsigkey import`` |
-+-----------------------------------+--------------------------------+
-| ``import-zone-key`` | ``zone import-key`` |
-+-----------------------------------+--------------------------------+
-| ``import-zone-key-pem`` | ``zone import-key-pem`` |
-+-----------------------------------+--------------------------------+
-| ``increase-serial`` | ``zone increase-serial`` |
-+-----------------------------------+--------------------------------+
-| ``list-all-zones`` | ``zone list-all`` |
-+-----------------------------------+--------------------------------+
-| ``list-autoprimaries`` | ``autoprimary list`` |
-+-----------------------------------+--------------------------------+
-| ``list-keys`` | ``zone list-keys`` |
-+-----------------------------------+--------------------------------+
-| ``list-member-zones`` | ``catalog list-members`` |
-+-----------------------------------+--------------------------------+
-| ``list-tsig-keys`` | ``tsigkey list`` |
-+-----------------------------------+--------------------------------+
-| ``list-zone`` | ``zone list`` |
-+-----------------------------------+--------------------------------+
-| ``load-zone`` | ``zone load`` |
-+-----------------------------------+--------------------------------+
-| ``publish-zone-key`` | ``zone publish-key`` |
-+-----------------------------------+--------------------------------+
-| ``rectify-all-zones`` | ``zone rectify-all`` |
-+-----------------------------------+--------------------------------+
-| ``rectify-zone`` | ``zone rectify`` |
-+-----------------------------------+--------------------------------+
-| ``remove-autoprimary`` | ``autoprimary remove`` |
-+-----------------------------------+--------------------------------+
-| ``remove-zone-key`` | ``zone remove-key`` |
-+-----------------------------------+--------------------------------+
-| ``replace-rrset`` | ``rrset replace`` |
-+-----------------------------------+--------------------------------+
-| ``secure-all-zones`` | ``zone secure-all`` |
-+-----------------------------------+--------------------------------+
-| ``secure-zone`` | ``zone secure`` |
-+-----------------------------------+--------------------------------+
-| ``set-account`` | ``zone set-account`` |
-+-----------------------------------+--------------------------------+
-| ``set-catalog`` | ``catalog set`` |
-+-----------------------------------+--------------------------------+
-| ``set-kind`` | ``zone set-kind`` |
-+-----------------------------------+--------------------------------+
-| ``set-meta`` | ``metadata set`` |
-+-----------------------------------+--------------------------------+
-| ``set-nsec3`` | ``zone set-nsec3`` |
-+-----------------------------------+--------------------------------+
-| ``set-option`` | ``zone set-option`` |
-+-----------------------------------+--------------------------------+
-| ``set-options-json`` | ``zone set-options-json`` |
-+-----------------------------------+--------------------------------+
-| ``set-presigned`` | ``zone set-presigned`` |
-+-----------------------------------+--------------------------------+
-| ``set-publish-cdnskey`` | ``zone set-publish-cdnskey`` |
-+-----------------------------------+--------------------------------+
-| ``set-publish-cds`` | ``zone set-publish-cds`` |
-+-----------------------------------+--------------------------------+
-| ``show-zone`` | ``zone show`` |
-+-----------------------------------+--------------------------------+
-| ``unpublish-zone-key`` | ``zone unpublish-key`` |
-+-----------------------------------+--------------------------------+
-| ``unset-nsec3`` | ``zone unset-nsec3`` |
-+-----------------------------------+--------------------------------+
-| ``unset-presigned`` | ``zone unset-presigned`` |
-+-----------------------------------+--------------------------------+
-| ``unset-publish-cdnskey`` | ``zone unset-publish-cdnskey`` |
-+-----------------------------------+--------------------------------+
-| ``unset-publish-cds`` | ``zone unset-publish-cds`` |
-+-----------------------------------+--------------------------------+
-| ``zonemd-verify-file`` | ``zone zonemd-verify-file`` |
-+-----------------------------------+--------------------------------+
+.. list-table:: pdnsutil syntax conversion table
+ :header-rows: 1
+
+ * - Old syntax
+ - New syntax
+ * - ``activate-tsig-key``
+ - ``tsigkey activate``
+ * - ``activate-zone-key``
+ - ``zone activate-key``
+ * - ``add-autoprimary``
+ - ``autoprimary add``
+ * - ``add-meta``
+ - ``metadata add``
+ * - ``add-record``
+ - ``rrset add``
+ * - ``add-zone-key``
+ - ``zone add-key``
+ * - ``change-secondary-zone-primary``
+ - ``zone change-primary``
+ * - ``check-all-zones``
+ - ``zone check-all``
+ * - ``check-zone``
+ - ``zone check``
+ * - ``clear-zone``
+ - ``zone clear``
+ * - ``create-secondary-zone``
+ - ``zone create-secondary``
+ * - ``create-zone``
+ - ``zone create``
+ * - ``deactivate-tsig-key``
+ - ``tsigkey deactivate``
+ * - ``deactivate-zone-key``
+ - ``zone deactivate-key``
+ * - ``delete-rrset``
+ - ``rrset delete``
+ * - ``delete-tsig-key``
+ - ``tsigkey delete``
+ * - ``delete-zone``
+ - ``zone delete``
+ * - ``disable-dnssec``
+ - ``zone dnssec-disable``
+ * - ``edit-zone``
+ - ``zone edit``
+ * - ``export-zone-dnskey``
+ - ``zone export-dnskey``
+ * - ``export-zone-ds``
+ - ``zone export-ds``
+ * - ``export-zone-key``
+ - ``zone export-key``
+ * - ``export-zone-key-pem``
+ - ``zone export-key-pem``
+ * - ``generate-tsig-key``
+ - ``tsigkey generate``
+ * - ``generate-zone-key``
+ - ``zone generate-key``
+ * - ``get-meta``
+ - ``metadata get``
+ * - ``hash-zone-record``
+ - ``rrset hash``
+ * - ``import-tsig-key``
+ - ``tsigkey import``
+ * - ``import-zone-key``
+ - ``zone import-key``
+ * - ``import-zone-key-pem``
+ - ``zone import-key-pem``
+ * - ``increase-serial``
+ - ``zone increase-serial``
+ * - ``list-all-zones``
+ - ``zone list-all``
+ * - ``list-autoprimaries``
+ - ``autoprimary list``
+ * - ``list-keys``
+ - ``zone list-keys``
+ * - ``list-member-zones``
+ - ``catalog list-members``
+ * - ``list-tsig-keys``
+ - ``tsigkey list``
+ * - ``list-zone``
+ - ``zone list``
+ * - ``load-zone``
+ - ``zone load``
+ * - ``publish-zone-key``
+ - ``zone publish-key``
+ * - ``rectify-all-zones``
+ - ``zone rectify-all``
+ * - ``rectify-zone``
+ - ``zone rectify``
+ * - ``remove-autoprimary``
+ - ``autoprimary remove``
+ * - ``remove-zone-key``
+ - ``zone remove-key``
+ * - ``replace-rrset``
+ - ``rrset replace``
+ * - ``secure-all-zones``
+ - ``zone secure-all``
+ * - ``secure-zone``
+ - ``zone secure``
+ * - ``set-account``
+ - ``zone set-account``
+ * - ``set-catalog``
+ - ``catalog set``
+ * - ``set-kind``
+ - ``zone set-kind``
+ * - ``set-meta``
+ - ``metadata set``
+ * - ``set-nsec3``
+ - ``zone set-nsec3``
+ * - ``set-option``
+ - ``zone set-option``
+ * - ``set-options-json``
+ - ``zone set-options-json``
+ * - ``set-presigned``
+ - ``zone set-presigned``
+ * - ``set-publish-cdnskey``
+ - ``zone set-publish-cdnskey``
+ * - ``set-publish-cds``
+ - ``zone set-publish-cds``
+ * - ``show-zone``
+ - ``zone show``
+ * - ``unpublish-zone-key``
+ - ``zone unpublish-key``
+ * - ``unset-nsec3``
+ - ``zone unset-nsec3``
+ * - ``unset-presigned``
+ - ``zone unset-presigned``
+ * - ``unset-publish-cdnskey``
+ - ``zone unset-publish-cdnskey``
+ * - ``unset-publish-cds``
+ - ``zone unset-publish-cds``
+ * - ``zonemd-verify-file``
+ - ``zone zonemd-verify-file``
Commands not listed above have not changed syntax.
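Review bot: the ``list-table`` conversion keeps all 63 rows of the grid table in the same alphabetical order, and ``:header-rows: 1`` preserves the Old syntax/New syntax header; I checked the pairs entry by entry and found no dropped or swapped mapping. Two points: the directive argument ``pdnsutil syntax conversion table`` becomes a visible caption that the grid table never had and that repeats the lead-in "using this conversion table"; use a bare ``.. list-table::`` unless a caption is intended. And without a ``:widths:`` option some HTML themes size the two columns unevenly; ``:widths: auto`` or explicit ``:widths: 40 60`` keeps the layout close to the old grid table. The closing sentence "Commands not listed above have not changed syntax." remains accurate for this list.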