From: Miod Vallat Date: Wed, 16 Jul 2025 14:20:47 +0000 (+0200) Subject: Still mention the old pdnsutil syntax when applicable. X-Git-Tag: rec-5.4.0-alpha0~14^2~1 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1d25857299d53249f7a36b35e01607c0f8b38860;p=thirdparty%2Fpdns.git Still mention the old pdnsutil syntax when applicable. Signed-off-by: Miod Vallat --- diff --git a/docs/appendices/types.rst b/docs/appendices/types.rst index 6747785592..a48f2bfc99 100644 --- a/docs/appendices/types.rst +++ b/docs/appendices/types.rst @@ -9,7 +9,8 @@ grouped. Host names and the MNAME of a SOA records are NEVER terminated with a '.' in PowerDNS storage! If a trailing '.' is present it will inevitably cause problems, problems that may be hard to debug. - Use ``pdnsutil zone check`` to validate your zone data. + Use ``pdnsutil zone check`` (or ``pdnsutil check-zone`` prior to version + 5.0) to validate your zone data. .. note:: Whenever the storage format is mentioned, this relates only to the way diff --git a/docs/backends/generic-sql.rst b/docs/backends/generic-sql.rst index 08f9460b18..c2cea298ee 100644 --- a/docs/backends/generic-sql.rst +++ b/docs/backends/generic-sql.rst @@ -27,7 +27,13 @@ To add a domain, issue the following:: pdnsutil zone create example.com -Records can now be added using ``pdnsutil rrset add`` or ``pdnsutil zone edit``. +or, prior to version 5.0:: + + pdnsutil create-zone example.com + +Records can now be added using ``pdnsutil rrset add`` or ``pdnsutil zone edit`` +(respectively ``pdnsutil add-record`` and ``pdnsutil edit-zone`` prior to +version 5.0). Secondary operation ^^^^^^^^^^^^^^^^^^^ 
@@ -37,6 +43,10 @@ These backends are fully secondary capable. To become a secondary of the pdnsutil zone create-secondary example.com 198.51.100.6 +or, prior to version 5.0:: + + pdnsutil create-secondary-zone example.com 198.51.100.6 + And wait a while for PowerDNS to pick up the addition - which happens within one minute (this is determined by the :ref:`setting-xfr-cycle-interval` @@ -67,6 +77,11 @@ PowerDNS has support for multiple primaries per zone, and also port numbers for pdnsutil zone create secondary example.com 198.51.100.6 2001:0DB8:15:4AF::4 pdnsutil zone create secondary example.net 198.51.100.20:5301 '[2001:0DB8:11:6E::4]:54' +or, prior to version 5.0:: + + pdnsutil create-secondary-zone example.com 198.51.100.6 2001:0DB8:15:4AF::4 + pdnsutil create-secondary-zone example.net 198.51.100.20:5301 '[2001:0DB8:11:6E::4]:54' + Autoprimary operation ^^^^^^^^^^^^^^^^^^^^^ @@ -75,6 +90,10 @@ installation as 'autosecondary.example.com', issue the following:: pdnsutil autoprimary add 203.0.113.53 autosecondary.example.com internal +or, prior to version 5.0:: + + pdnsutil add-autoprimary 203.0.113.53 autosecondary.example.com internal + From now on, valid notifies from 203.0.113.53 for which the zone lists an NS record containing 'autosecondary.example.com' will lead to the provisioning of a secondary domain under the account 'internal'. See :ref:`autoprimary-operation` @@ -91,6 +110,11 @@ primary operation instead of the default native replication, issue:: pdnsutil zone create example.com pdnsutil zone set-kind example.com MASTER +or, prior to version 5.0:: + + pdnsutil create-zone example.com + pdnsutil set-kind example.com MASTER + .. _generic-sql-disabled-data: Disabled data 
@@ -127,7 +151,8 @@ Rules for filling out DNSSEC fields Two additional fields in the 'records' table are important: 'auth' and 'ordername'. These fields are set correctly on an incoming zone -transfer, and also by running ``pdnsutil zone rectify``. +transfer, and also by running ``pdnsutil zone rectify`` (``pdnsutil +rectify-zone`` prior to version 5.0). The 'auth' field should be set to '1' for data for which the zone itself is authoritative, which includes the SOA record and its own NS records. @@ -152,8 +177,9 @@ www' as its ordername. In 'NSEC3' non-narrow mode, the ordername should contain a lowercase base32hex encoded representation of the salted & iterated hash of the -full record name. ``pdnsutil rrset hash zone record`` can be used -to calculate this hash. +full record name. ``pdnsutil rrset hash zone record`` (``pdnsutil +hash-zone-record zone record`` prior to version 5.0) can be used to calculate +this hash. In addition, PowerDNS fully supports empty non-terminals. If you have a zone example.com, and a host a.b.c.example.com in it, rectify-zone (and @@ -227,7 +253,8 @@ is! DNSSEC queries ^^^^^^^^^^^^^^ -These queries are used by e.g. ``pdnsutil zone rectify``. Make sure to +These queries are used by e.g. ``pdnsutil zone rectify`` (``pdnsutil +rectify-zone`` prior to version 5.0). Make sure to read :ref:`rules-for-filling-out-dnssec-fields` if you wish to calculate ordername and auth without using pdns-rectify. diff --git a/docs/backends/pipe.rst b/docs/backends/pipe.rst index e0c0090f65..beac6130af 100644 --- a/docs/backends/pipe.rst +++ b/docs/backends/pipe.rst @@ -291,7 +291,7 @@ values. The default value for scopebits is 0. The default for auth is 1 Direct backend commands ^^^^^^^^^^^^^^^^^^^^^^^ -With abi-version 5 you can use :doc:`backend-cmd <../dnssec/pdnsutil>` for +With abi-version 5 you can use :doc:`backend-cmd <../manpages/pdnsutil.1>` for executing commands on your backend. PowerDNS will use the following query/answer format: 
diff --git a/docs/backends/remote.rst b/docs/backends/remote.rst index 3263ffad52..054cd37c3f 100644 --- a/docs/backends/remote.rst +++ b/docs/backends/remote.rst @@ -243,7 +243,7 @@ Response: ~~~~~~~~~~~~~ This method is similar to :ref:`remote-lookup`, but also returns disabled -records. It allows for an extra optional parameter, ``include_disabled`` which, +records. It allows for an extra optional parameter, ``include_disabled`` which, if present and set to false, will only return non-disabled records (in which case, the behaviour is equivalent to the ``lookup`` method.) @@ -285,7 +285,7 @@ Response (split into lines for ease of reading) {"qtype":"MX", "qname":"example.com", "content":"10 mx1.example.com.", "ttl": 60}, {"qtype":"A", "qname":"www.example.com", "content":"203.0.113.2", "ttl": 60}, {"qtype":"A", "qname":"ns1.example.com", "content":"192.0.2.2", "ttl": 60}, - {"qtype":"A", "qname":"mx1.example.com", "content":"192.0.2.3", "ttl": 60} + {"qtype":"A", "qname":"mx1.example.com", "content":"192.0.2.3", "ttl": 60} ]} Example HTTP/RPC @@ -473,7 +473,7 @@ Query: .. code-block:: http PATCH /dnsapi/setdomainmetadata/example.com/PRESIGNED HTTP/1.1 - Content-Type: application/x-www-form-urlencoded + Content-Type: application/x-www-form-urlencoded Content-Length: 12 value[]=YES& @@ -1217,7 +1217,8 @@ Response: ``feedEnts`` ~~~~~~~~~~~~ -This method is used by ``pdnsutil zone rectify`` to populate missing +This method is used by ``pdnsutil zone rectify`` (``pdnsutil rectify-zone`` +prior to version 5.0) to populate missing non-terminals. This is used when you have, say, record like _sip._upd.example.com, but no _udp.example.com. PowerDNS requires that there exists a non-terminal in between, and this instructs you to @@ -1498,7 +1499,7 @@ Response: ~~~~~~~~~~~~~~~~~~~~ Can be used to send arbitrary commands to your backend using -:doc:`../dnssec/pdnsutil`. +:doc:`../manpages/pdnsutil.1`. - Mandatory: no - Parameters: query 
@@ -1767,10 +1768,10 @@ Query: .. code-block:: json - { + { "method": "lookup", "parameters": { - "qname": "example.com", + "qname": "example.com", "qtype": "SOA", "zone_id": "-1" } @@ -1781,10 +1782,10 @@ Reply: .. code-block:: json { - "result": - [ + "result": + [ { "qtype": "SOA", - "qname": "example.com", + "qname": "example.com", "content": "dns1.icann.org. hostmaster.icann.org. 2012080849 7200 3600 1209600 3600", "ttl": 3600, "domain_id": -1 diff --git a/docs/catalog.rst b/docs/catalog.rst index 66bbd07804..fcdac45183 100644 --- a/docs/catalog.rst +++ b/docs/catalog.rst @@ -92,6 +92,13 @@ Create a producer zone: pdnsutil zone load catalog.example ZONEFILE pdnsutil zone set-kind catalog.example producer +or, prior to version 5.0: + +.. code-block:: shell + + pdnsutil load-zone catalog.example ZONEFILE + pdnsutil set-kind catalog.example producer + Creating producer zones is supported in the :doc:`API `, using type ``PRODUCER``. Assigning members to a producer zone @@ -105,6 +112,13 @@ In the example below ``example.com`` is the member and ``catalog.example`` is th pdnsutil catalog set example.com catalog.example pdnsutil zone set-kind example.com primary +or, prior to version 5.0: + +.. code-block:: shell + + pdnsutil set-catalog example.com catalog.example + pdnsutil set-kind example.com primary + Setting catalog values is supported in the :doc:`API `, by setting the ``catalog`` property in the zone properties. Setting the catalog to an empty ``""`` removes the member zone from the catalog it is in. 
@@ -119,6 +133,13 @@ PowerDNS currently supports the following properties: pdnsutil zone set-option example.com producer coo other-catalog.example pdnsutil zone set-option example.com producer group pdns-group-x pdns-group-y +or, prior to version 5.0: + +.. code-block:: shell + + pdnsutil set-option example.com producer coo other-catalog.example + pdnsutil set-option example.com producer group pdns-group-x pdns-group-y + There is also an option to set a specific value for a zone. This is done by setting a the ``unique`` value. This is used to signal a state reset to the consumer. The value for ``unique`` is a single DNS label. @@ -127,6 +148,12 @@ The value for ``unique`` is a single DNS label. pdnsutil --config-dir=. --config-name=gmysql zone set-option test.com producer unique 123 +or, prior to version 5.0: + +.. code-block:: shell + + pdnsutil --config-dir=. --config-name=gmysql set-option test.com producer unique 123 + Setting options is not yet supported in the API. Setting up a consumer zone @@ -140,6 +167,13 @@ The only difference is the type, which is now set to CONSUMER. pdnsutil zone create-secondary catalog.example 192.0.2.42 pdnsutil zone set-kind catalog.example consumer +or, prior to version 5.0: + +.. code-block:: shell + + pdnsutil create-secondary-zone catalog.example 192.0.2.42 + pdnsutil set-kind catalog.example consumer + Creating consumer zones is supported in the :doc:`API `, using type ``CONSUMER``. New member zones on the consumer adopt their primaries from the consumer zone. @@ -157,5 +191,12 @@ server in order to fully apply the changes. pdnsutil zone change-primary catalog.example 192.0.2.45 pdns_control retrieve catalog.example +or, prior to version 5.0: + +.. code-block:: shell + + pdnsutil change-secondary-zone-primary catalog.example 192.0.2.45 + pdns_control retrieve catalog.example + This will update the primary server contact details in each zone included in the catalog zone. 
diff --git a/docs/dnssec/advice.rst b/docs/dnssec/advice.rst index 5d1c4867e4..8030023522 100644 --- a/docs/dnssec/advice.rst +++ b/docs/dnssec/advice.rst @@ -6,7 +6,8 @@ bewildering array of settings that can be configured. It is easy to (mis)configure DNSSEC in such a way that your domain will not operate reliably, or even, at all. We advise operators to stick -to the keying defaults of ``pdnsutil zone secure``. +to the keying defaults of ``pdnsutil zone secure`` (``pdnsutil secure-zone`` +prior to version 5.0). .. note:: GOST may be more widely available in Russia, because it might diff --git a/docs/dnssec/index.rst b/docs/dnssec/index.rst index 625a081518..cfe987a2a8 100644 --- a/docs/dnssec/index.rst +++ b/docs/dnssec/index.rst @@ -23,6 +23,12 @@ As an example, securing an existing zone can be as simple as: $ pdnsutil zone secure powerdnssec.org +or, prior to version 5.0: + +.. code-block:: shell + + $ pdnsutil secure-zone powerdnssec.org + Alternatively, PowerDNS can serve pre-signed zones, without knowledge of private keys. diff --git a/docs/dnssec/migration.rst b/docs/dnssec/migration.rst index b4e549a744..c6f0790589 100644 --- a/docs/dnssec/migration.rst +++ b/docs/dnssec/migration.rst @@ -19,7 +19,8 @@ all the changes in database schemas as shown in the :doc:`upgrade documentation .. warning:: Once the relevant ``backend-dnssec`` switch has been set, stricter rules apply for filling out the database! The short version is: - run ``pdnsutil zone rectify-all``, even those not secured with DNSSEC! + run ``pdnsutil zone rectify-all`` (``pdnsutil rectify-all-zones`` prior to + version 5.0), even those not secured with DNSSEC! For more information, see the :ref:`generic-sql-handling-dnssec-signed-zones`. To deliver a correctly signed zone with the :ref:`dnssec-pdnsutil-dnssec-defaults`, invoke: 
@@ -28,6 +29,12 @@ To deliver a correctly signed zone with the :ref:`dnssec-pdnsutil-dnssec-default pdnsutil zone secure ZONE +or, prior to version 5.0: + +.. code-block:: shell + + pdnsutil secure-zone ZONE + To view the DS records for this zone (to transfer to the parent zone), run: @@ -35,6 +42,12 @@ run: pdnsutil zone show ZONE +or, prior to version 5.0: + +.. code-block:: shell + + pdnsutil show-zone ZONE + For a more traditional setup with a KSK and a ZSK, use the following sequence of commands: @@ -44,6 +57,14 @@ sequence of commands: pdnsutil zone add-key ZONE zsk 1024 active rsasha256 pdnsutil zone add-key ZONE zsk 1024 inactive rsasha256 +or, prior to version 5.0: + +.. code-block:: shell + + pdnsutil add-zone-key ZONE ksk 2048 active rsasha256 + pdnsutil add-zone-key ZONE zsk 1024 active rsasha256 + pdnsutil add-zone-key ZONE zsk 1024 inactive rsasha256 + This will add a 2048-bit RSA Key Signing Key and two 1024-bit RSA Zone Signing Keys. One of the ZSKs is inactive and can be rolled to if needed. @@ -65,7 +86,8 @@ without changes. In such cases, signing happens externally to PowerDNS, possibly via OpenDNSSEC, ldns-sign or dnssec-sign. PowerDNS needs to know if a zone should receive DNSSEC processing. To -configure, run ``pdnsutil zone set-presigned ZONE``. +configure, run ``pdnsutil zone set-presigned ZONE`` (``pdnsutil set-presigned +ZONE`` prior to version 5.0). If you import presigned zones into your database, please do not import the NSEC or NSEC3 records. PowerDNS will synthesize these itself. @@ -75,7 +97,8 @@ automatically. .. warning:: Right now, you will also need to configure NSEC/NSEC3 settings - for pre-signed zones using ``pdnsutil zone set-nsec3``. Default is NSEC, in + for pre-signed zones using ``pdnsutil zone set-nsec3`` (``pdnsutil set-nsec3`` + prior to version 5.0). Default is NSEC, in which case no further configuration is necessary. From existing DNSSEC non-PowerDNS setups, live signing 
@@ -89,6 +112,12 @@ KSK, use pdnsutil zone import-key ZONE FILENAME ksk +or, prior to version 5.0: + +.. code-block:: shell + + pdnsutil import-zone-key ZONE FILENAME ksk + replace ``ksk`` with ``zsk`` for a Zone Signing Key. If all keys are imported using this tool, a zone will serve mostly diff --git a/docs/dnssec/modes-of-operation.rst b/docs/dnssec/modes-of-operation.rst index 178060503b..72aae06e3f 100644 --- a/docs/dnssec/modes-of-operation.rst +++ b/docs/dnssec/modes-of-operation.rst @@ -157,8 +157,9 @@ is retrieved from a primary server, this keying material will be used when serving data from this zone. As part of the zone retrieval, the equivalent of -``pdnsutil zone rectify`` is run to make sure that all DNSSEC-related -fields are set correctly in the backend. +``pdnsutil zone rectify`` (``pdnsutil rectify-zone`` prior to version 5.0) is +run to make sure that all DNSSEC-related fields are set correctly in the +backend. Signed AXFR ----------- @@ -187,8 +188,9 @@ database. Then, restart PowerDNS. .. note:: This SQLite database is different from the database used for the regular :doc:`SQLite 3 backend <../backends/generic-sqlite3>`. -After this, you can use ``pdnsutil zone secure`` and all other pdnsutil -commands on your BIND zones without trouble. +After this, you can use ``pdnsutil zone secure`` (``pdnsutil secure-zone`` prior +to version 5.0) and all other :doc:`pdnsutil <../manpages/pdnsutil.1>` commands on +your BIND zones without trouble. .. _dnssec-modes-hybrid-bind: diff --git a/docs/dnssec/operational.rst b/docs/dnssec/operational.rst index 50b9d251b9..5ce7abfb21 100644 --- a/docs/dnssec/operational.rst +++ b/docs/dnssec/operational.rst 
@@ -18,7 +18,8 @@ Manual As automation is not very widespread, DS publication often needs to occur manually as follows: -1. utilize ``pdnsutil zone show`` to display DS and DNSKEY parameters, +1. utilize ``pdnsutil zone show`` (``pdnsutil show-zone`` prior to version 5.0) + to display DS and DNSKEY parameters, 2. transfer these parameters securely to your parent. Some parents accept DS format, while some accept DNSKEY (and use it to derive @@ -92,6 +93,12 @@ Going insecure pdnsutil zone dnssec-disable ZONE +or, prior to version 5.0: + +.. code-block:: shell + + pdnsutil disable-dnssec ZONE + .. warning:: Going insecure with a zone that has a DS record in the parent zone will make the zone BOGUS. Make sure the parent zone removes @@ -115,6 +122,12 @@ e.g. pdnsutil zone set-nsec3 example.net '1 0 0 -' +or, prior to version 5.0: + +.. code-block:: shell + + pdnsutil set-nsec3 example.net '1 0 0 -' + The quoted part is the content of the NSEC3PARAM records, as defined in :rfc:`RFC 5155 <5155#section-4>`, in order: @@ -135,6 +148,12 @@ To convert a zone from NSEC3 to NSEC operations, run: pdnsutil zone unset-nsec3 ZONE +or, prior to version 5.0: + +.. code-block:: shell + + pdnsutil unset-nsec3 ZONE + .. warning:: Don't change from NSEC to NSEC3 (or the other way around) for zones with algorithm 5 (RSASHA1), 6 (DSA-NSEC3-SHA1) or 7 diff --git a/docs/dnssec/pdnsutil.rst b/docs/dnssec/pdnsutil.rst index 38edb0bf90..05f900d0a1 100644 --- a/docs/dnssec/pdnsutil.rst +++ b/docs/dnssec/pdnsutil.rst 
@@ -14,7 +14,8 @@ For a list of available commands, see the :doc:`manpage <../manpages/pdnsutil.1> DNSSEC Defaults --------------- -Since version 4.0, when securing a zone using ``pdnsutil zone secure``, +Since version 4.0, when securing a zone using ``pdnsutil zone secure`` +(``pdnsutil secure-zone`` prior to version 5.0), a single ECDSA (algorithm 13, ECDSAP256SHA256) key is generated that is used as CSK. Before 4.0, 3 RSA (algorithm 8) keys were generated, one as the KSK and two ZSKs. As all keys are online in the database, it made no diff --git a/docs/dnssec/pkcs11.rst b/docs/dnssec/pkcs11.rst index 4ea6175c0a..c6c1e64747 100644 --- a/docs/dnssec/pkcs11.rst +++ b/docs/dnssec/pkcs11.rst @@ -40,6 +40,10 @@ These instructions have been tested on Debian 10 (Buster). pdnsutil zone show example.com + or, prior to version 5.0:: + + pdnsutil show-zone example.com + SoftHSM2 with forwarding ------------------------ @@ -173,5 +177,9 @@ Smart Card token on Ubuntu 14.04. pdnsutil zone show zone + or, prior to version 5.0:: + + pdnsutil show-zone zone + - Note that the physical token is pretty slow, so you have to use it as hidden primary. It has been observed to produce about 1.5 signatures/second. diff --git a/docs/dnsupdate.rst b/docs/dnsupdate.rst index 8d1eae4a0b..949338e1eb 100644 --- a/docs/dnsupdate.rst +++ b/docs/dnsupdate.rst @@ -113,6 +113,10 @@ messages for the example.org domain:: pdnsutil metadata set example.org ALLOW-DNSUPDATE-FROM 198.51.100.0/8 203.0.113.2/32 +or, prior to version 5.0:: + + pdnsutil set-meta example.org ALLOW-DNSUPDATE-FROM 198.51.100.0/8 203.0.113.2/32 + .. _metadata-tsig-allow-dnsupdate: TSIG-ALLOW-DNSUPDATE 
@@ -129,9 +133,16 @@ here. Here is an example using :program:`pdnsutil` to create a key named $ pdnsutil tsigkey list | grep test test. hmac-sha512. [base64-encoded key] +or, prior to version 5.0:: + + $ pdnsutil generate-tsig-key test hmac-sha512 + Create new TSIG key test hmac-sha512 [base64-encoded key] + + $ pdnsutil list-tsig-keys | grep test + test. hmac-sha512. [base64-encoded key] + This adds the key with the name `test` to the zone's metadata. Note, the -keys need to be added separately with `metadata add`, not as a comma or -space-separated list:: +keys need to be added separately, not as a comma or space-separated list:: $ pdnsutil metadata add example.org TSIG-ALLOW-DNSUPDATE test Set 'example.org' meta TSIG-ALLOW-DNSUPDATE = test @@ -139,6 +150,14 @@ space-separated list:: $ pdnsutil metadata get example.org TSIG-ALLOW-DNSUPDATE TSIG-ALLOW-DNSUPDATE = test +or, prior to version 5.0:: + + $ pdnsutil add-meta example.org TSIG-ALLOW-DNSUPDATE test + Set 'example.org' meta TSIG-ALLOW-DNSUPDATE = test + + $ pdnsutil get-meta example.org TSIG-ALLOW-DNSUPDATE + TSIG-ALLOW-DNSUPDATE = test + This is an example of using the new `test` TSIG key with the :program:`nsupdate` command (see the manpage for :program:`nsupdate` for full details):: @@ -174,6 +193,10 @@ but per domain:: pdnsutil metadata set example.org FORWARD-DNSUPDATE 'yes' +or, prior to version 5.0:: + + pdnsutil set-meta example.org FORWARD-DNSUPDATE 'yes' + The existence of the entry (even with an empty value) enables the forwarding. This domain-specific setting is only useful when the configuration option :ref:`setting-forward-dnsupdate` is set to 'no', as that will disable it @@ -191,6 +214,10 @@ verification:: pdnsutil metadata set example.org NOTIFY-DNSUPDATE 1 +or, prior to version 5.0:: + + pdnsutil set-meta example.org NOTIFY-DNSUPDATE 1 + .. _metadata-soa-edit-dnsupdate: SOA-EDIT-DNSUPDATE 
@@ -222,6 +249,10 @@ An example:: pdnsutil metadata set example.org SOA-EDIT-DNSUPDATE INCREASE +or, prior to version 5.0:: + + pdnsutil set-meta example.org SOA-EDIT-DNSUPDATE INCREASE + This will make the SOA Serial increase by one, for every successful update. @@ -361,23 +392,38 @@ parameter. That's not very useful, so we're going to give permissions per zone (including the appropriate reverse zone), via the domainmetadata table. -:: +.. code-block:: shell pdnsutil metadata set example.org ALLOW-DNSUPDATE-FROM 127.0.0.1 pdnsutil metadata set 1.168.192.in-addr.arpa ALLOW-DNSUPDATE-FROM 127.0.0.1 +or, prior to version 5.0: + +.. code-block:: shell + + pdnsutil set-meta example.org ALLOW-DNSUPDATE-FROM 127.0.0.1 + pdnsutil set-meta 1.168.192.in-addr.arpa ALLOW-DNSUPDATE-FROM 127.0.0.1 + This gives the ip '127.0.0.1' access to send update messages. Make sure you use the ip address of the machine that runs **dhcpd**. Another thing we want to do, is add TSIG security. This can only be done via the domainmetadata table: -:: +.. code-block:: shell pdnsutil tsigkey import dhcpdupdate hmac-md5 FYhvwsW1ZtFZqWzsMpqhbg== pdnsutil metadata set example.org TSIG-ALLOW-DNSUPDATE dhcpdupdate pdnsutil metadata set 1.168.192.in-addr.arpa TSIG-ALLOW-DNSUPDATE dhcpdupdate +or, prior to version 5.0: + +.. code-block:: shell + + pdnsutil import-tsig-key dhcpdupdate hmac-md5 FYhvwsW1ZtFZqWzsMpqhbg== + pdnsutil set-meta example.org TSIG-ALLOW-DNSUPDATE dhcpdupdate + pdnsutil set-meta 1.168.192.in-addr.arpa TSIG-ALLOW-DNSUPDATE dhcpdupdate + This will: 1. Add the 'dhcpdupdate' key to our PowerDNS installation diff --git a/docs/domainmetadata.rst b/docs/domainmetadata.rst index 82ef64fd4e..090c2fbccf 100644 --- a/docs/domainmetadata.rst +++ b/docs/domainmetadata.rst 
@@ -15,7 +15,9 @@ For the implementation in non-sql backends, please review your backend's documentation. Apart from raw SQL statements, setting domain metadata can be done with -``pdnsutil metadata set`` and retrieving metadata is done with ``pdnsutil metadata get``. +``pdnsutil metadata set`` and retrieving metadata with ``pdnsutil metadata get`` +(respectively ``pdnsutil set-meta`` and ``pdnsutil get-meta`` prior to version +5.0). The following options can only be read (not written to) via the HTTP API metadata endpoint. @@ -48,6 +50,13 @@ Example: pdnsutil metadata set powerdns.org ALLOW-AXFR-FROM AUTO-NS 2001:db8::/48 +or, prior to version 5.0: + +.. code-block:: shell + + pdnsutil set-meta powerdns.org ALLOW-AXFR-FROM AUTO-NS 2001:db8::/48 + + Each ACL has its own row in the database: :: @@ -81,6 +90,12 @@ number. e.g.: pdnsutil metadata set powerdns.org ALSO-NOTIFY 192.0.2.1:5300 pdnsutil metadata set powerdns.org ALLOW-AXFR-FROM 2001:db8:53::1 +or, prior to version 5.0: + +.. code-block:: shell + + pdnsutil set-meta powerdns.org ALSO-NOTIFY 192.0.2.1:5300 + pdnsutil set-meta powerdns.org ALLOW-AXFR-FROM 2001:db8:53::1 API-RECTIFY ----------- @@ -150,14 +165,14 @@ NSEC3NARROW ----------- Set to "1" to tell PowerDNS this zone operates in NSEC3 'narrow' mode. -See ``zone set-nsec3`` for :doc:`pdnsutil `. +See ``zone set-nsec3`` in :doc:`pdnsutil `. NSEC3PARAM ---------- NSEC3 parameters of a DNSSEC zone. Will be used to synthesize the NSEC3PARAM record. If present, NSEC3 is used, if not present, zones -default to NSEC. See ``zone set-nsec3`` in :doc:`pdnsutil `. +default to NSEC. See ``zone set-nsec3`` in :doc:`pdnsutil `. Example content: "1 0 0 -". .. _metadata-presigned: 
@@ -171,7 +186,7 @@ detects DNSSEC records in the zone. However, if you import a presigned zone using ``zone2sql`` or ``pdnsutil zone load`` you must explicitly set the zone to be ``PRESIGNED``. Note that PowerDNS will not be able to correctly serve the zone if the imported data is bogus or incomplete. -Also see ``zone set-presigned`` in :doc:`pdnsutil `. +Also see ``zone set-presigned`` in :doc:`pdnsutil `. If a zone is presigned, the content of the metadata must be "1" (without the quotes). Any other value will not signal presignedness. @@ -191,7 +206,7 @@ a comma- separated list of `signature algorithm numbers `__. This metadata can also be set using the -:doc:`pdnsutil ` commands ``zone set-publish-cdnskey`` +:doc:`pdnsutil ` commands ``zone set-publish-cdnskey`` and ``zone set-publish-cds``. For an example for an :rfc:`7344` key rollover, see the :doc:`guides/kskrollcdnskey`. diff --git a/docs/guides/algoroll.rst b/docs/guides/algoroll.rst index d8b72d70c9..18baae743c 100644 --- a/docs/guides/algoroll.rst +++ b/docs/guides/algoroll.rst @@ -16,7 +16,9 @@ Please check that these bigger packets can make it out of your network without t .. warning:: For every mutation to your zone (so, every step except updating DS in the parent), make sure that your serial is bumped, so your secondaries pick up the changes too. - If you are using AXFR replication, this usually is as simple as ``pdnsutil zone increase-serial example.com`` + If you are using AXFR replication, this usually is as simple as ``pdnsutil + zone increase-serial example.com`` (``pdnsutil increase-serial example.com`` + prior to version 5.0) Phase: initial -------------- 
@@ -34,8 +36,16 @@ To create signatures with the new algorithm, without publishing keys, run someth pdnsutil zone add-key example.com KSK active unpublished ecdsa384 pdnsutil zone add-key example.com ZSK active unpublished ecdsa384 +or, prior to version 5.0: + +.. code-block:: shell + + pdnsutil add-zone-key example.com KSK active unpublished ecdsa384 + pdnsutil add-zone-key example.com ZSK active unpublished ecdsa384 + Note the key IDs that ``zone add-key`` reports. -You can also retrieve these later with ``pdnsutil zone show example.com``. +You can also retrieve these later with ``pdnsutil zone show example.com`` +(``pdnsutil show-zone example.com`` prior to version 5.0). After this, PowerDNS will sign all records in the zone with both the old and new ZSKs, and the DNSKEY set will be signed by both KSKs. @@ -64,7 +74,16 @@ After waiting for all records in our zone to expire from caches, we can publish pdnsutil zone publish-key example.com 3 pdnsutil zone publish-key example.com 4 -Replace ``3`` and ``4`` with the key IDs gathered in the previous step, or find them in ``pdnsutil zone show example.com``. +or, prior to version 5.0: + +.. code-block:: shell + + pdnsutil publish-zone-key example.com 3 + pdnsutil publish-zone-key example.com 4 + +Replace ``3`` and ``4`` with the key IDs gathered in the previous step, or find +them in the ``pdnsutil zone show`` output (``pdnsutil show-zone`` prior to +version 5.0). PowerDNS will now publish the new DNSKEYs that have already been used for signing for a while. The old DNSKEYs remain published, and active for signing, for now. 
@@ -81,7 +100,10 @@ Our zone is currently fully signed with two algorithms, and keys for both algori This means that a DS for either the old or new algorithm is sufficient for validation. We can now switch the DS - there is no need to have DSes for both algorithms in the parent zone. -Using ``pdnsutil zone show example.com`` or ``pdnsutil zone export-ds example.com``, extract the new DNSKEYs or new DSes, depending on what the parent zone operator takes as input. +Using ``pdnsutil zone show example.com`` or ``pdnsutil zone export-ds +example.com`` (``pdnsutil show-zone example.com`` or ``pdnsutil export-zone-ds +example.com`` prior to version 5.0), extract the new DNSKEYs or new DSes, +depending on what the parent zone operator takes as input. Note that these commands print DNSKEYs and/or DSes for both the old and the new algorithm. Check the DS TTL at the parent, for example: ``dig DS example.com @c.gtld-servers.net`` for a delegation from ``.com``. @@ -105,6 +127,13 @@ It is time to remove the old DNSKEYs, while keeping their signature: pdnsutil zone unpublish-key example.com 1 pdnsutil zone unpublish-key example.com 2 +or, prior to version 5.0: + +.. code-block:: shell + + pdnsutil unpublish-zone-key example.com 1 + pdnsutil unpublish-zone-key example.com 2 + Replace ``1`` and ``2`` with the IDs of the old keys. Please check that your secondaries now only show the new set of keys when queried with ``dig DNSKEY example.com @...``. @@ -123,6 +152,13 @@ This means we can now safely stop signing with the old keys: pdnsutil zone deactivate-key example.com 1 pdnsutil zone deactivate-key example.com 2 +or, prior to version 5.0: + +.. code-block:: shell + + pdnsutil deactivate-zone-key example.com 1 + pdnsutil deactivate-zone-key example.com 2 + Alternatively, you can use ``zone remove-key`` to remove all traces of the old keys. Conclusion diff --git a/docs/guides/basic-database.rst b/docs/guides/basic-database.rst index a99f347d15..92597ddcbd 100644 
--- a/docs/guides/basic-database.rst +++ b/docs/guides/basic-database.rst @@ -74,6 +74,18 @@ Now, let's add a zone and some records:: New rrset: www.example.com. 3005 IN A 192.0.2.1 +or, prior to version 5.0:: + + $ sudo -u pdns pdnsutil create-zone example.com ns1.example.com + Creating empty zone 'example.com' + Also adding one NS record + $ sudo -u pdns pdnsutil add-record example.com example.com MX '25 mail.example.com' + New rrset: + example.com. 3005 IN MX 25 mail.example.com + $ sudo -u pdns pdnsutil add-record example.com www.example.com A 192.0.2.1 + New rrset: + www.example.com. 3005 IN A 192.0.2.1 + This should be done as the ``pdns`` user (or root), as sqlite3 requires write access to the directory of the database file. .. note:: @@ -91,11 +103,13 @@ If we now requery our database, ``www.example.com`` should be present:: If this is not the output you get, remove ``+short`` to see the full output so you can find out what went wrong. The first problem could be that PowerDNS has a :ref:`packet-cache` and a :ref:`query-cache` for performance reasons. -If you see old, or no, data right after changing records, wait for :ref:`setting-cache-ttl`, +If you see old, or no, data right after changing records, wait for :ref:`setting-cache-ttl`, :ref:`setting-negquery-cache-ttl`, :ref:`setting-query-cache-ttl`, or :ref:`setting-zone-cache-refresh-interval` to expire before testing. -Now, run ``pdnsutil zone edit example.com`` and try to add a few more records, and query them with dig to make sure they work. +Now, run ``pdnsutil zone edit example.com`` (or ``pdnsutil edit-zone +example.com`` prior to version 5.0) and try to add a few more records, and query +them with dig to make sure they work. You now have a working database driven nameserver! diff --git a/docs/guides/kskroll.rst b/docs/guides/kskroll.rst index 192b6ea027..17ee07af4c 100644 --- a/docs/guides/kskroll.rst +++ b/docs/guides/kskroll.rst 
@@ -11,7 +11,9 @@ After every change, use your favourite DNSSEC checker (`DNSViz ` commands to do this +several :doc:`pdnsutil <../manpages/pdnsutil.1>` commands to do this rollover. This HowTo follows the rollover example from the RFCs :rfc:`Appendix B <7344#appendix-B>`. We assume the zone name is example.com and is already DNSSEC signed. -Start by adding a new KSK to the zone: -``pdnsutil zone add-key example.com ksk 2048 inactive``. The "inactive" +Start by adding a new KSK to the zone:: + + pdnsutil zone add-key example.com ksk 2048 inactive + +or, prior to version 5.0:: + + pdnsutil add-zone-key example.com ksk 2048 inactive + +The "inactive" means that the key is not used to sign any ZSK records. This limits the size of ``ANY`` and DNSKEY responses. -Publish the CDS records: ``pdnsutil zone set-publish-cds example.com``, these -records will tell the parent zone to update its DS records. Now wait for +Publish the CDS records:: + + pdnsutil zone set-publish-cds example.com + +or, prior to version 5.0:: + + pdnsutil set-publish-cds example.com + +These records will tell the parent zone to update its DS records. Now wait for the DS records to be updated in the parent zone. Once the DS records are updated, do the actual key-rollover: -``pdnsutil zone activate-key example.com new-key-id`` and -``pdnsutil zone deactivate-key example.com old-key-id``. You can get the + +.. code-block:: shell + + pdnsutil zone activate-key example.com new-key-id + pdnsutil zone deactivate-key example.com old-key-id + +or, prior to version 5.0: + +.. code-block:: shell + + pdnsutil activate-zone-key example.com new-key-id + pdnsutil deactivate-zone-key example.com old-key-id + +You can get the ``new-key-id`` and ``old-key-id`` by listing them through -``pdnsutil zone show example.com``. +``pdnsutil zone show example.com`` (``pdnsutil show-zone example.com`` prior to +version 5.0). 
After the rollover, wait *at least* until the TTL on the DNSKEY records have expired so validating resolvers won't mark the zone as BOGUS. When -the wait is over, delete the old key from the zone: -``pdnsutil zone remove-key example.com old-key-id``. This updates the -CDS records to reflect only the new key. +the wait is over, delete the old key from the zone:: + + pdnsutil zone remove-key example.com old-key-id + +or, prior to version 5.0:: + + pdnsutil remove-zone-key example.com old-key-id + +This updates the CDS records to reflect only the new key. Wait for the parent to pick up on the CDS change. Once the upstream DS records show only the DS records for the new KSK, you may disable -sending out the CDS responses: -``pdnsutil zone unset-publish-cds example.com``. +sending out the CDS responses:: + + pdnsutil zone unset-publish-cds example.com + +or, prior to version 5.0:: -Done! + pdnsutil unset-publish-cds example.com diff --git a/docs/guides/svcb.rst b/docs/guides/svcb.rst index 8dbc29ed67..402d702744 100644 --- a/docs/guides/svcb.rst +++ b/docs/guides/svcb.rst @@ -78,7 +78,8 @@ In this case, the ipv6hint parameter is dropped when answering the query (and on ;; ADDITIONAL SECTION: no-ipv6.example.org. 3600 IN A 192.0.2.2 -:doc:`pdnsutil <../manpages/pdnsutil.1>` checks if the autohints in SVCB and derived records can be found in the zone when using ``pdnsutil zone check``. +:doc:`pdnsutil <../manpages/pdnsutil.1>` checks if the autohints in SVCB and derived records can be found in the zone when using ``pdnsutil zone check`` +(``pdnsutil check-zone`` prior to version 5.0). It will emit a warning when there are no hints to be found:: [warning] HTTPS record for no-ipv6.example.org has automatic IPv6 hints, but no AAAA-record for the target at no-ipv6.example.org exists. diff --git a/docs/guides/zskroll.rst b/docs/guides/zskroll.rst index f5cb72dcf8..aa0aaaa372 100644 --- a/docs/guides/zskroll.rst +++ b/docs/guides/zskroll.rst 
@@ -7,7 +7,7 @@ This How To describes the "Pre-Publish" approach from the above mentioned RFC, a Phases are named after the steps in the diagram in that section. .. warning:: - + The following instructions assume rollover of a key which is NOT a Secure Entry Point (SEP), please confirm this fact before proceeding any further. After every change, use your favourite DNSSEC checker (`DNSViz `__, `VeriSign DNSSEC Analyzer `__, a validating resolver) to make sure no mistakes have crept in. @@ -15,7 +15,9 @@ After every change, use your favourite DNSSEC checker (`DNSViz ` +:ref:`The DNSKEY TTL is also taken from the SOA MINIMUM.` Now wait for at least that long. Depending on your setup, this will usually be between a few hours and a few days. @@ -76,6 +99,12 @@ The last step is to remove the old DNSKEY from the zone: pdnsutil zone remove-key example.com OLD-ZSK-ID +or, prior to version 5.0: + +.. code-block:: shell + + pdnsutil remove-zone-key example.com OLD-ZSK-ID + Please check that your secondaries now show only the new DNSKEY when queried with ``dig DNSKEY example.com @...``. Conclusion diff --git a/docs/manpages/pdnsutil.1.rst b/docs/manpages/pdnsutil.1.rst index 29f9f43c5f..101604a97a 100644 --- a/docs/manpages/pdnsutil.1.rst +++ b/docs/manpages/pdnsutil.1.rst 
@@ -341,16 +341,16 @@ zone set-nsec3 *ZONE* ['*HASH-ALGORITHM* *FLAGS* *ITERATIONS* *SALT*'] [**narrow resolvers and that a limit can be set with ``max-nsec3-iterations`` in ``pdns.conf``. The *SALT* is a hexadecimal string encoding the bits for the salt, or - to use no salt. - + Setting **narrow** will make PowerDNS send out "white lies" (:rfc:`7129`) about the next secure record to prevent zone enumeration. Instead of looking it up in the database, it will send out the hash + 1 as the next secure record. Narrow mode requires online signing capabilities by the nameserver and therefore zone transfers are denied. - + If only the zone is provided as argument, the 4-parameter quoted string defaults to ``'1 0 0 -'``, as recommended by :rfc:`9276`. - + A sample commandline would be: ``pdnsutil zone set-nsec3 powerdnssec.org '1 1 1 ab' narrow`` @@ -410,12 +410,12 @@ zone add-key *ZONE* [**KSK**,\ **ZSK**] [**active**,\ **inactive**] [**published the specified *ALGORITHM* and *KEYBITS*. If *KEYBITS* is omitted, the value of :ref:`setting-default-ksk-size` or :ref:`setting-default-zsk-size` are used. - + The key is inactive by default, set it to **active** to immediately use it to sign *ZONE*. The key is published in the zone by default, set it to **unpublished** to keep it from being returned in a DNSKEY query, which is useful for algorithm rollovers. - + Prints the id of the added key. zone deactivate-key *ZONE* *KEY_ID* diff --git a/docs/migration.rst b/docs/migration.rst index 5f209d1e3e..b1a3ad7d26 100644 --- a/docs/migration.rst +++ b/docs/migration.rst 
@@ -131,7 +131,8 @@ The :doc:`pdnsutil ` tool has a first backend that is capable of hosting it. To import, configure the backend and run -``pdnsutil zone load example.com /tmp/example.com.zone`` to import +``pdnsutil zone load example.com /tmp/example.com.zone`` (``pdnsutil load-zone +example.com /tmp/example.com.zone`` prior to version 5.0) to import the ``example.com`` domain from the ``/tmp/example.com.zone`` file. The zone is imported atomically (i.e. it is fully imported, or not) and any existing records for that zone are overwritten. This include the SOA record too. @@ -175,7 +176,8 @@ Moving from source to target sure you properly clear **ALL** data from target backend before retrying. - Remove (or comment out) old backend from pdns.conf, and run - ``pdnsutil zone rectify-all`` and ``pdnsutil zone check-all`` to - make sure everything is OK. + ``pdnsutil zone rectify-all`` and ``pdnsutil zone check-all`` (respectively + ``pdnsutil rectify-all-zones`` and ``pdnsutil check-all-zones`` prior to + version 5.0) to make sure everything is OK. - If everything is OK, then go ahead to restart your PowerDNS service. Check logs to make sure everything went ok. diff --git a/docs/modes-of-operation.rst b/docs/modes-of-operation.rst index d62de1c9a3..b2b6f57b49 100644 --- a/docs/modes-of-operation.rst +++ b/docs/modes-of-operation.rst @@ -215,7 +215,8 @@ In such cases, make sure to delete the zone contents to force a fresh retrieval. Finally, IXFR updates that "plug" Empty Non-Terminals do not yet remove -ENT records. A 'pdnsutil zone rectify' may be required. +ENT records. A ``pdnsutil zone rectify`` (``pdnsutil rectify-zone`` prior to +version 5.0) may be required. PowerDNS itself is currently only able to retrieve updates via IXFR. It cannot serve IXFR updates. 
@@ -263,7 +264,8 @@ There is no need to fill the account name out but it does help keep track of where a domain comes from. Additionally, if a secondary selects multiple autoprimaries for a zone based on the name of the primary, it also checks that the ``account`` field is the same for all. Adding a autoprimary can be done either directly in the database, -or by using the 'pdnsutil autoprimary add' command. +or by using the ``pdnsutil autoprimary add`` command (``pdnsutil +add-autoprimary`` prior to version 5.0). .. warning:: When a secondary receives notification while bootstrapping a new domain using autosecondary feature, it will send @@ -288,7 +290,7 @@ the outcome of the function defines what PowerDNS does with the records. What you can accomplish using a Lua script: -- Ensure consistent values on SOA +- Ensure consistent values on SOA - Change incoming SOA serial number to a YYYYMMDDnn format - Ensure consistent NS RRset - Timestamp the zone transfer with a TXT record @@ -297,6 +299,10 @@ This script can be enabled like this:: pdnsutil metadata set example.com LUA-AXFR-SCRIPT /path/to/lua/script.lua +or, prior to version 5.0:: + + pdnsutil set-meta example.com LUA-AXFR-SCRIPT /path/to/lua/script.lua + .. warning:: The Lua script must both exist and be syntactically correct; if not, the zone transfer is not performed. diff --git a/docs/settings.rst b/docs/settings.rst index 7610766705..4545d623e8 100644 --- a/docs/settings.rst +++ b/docs/settings.rst @@ -592,7 +592,7 @@ when automatic publication is turned off. .. versionadded:: 5.0.0 -Read signatures of DNSKEY records directly from the backend. +Read signatures of DNSKEY records directly from the backend. If not set and the record is not presigned, DNSKEY records will be signed directly by PDNS Authoritative. Please only use this if you are sure that you need it. diff --git a/docs/tsig.rst b/docs/tsig.rst index 5f2d803614..27e1b6211e 100644 --- a/docs/tsig.rst +++ b/docs/tsig.rst 
@@ -45,6 +45,13 @@ Another way of importing and activating TSIG keys into the database is using pdnsutil tsigkey import test hmac-md5 'kp4/24gyYsEzbuTVJRUMoqGFmN3LYgVDzJ/3oRSP7ys=' pdnsutil tsigkey activate powerdnssec.org test primary +or, prior to version 5.0: + +.. code-block:: shell + + pdnsutil import-tsig-key test hmac-md5 'kp4/24gyYsEzbuTVJRUMoqGFmN3LYgVDzJ/3oRSP7ys=' + pdnsutil activate-tsig-key powerdnssec.org test primary + To ease interoperability, the equivalent configuration above in BIND would look like this:: diff --git a/docs/upgrading.rst b/docs/upgrading.rst index 68f35e6eb8..c8dd798daf 100644 --- a/docs/upgrading.rst +++ b/docs/upgrading.rst 
@@ -75,135 +75,137 @@ The old syntax is still recognized, so that existing scripts and finger memory will keep working. However, you are advised to switch to the new command syntax, using this conversion table: -+-----------------------------------+--------------------------------+ -| Old syntax | New syntax | -+===================================+================================+ -| ``activate-tsig-key`` | ``tsigkey activate`` | -+-----------------------------------+--------------------------------+ -| ``activate-zone-key`` | ``zone activate-key`` | -+-----------------------------------+--------------------------------+ -| ``add-autoprimary`` | ``autoprimary add`` | -+-----------------------------------+--------------------------------+ -| ``add-meta`` | ``metadata add`` | -+-----------------------------------+--------------------------------+ -| ``add-record`` | ``rrset add`` | -+-----------------------------------+--------------------------------+ -| ``add-zone-key`` | ``zone add-key`` | -+-----------------------------------+--------------------------------+ -| ``change-secondary-zone-primary`` | ``zone change-primary`` | -+-----------------------------------+--------------------------------+ -| ``check-all-zones`` | ``zone check-all`` | -+-----------------------------------+--------------------------------+ -| ``check-zone`` | ``zone check`` | -+-----------------------------------+--------------------------------+ -| ``clear-zone`` | ``zone clear`` | -+-----------------------------------+--------------------------------+ -| ``create-secondary-zone`` | ``zone create-secondary`` | -+-----------------------------------+--------------------------------+ -| ``create-zone`` | ``zone create`` | -+-----------------------------------+--------------------------------+ -| ``deactivate-tsig-key`` | ``tsigkey deactivate`` | -+-----------------------------------+--------------------------------+ -| ``deactivate-zone-key`` | ``zone deactivate-key`` | 
-+-----------------------------------+--------------------------------+ -| ``delete-rrset`` | ``rrset delete`` | -+-----------------------------------+--------------------------------+ -| ``delete-tsig-key`` | ``tsigkey delete`` | -+-----------------------------------+--------------------------------+ -| ``delete-zone`` | ``zone delete`` | -+-----------------------------------+--------------------------------+ -| ``disable-dnssec`` | ``zone dnssec-disable`` | -+-----------------------------------+--------------------------------+ -| ``edit-zone`` | ``zone edit`` | -+-----------------------------------+--------------------------------+ -| ``export-zone-dnskey`` | ``zone export-dnskey`` | -+-----------------------------------+--------------------------------+ -| ``export-zone-ds`` | ``zone export-ds`` | -+-----------------------------------+--------------------------------+ -| ``export-zone-key`` | ``zone export-key`` | -+-----------------------------------+--------------------------------+ -| ``export-zone-key-pem`` | ``zone export-key-pem`` | -+-----------------------------------+--------------------------------+ -| ``generate-tsig-key`` | ``tsigkey generate`` | -+-----------------------------------+--------------------------------+ -| ``generate-zone-key`` | ``zone generate-key`` | -+-----------------------------------+--------------------------------+ -| ``get-meta`` | ``metadata get`` | -+-----------------------------------+--------------------------------+ -| ``hash-zone-record`` | ``rrset hash`` | -+-----------------------------------+--------------------------------+ -| ``import-tsig-key`` | ``tsigkey import`` | -+-----------------------------------+--------------------------------+ -| ``import-zone-key`` | ``zone import-key`` | -+-----------------------------------+--------------------------------+ -| ``import-zone-key-pem`` | ``zone import-key-pem`` | -+-----------------------------------+--------------------------------+ -| ``increase-serial`` | ``zone 
increase-serial`` | -+-----------------------------------+--------------------------------+ -| ``list-all-zones`` | ``zone list-all`` | -+-----------------------------------+--------------------------------+ -| ``list-autoprimaries`` | ``autoprimary list`` | -+-----------------------------------+--------------------------------+ -| ``list-keys`` | ``zone list-keys`` | -+-----------------------------------+--------------------------------+ -| ``list-member-zones`` | ``catalog list-members`` | -+-----------------------------------+--------------------------------+ -| ``list-tsig-keys`` | ``tsigkey list`` | -+-----------------------------------+--------------------------------+ -| ``list-zone`` | ``zone list`` | -+-----------------------------------+--------------------------------+ -| ``load-zone`` | ``zone load`` | -+-----------------------------------+--------------------------------+ -| ``publish-zone-key`` | ``zone publish-key`` | -+-----------------------------------+--------------------------------+ -| ``rectify-all-zones`` | ``zone rectify-all`` | -+-----------------------------------+--------------------------------+ -| ``rectify-zone`` | ``zone rectify`` | -+-----------------------------------+--------------------------------+ -| ``remove-autoprimary`` | ``autoprimary remove`` | -+-----------------------------------+--------------------------------+ -| ``remove-zone-key`` | ``zone remove-key`` | -+-----------------------------------+--------------------------------+ -| ``replace-rrset`` | ``rrset replace`` | -+-----------------------------------+--------------------------------+ -| ``secure-all-zones`` | ``zone secure-all`` | -+-----------------------------------+--------------------------------+ -| ``secure-zone`` | ``zone secure`` | -+-----------------------------------+--------------------------------+ -| ``set-account`` | ``zone set-account`` | -+-----------------------------------+--------------------------------+ -| ``set-catalog`` | ``catalog set`` | 
-+-----------------------------------+--------------------------------+ -| ``set-kind`` | ``zone set-kind`` | -+-----------------------------------+--------------------------------+ -| ``set-meta`` | ``metadata set`` | -+-----------------------------------+--------------------------------+ -| ``set-nsec3`` | ``zone set-nsec3`` | -+-----------------------------------+--------------------------------+ -| ``set-option`` | ``zone set-option`` | -+-----------------------------------+--------------------------------+ -| ``set-options-json`` | ``zone set-options-json`` | -+-----------------------------------+--------------------------------+ -| ``set-presigned`` | ``zone set-presigned`` | -+-----------------------------------+--------------------------------+ -| ``set-publish-cdnskey`` | ``zone set-publish-cdnskey`` | -+-----------------------------------+--------------------------------+ -| ``set-publish-cds`` | ``zone set-publish-cds`` | -+-----------------------------------+--------------------------------+ -| ``show-zone`` | ``zone show`` | -+-----------------------------------+--------------------------------+ -| ``unpublish-zone-key`` | ``zone unpublish-key`` | -+-----------------------------------+--------------------------------+ -| ``unset-nsec3`` | ``zone unset-nsec3`` | -+-----------------------------------+--------------------------------+ -| ``unset-presigned`` | ``zone unset-presigned`` | -+-----------------------------------+--------------------------------+ -| ``unset-publish-cdnskey`` | ``zone unset-publish-cdnskey`` | -+-----------------------------------+--------------------------------+ -| ``unset-publish-cds`` | ``zone unset-publish-cds`` | -+-----------------------------------+--------------------------------+ -| ``zonemd-verify-file`` | ``zone zonemd-verify-file`` | -+-----------------------------------+--------------------------------+ +.. 
list-table:: pdnsutil syntax conversion table + :header-rows: 1 + + * - Old syntax + - New syntax + * - ``activate-tsig-key`` + - ``tsigkey activate`` + * - ``activate-zone-key`` + - ``zone activate-key`` + * - ``add-autoprimary`` + - ``autoprimary add`` + * - ``add-meta`` + - ``metadata add`` + * - ``add-record`` + - ``rrset add`` + * - ``add-zone-key`` + - ``zone add-key`` + * - ``change-secondary-zone-primary`` + - ``zone change-primary`` + * - ``check-all-zones`` + - ``zone check-all`` + * - ``check-zone`` + - ``zone check`` + * - ``clear-zone`` + - ``zone clear`` + * - ``create-secondary-zone`` + - ``zone create-secondary`` + * - ``create-zone`` + - ``zone create`` + * - ``deactivate-tsig-key`` + - ``tsigkey deactivate`` + * - ``deactivate-zone-key`` + - ``zone deactivate-key`` + * - ``delete-rrset`` + - ``rrset delete`` + * - ``delete-tsig-key`` + - ``tsigkey delete`` + * - ``delete-zone`` + - ``zone delete`` + * - ``disable-dnssec`` + - ``zone dnssec-disable`` + * - ``edit-zone`` + - ``zone edit`` + * - ``export-zone-dnskey`` + - ``zone export-dnskey`` + * - ``export-zone-ds`` + - ``zone export-ds`` + * - ``export-zone-key`` + - ``zone export-key`` + * - ``export-zone-key-pem`` + - ``zone export-key-pem`` + * - ``generate-tsig-key`` + - ``tsigkey generate`` + * - ``generate-zone-key`` + - ``zone generate-key`` + * - ``get-meta`` + - ``metadata get`` + * - ``hash-zone-record`` + - ``rrset hash`` + * - ``import-tsig-key`` + - ``tsigkey import`` + * - ``import-zone-key`` + - ``zone import-key`` + * - ``import-zone-key-pem`` + - ``zone import-key-pem`` + * - ``increase-serial`` + - ``zone increase-serial`` + * - ``list-all-zones`` + - ``zone list-all`` + * - ``list-autoprimaries`` + - ``autoprimary list`` + * - ``list-keys`` + - ``zone list-keys`` + * - ``list-member-zones`` + - ``catalog list-members`` + * - ``list-tsig-keys`` + - ``tsigkey list`` + * - ``list-zone`` + - ``zone list`` + * - ``load-zone`` + - ``zone load`` + * - ``publish-zone-key`` + - ``zone 
publish-key`` + * - ``rectify-all-zones`` + - ``zone rectify-all`` + * - ``rectify-zone`` + - ``zone rectify`` + * - ``remove-autoprimary`` + - ``autoprimary remove`` + * - ``remove-zone-key`` + - ``zone remove-key`` + * - ``replace-rrset`` + - ``rrset replace`` + * - ``secure-all-zones`` + - ``zone secure-all`` + * - ``secure-zone`` + - ``zone secure`` + * - ``set-account`` + - ``zone set-account`` + * - ``set-catalog`` + - ``catalog set`` + * - ``set-kind`` + - ``zone set-kind`` + * - ``set-meta`` + - ``metadata set`` + * - ``set-nsec3`` + - ``zone set-nsec3`` + * - ``set-option`` + - ``zone set-option`` + * - ``set-options-json`` + - ``zone set-options-json`` + * - ``set-presigned`` + - ``zone set-presigned`` + * - ``set-publish-cdnskey`` + - ``zone set-publish-cdnskey`` + * - ``set-publish-cds`` + - ``zone set-publish-cds`` + * - ``show-zone`` + - ``zone show`` + * - ``unpublish-zone-key`` + - ``zone unpublish-key`` + * - ``unset-nsec3`` + - ``zone unset-nsec3`` + * - ``unset-presigned`` + - ``zone unset-presigned`` + * - ``unset-publish-cdnskey`` + - ``zone unset-publish-cdnskey`` + * - ``unset-publish-cds`` + - ``zone unset-publish-cds`` + * - ``zonemd-verify-file`` + - ``zone zonemd-verify-file`` Commands not listed above have not changed syntax.
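Review bot: in docs/guides/basic-database.rst (hunk -74,6) the lead-in "or, prior to version 5.0::" can be read as saying the old commands stop working from 5.0 on, while the unchanged context in docs/upgrading.rst states "The old syntax is still recognized, so that existing scripts and finger memory will keep working." Suggest a lead-in such as "or, using the pre-5.0 syntax::" here and in the kskroll.rst, zskroll.rst, modes-of-operation.rst and tsig.rst hunks that reuse the phrase, so operators on 5.x do not conclude that their existing scripts are broken.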
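Review bot: the -91,11 hunk in docs/guides/basic-database.rst removes and re-adds the line "If you see old, or no, data right after changing records, wait for ..." with no visible text change, which looks like trailing-whitespace cleanup. The same pattern appears in zskroll.rst (-7,7), pdnsutil.1.rst (-341,16 and -410,12), modes-of-operation.rst (-288,7) and settings.rst (-592,7). None of this is covered by the subject line; please split the whitespace changes into their own commit so the syntax additions stay easy to review and to blame.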
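Review bot: at the end of the docs/guides/kskroll.rst hunk the closing line is dropped ("-Done!") and nothing replaces it, so the guide now ends on the old-syntax command block. If the removal is not intentional, keep "Done!" after the last literal block. The same hunk also uses "::" literal blocks for add-key, set-publish-cds, remove-key and unset-publish-cds but ".. code-block:: shell" for the activate-key/deactivate-key pair; one style per file would read better.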
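Review bot: in docs/migration.rst (-131,7) the added parenthetical places a second full command between "run ``pdnsutil zone load example.com /tmp/example.com.zone``" and "to import", and the old command's inline literal is wrapped across two lines ("``pdnsutil load-zone" then "example.com /tmp/example.com.zone``"). The sentence is hard to follow and the wrapped command cannot be found with a single-line grep. Suggest moving both commands into literal blocks with an "or, ..." lead-in, as the kskroll.rst hunk does, and keeping each command on one line.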
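Review bot: the added old-syntax block in docs/tsig.rst (-45,6) duplicates the hmac-md5 example ("pdnsutil import-tsig-key test hmac-md5 '...'"), so the documentation now shows that algorithm twice with a copy-pasteable secret. RFC 8945 lists hmac-md5 as MUST NOT for use and recommends hmac-sha256. Since the example is being touched anyway, consider switching both the new-syntax and old-syntax commands to hmac-sha256 with an obviously placeholder secret, and keeping the BIND equivalent that follows in step.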
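Review bot: the docs/upgrading.rst hunk (-75,135 +75,137) converts the whole conversion table from a grid table to a "list-table" and adds the title "pdnsutil syntax conversion table", which the subject "Still mention the old pdnsutil syntax when applicable" does not mention. With every row rewritten, the diff cannot show at a glance whether a mapping was changed or lost. Please either split the conversion into its own commit or note it in the commit message, and confirm that the set of old/new pairs is identical before and after.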