PDNSSEC(8) System Manager's Manual PDNSSEC(8)NAMEpdnssec - PowerDNSSEC command and controlSYNOPSISpdnssec [options] commandDESCRIPTIONpdnssec is a powerful command that is the operator-friendly gateway into PowerDNSSEC configuration. Behind the scenes, pdnssec manipulates a PowerDNS backend database, which also means that for many databases, pdnssec can be run remotely, and can configure key material on dif- ferent servers.OPTIONSA summary of options is included below. -h [ --help ] Show summary of options. -v [ --verbose ] Be more verbose. --force force an action --config-name arg Virtual configuration name --config-dir arg (=/etc/powerdns) Location of pdns.conf --commands arg Commands given as an argumentCOMMANDSactivate-zone-key ZONE KEY-ID Activate a key with id KEY-ID within a zone called ZONE. add-zone-key ZONE [zsk|ksk] [bits] [rsasha1|rsasha256|rsasha512|gost|ecdsa256|ecdsa384] Create a new key for zone ZONE, and make it a KSK or a ZSK, with the specified algorithm. check-zone ZONE Check a zone for correctness deactivate-zone-key ZONE KEY-ID Deactivate a key with id KEY-ID within a zone called ZONE. disable-dnssec ZONE Deactivate all keys and unset PRESIGNED in ZONE export-zone-dnskey ZONE KEY-ID Export to standard output DNSKEY and DS of key with key id KEY-ID within zone called ZONE. export-zone-key ZONE KEY-ID Export to standard output full (private) key with key id KEY-ID within zone called ZONE. The format used is compatible with BIND and NSD/LDNS. hash-zone-record ZONE RNAME This convenience command hashes the name 'recordname' according to the NSEC3 settings of ZONE. Refuses to hash for zones with no NSEC3 settings. import-zone-key ZONE FILE [ksk|zsk] Import from 'filename' a full (private) key for zone called ZONE. The format used is compatible with BIND and NSD/LDNS. KSK or ZSK specifies the flags this key should have on import. rectify-zone ZONE Calculates the 'ordername' and 'auth' fields for a zone called ZONE so they comply with DNSSEC settings. Can be used to fix up migrated data. Can always safely be run, it does no harm. remove-zone-key ZONE KEY-ID Remove a key with id KEY-ID from a zone called ZONE. secure-zone ZONE Configures a zone called ZONE with reasonable DNSSEC settings. You should manually run 'pdnssec rectify-zone' afterwards. set-nsec3 ZONE 'params' [narrow] Sets NSEC3 parameters for this zone. A sample commandline is: "pdnssec set-nsec3 powerdnssec.org '1 1 1 ab' narrow". The NSEC3 parameters must be quoted on the command line. WARNING: If running in RSASHA1 mode (algorithm 5 or 7), switching from NSEC to NSEC3 will require a DS update at the parent zone! set-presigned ZONE Switches zone to presigned operation, utilizing in-zone RRSIGs. show-zone ZONE Shows all DNSSEC related settings of a zone called ZONE. unset-nsec3 ZONE Converts a zone to NSEC operations. WARNING: If running in RSASHA1 mode (algorithm 5 or 7), switching from NSEC to NSEC3 will require a DS update at the parent zone! unset-presigned ZONE Disables presigned operation for ZONE.AUTHORThis manual page was written by Matthijs Mohlmann <matthijs@cacholong.nl> for the Debian Project (but may be used by others)SEE ALSOpdns_server(8),pdns_control(8) PowerDNS November 2011 PDNSSEC(8)