DDDCTL(8) System Manager's Manual DDDCTL(8)

dddctlcontrol and manage delphinusdnsd

dddctl command [arg ...]

The dddctl utility is used to control, manage and sign delphinusdnsd (zone files)

The commands are as follows:

zonename zonefile
Convert a delphinusdns.conf(5) zonefile to BIND format with the specified zonename domain name.
[-cn] [configfile]
Test the entire config, alternatively you can test a delphinusdns.conf(5) config file by specifying such a file. In case of configured rzones, when there is no .repl file in /var/delphinusdnsd/replicant/ it will pull the replicant file via a socket, unless the [-n] flag has been specified.
[command]
provides an in-binary help. Alternatively you can specify a subcommand to provide help for. Ie. dddctl help sign.
[-DITZ] [-@ server] [-P port] [-p file] [-Q server] [-y keyname:password]
performs rudamentary query operations on a DNS server.
use the DO bit, to get DNSSEC answers.
indent output.
use TCP instead of UDP.
output in delphinusdnsd zonefile format.
server
queries the specified server (in IPv4 IP).
port
query on the specified port.
file
output/pipe to the specified file.
server
queries the specified server (is synonymous with -@).
keyname:password
Use a TSIG keyname and password. The keyname is plaintext in a DNS name format , the password is in BASE64. This differs from dig in that the leading HMAC type is omitted because it's always type 'hmac-sha256'.
[-KXZ] [-a algorithm] [-B bits] [-e seconds] [-I iterations] [-i inputfile] [-k KSK] [-m mask] [-n zonename] [-o output] [-R keyword] [-S pid] [-s salt] [-t ttl] [-x serial] [-z ZSK]
performs signing operations on a zonefile for DNSSEC operations.
create a new KSK key.
update serial to YYYYMMDD01.
create a new ZSK key.
algorithm
use algorithm (integer).
bits
use number of bits (integer).
seconds
expiry in seconds.
iterations
use (integer) NSEC3 iterations.
inputfile
use the inputfile of unsigned zone.
KSK
use provided KSK key-signing keyname.
mask
run the following masked functions (used for debug).
zonename
run for zonename zone.
output
output to file, may be '-' for stdout.
keyword
chooses a roll-over method. Current keywords are 'prep' and 'double' for Pre Publication Rollover Method or Double-Signature Rollover method respectively. Default is 'prep'.
pid
sign with this pid ('KSK' or 'ZSK' if used in conjunction with [-ZK]).
salt
salt for NSEC3 (in hexadecimal).
ttl
time-to-live for DNSKEY's.
serial
update serial in SOA to serial.
ZSK
use provided ZSK zone-signing keyname.
hostname [-k keyfile] [-t ttl]
produces an SSHFP output on stdout in delphinusdnsd(8) format.
[-f configfile] [-s path]
starts delphinusdnsd(8) with an optional configfile and control socket path.
[-s path]
stops delphinusdnsd with optional control socket path.
[-s path]
restarts delphinusdnsd with optional control socket path.

To create a ZSK and a KSK key the first time one may do:

dddctl sign -Z -K -n delphinusdns.org

To sign a delphinusdns zone the first time one may do:

dddctl sign -Z -K -a 13 -B 2048 -n delphinusdns.org -i delphinusdns.org.zone -o delphinusdns.org.zone.signed

Please see the https://delphinusdns.org website for more examples.

delphinusdnsd(8) delphinusdns.conf(5)

/var/delphinusdnsd/etc/delphinusdns.conf
default configfile
/var/delphinusdnsd/replicant/
replicant zone files pulled via AXFR
/var/run/delphinusdnsd.sock
default dddctl control socket

On Linux, with a replicant zone set up in the configfile, a dddctl configtest will error out (at least on the Raspberry Pi), the first time. Subsequent configtests should state OK, so check for this. I haven't found the bug for this yet. Another bug is that dddctl query will not sanitize input from the net. This could be used to change characteristics of the terminal with means of escape codes.

Peter J. Philipp <petphi@delphinusdns.org>

October 9, 2020 OpenBSD 6.7