DDDCTL(8) System Manager's Manual DDDCTL(8)

dddctl - control and manage delphinusdnsd

dddctl command [arg ...]

The dddctl utility is used to control and manage delphinusdnsd and to sign its zone files.

The commands are as follows:

zonename zonefile
Convert a delphinusdns.conf(5) zonefile to BIND format with the specified zonename domain name.
configtest [-cn] [configfile]
Test the entire config. Alternatively, you can test a specific delphinusdns.conf(5) config file by specifying such a file. In case of configured rzones, when there is no .repl file in /var/delphinusdnsd/replicant/, it will pull the replicant file via a socket, unless the -n flag has been specified.
help [command]
Provides in-binary help. Alternatively, you can specify a subcommand to provide help for, e.g. dddctl help sign.
query [-DINTZ] [-@ server] [-C cookie] [-P port] [-p file] [-Q server] [-y keyname:password]
performs rudimentary query operations on a DNS server.
-D
use the DO bit, to get DNSSEC answers.
-I
indent output.
-N
provide no cookie.
-T
use TCP instead of UDP.
-Z
output in delphinusdnsd zonefile format.
-@ server
queries the specified server (in IPv4 IP).
-C cookie
add the specific cookie (must be 24 bytes long and in hexadecimal).
-P port
query on the specified port.
-p file
output/pipe to the specified file.
-Q server
queries the specified server (is synonymous with -@).
-y keyname:password
Use a TSIG keyname and password. The keyname is plaintext in DNS name format; the password is in BASE64. This differs from dig in that the leading HMAC type is omitted because it's always type 'hmac-sha256'.
sign [-KMXZ] [-a algorithm] [-B bits] [-e seconds] [-I iterations] [-i inputfile] [-k KSK] [-m mask] [-n zonename] [-o output] [-R keyword] [-S pid] [-s salt] [-t ttl] [-x serial] [-z ZSK]
performs signing operations on a zonefile for DNSSEC operations.
-K
create a new KSK key.
-M
add a ZONEMD RR to the zone (will not work with already present ZONEMDs). Please see the zonemd command for what algorithms are used. A DNSSEC signed zone can be integrity checked with the zonemd command.
-X
update serial to YYYYMMDD01.
-Z
create a new ZSK key.
-a algorithm
use algorithm (integer).
-B bits
use number of bits (integer).
-e seconds
expiry in seconds.
-I iterations
use (integer) NSEC3 iterations.
-i inputfile
use the inputfile of unsigned zone.
-k KSK
use provided KSK key-signing keyname.
-m mask
run the following masked functions (used for debug).
-n zonename
run for zonename zone.
-o output
output to file, may be '-' for stdout.
-R keyword
chooses a roll-over method. Current keywords are 'prep' and 'double' for Pre-Publication Rollover Method or Double-Signature Rollover Method respectively. Default is 'prep'.
-S pid
sign with this pid ('KSK' or 'ZSK' if used in conjunction with [-ZK]).
-s salt
salt for NSEC3 (in hexadecimal).
-t ttl
time-to-live for DNSKEYs.
-x serial
update serial in SOA to serial.
-z ZSK
use provided ZSK zone-signing keyname.
hostname [-k keyfile] [-t ttl]
produces an SSHFP output on stdout in delphinusdnsd(8) format.
[-f configfile] [-I identstring] [-s path]
starts delphinusdnsd(8) with an optional configfile and control socket path.
[-I identstring] [-s path]
stops delphinusdnsd with optional control socket path.
[-I identstring] [-s path]
restarts delphinusdnsd with optional control socket path.
zonemd [-c] [-n zonename] [-o outfile] file
message digests (SIMPLE scheme, algorithm SHA384) a non-DNSSEC zonefile.
-c
checks whether a zonefile's embedded ZONEMD matches.
-o outfile
specifies an optional output file, otherwise stdout.

To create a ZSK and a KSK key the first time one may do:

dddctl sign -Z -K -n delphinusdns.org

To sign a delphinusdns zone the first time one may do:

dddctl sign -Z -K -a 13 -B 2048 -n delphinusdns.org -i delphinusdns.org.zone -o delphinusdns.org.zone.signed

Please see the delphinusdns.org website for more examples.

delphinusdnsd(8) delphinusdns.conf(5)

/var/delphinusdnsd/etc/delphinusdns.conf
default configfile
/var/delphinusdnsd/replicant/
replicant zone files pulled via AXFR
/var/run/delphinusdnsd.sock
default dddctl control socket

On Linux, with a replicant zone set up in the configfile, a dddctl configtest will error out the first time (at least on the Raspberry Pi). Subsequent configtests should state OK, so check for this. I haven't found the bug for this yet. Another bug is that dddctl query does not sanitize input from the net. This could be used to change characteristics of the terminal by means of escape codes.
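
The terminal-escape issue above is contained by escaping untrusted answer bytes before they are written to a tty. The following C code is an added example, not code from dddctl; the helper name sanitize_for_tty and the sample TXT data are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/*
 * Hypothetical helper, not part of dddctl: copy untrusted answer bytes into
 * dst, rewriting every byte a terminal could act on as \xNN.
 * Returns the output length (without the NUL), or -1 if dst is too small.
 */
static int sanitize_for_tty(const unsigned char *src, size_t srclen,
    char *dst, size_t dstlen)
{
	static const char hex[] = "0123456789abcdef";
	size_t i, o = 0;
	if (dstlen == 0)
		return -1;
	for (i = 0; i < srclen; i++) {
		unsigned char c = src[i];
		if (c >= 0x20 && c <= 0x7e && c != '\\') {
			/* printable ASCII is safe to show as-is */
			if (o + 1 >= dstlen)
				return -1;
			dst[o++] = (char)c;
		} else {
			/* C0 controls (ESC, BEL, CR, ...), DEL and all 8-bit bytes
			 * (including the C1 CSI 0x9b) are escaped; so is backslash,
			 * which keeps the escaped form unambiguous. */
			if (o + 4 >= dstlen)
				return -1;
			dst[o++] = '\\';
			dst[o++] = 'x';
			dst[o++] = hex[c >> 4];
			dst[o++] = hex[c & 0x0f];
		}
	}
	dst[o] = '\0';
	return (int)o;
}

int main(void)
{
	/* constructed TXT rdata carrying an OSC "set window title" sequence */
	const unsigned char rdata[] = "v=spf1 \x1b]0;constructed\x07 -all";
	char out[256];
	if (sanitize_for_tty(rdata, sizeof(rdata) - 1, out, sizeof(out)) >= 0)
		puts(out);
	return 0;
}
```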

Peter J. Philipp <pbug44@delphinusdns.org>

August 20, 2022 OpenBSD 7.2