NAME
dddctl - control and manage delphinusdnsd
SYNOPSIS
dddctl command [arg ...]
DESCRIPTION
The dddctl utility is used to control, manage and sign delphinusdnsd (zone files).

The commands are as follows:

bindfile zonename zonefile
    Convert a delphinusdns.conf(5) zonefile to BIND format with the specified zonename domain name.

configtest [-cn] [configfile]
    Test the entire config; alternatively you can test a delphinusdns.conf(5) config file by specifying such a file. In case of configured rzones, when there is no .repl file in /var/delphinusdnsd/replicant/ it will pull the replicant file via a socket, unless the [-n] flag has been specified.

help [command]
    Provides in-binary help. Alternatively you can specify a subcommand to provide help for, e.g. dddctl help sign.

query [-DINTZ] [-@ server] [-C cookie] [-P port] [-p file] [-Q server] [-y keyname:password]
    Performs rudimentary query operations on a DNS server.

    -D                    use the DO bit, to get DNSSEC answers.
    -I                    indent output.
    -N                    provide no cookie.
    -T                    use TCP instead of UDP.
    -Z                    output in delphinusdnsd zonefile format.
    -@ server             queries the specified server (as an IPv4 address).
    -C cookie             add the specific cookie (must be 24 bytes long and in hexadecimal).
    -P port               query on the specified port.
    -p file               output/pipe to the specified file.
    -Q server             queries the specified server (is synonymous with -@).
    -y keyname:password   use a TSIG keyname and password. The keyname is plaintext in a DNS name format, the password is in BASE64. This differs from dig in that the leading HMAC type is omitted because it's always type 'hmac-sha256'.

sign [-KMXZ] [-a algorithm] [-B bits] [-e seconds] [-I iterations] [-i inputfile] [-k KSK] [-m mask] [-n zonename] [-o output] [-R keyword] [-S pid] [-s salt] [-t ttl] [-x serial] [-z ZSK]
    Performs signing operations on a zonefile for DNSSEC operations.

    -K              create a new KSK key.
    -M              add a ZONEMD RR to the zone (will not work with already present ZONEMDs). Please see the zonemd command for what algorithms are used. A DNSSEC signed zone can be integrity checked with the zonemd command.
    -X              update serial to YYYYMMDD01.
    -Z              create a new ZSK key.
    -a algorithm    use algorithm (integer).
    -B bits         use number of bits (integer).
    -e seconds      expiry in seconds.
    -I iterations   use (integer) NSEC3 iterations.
    -i inputfile    use the inputfile of unsigned zone.
    -k KSK          use provided KSK key-signing keyname.
    -m mask         run the following masked functions (used for debug).
    -n zonename     run for zonename zone.
    -o output       output to file, may be '-' for stdout.
    -R keyword      chooses a roll-over method. Current keywords are 'prep' and 'double' for Pre Publication Rollover Method or Double-Signature Rollover method respectively. Default is 'prep'.
    -S pid          sign with this pid ('KSK' or 'ZSK' if used in conjunction with [-ZK]).
    -s salt         salt for NSEC3 (in hexadecimal).
    -t ttl          time-to-live for DNSKEYs.
    -x serial       update serial in SOA to serial.
    -z ZSK          use provided ZSK zone-signing keyname.

sshfp hostname [-k keyfile] [-t ttl]
    Produces an SSHFP output on stdout in delphinusdnsd(8) format.

start [-f configfile] [-I identstring] [-s path]
    Starts delphinusdnsd(8) with an optional configfile and control socket path.

stop [-I identstring] [-s path]
    Stops delphinusdnsd with optional control socket path.

restart [-I identstring] [-s path]
    Restarts delphinusdnsd with optional control socket path.

zonemd [-c] [-n zonename] [-o outfile] file
    Message digests (SIMPLE scheme, algorithm SHA384) a non-DNSSEC zonefile.

    -c              checks whether a zonefile's embedded ZONEMD matches.
    -o outfile      specifies an optional output file, otherwise stdout.

EXAMPLES
To create a ZSK and a KSK key the first time one may do:
dddctl sign -Z -K -n delphinusdns.org
To sign a delphinusdns zone the first time one may do:
dddctl sign -Z -K -a 13 -B 2048 -n delphinusdns.org -i delphinusdns.org.zone -o delphinusdns.org.zone.signed
Please see the delphinusdns.org website for more examples.
SEE ALSO
FILES
- /var/delphinusdnsd/etc/delphinusdns.conf: default configfile
- /var/delphinusdnsd/replicant/: replicant zone files pulled via AXFR
- /var/run/delphinusdnsd.sock: default dddctl control socket
BUGS
On Linux, with a replicant zone set up in the configfile, a dddctl configtest will error out (at least on the Raspberry Pi), the first time. Subsequent configtests should state OK, so check for this. I haven't found the bug for this yet. Another bug is that dddctl query will not sanitize input from the net. This could be used to change characteristics of the terminal by means of escape codes.
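
The BUGS note above says dddctl query does not sanitize data received from the network. As an added example (not part of delphinusdnsd or its documentation), the following Python pipe filter shows control bytes as visible text instead of letting the terminal interpret them; the function names, the sample record and its placement after dddctl query are assumptions.

```python
#!/usr/bin/env python3
"""Pipe filter: show terminal control bytes as visible \\xNN text.

Added example, not part of delphinusdnsd. Assumed use: put it between
untrusted DNS answer text (such as `dddctl query` output) and the terminal.
"""
import sys

# Bytes passed through unchanged: printable ASCII, newline and tab.
SAFE = frozenset(range(0x20, 0x7F)) | {0x0A, 0x09}

# Constructed sample: a TXT answer line carrying an SGR colour sequence,
# a carriage return and an 8-bit CSI byte (0x9b).
SAMPLE = b'example.org. 3600 IN TXT "a\x1b[31mb\rc\x9b2Jd"\n'


def sanitize(data: bytes) -> str:
    """Escape every byte outside SAFE so the terminal never interprets it.

    This covers ESC and the other C0 controls, DEL, and all bytes >= 0x80,
    which includes raw and UTF-8 encoded C1 controls. The result is meant
    for display only; it is not a reversible encoding.
    """
    return "".join(chr(b) if b in SAFE else "\\x%02x" % b for b in data)


def main() -> int:
    # Read raw bytes so undecodable input cannot raise or slip through.
    for line in sys.stdin.buffer:
        sys.stdout.write(sanitize(line))
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Run as a filter, it reads stdin and writes the escaped text to stdout, so query output can be piped through it before it reaches the terminal.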
AUTHORS
Peter J. Philipp <pbug44@delphinusdns.org>