DDDCTL(8) System Manager's Manual DDDCTL(8)

dddctl - control and manage delphinusdnsd

dddctl command [arg ...]

The dddctl utility is used to control, manage and sign delphinusdnsd (zone files).

The commands are as follows:

zonename zonefile
Convert a delphinusdns.conf(5) zonefile to BIND format with the specified zonename domain name.
[-cn] [configfile]
Test the entire config. Alternatively, you can test a delphinusdns.conf(5) config file by specifying such a file. In case of configured rzones, when there is no .repl file in /var/delphinusdnsd/replicant/, it will pull the replicant file via a socket, unless the [-n] flag has been specified.
provides in-binary help. Alternatively, you can specify a subcommand to provide help for, e.g. dddctl help sign.
[-DINTZ] [-@ server] [-C cookie] [-P port] [-p file] [-Q server] [-y keyname:password]
performs rudimentary query operations on a DNS server.
use the DO bit, to get DNSSEC answers.
indent output.
provide no cookie.
use TCP instead of UDP.
output in delphinusdnsd zonefile format.
queries the specified server (in IPv4 IP).
add the specific cookie (must be 24 bytes long and in hexadecimal).
query on the specified port.
output/pipe to the specified file.
queries the specified server (is synonymous with -@).
Use a TSIG keyname and password. The keyname is plaintext in DNS name format; the password is in BASE64. This differs from dig in that the leading HMAC type is omitted because it's always type 'hmac-sha256'.
[-KMXZ] [-a algorithm] [-B bits] [-e seconds] [-I iterations] [-i inputfile] [-k KSK] [-m mask] [-n zonename] [-o output] [-R keyword] [-S pid] [-s salt] [-t ttl] [-x serial] [-z ZSK]
performs signing operations on a zonefile for DNSSEC operations.
create a new KSK key.
add a ZONEMD RR to the zone (will not work with ZONEMDs already present). Please see the zonemd command for what algorithms are used. A DNSSEC signed zone can be integrity checked with the zonemd command.
update serial to YYYYMMDD01.
create a new ZSK key.
use algorithm (integer).
use number of bits (integer).
expiry in seconds.
use (integer) NSEC3 iterations.
use the inputfile of unsigned zone.
use provided KSK key-signing keyname.
run the following masked functions (used for debug).
run for zonename zone.
output to file, may be '-' for stdout.
chooses a roll-over method. Current keywords are 'prep' and 'double' for the Pre-Publication Rollover method or the Double-Signature Rollover method respectively. Default is 'prep'.
sign with this pid ('KSK' or 'ZSK' if used in conjunction with [-ZK]).
salt for NSEC3 (in hexadecimal).
time-to-live for DNSKEYs.
update serial in SOA to serial.
use provided ZSK zone-signing keyname.
hostname [-k keyfile] [-t ttl]
produces an SSHFP output on stdout in delphinusdnsd(8) format.
[-f configfile] [-I identstring] [-s path]
starts delphinusdnsd(8) with an optional configfile and control socket path.
[-I identstring] [-s path]
stops delphinusdnsd with optional control socket path.
[-I identstring] [-s path]
restarts delphinusdnsd with optional control socket path.
[-c] [-n zonename] [-o outfile] file
message digests (SIMPLE scheme, algorithm SHA384) a non-DNSSEC zonefile.
checks whether a zonefile's embedded ZONEMD matches.
specifies an optional output file, otherwise stdout.

To create a ZSK and a KSK key the first time one may do:

dddctl sign -Z -K -n delphinusdns.org

To sign a delphinusdns zone the first time one may do:

dddctl sign -Z -K -a 13 -B 2048 -n delphinusdns.org -i delphinusdns.org.zone -o delphinusdns.org.zone.signed

Please see the delphinusdns.org website for more examples.

delphinusdnsd(8) delphinusdns.conf(5)

default configfile
replicant zone files pulled via AXFR
default dddctl control socket

On Linux, with a replicant zone set up in the configfile, a dddctl configtest will error out the first time (at least on the Raspberry Pi). Subsequent configtests should state OK, so check for this. I haven't found the bug for this yet. Another bug is that dddctl query will not sanitize input from the net. This could be used to change characteristics of the terminal by means of escape codes.
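One way to guard against the unsanitized dddctl query output noted above is to pass it through a filter that makes control bytes visible before they reach the terminal. This is an added example, not part of dddctl or this manual; the filter name safe_show.py, the function neutralize() and the sample bytes are assumptions made for illustration.

```python
#!/usr/bin/env python3
"""Added example: show control bytes in `dddctl query` output as text
instead of letting the terminal interpret them.

Assumed usage (the filter name is hypothetical):
    dddctl query ... | python3 safe_show.py
"""
import sys


def neutralize(raw: bytes) -> tuple[str, int]:
    """Return (printable text, number of bytes/characters neutralized).

    Newline and tab are kept. Every other C0 control (including ESC,
    0x1b), DEL, and the C1 range U+0080-U+009F (treated as 8-bit CSI/OSC
    by some terminals) is rendered as a visible \\xNN escape. Bytes that
    are not valid UTF-8 are rendered the same way.
    """
    out = []
    hits = 0
    # surrogateescape maps each undecodable byte 0xNN to U+DCNN, so no
    # input byte is silently dropped.
    for ch in raw.decode("utf-8", errors="surrogateescape"):
        cp = ord(ch)
        if 0xDC80 <= cp <= 0xDCFF:  # undecodable raw byte
            out.append(f"\\x{cp - 0xDC00:02x}")
            hits += 1
        elif ch in "\n\t":
            out.append(ch)
        elif cp < 0x20 or cp == 0x7F or 0x80 <= cp <= 0x9F:
            out.append(f"\\x{cp:02x}")
            hits += 1
        else:
            out.append(ch)
    return "".join(out), hits


# Constructed sample bytes (not real dddctl output): record data carrying
# a terminal title-change sequence and a colour sequence.
SAMPLE = b'example.org,txt,3600,"\x1b]0;title\x07hello \x1b[31mred\x1b[0m"\n'

if __name__ == "__main__":
    data = SAMPLE if sys.stdin.isatty() else sys.stdin.buffer.read()
    text, hits = neutralize(data)
    sys.stdout.write(text)
    if hits:
        print(f"[{hits} control byte(s) neutralized]", file=sys.stderr)
```

Writing the query result to a file with the output-file option and viewing it through such a filter gives the same protection.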

Peter J. Philipp <pbug44@delphinusdns.org>

August 20, 2022 OpenBSD 7.2