Starting with the PowerDNS Authoritative Server 3.0, each served zone can have "metadata". Such metadata determines how this zone behaves in certain circumstances.
![]() | Warning |
---|---|
Domain metadata is only available for DNSSEC capable backends! Make sure to enable the proper '-dnssec' setting to benefit, and to have performed the DNSSEC schema update. |
Most of these metadata items are described elsewhere in the documentation. The following settings are available:
Per-zone AXFR ACLs (see Chapter 14, AXFR ACLs).
Use this named TSIG key to retrieve this zone from its master (see Section 2, “Provisioning signed notification and AXFR requests”).
Script to be used to edit incoming AXFRs (see Section 2.2, “Modifying a slave zone using a script”).
Determines if this zone operates in NSEC3 'narrow' mode (see 'set-nsec3' in Section 5, “'pdnssec' for PowerDNSSEC command & control”).
NSEC3 parameters of a DNSSEC zone. Will be used to synthesize the NSEC3PARAM record. If present, NSEC3 is used, if not present, zones default to NSEC (see 'set-nsec3' in Section 5, “'pdnssec' for PowerDNSSEC command & control”).
This zone carries DNSSEC RRSIGs (signatures), and is presigned (see 'set-presigned' in Section 5, “'pdnssec' for PowerDNSSEC command & control”).
When serving this zone, modify the SOA serial number in one of several ways. Mostly useful to get slaves to re-transfer a zone regularly to get fresh RRSIGs.
Available modes are: INCEPTION (which sets the SOA Serial to the current two-week signing period start in seconds since the UNIX epoch), INCEPTION-WEEK (number of weeks since the epoch), INCREMENT-WEEKS (which increments the serial with the number of weeks since the epoch), EPOCH (number of seconds since the epoch). Finally, INCEPTION-EPOCH (available since 3.1) is special and sets the new SOA serial number to the maximum of the old SOA serial number, and age in seconds of the start of the current signing period.
Allow these named TSIG keys to AXFR this zone (see Section 1, “Provisioning outbound AXFR access”).