cascade zone

Synopsis

cascade [GLOBAL OPTIONS] zone <COMMAND>

cascade [GLOBAL OPTIONS] zone add [OPTIONS] --source <SOURCE> --policy <POLICY> <NAME>

cascade [GLOBAL OPTIONS] zone remove <NAME>

cascade [GLOBAL OPTIONS] zone list

cascade [GLOBAL OPTIONS] zone reload <NAME>

cascade [GLOBAL OPTIONS] zone approve <--unsigned|--signed> <NAME> <SERIAL>

cascade [GLOBAL OPTIONS] zone reject <--unsigned|--signed> <NAME> <SERIAL>

cascade [GLOBAL OPTIONS] zone override <--unsigned|--signed> <NAME>

cascade [GLOBAL OPTIONS] zone status [--detailed] <NAME>

cascade [GLOBAL OPTIONS] zone reset <NAME>

cascade [GLOBAL OPTIONS] zone history <NAME>

Description

Manage Cascade’s zones.

Global Options

See Cascade CLI for information about global options supported by every CLI command.

Commands

add

Add a new zone.

remove

Remove a zone.

Note

Once removed, downstream servers will no longer be able to fetch the zone!

list

List registered zones.

reload

Reload a zone.

approve

Approve a zone being reviewed.

reject

Reject a zone being reviewed.

override

Override a previous rejection of a zone review.

status

Get the status of a single zone.

reset

Reset the pipeline for a zone to get it out of a halted state.

history

Get the history of a single zone.

Options for zone add

--source <IP>[:<PORT>][^<TSIG_KEY_NAME>]

The zone source can be the IP address of an upstream nameserver (with or without port, defaults to port 53) or the path to a zone file locally available to the cascaded daemon.

When specifying an upstream nameserver you may also optionally specify the name of an RFC 8945 TSIG key that should be used to authenticate communication with the upstream.

Zones sourced from an upstream nameserver will be automatically updated if a new version is detected via a SOA query, either based on the zone’s SOA record timers, or in response to an RFC 1996 NOTIFY message from the upstream.

Zones can also be manually updated via cascade zone reload.

For zones that have already been retrieved at least once via AXFR, subsequent refreshes will attempt to use IXFR and fall back to AXFR if IXFR is not available.

Note

When running cascade zone add from a different host than where the Cascade daemon is running, make sure that the source (whether filesystem path or IP address) is reachable by the Cascade daemon.

Note

If using a TSIG key, the key must first be added to Cascade via cascade tsig add.
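
An added example, not part of Cascade or its documentation: a Python pre-flight check that parses --source values in the syntax above and reports upstream nameservers that would be added without a TSIG key. The zone names, addresses, key name and file path are constructed; treating any non-IP value as a file path, and accepting a bare IPv6 address, are assumptions of this example.

```python
import ipaddress
from typing import NamedTuple, Optional

class Source(NamedTuple):
    kind: str                # "upstream" or "file"
    target: str              # IP address or file path
    port: Optional[int]      # None for file sources
    tsig_key: Optional[str]  # None when no ^<TSIG_KEY_NAME> suffix is present

def parse_source(spec: str) -> Source:
    """Parse <IP>[:<PORT>][^<TSIG_KEY_NAME>]; other values count as a path."""
    addr, caret, key = spec.partition("^")
    host, port = addr, 53  # the port defaults to 53
    try:
        ipaddress.ip_address(host)  # bare address (IPv6 accepted: assumption)
    except ValueError:
        host, _, port_text = addr.rpartition(":")
        try:
            ipaddress.IPv4Address(host)
        except ValueError:
            return Source("file", spec, None, None)  # assumption: non-IP = path
        if not port_text.isdigit() or not 0 < int(port_text) < 65536:
            raise ValueError(f"bad port in source {spec!r}")
        port = int(port_text)
    if caret and not key:
        raise ValueError(f"empty TSIG key name in source {spec!r}")
    return Source("upstream", host, port, key or None)

def audit(zones: dict) -> list:
    """Return one finding per malformed or unauthenticated upstream source."""
    findings = []
    for name, spec in zones.items():
        try:
            src = parse_source(spec)
        except ValueError as err:
            findings.append(f"{name}: {err}")
            continue
        if src.kind == "upstream" and src.tsig_key is None:
            findings.append(f"{name}: no TSIG key for upstream {src.target}")
    return findings

# Constructed sample input: documentation addresses and a made-up key name.
PLANNED = {
    "example.com": "192.0.2.1:5353^xfr-key", "example.net": "192.0.2.2",
    "example.org": "/var/lib/zones/example.org.zone", "example.test": "192.0.2.3:70000",
}

if __name__ == "__main__":
    print("\n".join(audit(PLANNED)))
```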

--policy <POLICY>

Policy to use for this zone.

Note: At present, to use an HSM with a zone, the HSM must exist and be configured in the policy used by the zone when the zone is added. It is not possible to change it later in this alpha version of Cascade.

--import-public-key <IMPORT_PUBLIC_KEY>

Import a public key to be included in the DNSKEY RRset.

This needs to be a file path accessible by the Cascade daemon.

--import-ksk-file <IMPORT_KSK_FILE>

Import a key pair as a KSK.

The file path needs to be the public key file of the KSK. The private key file name is derived from the public key file. Key files are not actually copied from the specified paths and must remain accessible to the server.

--import-zsk-file <IMPORT_ZSK_FILE>

Import a key pair as a ZSK.

The file path needs to be the public key file of the ZSK. The private key file name is derived from the public key file. Key files are not actually copied from the specified paths and must remain accessible to the server.

--import-csk-file <IMPORT_CSK_FILE>

Import a key pair as a CSK.

The file path needs to be the public key file of the CSK. The private key file name is derived from the public key file. Key files are not actually copied from the specified paths and must remain accessible to the server.

--import-ksk-kmip <server> <public_id> <private_id> <algorithm> <flags>

Import a KSK from an HSM.

--import-zsk-kmip <server> <public_id> <private_id> <algorithm> <flags>

Import a ZSK from an HSM.

--import-csk-kmip <server> <public_id> <private_id> <algorithm> <flags>

Import a CSK from an HSM.

-h, --help

Print the help text (short summary with -h, long help with --help).

<NAME>

The name of the zone to add.

Options for zone remove

<NAME>

The name of the zone to remove.

Options for zone reload

<NAME>

The name of the zone to reload.

Options for zone approve

<--unsigned|--signed>

Whether the zone to approve is at the unsigned or signed review stage.

<NAME>

The name of the zone to approve.

<SERIAL>

The serial number of the zone to approve.

Options for zone reject

<--unsigned|--signed>

Whether the zone to reject is at the unsigned or signed review stage.

<NAME>

The name of the zone to reject.

<SERIAL>

The serial number of the zone to reject.

Options for zone override

<--unsigned|--signed>

Whether the zone to override is at the unsigned or signed review stage.

<NAME>

The name of the zone to override.

Options for zone status

--detailed

Print detailed information about the zone, including a zone’s DNSSEC key identifiers in use, as well as the new DNSKEY records during key rolls.

<NAME>

The name of the zone to report the status of.

Options for zone reset

<NAME>

The name of the zone to reset the pipeline of.

See Also

https://cascade.docs.nlnetlabs.nl

Cascade online documentation

cascade(1)

Cascade CLI

cascaded(1)

Cascade Daemon

cascaded-config.toml(5)

Configuration File Format

cascaded-policy.toml(5)

Policy File Format