Per zone settings: Domain Metadata

Each served zone can have “metadata”. Such metadata determines how this zone behaves in certain circumstances.


When multiple backends are in use, domain metadata is only retrieved from and written to the first DNSSEC-capable or metadata-capable backend, no matter where the related zones live.

For the BIND backend, this information is either stored in the bind-dnssec-db or the hybrid database, depending on your settings.

For the implementation in non-sql backends, please review your backend’s documentation.

Apart from raw SQL statements, setting domain metadata can be done with pdnsutil set-meta and retrieving metadata is done with pdnsutil get-meta.

The following options can only be read (not written to) via the HTTP API metadata endpoint.


The option SOA-EDIT-API cannot be written or read via the HTTP API metadata endpoint.


Per-zone AXFR ACLs can be stored in the domainmetadata table.

Each ACL specifies one subnet (v4 or v6), or the magical value ‘AUTO-NS’ that tries to allow all potential slaves in.


pdnsutil set-meta ALLOW-AXFR-FROM AUTO-NS 2001:db8::/48

Each ACL has its own row in the database:

sql> select id from domains where name='';
sql> insert into domainmetadata (domain_id, kind, content) values (7,'ALLOW-AXFR-FROM','AUTO-NS');
sql> insert into domainmetadata (domain_id, kind, content) values (7,'ALLOW-AXFR-FROM','2001:db8::/48');

To disallow all IP’s, except those explicitly allowed by domainmetadata records, add allow-axfr-ips= to pdns.conf.


New in version 4.1.0.

This metadata item controls whether or not a zone is fully rectified on changes to the contents of a zone made through the API.

When the API-RECTIFY value is “1”, the zone will be rectified on changes. Any other value means that it will not be rectified. If this is not set at all, rectifying of the zone depends on the config variable default-api-rectify.


The IP address to use as a source address for sending AXFR and IXFR requests.


See the documentation on Dynamic DNS update.


When notifying this domain, also notify this nameserver (can occur multiple times). The nameserver may contain an optional port number. e.g.:

pdnsutil set-meta ALSO-NOTIFY
pdnsutil set-meta ALLOW-AXFR-FROM 2001:db8:53::1


Use this named TSIG key to retrieve this zone from its master, see Provisioning signed notification and AXFR requests.


Changed in version 4.3.1: GSS support was removed

Changed in version 4.7.0: GSS support was added back

Allow this GSS principal to perform AXFR retrieval. Most commonly it is host/something@REALM, DNS/something@REALM or user@REALM. (See GSS-TSIG support).


Use this principal for accepting GSS context. (See GSS-TSIG support).


If set to 1, attempt IXFR when retrieving zone updates. Otherwise IXFR is not attempted.


Script to be used to edit incoming AXFRs, see Modifying a slave zone using a script. This value will override the lua-axfr-script setting. Use ‘NONE’ to remove a global script.


Set to “1” to tell PowerDNS this zone operates in NSEC3 ‘narrow’ mode. See set-nsec3 for pdnsutil.


NSEC3 parameters of a DNSSEC zone. Will be used to synthesize the NSEC3PARAM record. If present, NSEC3 is used, if not present, zones default to NSEC. See set-nsec3 in pdnsutil. Example content: “1 0 0 -“.


This zone carries DNSSEC RRSIGs (signatures), and is presigned. PowerDNS sets this flag automatically upon incoming zone transfers (AXFR) if it detects DNSSEC records in the zone. However, if you import a presigned zone using zone2sql or pdnsutil load-zone you must explicitly set the zone to be PRESIGNED. Note that PowerDNS will not be able to correctly serve the zone if the imported data is bogus or incomplete. Also see set-presigned in pdnsutil.

If a zone is presigned, the content of the metadata must be “1” (without the quotes). Any other value will not signal presignedness.


Whether to publish CDNSKEY and/or CDS records as defined in RFC 7344.

To publish CDNSKEY records of the KSKs for the zone, set PUBLISH-CDNSKEY to 1.

To publish CDS records for the KSKs in the zone, set PUBLISH-CDS to a comma- separated list of signature algorithm numbers.

This metadata can also be set using the pdnsutil commands set-publish-cdnskey and set-publish-cds. For an example for an RFC 7344 key rollover, see the KSK Rollover using CDS & CDNSKEY Key Rollover.

Global defaults for these values can be set via default-publish-cdnskey and default-publish-cds.


New in version 4.3.0.

If set to 1, will make PowerDNS renotify the slaves after an AXFR is received from a master. Any other value means that no renotifies are done. If not set at all, action will depend on the slave-renotify setting.


When serving this zone, modify the SOA serial number in one of several ways. Mostly useful to get slaves to re-transfer a zone regularly to get fresh RRSIGs. See the DNSSEC documentation for more information.


On changes to the contents of a zone made through the API, the SOA record will be edited according to the SOA-EDIT-API rules. These rules are the same as the SOA-EDIT-DNSUPDATE rules. If not set during zone creation, a SOA-EDIT-API metadata record is created and set to DEFAULT. If this record is removed from the backend, the default behaviour is to not do any SOA editing based on this setting. This is different from setting DEFAULT.


Allow these named TSIG keys to AXFR this zone, see Provisioning signed notification and AXFR requests.


This setting allows you to set the TSIG key required to do an Dynamic DNS Update (RFC 2136). If GSS-TSIG is enabled, you can put kerberos principals here as well.

Extra metadata

Through the API and on the pdnsutil set-meta commandline, metadata unused by PowerDNS can be added. It is mandatory to prefix this extra metadata with “X-” and the name of the external application; the API will only allow this metadata if it starts with “X-“.