<!--
 - Copyright (C) 2012, 2014-2016  Internet Systems Consortium, Inc. ("ISC")
 -
 - This Source Code Form is subject to the terms of the Mozilla Public
 - License, v. 2.0. If a copy of the MPL was not distributed with this
 - file, You can obtain one at http://mozilla.org/MPL/2.0/.
-->
<!-- Converted by db4-upgrade version 1.0 -->
<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.dnssec-verify">
  <refentryinfo>
    <corpauthor>Internet Systems Consortium, Inc.</corpauthor>
  </refentryinfo>

  <refmeta>
    <refentrytitle><application>dnssec-verify</application></refentrytitle>
  </refmeta>

  <refnamediv>
    <refname><application>dnssec-verify</application></refname>
    <refpurpose>DNSSEC zone verification tool</refpurpose>
  </refnamediv>

  <docinfo>
    <copyright>
      <year>2012</year>
      <year>2014</year>
      <year>2015</year>
      <year>2016</year>
      <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
    </copyright>
  </docinfo>
  <refsynopsisdiv>
    <cmdsynopsis>
      <command>dnssec-verify</command>
      <arg choice="opt" rep="norepeat"><option>-c <replaceable class="parameter">class</replaceable></option></arg>
      <arg choice="opt" rep="norepeat"><option>-E <replaceable class="parameter">engine</replaceable></option></arg>
      <arg choice="opt" rep="norepeat"><option>-I <replaceable class="parameter">input-format</replaceable></option></arg>
      <arg choice="opt" rep="norepeat"><option>-o <replaceable class="parameter">origin</replaceable></option></arg>
      <arg choice="opt" rep="norepeat"><option>-v <replaceable class="parameter">level</replaceable></option></arg>
      <arg choice="opt" rep="norepeat"><option>-V</option></arg>
      <arg choice="opt" rep="norepeat"><option>-x</option></arg>
      <arg choice="opt" rep="norepeat"><option>-z</option></arg>
      <arg choice="req" rep="norepeat">zonefile</arg>
    </cmdsynopsis>
  </refsynopsisdiv>
  <refsection><info><title>DESCRIPTION</title></info>
    <para>
      <command>dnssec-verify</command>
      verifies that a zone is fully signed for each algorithm found
      in the DNSKEY RRset for the zone, and that the NSEC / NSEC3
      chains are complete.
    </para>
  </refsection>
  <refsection><info><title>OPTIONS</title></info>
    <variablelist>
      <varlistentry>
        <term>-c <replaceable class="parameter">class</replaceable></term>
        <listitem>
          <para>
            Specifies the DNS class of the zone.
          </para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>-E <replaceable class="parameter">engine</replaceable></term>
        <listitem>
          <para>
            Specifies the cryptographic hardware to use, when applicable.
            When BIND is built with OpenSSL PKCS#11 support, this defaults
            to the string "pkcs11", which identifies an OpenSSL engine
            that can drive a cryptographic accelerator or hardware service
            module. When BIND is built with native PKCS#11 cryptography
            (--enable-native-pkcs11), it defaults to the path of the PKCS#11
            provider library specified via "--with-pkcs11".
          </para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>-I <replaceable class="parameter">input-format</replaceable></term>
        <listitem>
          <para>
            The format of the input zone file.
            Possible formats are <command>"text"</command> (default)
            This option is primarily intended to be used for dynamic
            signed zones so that the dumped zone file in a non-text
            format containing updates can be verified independently.
            The use of this option does not make much sense for
            non-dynamic zones.
          </para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>-o <replaceable class="parameter">origin</replaceable></term>
        <listitem>
          <para>
            The zone origin. If not specified, the name of the zone file
            is assumed to be the origin.
          </para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>-v <replaceable class="parameter">level</replaceable></term>
        <listitem>
          <para>
            Sets the debugging level.
          </para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>-V</term>
        <listitem>
          <para>
            Prints version information.
          </para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>-x</term>
        <listitem>
          <para>
            Only verify that the DNSKEY RRset is signed with key-signing
            keys. Without this flag, it is assumed that the DNSKEY RRset
            will be signed by all active keys. When this flag is set,
            it will not be an error if the DNSKEY RRset is not signed
            by zone-signing keys. This corresponds to the <option>-x</option>
          </para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>-z</term>
        <listitem>
          <para>
            Ignore the KSK flag on the keys when determining whether
            the zone is correctly signed. Without this flag it is
            assumed that there will be a non-revoked, self-signed
            DNSKEY with the KSK flag set for each algorithm and
            that RRsets other than the DNSKEY RRset will be signed with
            a different DNSKEY without the KSK flag set.
          </para>
          <para>
            With this flag set, we only require that for each algorithm
            there will be at least one non-revoked, self-signed DNSKEY,
            regardless of the KSK flag state, and that other RRsets
            will be signed by a non-revoked key for the same algorithm
            that includes the self-signed key; the same key may be used
            for both purposes. This corresponds to the <option>-z</option>
          </para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>zonefile</term>
        <listitem>
          <para>
            The file containing the zone to be signed.
          </para>
        </listitem>
      </varlistentry>
    </variablelist>
  </refsection>
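The key-coverage rules the OPTIONS section states for the default, -x and -z modes, as an added illustration that is not part of this man page or of BIND: a small Python model in which RRSIGs are stood in for by signing-key tags rather than verified, and "active" is taken to mean present in the DNSKEY RRset and not revoked (both are assumptions of the model).

```python
# Added model of the key-coverage rules the dnssec-verify man page states for
# its default, -x and -z modes. Hypothetical illustration, not BIND code:
# RRSIGs are represented by signing-key tags rather than verified, and
# "active" is modelled as "present in the DNSKEY RRset and not revoked".
from dataclasses import dataclass


@dataclass(frozen=True)
class Key:
    tag: int
    alg: int
    ksk: bool              # KSK (SEP) flag set
    revoked: bool = False  # REVOKE flag set


def check(keys, dnskey_sigs, other_sigs, x=False, z=False):
    """Return a list of problems; an empty list means the zone verifies.
    dnskey_sigs: tags of keys whose RRSIG covers the DNSKEY RRset.
    other_sigs: dict mapping an RRset label to the tags that sign it."""
    problems = []
    by_tag = {k.tag: k for k in keys}
    active = [k for k in keys if not k.revoked]
    for alg in sorted({k.alg for k in active}):
        alg_keys = [k for k in active if k.alg == alg]
        self_signed = [k for k in alg_keys if k.tag in dnskey_sigs]
        # Default: a self-signed KSK per algorithm; -z ignores the KSK flag.
        anchors = self_signed if z else [k for k in self_signed if k.ksk]
        if not anchors:
            need = "self-signed key" if z else "self-signed KSK"
            problems.append(f"alg {alg}: no non-revoked {need}")
        # Default: every active key signs DNSKEY; -x asks only for the KSKs.
        required = [k for k in alg_keys if k.ksk] if x else alg_keys
        for k in required:
            if k.tag not in dnskey_sigs:
                problems.append(f"alg {alg}: key {k.tag} does not sign DNSKEY")
        # Other RRsets: a non-revoked signer of this algorithm, which without
        # -z must lack the KSK flag (with -z the same key may serve both roles).
        for name, signers in other_sigs.items():
            ok = [by_tag[t] for t in signers
                  if t in by_tag and by_tag[t].alg == alg and not by_tag[t].revoked]
            if not z:
                ok = [k for k in ok if not k.ksk]
            if not ok:
                problems.append(f"alg {alg}: {name} not signed by a usable key")
    return problems


# Constructed sample zones (key tags and algorithm numbers are made up).
SPLIT = ([Key(1, 8, True), Key(2, 8, False)], {1, 2}, {"SOA": {2}, "www/A": {2}})
KSK_ONLY_DNSKEY = ([Key(1, 8, True), Key(2, 8, False)], {1}, {"SOA": {2}})
SINGLE_CSK = ([Key(3, 13, True)], {3}, {"SOA": {3}})
```

The KSK_ONLY_DNSKEY zone fails by default and passes with x=True; the SINGLE_CSK zone fails by default and passes with z=True, mirroring the two flags' descriptions.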
  <refsection><info><title>SEE ALSO</title></info>
    <para>
      <citerefentry>
        <refentrytitle>dnssec-signzone</refentrytitle><manvolnum>8</manvolnum>
      </citerefentry>,
      <citetitle>BIND 9 Administrator Reference Manual</citetitle>,
    </para>
  </refsection>
</refentry>