<!--
 - Copyright (C) 2012, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
 -
 - This Source Code Form is subject to the terms of the Mozilla Public
 - License, v. 2.0. If a copy of the MPL was not distributed with this
 - file, You can obtain one at http://mozilla.org/MPL/2.0/.
-->

<!-- Converted by db4-upgrade version 1.0 -->
<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.dnssec-verify">
  <info>
    <date>2014-01-15</date>
  </info>
  <refentryinfo>
    <corpname>ISC</corpname>
    <corpauthor>Internet Systems Consortium, Inc.</corpauthor>
  </refentryinfo>

  <refmeta>
    <refentrytitle><application>dnssec-verify</application></refentrytitle>
    <manvolnum>8</manvolnum>
    <refmiscinfo>BIND9</refmiscinfo>
  </refmeta>

  <refnamediv>
    <refname><application>dnssec-verify</application></refname>
    <refpurpose>DNSSEC zone verification tool</refpurpose>
  </refnamediv>

  <docinfo>
    <copyright>
      <year>2012</year>
      <year>2014</year>
      <year>2015</year>
      <year>2016</year>
      <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
    </copyright>
  </docinfo>

  <refsynopsisdiv>
    <cmdsynopsis sepchar=" ">
      <command>dnssec-verify</command>
      <arg choice="opt" rep="norepeat"><option>-c <replaceable class="parameter">class</replaceable></option></arg>
      <arg choice="opt" rep="norepeat"><option>-E <replaceable class="parameter">engine</replaceable></option></arg>
      <arg choice="opt" rep="norepeat"><option>-I <replaceable class="parameter">input-format</replaceable></option></arg>
      <arg choice="opt" rep="norepeat"><option>-o <replaceable class="parameter">origin</replaceable></option></arg>
      <arg choice="opt" rep="norepeat"><option>-v <replaceable class="parameter">level</replaceable></option></arg>
      <arg choice="opt" rep="norepeat"><option>-V</option></arg>
      <arg choice="opt" rep="norepeat"><option>-x</option></arg>
      <arg choice="opt" rep="norepeat"><option>-z</option></arg>
      <arg choice="req" rep="norepeat">zonefile</arg>
    </cmdsynopsis>
  </refsynopsisdiv>

  <refsection><info><title>DESCRIPTION</title></info>

    <para><command>dnssec-verify</command>
      verifies that a zone is fully signed for each algorithm found
      in the DNSKEY RRset for the zone, and that the NSEC / NSEC3
      chains are complete.
    </para>
  </refsection>

  <refsection><info><title>OPTIONS</title></info>


    <variablelist>
      <varlistentry>
        <term>-c <replaceable class="parameter">class</replaceable></term>
        <listitem>
          <para>
            Specifies the DNS class of the zone.
          </para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>-E <replaceable class="parameter">engine</replaceable></term>
        <listitem>
          <para>
            Specifies the cryptographic hardware to use, when applicable.
          </para>
          <para>
            When BIND is built with OpenSSL PKCS#11 support, this defaults
            to the string "pkcs11", which identifies an OpenSSL engine
            that can drive a cryptographic accelerator or hardware security
            module. When BIND is built with native PKCS#11 cryptography
            (--enable-native-pkcs11), it defaults to the path of the PKCS#11
            provider library specified via "--with-pkcs11".
          </para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>-I <replaceable class="parameter">input-format</replaceable></term>
        <listitem>
          <para>
            The format of the input zone file.
            Possible formats are <command>"text"</command> (default)
            and <command>"raw"</command>.
            This option is primarily intended to be used for dynamic
            signed zones so that the dumped zone file in a non-text
            format containing updates can be verified independently.
            The use of this option does not make much sense for
            non-dynamic zones.
          </para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>-o <replaceable class="parameter">origin</replaceable></term>
        <listitem>
          <para>
            The zone origin. If not specified, the name of the zone file
            is assumed to be the origin.
          </para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>-v <replaceable class="parameter">level</replaceable></term>
        <listitem>
          <para>
            Sets the debugging level.
          </para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>-V</term>
        <listitem>
          <para>
            Prints version information.
          </para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>-x</term>
        <listitem>
          <para>
            Only verify that the DNSKEY RRset is signed with key-signing
            keys. Without this flag, it is assumed that the DNSKEY RRset
            will be signed by all active keys. When this flag is set,
            it will not be an error if the DNSKEY RRset is not signed
            by zone-signing keys. This corresponds to the <option>-x</option>
            option in <command>dnssec-signzone</command>.
          </para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>-z</term>
        <listitem>
          <para>
            Ignore the KSK flag on the keys when determining whether
            the zone is correctly signed. Without this flag it is
            assumed that there will be a non-revoked, self-signed
            DNSKEY with the KSK flag set for each algorithm and
            that RRsets other than the DNSKEY RRset will be signed with
            a different DNSKEY without the KSK flag set.
          </para>
          <para>
            With this flag set, we only require that for each algorithm,
            there will be at least one non-revoked, self-signed DNSKEY,
            regardless of the KSK flag state, and that other RRsets
            will be signed by a non-revoked key for the same algorithm
            that includes the self-signed key; the same key may be used
            for both purposes. This corresponds to the <option>-z</option>
            option in <command>dnssec-signzone</command>.
          </para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>zonefile</term>
        <listitem>
          <para>
            The file containing the zone to be verified.
          </para>
        </listitem>
      </varlistentry>

    </variablelist>
  </refsection>
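
  <refsection><info><title>EXAMPLE</title></info>

    <para>
      The following Python script is an added example, not part of BIND or
      of this manual page. It models the key-coverage rules that the DESCRIPTION
      and the <option>-x</option> and <option>-z</option> options describe: for
      each algorithm present in the DNSKEY RRset, which keys must have produced
      RRSIGs over the DNSKEY RRset and over the other RRsets of the zone. It does
      not verify signature cryptography or NSEC/NSEC3 chains. The record layout
      (keytag, algorithm, flags for DNSKEY; covered type, algorithm, keytag for
      RRSIG), the sample keys and signatures, and the reading of "active keys"
      as "non-revoked keys" are this example's own assumptions.
    </para>

```python
"""Model of dnssec-verify's key-coverage rules (added example, not BIND code).

Only the role/algorithm bookkeeping is modelled: no signature cryptography,
no NSEC/NSEC3 chain checks. Record layout is a constructed simplification:
a DNSKEY is (keytag, algorithm, flags), an RRSIG is (covers, algorithm, keytag).
Flag bits follow RFC 4034 / RFC 5011: 0x0001 is the SEP (KSK) flag and
0x0080 is the REVOKE flag.
"""
from collections import namedtuple

SEP = 0x0001      # the "KSK flag" the man page refers to
REVOKE = 0x0080   # revoked keys never count as signers

DNSKEY = namedtuple("DNSKEY", "keytag algorithm flags")
RRSIG = namedtuple("RRSIG", "covers algorithm keytag")


def is_ksk(key):
    return bool(key.flags & SEP)


def is_revoked(key):
    return bool(key.flags & REVOKE)


def signers(rrsigs, covers, keys):
    """Non-revoked DNSKEYs whose RRSIGs cover the RRset of type `covers`."""
    by_id = {(k.keytag, k.algorithm): k for k in keys}
    found = []
    for sig in rrsigs:
        if sig.covers != covers:
            continue
        key = by_id.get((sig.keytag, sig.algorithm))
        if key is not None and not is_revoked(key):
            found.append(key)
    return found


def verify_zone(keys, rrsigs, rrtypes, ksk_only=False, ignore_ksk_flag=False):
    """Return a list of problems; an empty list means the zone passes.

    keys            - the apex DNSKEY RRset
    rrsigs          - every RRSIG in the zone
    rrtypes         - the other RRsets that must be signed (e.g. "SOA", "NS")
    ksk_only        - behaves like dnssec-verify -x
    ignore_ksk_flag - behaves like dnssec-verify -z
    """
    problems = []
    dnskey_signers = signers(rrsigs, "DNSKEY", keys)
    for alg in sorted({k.algorithm for k in keys}):
        self_signers = [k for k in dnskey_signers if k.algorithm == alg]
        if ignore_ksk_flag:
            # -z: any non-revoked self-signing key of this algorithm will do
            if not self_signers:
                problems.append(f"alg {alg}: DNSKEY RRset not self-signed")
        else:
            # default and -x: a non-revoked KSK must sign the DNSKEY RRset
            if not any(is_ksk(k) for k in self_signers):
                problems.append(f"alg {alg}: DNSKEY RRset not signed by a KSK")
            # default only: the ZSKs (assumed to be the remaining active keys)
            # must sign the DNSKEY RRset as well; -x waives this
            if not ksk_only and not any(not is_ksk(k) for k in self_signers):
                problems.append(f"alg {alg}: DNSKEY RRset not signed by a ZSK")
        for rrtype in rrtypes:
            sigs = [k for k in signers(rrsigs, rrtype, keys) if k.algorithm == alg]
            if ignore_ksk_flag:
                if not sigs:
                    problems.append(f"alg {alg}: {rrtype} RRset not signed")
            elif not any(not is_ksk(k) for k in sigs):
                problems.append(f"alg {alg}: {rrtype} RRset not signed by a ZSK")
    return problems


# Constructed sample zone: algorithm 13 uses a KSK (tag 11111) and a ZSK
# (tag 22222); algorithm 8 uses one combined key (tag 33333) that carries the
# KSK flag and signs everything itself, which only -z accepts.
SAMPLE_KEYS = [DNSKEY(11111, 13, 257), DNSKEY(22222, 13, 256), DNSKEY(33333, 8, 257)]
SAMPLE_RRSIGS = [
    RRSIG("DNSKEY", 13, 11111), RRSIG("DNSKEY", 13, 22222),
    RRSIG("SOA", 13, 22222), RRSIG("NS", 13, 22222),
    RRSIG("DNSKEY", 8, 33333), RRSIG("SOA", 8, 33333), RRSIG("NS", 8, 33333),
]
SAMPLE_RRTYPES = ["SOA", "NS"]

if __name__ == "__main__":
    for label, kwargs in (("default", {}), ("-x", {"ksk_only": True}),
                          ("-z", {"ignore_ksk_flag": True})):
        print(label, verify_zone(SAMPLE_KEYS, SAMPLE_RRSIGS, SAMPLE_RRTYPES, **kwargs) or "ok")
```

    <para>
      Run as a script, the sample zone fails in the default mode (algorithm 8 has
      no zone-signing key), still fails with <option>-x</option> (the SOA and NS
      RRsets must be signed by a ZSK even though the DNSKEY RRset need not be),
      and passes with <option>-z</option>, where the single combined key may sign
      both the DNSKEY RRset and the rest of the zone. A revoked key is excluded
      from every check, so revoking the only KSK of an algorithm makes the zone
      fail in the default mode.
    </para>
  </refsection>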

  <refsection><info><title>SEE ALSO</title></info>

    <para>
      <citerefentry>
        <refentrytitle>dnssec-signzone</refentrytitle><manvolnum>8</manvolnum>
      </citerefentry>,
      <citetitle>BIND 9 Administrator Reference Manual</citetitle>,
      <citetitle>RFC 4033</citetitle>.
    </para>
  </refsection>

</refentry>
