ad127d839d2e7aa542939a8a336691407e23397eMark Andrews<!--
19c7b1a0293498a3e36692c59646ed6e15ffc8d0Tinderbox User - Copyright (C) 2012, 2014, 2015 Internet Systems Consortium, Inc. ("ISC")
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews -
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews - Permission to use, copy, modify, and/or distribute this software for any
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews - purpose with or without fee is hereby granted, provided that the above
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews - copyright notice and this permission notice appear in all copies.
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews -
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews - PERFORMANCE OF THIS SOFTWARE.
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews-->
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<!-- Converted by db4-upgrade version 1.0 -->
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="man.dnssec-verify">
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <info>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <date>2014-01-15</date>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt </info>
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews <refentryinfo>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <corpname>ISC</corpname>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <corpauthor>Internet Systems Consortium, Inc.</corpauthor>
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews </refentryinfo>
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews <refmeta>
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews <refentrytitle><application>dnssec-verify</application></refentrytitle>
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews <manvolnum>8</manvolnum>
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews <refmiscinfo>BIND9</refmiscinfo>
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews </refmeta>
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews <refnamediv>
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews <refname><application>dnssec-verify</application></refname>
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews <refpurpose>DNSSEC zone verification tool</refpurpose>
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews </refnamediv>
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews <docinfo>
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews <copyright>
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews <year>2012</year>
6ea2385360e9e2167e65f9286447da9eea189457Tinderbox User <year>2014</year>
19c7b1a0293498a3e36692c59646ed6e15ffc8d0Tinderbox User <year>2015</year>
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews </copyright>
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews </docinfo>
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews <refsynopsisdiv>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <cmdsynopsis sepchar=" ">
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews <command>dnssec-verify</command>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <arg choice="opt" rep="norepeat"><option>-c <replaceable class="parameter">class</replaceable></option></arg>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <arg choice="opt" rep="norepeat"><option>-E <replaceable class="parameter">engine</replaceable></option></arg>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <arg choice="opt" rep="norepeat"><option>-I <replaceable class="parameter">input-format</replaceable></option></arg>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <arg choice="opt" rep="norepeat"><option>-o <replaceable class="parameter">origin</replaceable></option></arg>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <arg choice="opt" rep="norepeat"><option>-v <replaceable class="parameter">level</replaceable></option></arg>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <arg choice="opt" rep="norepeat"><option>-V</option></arg>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <arg choice="opt" rep="norepeat"><option>-x</option></arg>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <arg choice="opt" rep="norepeat"><option>-z</option></arg>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <arg choice="req" rep="norepeat">zonefile</arg>
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews </cmdsynopsis>
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews </refsynopsisdiv>
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <refsection><info><title>DESCRIPTION</title></info>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews <para><command>dnssec-verify</command>
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews verifies that a zone is fully signed for each algorithm found
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews in the DNSKEY RRset for the zone, and that the NSEC / NSEC3
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews chains are complete.
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews </para>
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews <para>
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews The only input is the zone file itself; no trust anchor or
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews parent DS data is supplied. A successful run therefore shows
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews that the zone is internally consistent with its own DNSKEY
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews RRset, not that the zone can be validated from a trust anchor
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews by a resolver.
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews </para>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt </refsection>
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <refsection><info><title>OPTIONS</title></info>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews <variablelist>
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews <varlistentry>
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews <term>-c <replaceable class="parameter">class</replaceable></term>
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews <listitem>
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews <para>
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews Specifies the DNS class of the zone.
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews </para>
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews </listitem>
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews </varlistentry>
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt <varlistentry>
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt <term>-E <replaceable class="parameter">engine</replaceable></term>
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt <listitem>
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt <para>
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt Specifies the cryptographic hardware to use, when applicable.
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt </para>
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt <para>
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt When BIND is built with OpenSSL PKCS#11 support, this defaults
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt to the string "pkcs11", which identifies an OpenSSL engine
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt that can drive a cryptographic accelerator or hardware service
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt module. When BIND is built with native PKCS#11 cryptography
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt (--enable-native-pkcs11), it defaults to the path of the PKCS#11
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt provider library specified via "--with-pkcs11".
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt </para>
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt </listitem>
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt </varlistentry>
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews <varlistentry>
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews <term>-I <replaceable class="parameter">input-format</replaceable></term>
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews <listitem>
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews <para>
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews The format of the input zone file.
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews Possible formats are <command>"text"</command> (default)
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews and <command>"raw"</command>.
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews This option is primarily intended to be used for dynamic
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews signed zones so that the dumped zone file in a non-text
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews format containing updates can be verified independently.
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews The use of this option does not make much sense for
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews non-dynamic zones.
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews </para>
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews </listitem>
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews </varlistentry>
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews <varlistentry>
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews <term>-o <replaceable class="parameter">origin</replaceable></term>
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews <listitem>
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews <para>
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews The zone origin. If not specified, the name of the zone file
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews is assumed to be the origin.
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews </para>
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews </listitem>
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews </varlistentry>
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews <varlistentry>
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews <term>-v <replaceable class="parameter">level</replaceable></term>
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews <listitem>
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews <para>
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews Sets the debugging level.
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews </para>
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews </listitem>
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews </varlistentry>
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews
42782931073786f98d3d0a617351db40066949a4Mukund Sivaraman <varlistentry>
42782931073786f98d3d0a617351db40066949a4Mukund Sivaraman <term>-V</term>
42782931073786f98d3d0a617351db40066949a4Mukund Sivaraman <listitem>
42782931073786f98d3d0a617351db40066949a4Mukund Sivaraman <para>
42782931073786f98d3d0a617351db40066949a4Mukund Sivaraman Prints version information.
42782931073786f98d3d0a617351db40066949a4Mukund Sivaraman </para>
42782931073786f98d3d0a617351db40066949a4Mukund Sivaraman </listitem>
42782931073786f98d3d0a617351db40066949a4Mukund Sivaraman </varlistentry>
42782931073786f98d3d0a617351db40066949a4Mukund Sivaraman
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews <varlistentry>
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews <term>-x</term>
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews <listitem>
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews <para>
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews Only verify that the DNSKEY RRset is signed with key-signing
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews keys. Without this flag, it is assumed that the DNSKEY RRset
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews will be signed by all active keys. When this flag is set,
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews it will not be an error if the DNSKEY RRset is not signed
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews by zone-signing keys. This corresponds to the <option>-x</option>
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews option in <command>dnssec-signzone</command>.
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews </para>
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews </listitem>
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews </varlistentry>
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews <varlistentry>
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews <term>-z</term>
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews <listitem>
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews <para>
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews Ignore the KSK flag on the keys when determining whether
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews the zone is correctly signed. Without this flag it is
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews assumed that there will be a non-revoked, self-signed
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews DNSKEY with the KSK flag set for each algorithm and
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews that RRsets other than the DNSKEY RRset will be signed with
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews a different DNSKEY without the KSK flag set.
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews </para>
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews <para>
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews With this flag set, we only require that for each algorithm,
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews there will be at least one non-revoked, self-signed DNSKEY,
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews regardless of the KSK flag state, and that other RRsets
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews will be signed by a non-revoked key for the same algorithm
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews that includes the self-signed key; the same key may be used
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews for both purposes. This corresponds to the <option>-z</option>
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews option in <command>dnssec-signzone</command>.
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews </para>
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews </listitem>
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews </varlistentry>
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews <varlistentry>
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews <term>zonefile</term>
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews <listitem>
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews <para>
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews The file containing the signed zone to be verified.
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews </para>
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews </listitem>
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews </varlistentry>
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews </variablelist>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt </refsection>
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <refsection><info><title>SEE ALSO</title></info>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews <para>
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews <citerefentry>
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews <refentrytitle>dnssec-signzone</refentrytitle><manvolnum>8</manvolnum>
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews </citerefentry>,
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews <citetitle>BIND 9 Administrator Reference Manual</citetitle>,
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews <citetitle>RFC 4033</citetitle>.
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews </para>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt </refsection>
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt</refentry>