1472N/A - Copyright (C) 2012, 2014, 2015 Internet Systems Consortium, Inc. ("ISC") 0N/A - Permission to use, copy, modify, and/or distribute this software for any 0N/A - purpose with or without fee is hereby granted, provided that the above 0N/A - copyright notice and this permission notice appear in all copies. 0N/A - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH 0N/A - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY 0N/A - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, 0N/A - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM 0N/A - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE 0N/A - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR 0N/A - PERFORMANCE OF THIS SOFTWARE. 0N/A<!-- Converted by db4-upgrade version 1.0 --> 0N/A <
corpname>ISC</
corpname>
0N/A <
corpauthor>Internet Systems Consortium, Inc.</
corpauthor>
0N/A <
refentrytitle><
application>dnssec-verify</
application></
refentrytitle>
0N/A <
manvolnum>8</
manvolnum>
0N/A <
refmiscinfo>BIND9</
refmiscinfo>
0N/A <
refname><
application>dnssec-verify</
application></
refname>
0N/A <
refpurpose>DNSSEC zone verification tool</
refpurpose>
0N/A <
holder>Internet Systems Consortium, Inc. ("ISC")</
holder>
0N/A <
cmdsynopsis sepchar=" ">
0N/A <
command>dnssec-verify</
command>
0N/A <
arg choice="opt" rep="norepeat"><
option>-c <
replaceable class="parameter">class</
replaceable></
option></
arg>
0N/A <
arg choice="opt" rep="norepeat"><
option>-E <
replaceable class="parameter">engine</
replaceable></
option></
arg>
0N/A <
arg choice="opt" rep="norepeat"><
option>-I <
replaceable class="parameter">input-format</
replaceable></
option></
arg>
0N/A <
arg choice="opt" rep="norepeat"><
option>-o <
replaceable class="parameter">origin</
replaceable></
option></
arg>
0N/A <
arg choice="opt" rep="norepeat"><
option>-v <
replaceable class="parameter">level</
replaceable></
option></
arg>
0N/A <
arg choice="opt" rep="norepeat"><
option>-V</
option></
arg>
0N/A <
arg choice="opt" rep="norepeat"><
option>-x</
option></
arg>
0N/A <
arg choice="opt" rep="norepeat"><
option>-z</
option></
arg>
0N/A <
arg choice="req" rep="norepeat">zonefile</
arg>
0N/A <
refsection><
info><
title>DESCRIPTION</
title></
info>
2742N/A <
para><
command>dnssec-verify</
command>
0N/A verifies that a zone is fully signed for each algorithm found
0N/A in the DNSKEY RRset for the zone, and that the NSEC / NSEC3
0N/A chains are complete.
0N/A <
refsection><
info><
title>OPTIONS</
title></
info>
0N/A <
term>-c <
replaceable class="parameter">class</
replaceable></
term>
0N/A Specifies the DNS class of the zone.
0N/A <
term>-E <
replaceable class="parameter">engine</
replaceable></
term>
2742N/A Specifies the cryptographic hardware to use, when applicable.
2742N/A When BIND is built with OpenSSL PKCS#11 support, this defaults
2742N/A to the string "pkcs11", which identifies an OpenSSL engine
2742N/A that can drive a cryptographic accelerator or hardware service
0N/A module. When BIND is built with native PKCS#11 cryptography
0N/A (--enable-native-pkcs11), it defaults to the path of the PKCS#11
2742N/A provider library specified via "--with-pkcs11".
0N/A <
term>-I <
replaceable class="parameter">input-format</
replaceable></
term>
0N/A The format of the input zone file.
0N/A Possible formats are <
command>"text"</
command> (default)
0N/A and <
command>"raw"</
command>.
0N/A This option is primarily intended to be used for dynamic
0N/A signed zones so that the dumped zone file in a non-text
2742N/A format containing updates can be verified independently.
0N/A The use of this option does not make much sense for
0N/A <
term>-o <
replaceable class="parameter">origin</
replaceable></
term>
0N/A The zone origin. If not specified, the name of the zone file
0N/A is assumed to be the origin.
0N/A <
term>-v <
replaceable class="parameter">level</
replaceable></
term>
0N/A Sets the debugging level.
0N/A Prints version information.
0N/A Only verify that the DNSKEY RRset is signed with key-signing
0N/A keys. Without this flag, it is assumed that the DNSKEY RRset
0N/A will be signed by all active keys. When this flag is set,
0N/A it will not be an error if the DNSKEY RRset is not signed
0N/A by zone-signing keys. This corresponds to the <
option>-x</
option>
2742N/A option in <
command>dnssec-signzone</
command>.
0N/A Ignore the KSK flag on the keys when determining whether
0N/A the zone if correctly signed. Without this flag it is
2742N/A assumed that there will be a non-revoked, self-signed
0N/A DNSKEY with the KSK flag set for each algorithm and
0N/A that RRsets other than DNSKEY RRset will be signed with
0N/A a different DNSKEY without the KSK flag set.
0N/A With this flag set, we only require that for each algorithm,
0N/A there will be at least one non-revoked, self-signed DNSKEY,
0N/A regardless of the KSK flag state, and that other RRsets
0N/A will be signed by a non-revoked key for the same algorithm
0N/A that includes the self-signed key; the same key may be used
0N/A for both purposes. This corresponds to the <
option>-z</
option>
0N/A option in <
command>dnssec-signzone</
command>.
0N/A <
term>zonefile</
term>
0N/A The file containing the zone to be signed.
0N/A <
refsection><
info><
title>SEE ALSO</
title></
info>
0N/A <
refentrytitle>dnssec-signzone</
refentrytitle><
manvolnum>8</
manvolnum>
0N/A <
citetitle>BIND 9 Administrator Reference Manual</
citetitle>,
0N/A <
citetitle>RFC 4033</
citetitle>.