dnssec-verify.docbook revision ba751492fcc4f161a18b983d4f018a1a52938cb9
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews [<!ENTITY mdash "—">]>
da5d53fb1401f5e17a77373af32d865489aa04a8Tinderbox User - Copyright (C) 2012 Internet Systems Consortium, Inc. ("ISC")
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews - Permission to use, copy, modify, and/or distribute this software for any
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews - purpose with or without fee is hereby granted, provided that the above
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews - copyright notice and this permission notice appear in all copies.
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews - PERFORMANCE OF THIS SOFTWARE.
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews<!-- $Id: dnssec-verify.docbook,v 1.52 2011/12/22 07:32:40 each Exp $ -->
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews <refentryinfo>
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews </refentryinfo>
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews <refentrytitle><application>dnssec-verify</application></refentrytitle>
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews <refnamediv>
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews <refname><application>dnssec-verify</application></refname>
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews <refpurpose>DNSSEC zone verification tool</refpurpose>
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews </refnamediv>
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews </copyright>
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews <refsynopsisdiv>
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews <cmdsynopsis>
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews <arg><option>-c <replaceable class="parameter">class</replaceable></option></arg>
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews <arg><option>-E <replaceable class="parameter">engine</replaceable></option></arg>
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews <arg><option>-I <replaceable class="parameter">input-format</replaceable></option></arg>
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews <arg><option>-o <replaceable class="parameter">origin</replaceable></option></arg>
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews <arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews </cmdsynopsis>
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews </refsynopsisdiv>
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews verifies that a zone is fully signed for each algorithm found
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews in the DNSKEY RRset for the zone, and that the NSEC / NSEC3
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews chains are complete. The check is self-contained: signatures are
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews validated only against the keys present in the zone's own DNSKEY
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews RRset, so a successful run does not establish that the parent
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews zone's DS RRset refers to those keys; the delegation must be
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews checked separately.
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews <variablelist>
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews <varlistentry>
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews <term>-c <replaceable class="parameter">class</replaceable></term>
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews Specifies the DNS class of the zone.
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews </varlistentry>
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt <varlistentry>
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt <term>-E <replaceable class="parameter">engine</replaceable></term>
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt Specifies the cryptographic hardware to use, when applicable.
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt When BIND is built with OpenSSL PKCS#11 support, this defaults
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt to the string "pkcs11", which identifies an OpenSSL engine
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt that can drive a cryptographic accelerator or hardware service
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt module. When BIND is built with native PKCS#11 cryptography
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt (--enable-native-pkcs11), it defaults to the path of the PKCS#11
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt provider library specified via "--with-pkcs11".
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt </varlistentry>
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews <varlistentry>
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews <term>-I <replaceable class="parameter">input-format</replaceable></term>
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews The format of the input zone file.
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews Possible formats are <command>"text"</command> (default) and <command>"raw"</command>.
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews This option is primarily intended to be used for dynamic
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews signed zones so that the dumped zone file in a non-text
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews format containing updates can be verified independently.
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews The use of this option does not make much sense for
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews non-dynamic zones.
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews </varlistentry>
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews <varlistentry>
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews <term>-o <replaceable class="parameter">origin</replaceable></term>
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews The zone origin. If not specified, the name of the zone file
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews is assumed to be the origin.
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews </varlistentry>
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews <varlistentry>
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews <term>-v <replaceable class="parameter">level</replaceable></term>
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews Sets the debugging level.
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews </varlistentry>
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews <varlistentry>
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews Only verify that the DNSKEY RRset is signed with key-signing
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews keys. Without this flag, it is assumed that the DNSKEY RRset
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews will be signed by all active keys. When this flag is set,
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews it will not be an error if the DNSKEY RRset is not signed
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews by zone-signing keys. This corresponds to the <option>-x</option> option in <command>dnssec-signzone</command>.
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews </varlistentry>
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews <varlistentry>
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews Ignore the KSK flag on the keys when determining whether
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews the zone is correctly signed. Without this flag it is
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews assumed that there will be a non-revoked, self-signed
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews DNSKEY with the KSK flag set for each algorithm and
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews that RRsets other than DNSKEY RRset will be signed with
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews a different DNSKEY without the KSK flag set.
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews With this flag set, we only require that for each algorithm,
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews there will be at least one non-revoked, self-signed DNSKEY,
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews regardless of the KSK flag state, and that other RRsets
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews will be signed by a non-revoked key for the same algorithm
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews that includes the self-signed key; the same key may be used
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews for both purposes. This corresponds to the <option>-z</option> option in <command>dnssec-signzone</command>.
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews Use it only for zones deliberately signed with a single key per
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews algorithm; for a conventional KSK/ZSK split it suppresses the
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews check that the two key roles are distinct.
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews </varlistentry>
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews <varlistentry>
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews The file containing the signed zone to be verified.
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews </varlistentry>
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews </variablelist>
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews <citerefentry>
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews <refentrytitle>dnssec-signzone</refentrytitle><manvolnum>8</manvolnum>
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews </citerefentry>,
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews <citetitle>BIND 9 Administrator Reference Manual</citetitle>,
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews <para><corpauthor>Internet Systems Consortium</corpauthor>
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews - Local variables:
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews - mode: sgml