dnssec-verify.docbook revision 19c7b1a0293498a3e36692c59646ed6e15ffc8d0
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont<!--
52c1cac19a87d591152634a1de44a0311383b359Automatic Updater - Copyright (C) 2012, 2014, 2015 Internet Systems Consortium, Inc. ("ISC")
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont -
4a14ce5ba00ab7bc55c99ffdcf59c7a4ab902721Automatic Updater - Permission to use, copy, modify, and/or distribute this software for any
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont - purpose with or without fee is hereby granted, provided that the above
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont - copyright notice and this permission notice appear in all copies.
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont -
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont - PERFORMANCE OF THIS SOFTWARE.
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont-->
8e821eea5f57ac47a94305aa7ab0c3570d92a311Automatic Updater
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont<!-- Converted by db4-upgrade version 1.0 -->
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="man.dnssec-verify">
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont <info>
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont <date>2014-01-15</date>
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont </info>
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont <refentryinfo>
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont <corpname>ISC</corpname>
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont <corpauthor>Internet Systems Consortium, Inc.</corpauthor>
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont </refentryinfo>
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont <refmeta>
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont <refentrytitle><application>dnssec-verify</application></refentrytitle>
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont <manvolnum>8</manvolnum>
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont <refmiscinfo>BIND9</refmiscinfo>
2a6d4c9948b3f4f31311bd799d114585a30419a9Automatic Updater </refmeta>
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont <refnamediv>
2a6d4c9948b3f4f31311bd799d114585a30419a9Automatic Updater <refname><application>dnssec-verify</application></refname>
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont <refpurpose>DNSSEC zone verification tool</refpurpose>
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont </refnamediv>
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont <docinfo>
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont <copyright>
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater <year>2012</year>
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater <year>2014</year>
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater <year>2015</year>
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater </copyright>
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont </docinfo>
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont
2a6d4c9948b3f4f31311bd799d114585a30419a9Automatic Updater <refsynopsisdiv>
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont <cmdsynopsis sepchar=" ">
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont <command>dnssec-verify</command>
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont <arg choice="opt" rep="norepeat"><option>-c <replaceable class="parameter">class</replaceable></option></arg>
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont <arg choice="opt" rep="norepeat"><option>-E <replaceable class="parameter">engine</replaceable></option></arg>
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont <arg choice="opt" rep="norepeat"><option>-I <replaceable class="parameter">input-format</replaceable></option></arg>
8e821eea5f57ac47a94305aa7ab0c3570d92a311Automatic Updater <arg choice="opt" rep="norepeat"><option>-o <replaceable class="parameter">origin</replaceable></option></arg>
8e821eea5f57ac47a94305aa7ab0c3570d92a311Automatic Updater <arg choice="opt" rep="norepeat"><option>-v <replaceable class="parameter">level</replaceable></option></arg>
731cc132f22dbc9e0ecd7035dce314a61076d31bAutomatic Updater <arg choice="opt" rep="norepeat"><option>-V</option></arg>
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont <arg choice="opt" rep="norepeat"><option>-x</option></arg>
2a6d4c9948b3f4f31311bd799d114585a30419a9Automatic Updater <arg choice="opt" rep="norepeat"><option>-z</option></arg>
2a6d4c9948b3f4f31311bd799d114585a30419a9Automatic Updater <arg choice="req" rep="norepeat">zonefile</arg>
2a6d4c9948b3f4f31311bd799d114585a30419a9Automatic Updater </cmdsynopsis>
8e821eea5f57ac47a94305aa7ab0c3570d92a311Automatic Updater </refsynopsisdiv>
8e821eea5f57ac47a94305aa7ab0c3570d92a311Automatic Updater
8e821eea5f57ac47a94305aa7ab0c3570d92a311Automatic Updater <refsection><info><title>DESCRIPTION</title></info>
2a6d4c9948b3f4f31311bd799d114585a30419a9Automatic Updater
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont <para><command>dnssec-verify</command>
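90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont verifies that a zone is fully signed for each algorithm found
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont in the DNSKEY RRset for the zone, and that the NSEC / NSEC3
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont chains are complete. The check is made against the DNSKEY RRset in the zone file itself; no trust anchor or parent DS record is supplied, so success does not by itself show that the delegation from the parent validates.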
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont </para>
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont </refsection>
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont <refsection><info><title>OPTIONS</title></info>
2a6d4c9948b3f4f31311bd799d114585a30419a9Automatic Updater
2a6d4c9948b3f4f31311bd799d114585a30419a9Automatic Updater
2a6d4c9948b3f4f31311bd799d114585a30419a9Automatic Updater <variablelist>
2a6d4c9948b3f4f31311bd799d114585a30419a9Automatic Updater <varlistentry>
2a6d4c9948b3f4f31311bd799d114585a30419a9Automatic Updater <term>-c <replaceable class="parameter">class</replaceable></term>
2a6d4c9948b3f4f31311bd799d114585a30419a9Automatic Updater <listitem>
2a6d4c9948b3f4f31311bd799d114585a30419a9Automatic Updater <para>
8ec3c085233cedb22b05da36e2773c8f357a7e45Automatic Updater Specifies the DNS class of the zone.
8ec3c085233cedb22b05da36e2773c8f357a7e45Automatic Updater </para>
8ec3c085233cedb22b05da36e2773c8f357a7e45Automatic Updater </listitem>
2a6d4c9948b3f4f31311bd799d114585a30419a9Automatic Updater </varlistentry>
8ec3c085233cedb22b05da36e2773c8f357a7e45Automatic Updater
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont <varlistentry>
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont <term>-E <replaceable class="parameter">engine</replaceable></term>
2a6d4c9948b3f4f31311bd799d114585a30419a9Automatic Updater <listitem>
2a6d4c9948b3f4f31311bd799d114585a30419a9Automatic Updater <para>
2a6d4c9948b3f4f31311bd799d114585a30419a9Automatic Updater Specifies the cryptographic hardware to use, when applicable.
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont </para>
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont <para>
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont When BIND is built with OpenSSL PKCS#11 support, this defaults
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont to the string "pkcs11", which identifies an OpenSSL engine
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont that can drive a cryptographic accelerator or hardware service
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont module. When BIND is built with native PKCS#11 cryptography
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont (--enable-native-pkcs11), it defaults to the path of the PKCS#11
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont provider library specified via "--with-pkcs11".
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater </para>
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater </listitem>
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater </varlistentry>
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater <varlistentry>
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater <term>-I <replaceable class="parameter">input-format</replaceable></term>
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater <listitem>
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater <para>
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater The format of the input zone file.
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater Possible formats are <command>"text"</command> (default)
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater and <command>"raw"</command>.
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont This option is primarily intended for dynamic signed zones,
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont so that a zone file dumped in a non-text format and containing
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont updates can be verified independently.
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont It is of little use for
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont non-dynamic zones.
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont </para>
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont </listitem>
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont </varlistentry>
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater <varlistentry>
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont <term>-o <replaceable class="parameter">origin</replaceable></term>
f8e3e03cacd16ffb923a9603fca23a9e1a1fee07Automatic Updater <listitem>
f8e3e03cacd16ffb923a9603fca23a9e1a1fee07Automatic Updater <para>
f8e3e03cacd16ffb923a9603fca23a9e1a1fee07Automatic Updater The zone origin. If not specified, the name of the zone file
f8e3e03cacd16ffb923a9603fca23a9e1a1fee07Automatic Updater is assumed to be the origin.
f8e3e03cacd16ffb923a9603fca23a9e1a1fee07Automatic Updater </para>
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont </listitem>
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont </varlistentry>
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater <varlistentry>
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont <term>-v <replaceable class="parameter">level</replaceable></term>
0a7ed88633a680bb881868b75ded4d09a7bbbc50Automatic Updater <listitem>
0a7ed88633a680bb881868b75ded4d09a7bbbc50Automatic Updater <para>
0a7ed88633a680bb881868b75ded4d09a7bbbc50Automatic Updater Sets the debugging level.
0a7ed88633a680bb881868b75ded4d09a7bbbc50Automatic Updater </para>
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont </listitem>
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont </varlistentry>
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont <varlistentry>
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont <term>-V</term>
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont <listitem>
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater <para>
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont Prints version information.
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont </para>
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont </listitem>
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont </varlistentry>
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont <varlistentry>
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont <term>-x</term>
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont <listitem>
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont <para>
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont Only verify that the DNSKEY RRset is signed with key-signing
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont keys. Without this flag, it is assumed that the DNSKEY RRset
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont will be signed by all active keys. When this flag is set,
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont it will not be an error if the DNSKEY RRset is not signed
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont by zone-signing keys. This corresponds to the <option>-x</option>
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont option in <command>dnssec-signzone</command>.
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont </para>
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont </listitem>
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont </varlistentry>
8e821eea5f57ac47a94305aa7ab0c3570d92a311Automatic Updater
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater <varlistentry>
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater <term>-z</term>
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater <listitem>
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater <para>
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater Ignore the KSK flag on the keys when determining whether
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater the zone is correctly signed. Without this flag it is
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater assumed that there will be a non-revoked, self-signed
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater DNSKEY with the KSK flag set for each algorithm and
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater that RRsets other than the DNSKEY RRset will be signed with
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater a different DNSKEY without the KSK flag set.
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater </para>
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater <para>
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater With this flag set, we only require that for each algorithm,
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater there will be at least one non-revoked, self-signed DNSKEY,
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater regardless of the KSK flag state, and that other RRsets
f8e3e03cacd16ffb923a9603fca23a9e1a1fee07Automatic Updater will be signed by a non-revoked key for the same algorithm
f8e3e03cacd16ffb923a9603fca23a9e1a1fee07Automatic Updater that includes the self-signed key; the same key may be used
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater for both purposes. This corresponds to the <option>-z</option>
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater option in <command>dnssec-signzone</command>.
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater </para>
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater </listitem>
5a24d24c8fba3480d707c0c902379ddb36501e12Automatic Updater </varlistentry>
f8e3e03cacd16ffb923a9603fca23a9e1a1fee07Automatic Updater
f8e3e03cacd16ffb923a9603fca23a9e1a1fee07Automatic Updater <varlistentry>
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater <term>zonefile</term>
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater <listitem>
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater <para>
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater The file containing the zone to be verified.
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater </para>
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater </listitem>
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater </varlistentry>
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater </variablelist>
f8e3e03cacd16ffb923a9603fca23a9e1a1fee07Automatic Updater </refsection>
f8e3e03cacd16ffb923a9603fca23a9e1a1fee07Automatic Updater
f8e3e03cacd16ffb923a9603fca23a9e1a1fee07Automatic Updater <refsection><info><title>SEE ALSO</title></info>
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater <para>
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater <citerefentry>
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater <refentrytitle>dnssec-signzone</refentrytitle><manvolnum>8</manvolnum>
f8e3e03cacd16ffb923a9603fca23a9e1a1fee07Automatic Updater </citerefentry>,
f8e3e03cacd16ffb923a9603fca23a9e1a1fee07Automatic Updater <citetitle>BIND 9 Administrator Reference Manual</citetitle>,
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater <citetitle>RFC 4033</citetitle>.
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater </para>
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater </refsection>
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater
8e821eea5f57ac47a94305aa7ab0c3570d92a311Automatic Updater</refentry>
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont