bin/dnssec/dnssec-verify.docbook

	dnssec-verify.docbook revision 42782931073786f98d3d0a617351db40066949a4
1N/A<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
1N/A               "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
1N/A           [<!ENTITY mdash "&#8212;">]>
1N/A<!--
1N/A - Copyright (C) 2012, 2014  Internet Systems Consortium, Inc. ("ISC")
1N/A -
1N/A - Permission to use, copy, modify, and/or distribute this software for any
1N/A - purpose with or without fee is hereby granted, provided that the above
1N/A - copyright notice and this permission notice appear in all copies.
1N/A -
1N/A - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
1N/A - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
1N/A - AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
1N/A - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
1N/A - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
1N/A - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
1N/A - PERFORMANCE OF THIS SOFTWARE.
1N/A-->
1N/A
1N/A<refentry id="man.dnssec-verify">
1N/A  <refentryinfo>
1N/A    <date>January 15, 2014</date>
1N/A  </refentryinfo>
1N/A
1N/A  <refmeta>
1N/A    <refentrytitle><application>dnssec-verify</application></refentrytitle>
1N/A   <manvolnum>8</manvolnum>
1N/A    <refmiscinfo>BIND9</refmiscinfo>
1N/A  </refmeta>
1N/A
1N/A  <refnamediv>
1N/A    <refname><application>dnssec-verify</application></refname>
1N/A    <refpurpose>DNSSEC zone verification tool</refpurpose>
1N/A  </refnamediv>
1N/A
1N/A  <docinfo>
1N/A    <copyright>
1N/A      <year>2012</year>
1N/A      <year>2014</year>
1N/A      <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
1N/A    </copyright>
1N/A  </docinfo>
1N/A
1N/A  <refsynopsisdiv>
1N/A    <cmdsynopsis>
1N/A      <command>dnssec-verify</command>
1N/A      <arg><option>-c <replaceable class="parameter">class</replaceable></option></arg>
1N/A      <arg><option>-E <replaceable class="parameter">engine</replaceable></option></arg>
1N/A      <arg><option>-I <replaceable class="parameter">input-format</replaceable></option></arg>
1N/A      <arg><option>-o <replaceable class="parameter">origin</replaceable></option></arg>
1N/A      <arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
1N/A      <arg><option>-V</option></arg>
1N/A      <arg><option>-x</option></arg>
1N/A      <arg><option>-z</option></arg>
1N/A      <arg choice="req">zonefile</arg>
1N/A    </cmdsynopsis>
1N/A  </refsynopsisdiv>
1N/A
1N/A  <refsect1>
1N/A    <title>DESCRIPTION</title>
1N/A    <para><command>dnssec-verify</command>
1N/A      verifies that a zone is fully signed for each algorithm found
1N/A      in the DNSKEY RRset for the zone, and that the NSEC / NSEC3
1N/A      chains are complete.
1N/A    </para>
1N/A  </refsect1>
1N/A
1N/A  <refsect1>
1N/A    <title>OPTIONS</title>
1N/A
1N/A    <variablelist>
1N/A      <varlistentry>
1N/A        <term>-c <replaceable class="parameter">class</replaceable></term>
1N/A        <listitem>
1N/A          <para>
1N/A            Specifies the DNS class of the zone.
1N/A          </para>
1N/A        </listitem>
1N/A      </varlistentry>
1N/A
1N/A      <varlistentry>
1N/A        <term>-E <replaceable class="parameter">engine</replaceable></term>
1N/A        <listitem>
1N/A          <para>
1N/A            Specifies the cryptographic hardware to use, when applicable.
1N/A          </para>
1N/A          <para>
1N/A            When BIND is built with OpenSSL PKCS#11 support, this defaults
1N/A            to the string "pkcs11", which identifies an OpenSSL engine
1N/A            that can drive a cryptographic accelerator or hardware service
1N/A            module.  When BIND is built with native PKCS#11 cryptography
1N/A            (--enable-native-pkcs11), it defaults to the path of the PKCS#11
1N/A            provider library specified via "--with-pkcs11".
1N/A          </para>
1N/A        </listitem>
1N/A      </varlistentry>
1N/A
1N/A      <varlistentry>
1N/A        <term>-I <replaceable class="parameter">input-format</replaceable></term>
1N/A        <listitem>
1N/A          <para>
1N/A            The format of the input zone file.
1N/A        Possible formats are <command>"text"</command> (default)
1N/A        and <command>"raw"</command>.
1N/A        This option is primarily intended to be used for dynamic
1N/A            signed zones so that the dumped zone file in a non-text
1N/A            format containing updates can be verified independently.
1N/A        The use of this option does not make much sense for
1N/A        non-dynamic zones.
1N/A          </para>
1N/A        </listitem>
1N/A      </varlistentry>
1N/A
1N/A      <varlistentry>
1N/A        <term>-o <replaceable class="parameter">origin</replaceable></term>
1N/A        <listitem>
1N/A          <para>
1N/A            The zone origin.  If not specified, the name of the zone file
1N/A            is assumed to be the origin.
1N/A          </para>
1N/A        </listitem>
1N/A      </varlistentry>
1N/A
1N/A      <varlistentry>
1N/A        <term>-v <replaceable class="parameter">level</replaceable></term>
1N/A        <listitem>
1N/A          <para>
1N/A            Sets the debugging level.
1N/A          </para>
1N/A        </listitem>
1N/A      </varlistentry>
1N/A
1N/A      <varlistentry>
1N/A    <term>-V</term>
1N/A        <listitem>
1N/A      <para>
1N/A        Prints version information.
1N/A      </para>
1N/A        </listitem>
1N/A      </varlistentry>
1N/A
1N/A      <varlistentry>
1N/A        <term>-x</term>
1N/A        <listitem>
1N/A          <para>
1N/A            Only verify that the DNSKEY RRset is signed with key-signing
1N/A            keys.  Without this flag, it is assumed that the DNSKEY RRset
1N/A            will be signed by all active keys.  When this flag is set,
1N/A            it will not be an error if the DNSKEY RRset is not signed
1N/A            by zone-signing keys.  This corresponds to the <option>-x</option>
1N/A            option in <command>dnssec-signzone</command>.
1N/A          </para>
1N/A        </listitem>
1N/A      </varlistentry>
1N/A
1N/A      <varlistentry>
1N/A    <term>-z</term>
    <listitem>
      <para>
        Ignore the KSK flag on the keys when determining whether
            the zone if correctly signed.  Without this flag it is
        assumed that there will be a non-revoked, self-signed
        DNSKEY with the KSK flag set for each algorithm and
        that RRsets other than DNSKEY RRset will be signed with
            a different DNSKEY without the KSK flag set.
      </para>
      <para>
        With this flag set, we only require that for each algorithm,
            there will be at least one non-revoked, self-signed DNSKEY,
            regardless of the KSK flag state, and that other RRsets
        will be signed by a non-revoked key for the same algorithm
            that includes the self-signed key; the same key may be used
            for both purposes.  This corresponds to the <option>-z</option>
            option in <command>dnssec-signzone</command>.
      </para>
    </listitem>
      </varlistentry>

      <varlistentry>
        <term>zonefile</term>
        <listitem>
          <para>
            The file containing the zone to be signed.
          </para>
        </listitem>
      </varlistentry>

    </variablelist>
  </refsect1>

  <refsect1>
    <title>SEE ALSO</title>
    <para>
      <citerefentry>
        <refentrytitle>dnssec-signzone</refentrytitle><manvolnum>8</manvolnum>
      </citerefentry>,
      <citetitle>BIND 9 Administrator Reference Manual</citetitle>,
      <citetitle>RFC 4033</citetitle>.
    </para>
  </refsect1>

  <refsect1>
    <title>AUTHOR</title>
    <para><corpauthor>Internet Systems Consortium</corpauthor>
    </para>
  </refsect1>

</refentry><!--
 - Local variables:
 - mode: sgml
 - End:
-->