5841N/A - Copyright (C) 2012, 2014-2016 Internet Systems Consortium, Inc. ("ISC") 5841N/A - This Source Code Form is subject to the terms of the Mozilla Public 5841N/A - License, v. 2.0. If a copy of the MPL was not distributed with this 5841N/A<
meta http-
equiv="Content-Type" content="text/html; charset=ISO-8859-1">
5841N/A<
title>dnssec-verify</
title>
5841N/A<
meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
5841N/A<
body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><
div class="refentry">
5841N/A <
span class="application">dnssec-verify</
span>
5841N/A — DNSSEC zone verification tool
5841N/A <
div class="refsynopsisdiv">
5841N/A <
div class="cmdsynopsis"><
p>
5841N/A <
code class="command">dnssec-verify</
code>
6211N/A [<
code class="option">-c <
em class="replaceable"><
code>class</
code></
em></
code>]
5841N/A [<
code class="option">-E <
em class="replaceable"><
code>engine</
code></
em></
code>]
5841N/A [<
code class="option">-I <
em class="replaceable"><
code>input-format</
code></
em></
code>]
5841N/A [<
code class="option">-o <
em class="replaceable"><
code>origin</
code></
em></
code>]
5841N/A [<
code class="option">-v <
em class="replaceable"><
code>level</
code></
em></
code>]
5841N/A [<
code class="option">-V</
code>]
5841N/A [<
code class="option">-x</
code>]
5841N/A [<
code class="option">-z</
code>]
5841N/A<
a name="id-1.7"></
a><
h2>DESCRIPTION</
h2>
5841N/A <
p><
span class="command"><
strong>dnssec-verify</
strong></
span>
5841N/A verifies that a zone is fully signed for each algorithm found
5841N/A in the DNSKEY RRset for the zone, and that the NSEC / NSEC3
5841N/A<
a name="id-1.8"></
a><
h2>OPTIONS</
h2>
5841N/A <
div class="variablelist"><
dl class="variablelist">
5841N/A<
dt><
span class="term">-c <
em class="replaceable"><
code>class</
code></
em></
span></
dt>
5841N/A Specifies the DNS class of the zone.
5841N/A<
dt><
span class="term">-E <
em class="replaceable"><
code>engine</
code></
em></
span></
dt>
5841N/A Specifies the cryptographic hardware to use, when applicable.
5841N/A When BIND is built with OpenSSL PKCS#11 support, this defaults
5841N/A to the string "pkcs11", which identifies an OpenSSL engine
5841N/A that can drive a cryptographic accelerator or hardware service
5841N/A module. When BIND is built with native PKCS#11 cryptography
5841N/A (--enable-native-pkcs11), it defaults to the path of the PKCS#11
5841N/A provider library specified via "--with-pkcs11".
5841N/A<
dt><
span class="term">-I <
em class="replaceable"><
code>input-format</
code></
em></
span></
dt>
5841N/A The format of the input zone file.
5841N/A Possible formats are <
span class="command"><
strong>"text"</
strong></
span> (default)
5841N/A and <
span class="command"><
strong>"raw"</
strong></
span>.
5841N/A This option is primarily intended to be used for dynamic
5841N/A signed zones so that the dumped zone file in a non-text
5841N/A format containing updates can be verified independently.
5841N/A The use of this option does not make much sense for
5841N/A<
dt><
span class="term">-o <
em class="replaceable"><
code>origin</
code></
em></
span></
dt>
5841N/A The zone origin. If not specified, the name of the zone file
5841N/A is assumed to be the origin.
5841N/A<
dt><
span class="term">-v <
em class="replaceable"><
code>level</
code></
em></
span></
dt>
5841N/A<
dt><
span class="term">-V</
span></
dt>
5841N/A Prints version information.
6211N/A<
dt><
span class="term">-x</
span></
dt>
5841N/A Only verify that the DNSKEY RRset is signed with key-signing
5841N/A keys. Without this flag, it is assumed that the DNSKEY RRset
5841N/A will be signed by all active keys. When this flag is set,
5841N/A it will not be an error if the DNSKEY RRset is not signed
5841N/A by zone-signing keys. This corresponds to the <
code class="option">-x</
code>
5841N/A option in <
span class="command"><
strong>dnssec-signzone</
strong></
span>.
5841N/A<
dt><
span class="term">-z</
span></
dt>
5841N/A Ignore the KSK flag on the keys when determining whether
5841N/A the zone if correctly signed. Without this flag it is
5841N/A assumed that there will be a non-revoked, self-signed
5841N/A DNSKEY with the KSK flag set for each algorithm and
5841N/A that RRsets other than DNSKEY RRset will be signed with
5841N/A a different DNSKEY without the KSK flag set.
5841N/A With this flag set, we only require that for each algorithm,
5841N/A there will be at least one non-revoked, self-signed DNSKEY,
5841N/A regardless of the KSK flag state, and that other RRsets
5841N/A will be signed by a non-revoked key for the same algorithm
5841N/A that includes the self-signed key; the same key may be used
5841N/A for both purposes. This corresponds to the <
code class="option">-z</
code>
5841N/A option in <
span class="command"><
strong>dnssec-signzone</
strong></
span>.
5841N/A<
dt><
span class="term">zonefile</
span></
dt>
5841N/A The file containing the zone to be signed.
5841N/A<
a name="id-1.9"></
a><
h2>SEE ALSO</
h2>
5841N/A <
span class="citerefentry">
5841N/A <
span class="refentrytitle">dnssec-signzone</
span>(8)
5841N/A <
em class="citetitle">BIND 9 Administrator Reference Manual</
em>,
5841N/A <
em class="citetitle">RFC 4033</
em>.