5841N/A<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
5841N/A<!--
5841N/A - Copyright (C) 2012, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
5841N/A -
5841N/A - This Source Code Form is subject to the terms of the Mozilla Public
5841N/A - License, v. 2.0. If a copy of the MPL was not distributed with this
5841N/A - file, You can obtain one at http://mozilla.org/MPL/2.0/.
5841N/A-->
5841N/A<html lang="en">
5841N/A<head>
5841N/A<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
5841N/A<title>dnssec-verify</title>
5841N/A<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
5841N/A</head>
5841N/A<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
5841N/A<a name="man.dnssec-verify"></a><div class="titlepage"></div>
5841N/A
5841N/A
5841N/A
5841N/A
5841N/A
5841N/A <div class="refnamediv">
5841N/A<h2>Name</h2>
5841N/A<p>
5841N/A <span class="application">dnssec-verify</span>
5841N/A &#8212; DNSSEC zone verification tool
6211N/A </p>
5841N/A</div>
5841N/A
5841N/A
5841N/A
5841N/A <div class="refsynopsisdiv">
5841N/A<h2>Synopsis</h2>
5841N/A <div class="cmdsynopsis"><p>
5841N/A <code class="command">dnssec-verify</code>
6211N/A [<code class="option">-c <em class="replaceable"><code>class</code></em></code>]
5841N/A [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>]
5841N/A [<code class="option">-I <em class="replaceable"><code>input-format</code></em></code>]
5841N/A [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>]
5841N/A [<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
5841N/A [<code class="option">-V</code>]
5841N/A [<code class="option">-x</code>]
5841N/A [<code class="option">-z</code>]
5841N/A {zonefile}
5841N/A </p></div>
5841N/A </div>
5841N/A
5841N/A <div class="refsection">
5841N/A<a name="id-1.7"></a><h2>DESCRIPTION</h2>
5841N/A
5841N/A <p><span class="command"><strong>dnssec-verify</strong></span>
5841N/A verifies that a zone is fully signed for each algorithm found
5841N/A in the DNSKEY RRset for the zone, and that the NSEC / NSEC3
5841N/A chains are complete.
5841N/A </p>
5841N/A </div>
5841N/A
5841N/A <div class="refsection">
5841N/A<a name="id-1.8"></a><h2>OPTIONS</h2>
5841N/A
5841N/A
5841N/A <div class="variablelist"><dl class="variablelist">
5841N/A<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
5841N/A<dd>
5841N/A <p>
5841N/A Specifies the DNS class of the zone.
5841N/A </p>
5841N/A </dd>
5841N/A<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
5841N/A<dd>
5841N/A <p>
5841N/A Specifies the cryptographic hardware to use, when applicable.
5841N/A </p>
5841N/A <p>
5841N/A When BIND is built with OpenSSL PKCS#11 support, this defaults
5841N/A to the string "pkcs11", which identifies an OpenSSL engine
5841N/A that can drive a cryptographic accelerator or hardware service
5841N/A module. When BIND is built with native PKCS#11 cryptography
5841N/A (--enable-native-pkcs11), it defaults to the path of the PKCS#11
5841N/A provider library specified via "--with-pkcs11".
5841N/A </p>
5841N/A </dd>
5841N/A<dt><span class="term">-I <em class="replaceable"><code>input-format</code></em></span></dt>
5841N/A<dd>
5841N/A <p>
5841N/A The format of the input zone file.
5841N/A Possible formats are <span class="command"><strong>"text"</strong></span> (default)
5841N/A and <span class="command"><strong>"raw"</strong></span>.
5841N/A This option is primarily intended to be used for dynamic
5841N/A signed zones so that the dumped zone file in a non-text
5841N/A format containing updates can be verified independently.
5841N/A The use of this option does not make much sense for
5841N/A non-dynamic zones.
5841N/A </p>
5841N/A </dd>
5841N/A<dt><span class="term">-o <em class="replaceable"><code>origin</code></em></span></dt>
5841N/A<dd>
5841N/A <p>
5841N/A The zone origin. If not specified, the name of the zone file
5841N/A is assumed to be the origin.
5841N/A </p>
5841N/A </dd>
5841N/A<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
5841N/A<dd>
5841N/A <p>
5841N/A Sets the debugging level.
5841N/A </p>
5841N/A </dd>
5841N/A<dt><span class="term">-V</span></dt>
5841N/A<dd>
5841N/A <p>
5841N/A Prints version information.
5841N/A </p>
5841N/A </dd>
6211N/A<dt><span class="term">-x</span></dt>
5841N/A<dd>
5841N/A <p>
5841N/A Only verify that the DNSKEY RRset is signed with key-signing
5841N/A keys. Without this flag, it is assumed that the DNSKEY RRset
5841N/A will be signed by all active keys. When this flag is set,
5841N/A it will not be an error if the DNSKEY RRset is not signed
5841N/A by zone-signing keys. This corresponds to the <code class="option">-x</code>
5841N/A option in <span class="command"><strong>dnssec-signzone</strong></span>.
5841N/A </p>
5841N/A </dd>
5841N/A<dt><span class="term">-z</span></dt>
5841N/A<dd>
5841N/A <p>
5841N/A Ignore the KSK flag on the keys when determining whether
5841N/A the zone if correctly signed. Without this flag it is
5841N/A assumed that there will be a non-revoked, self-signed
5841N/A DNSKEY with the KSK flag set for each algorithm and
5841N/A that RRsets other than DNSKEY RRset will be signed with
5841N/A a different DNSKEY without the KSK flag set.
5841N/A </p>
5841N/A <p>
5841N/A With this flag set, we only require that for each algorithm,
5841N/A there will be at least one non-revoked, self-signed DNSKEY,
5841N/A regardless of the KSK flag state, and that other RRsets
5841N/A will be signed by a non-revoked key for the same algorithm
5841N/A that includes the self-signed key; the same key may be used
5841N/A for both purposes. This corresponds to the <code class="option">-z</code>
5841N/A option in <span class="command"><strong>dnssec-signzone</strong></span>.
5841N/A </p>
5841N/A </dd>
5841N/A<dt><span class="term">zonefile</span></dt>
5841N/A<dd>
5841N/A <p>
5841N/A The file containing the zone to be signed.
5841N/A </p>
5841N/A </dd>
5841N/A</dl></div>
5841N/A </div>
5841N/A
5841N/A <div class="refsection">
5841N/A<a name="id-1.9"></a><h2>SEE ALSO</h2>
5841N/A
5841N/A <p>
5841N/A <span class="citerefentry">
5841N/A <span class="refentrytitle">dnssec-signzone</span>(8)
5841N/A </span>,
5841N/A <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
5841N/A <em class="citetitle">RFC 4033</em>.
5841N/A </p>
5841N/A </div>
5841N/A
5841N/A</div></body>
5841N/A</html>
5841N/A