<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
 - Copyright (C) 2012, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
 -
 - This Source Code Form is subject to the terms of the Mozilla Public
 - License, v. 2.0. If a copy of the MPL was not distributed with this
 - file, You can obtain one at http://mozilla.org/MPL/2.0/.
-->
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>dnssec-verify</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
<a name="man.dnssec-verify"></a><div class="titlepage"></div>

 <div class="refnamediv">
<h2>Name</h2>
<p>
 <span class="application">dnssec-verify</span>
 &#8212; DNSSEC zone verification tool
 </p>
</div>

 <div class="refsynopsisdiv">
<h2>Synopsis</h2>
 <div class="cmdsynopsis"><p>
 <code class="command">dnssec-verify</code>
 [<code class="option">-c <em class="replaceable"><code>class</code></em></code>]
 [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>]
 [<code class="option">-I <em class="replaceable"><code>input-format</code></em></code>]
 [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>]
 [<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
 [<code class="option">-V</code>]
 [<code class="option">-x</code>]
 [<code class="option">-z</code>]
 {zonefile}
 </p></div>
 </div>

 <div class="refsection">
<a name="id-1.7"></a><h2>DESCRIPTION</h2>

 <p><span class="command"><strong>dnssec-verify</strong></span>
 verifies that a zone is fully signed for each algorithm found
 in the DNSKEY RRset for the zone, and that the NSEC / NSEC3
 chains are complete.
 </p>
 </div>

 <div class="refsection">
<a name="id-1.8"></a><h2>OPTIONS</h2>

 <div class="variablelist"><dl class="variablelist">
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
<dd>
 <p>
 Specifies the DNS class of the zone.
 </p>
 </dd>
<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
<dd>
 <p>
 Specifies the cryptographic hardware to use, when applicable.
 </p>
 <p>
 When BIND is built with OpenSSL PKCS#11 support, this defaults
 to the string "pkcs11", which identifies an OpenSSL engine
 that can drive a cryptographic accelerator or hardware service
 module. When BIND is built with native PKCS#11 cryptography
 (--enable-native-pkcs11), it defaults to the path of the PKCS#11
 provider library specified via "--with-pkcs11".
 </p>
 </dd>
<dt><span class="term">-I <em class="replaceable"><code>input-format</code></em></span></dt>
<dd>
 <p>
 The format of the input zone file.
 Possible formats are <span class="command"><strong>"text"</strong></span> (default)
 and <span class="command"><strong>"raw"</strong></span>.
 This option is primarily intended to be used for dynamic
 signed zones so that the dumped zone file in a non-text
 format containing updates can be verified independently.
 The use of this option does not make much sense for
 non-dynamic zones.
 </p>
 </dd>
<dt><span class="term">-o <em class="replaceable"><code>origin</code></em></span></dt>
<dd>
 <p>
 The zone origin. If not specified, the name of the zone file
 is assumed to be the origin.
 </p>
 </dd>
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
<dd>
 <p>
 Sets the debugging level.
 </p>
 </dd>
<dt><span class="term">-V</span></dt>
<dd>
 <p>
 Prints version information.
 </p>
 </dd>
<dt><span class="term">-x</span></dt>
<dd>
 <p>
 Only verify that the DNSKEY RRset is signed with key-signing
 keys. Without this flag, it is assumed that the DNSKEY RRset
 will be signed by all active keys. When this flag is set,
 it will not be an error if the DNSKEY RRset is not signed
 by zone-signing keys. This corresponds to the <code class="option">-x</code>
 option in <span class="command"><strong>dnssec-signzone</strong></span>.
 </p>
 </dd>
<dt><span class="term">-z</span></dt>
<dd>
 <p>
 Ignore the KSK flag on the keys when determining whether
 the zone is correctly signed. Without this flag, it is
 assumed that there will be a non-revoked, self-signed
 DNSKEY with the KSK flag set for each algorithm and
 that RRsets other than the DNSKEY RRset will be signed with
 a different DNSKEY without the KSK flag set.
 </p>
 <p>
 With this flag set, we only require that for each algorithm,
 there will be at least one non-revoked, self-signed DNSKEY,
 regardless of the KSK flag state, and that other RRsets
 will be signed by a non-revoked key for the same algorithm
 that includes the self-signed key; the same key may be used
 for both purposes. This corresponds to the <code class="option">-z</code>
 option in <span class="command"><strong>dnssec-signzone</strong></span>.
 </p>
 </dd>
<dt><span class="term">zonefile</span></dt>
<dd>
 <p>
 The file containing the zone to be verified.
 </p>
 </dd>
</dl></div>
 </div>
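 <p>
 A pre-publication gate built on the options above, as an added example that is not part of the BIND documentation: it always passes -o explicitly (otherwise the zone file's name is taken as the origin) and selects -I raw for dumped raw-format files.
 Assumptions: a non-zero exit status from dnssec-verify means the zone failed verification; the manifest format, the ".raw" suffix convention and the DNSSEC_VERIFY override variable are hypothetical conventions of this script.
 </p>

```shell
#!/bin/sh
# Added example: block publication unless every zone passes dnssec-verify.
# Assumption: dnssec-verify exits non-zero when verification fails.
# DNSSEC_VERIFY (hypothetical variable) lets a full path to the binary
# be pinned instead of relying on PATH.
DNSSEC_VERIFY="${DNSSEC_VERIFY:-dnssec-verify}"

# verify_zone ORIGIN ZONEFILE [extra options such as -x or -z]
# -o is always given, so a file name like "db.example.com.signed" is
# never mistaken for the zone origin.
verify_zone() {
    vz_origin=$1
    vz_file=$2
    shift 2
    case $vz_file in
        *.raw) vz_fmt=raw ;;   # this script's convention for raw-format dumps
        *)     vz_fmt=text ;;  # the documented default
    esac
    "$DNSSEC_VERIFY" -I "$vz_fmt" -o "$vz_origin" "$@" "$vz_file"
}

# verify_manifest FILE
# Manifest lines (operator-controlled file): ORIGIN ZONEFILE [OPTIONS...]
# Blank lines and lines starting with '#' are skipped.
# Sets VM_FAILED to the number of failed zones; returns non-zero if any
# failed, so a caller can stop the publish step.
verify_manifest() {
    VM_FAILED=0
    while read -r vm_origin vm_file vm_opts; do
        case $vm_origin in ''|'#'*) continue ;; esac
        # vm_opts is left unquoted on purpose: it holds separate flags.
        # stdin is redirected so the tool cannot consume manifest lines.
        if ! verify_zone "$vm_origin" "$vm_file" $vm_opts < /dev/null; then
            echo "FAILED: $vm_origin ($vm_file)" >&2
            VM_FAILED=$((VM_FAILED + 1))
        fi
    done < "$1"
    [ "$VM_FAILED" -eq 0 ]
}

# Usage: verify_manifest zones.manifest && publish_zones
# (publish_zones stands for whatever deploy step follows; hypothetical.)
```

 <p>
 A line with a missing zone file name is passed through to the tool and counted as a failure, so the gate fails closed.
 </p>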

 <div class="refsection">
<a name="id-1.9"></a><h2>SEE ALSO</h2>

 <p>
 <span class="citerefentry">
 <span class="refentrytitle">dnssec-signzone</span>(8)
 </span>,
 <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
 <em class="citetitle">RFC 4033</em>.
 </p>
 </div>

</div></body>
</html>