dnssec-verify.html revision 5347c0fcb04eaea19d9f39795646239f487c6207
<!--
 - Copyright (C) 2012, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
 -
 - This Source Code Form is subject to the terms of the Mozilla Public
 - License, v. 2.0. If a copy of the MPL was not distributed with this
 - file, You can obtain one at http://mozilla.org/MPL/2.0/.
-->
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
<a name="man.dnssec-verify"></a><div class="titlepage"></div>
<p><span class="application">dnssec-verify</span> — DNSSEC zone verification tool</p>
<div class="cmdsynopsis"><p><code class="command">dnssec-verify</code> [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-I <em class="replaceable"><code>input-format</code></em></code>] [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-V</code>] [<code class="option">-x</code>] [<code class="option">-z</code>] {zonefile}</p></div>
<p><span class="command"><strong>dnssec-verify</strong></span>
 verifies that a zone is fully signed for each algorithm found
 in the DNSKEY RRset for the zone, and that the NSEC / NSEC3
 chains are complete.</p>
<div class="variablelist"><dl class="variablelist">
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
<dd><p>
 Specifies the DNS class of the zone.
</p></dd>
<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
<dd><p>
 Specifies the cryptographic hardware to use, when applicable.
 When BIND is built with OpenSSL PKCS#11 support, this defaults
 to the string "pkcs11", which identifies an OpenSSL engine
 that can drive a cryptographic accelerator or hardware service
 module. When BIND is built with native PKCS#11 cryptography
 (--enable-native-pkcs11), it defaults to the path of the PKCS#11
 provider library specified via "--with-pkcs11".
</p></dd>
<dt><span class="term">-I <em class="replaceable"><code>input-format</code></em></span></dt>
<dd><p>
 The format of the input zone file.
 Possible formats are <span class="command"><strong>"text"</strong></span> (default)
 and <span class="command"><strong>"raw"</strong></span>.
 This option is primarily intended to be used for dynamic
 signed zones so that the dumped zone file in a non-text
 format containing updates can be verified independently.
 The use of this option does not make much sense for
 non-dynamic zones.
</p></dd>
<dt><span class="term">-o <em class="replaceable"><code>origin</code></em></span></dt>
<dd><p>
 The zone origin. If not specified, the name of the zone file
 is assumed to be the origin.
</p></dd>
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
<dd><p>
 Sets the debugging level.
</p></dd>
<dt><span class="term">-V</span></dt>
<dd><p>
 Prints version information.
</p></dd>
<dt><span class="term">-x</span></dt>
<dd><p>
 Only verify that the DNSKEY RRset is signed with key-signing
 keys. Without this flag, it is assumed that the DNSKEY RRset
 will be signed by all active keys. When this flag is set,
 it will not be an error if the DNSKEY RRset is not signed
 by zone-signing keys. This corresponds to the <code class="option">-x</code>
 option in <span class="command"><strong>dnssec-signzone</strong></span>.
</p></dd>
<dt><span class="term">-z</span></dt>
<dd><p>
 Ignore the KSK flag on the keys when determining whether
 the zone is correctly signed. Without this flag it is
 assumed that there will be a non-revoked, self-signed
 DNSKEY with the KSK flag set for each algorithm and
 that RRsets other than the DNSKEY RRset will be signed with
 a different DNSKEY without the KSK flag set.
 With this flag set, we only require that for each algorithm
 there will be at least one non-revoked, self-signed DNSKEY,
 regardless of the KSK flag state, and that other RRsets
 will be signed by a non-revoked key for the same algorithm
 that includes the self-signed key; the same key may be used
 for both purposes. This corresponds to the <code class="option">-z</code>
 option in <span class="command"><strong>dnssec-signzone</strong></span>.
</p></dd>
<dt><span class="term">zonefile</span></dt>
<dd><p>
 The file containing the zone to be signed.
</p></dd>
<p>
 <span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
 <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
</p>
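<p>The key-policy rules described under <code class="option">-x</code> and <code class="option">-z</code> above, modelled in Python as an added example that is not part of BIND or of this manual page. No cryptography is performed: a "signature" is just the tag of a key recorded as having signed an RRset, the <code>Key</code> class, the <code>verify</code> function and the sample keys, tags and RRsets are all constructed for illustration, and the model assumes that <code class="option">-z</code>, like <code class="option">-x</code>, waives the default requirement that every active key signs the DNSKEY RRset.</p>

```python
from dataclasses import dataclass

SEP_FLAG = 0x0001     # DNSKEY Secure Entry Point bit, the "KSK flag"
REVOKE_FLAG = 0x0080  # DNSKEY REVOKE bit (RFC 5011)

@dataclass(frozen=True)
class Key:
    tag: int    # key tag, as shown in RRSIG records
    alg: int    # DNSSEC algorithm number
    flags: int  # DNSKEY flags field (256 = ZSK, 257 = KSK)

def verify(keys, rrsigs, only_ksk=False, ignore_ksk_flag=False):
    """Return a list of problems; an empty list means the zone passes.
    rrsigs maps an RRset label ("DNSKEY" for the apex DNSKEY RRset, anything
    else for zone data) to the set of key tags that signed it.
    only_ksk models -x, ignore_ksk_flag models -z."""
    problems = []
    active = [k for k in keys if not k.flags & REVOKE_FLAG]
    dnskey_sigs = rrsigs.get("DNSKEY", set())
    for alg in sorted({k.alg for k in keys}):  # each algorithm in the DNSKEY RRset
        alg_keys = [k for k in active if k.alg == alg]
        self_signed = [k for k in alg_keys if k.tag in dnskey_sigs]
        if ignore_ksk_flag:
            # -z: any self-signed key anchors the algorithm and any
            # non-revoked key of that algorithm may sign zone data.
            anchors, signers = self_signed, alg_keys
        else:
            anchors = [k for k in self_signed if k.flags & SEP_FLAG]
            signers = [k for k in alg_keys if not k.flags & SEP_FLAG]
        if not anchors:
            problems.append(f"alg {alg}: no non-revoked self-signed "
                            f"{'' if ignore_ksk_flag else 'KSK '}DNSKEY")
        if not only_ksk and not ignore_ksk_flag:
            # Default run: every active key must have signed the DNSKEY RRset
            # (modelling assumption: -z waives this check as well).
            missing = [k.tag for k in alg_keys if k.tag not in dnskey_sigs]
            if missing:
                problems.append(f"alg {alg}: DNSKEY RRset not signed by keys {missing}")
        signer_tags = {k.tag for k in signers}
        for rrset, tags in rrsigs.items():
            if rrset != "DNSKEY" and not (tags & signer_tags):
                problems.append(f"alg {alg}: {rrset} lacks a valid signature")
    return problems

# Constructed sample: one KSK and one ZSK for algorithm 13; only the KSK
# signed the DNSKEY RRset, the ZSK signed the zone data.
SAMPLE_KEYS = [Key(tag=10001, alg=13, flags=257), Key(tag=20002, alg=13, flags=256)]
SAMPLE_SIGS = {"DNSKEY": {10001}, "SOA": {20002}, "www A": {20002}}
```

<p>On the sample zone a default run reports the DNSKEY RRset as unsigned by the ZSK, while <code>only_ksk=True</code> (<code class="option">-x</code>) and <code>ignore_ksk_flag=True</code> (<code class="option">-z</code>) both accept it.</p>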