dnssec-verify.html revision fd2597f75693a2279fdf588bd40dfe2407c42028
<!--
 - Copyright (C) 2012, 2014, 2015 Internet Systems Consortium, Inc. ("ISC")
 -
 - Permission to use, copy, modify, and/or distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 -
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
-->
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
<a name="man.dnssec-verify"></a><div class="titlepage"></div>
<p><span class="application">dnssec-verify</span> — DNSSEC zone verification tool</p>
<div class="cmdsynopsis"><p><code class="command">dnssec-verify</code> [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-I <em class="replaceable"><code>input-format</code></em></code>] [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-V</code>] [<code class="option">-x</code>] [<code class="option">-z</code>] {zonefile}</p></div>
<p><span class="command"><strong>dnssec-verify</strong></span>
 verifies that a zone is fully signed for each algorithm found
 in the DNSKEY RRset for the zone, and that the NSEC / NSEC3
 chains are complete.</p>
<div class="variablelist"><dl class="variablelist">
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
<dd><p>Specifies the DNS class of the zone.</p></dd>
<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
<dd><p>Specifies the cryptographic hardware to use, when applicable.
 When BIND is built with OpenSSL PKCS#11 support, this defaults
 to the string "pkcs11", which identifies an OpenSSL engine
 that can drive a cryptographic accelerator or hardware security
 module. When BIND is built with native PKCS#11 cryptography
 (--enable-native-pkcs11), it defaults to the path of the PKCS#11
 provider library specified via "--with-pkcs11".</p></dd>
<dt><span class="term">-I <em class="replaceable"><code>input-format</code></em></span></dt>
<dd><p>The format of the input zone file.
 Possible formats are <span class="command"><strong>"text"</strong></span> (default)
 and <span class="command"><strong>"raw"</strong></span>.
 This option is primarily intended for dynamically
 signed zones, so that a zone file dumped in a non-text
 format and containing updates can be verified independently.
 This option is of little use for non-dynamic zones.</p></dd>
<dt><span class="term">-o <em class="replaceable"><code>origin</code></em></span></dt>
<dd><p>The zone origin. If not specified, the name of the zone file
 is assumed to be the origin.</p></dd>
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
<dd><p>Sets the debugging level.</p></dd>
<dt><span class="term">-V</span></dt>
<dd><p>Prints version information.</p></dd>
<dt><span class="term">-x</span></dt>
<dd><p>Only verify that the DNSKEY RRset is signed with key-signing
 keys. Without this flag, it is assumed that the DNSKEY RRset
 will be signed by all active keys. When this flag is set,
 it will not be an error if the DNSKEY RRset is not signed
 by zone-signing keys. This corresponds to the <code class="option">-x</code>
 option in <span class="command"><strong>dnssec-signzone</strong></span>.</p></dd>
<dt><span class="term">-z</span></dt>
<dd><p>Ignore the KSK flag on the keys when determining whether
 the zone is correctly signed. Without this flag it is
 assumed that there will be a non-revoked, self-signed
 DNSKEY with the KSK flag set for each algorithm and
 that RRsets other than the DNSKEY RRset will be signed with
 a different DNSKEY without the KSK flag set.
 With this flag set, we only require that for each algorithm
 there will be at least one non-revoked, self-signed DNSKEY,
 regardless of the KSK flag state, and that other RRsets
 will be signed by a non-revoked key for the same algorithm
 that includes the self-signed key; the same key may be used
 for both purposes. This corresponds to the <code class="option">-z</code>
 option in <span class="command"><strong>dnssec-signzone</strong></span>.</p></dd>
<dt><span class="term">zonefile</span></dt>
<dd><p>The file containing the zone to be verified.</p></dd>
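<p>The rules behind <code class="option">-x</code> and <code class="option">-z</code> reduce to a small set of per-algorithm checks on which DNSKEYs sign the DNSKEY RRset and which sign everything else. The Python below is an added example, not BIND's code: it models those checks structurally, matching RRSIGs to DNSKEYs by algorithm and key tag only (no cryptographic validation, no validity-period checks, no NSEC/NSEC3 chain walking), and runs them over a constructed sample zone. <code>check_zone</code>, <code>DNSKey</code>, <code>RRSIG</code>, the key tags and the zone name are this example's own; it also goes slightly beyond the text by reporting every failing RRset rather than stopping at the first.</p>

```python
"""Structural model of the checks that dnssec-verify's -x and -z options change.

Added example, not BIND code. RRSIGs are matched to DNSKEYs by algorithm and
key tag only: no signatures are verified cryptographically, validity periods
are ignored and the NSEC/NSEC3 chain is not walked. Sample data is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass

# DNSKEY flag bits: 256 = ZONE, 257 = ZONE|SEP (the "KSK flag"), 128 = REVOKE (RFC 5011)
SEP_FLAG = 0x0001
REVOKE_FLAG = 0x0080


@dataclass(frozen=True)
class DNSKey:
    tag: int
    algorithm: int
    flags: int

    @property
    def is_ksk(self) -> bool:
        return bool(self.flags & SEP_FLAG)

    @property
    def is_revoked(self) -> bool:
        return bool(self.flags & REVOKE_FLAG)


@dataclass(frozen=True)
class RRSIG:
    owner: str
    covers: str        # type covered, e.g. "DNSKEY", "SOA", "A"
    algorithm: int
    key_tag: int


def check_zone(origin, keys, rrsets, rrsigs, ksk_only=False, ignore_ksk_flag=False):
    """Return (ok, problems) for the rules the man page states.

    ksk_only        models -x: the DNSKEY RRset need only be signed by KSKs
    ignore_ksk_flag models -z: any non-revoked self-signed key is acceptable
    rrsets          is a list of (owner, type) pairs present in the zone
    """
    problems = []
    by_alg = defaultdict(list)
    for key in keys:
        by_alg[key.algorithm].append(key)
    signers = defaultdict(set)            # (owner, type) -> {(algorithm, key_tag)}
    for sig in rrsigs:
        signers[(sig.owner, sig.covers)].add((sig.algorithm, sig.key_tag))
    dnskey_rrset = (origin, "DNSKEY")

    for alg, alg_keys in sorted(by_alg.items()):
        active = [k for k in alg_keys if not k.is_revoked]
        self_signed = [k for k in active if (alg, k.tag) in signers[dnskey_rrset]]

        # Rule 1: the DNSKEY RRset is self-signed by an acceptable non-revoked key.
        if ignore_ksk_flag:
            if not self_signed:
                problems.append(f"alg {alg}: no non-revoked self-signed DNSKEY")
        elif not any(k.is_ksk for k in self_signed):
            problems.append(f"alg {alg}: DNSKEY RRset not signed by a non-revoked KSK")

        # Rule 2 (waived by -x): every active key of the algorithm signs the DNSKEY RRset.
        if not ksk_only:
            for k in active:
                if k not in self_signed:
                    problems.append(f"alg {alg}: active key {k.tag} does not sign the DNSKEY RRset")

        # Rule 3: every other RRset carries a signature from a zone-signing key of
        # this algorithm: a key without the KSK flag by default, any active key under -z.
        if ignore_ksk_flag:
            zone_signers = {(alg, k.tag) for k in active}
        else:
            zone_signers = {(alg, k.tag) for k in active if not k.is_ksk}
        for rrset in rrsets:
            if rrset != dnskey_rrset and not (signers[rrset] & zone_signers):
                problems.append(f"alg {alg}: {rrset[1]} at {rrset[0]} lacks a ZSK signature")
    return (not problems, problems)


# --- Constructed sample zone (algorithm 13, ECDSAP256SHA256) ---------------------
ORIGIN = "example.test."
RRSETS = [(ORIGIN, "SOA"), (ORIGIN, "NS"), (ORIGIN, "DNSKEY"), (ORIGIN, "NSEC"),
          ("www." + ORIGIN, "A"), ("www." + ORIGIN, "NSEC")]
NON_DNSKEY = [r for r in RRSETS if r[1] != "DNSKEY"]


def sign_with(tag, alg, targets):
    """Fabricate RRSIGs over the given (owner, type) pairs by one key."""
    return [RRSIG(owner, rtype, alg, tag) for owner, rtype in targets]


SPLIT_KEYS = [DNSKey(1001, 13, 257), DNSKey(2002, 13, 256)]          # KSK + ZSK
# dnssec-signzone default: KSK signs DNSKEY, ZSK signs everything including DNSKEY
SPLIT_SIGS_DEFAULT = sign_with(1001, 13, [(ORIGIN, "DNSKEY")]) + sign_with(2002, 13, RRSETS)
# dnssec-signzone -x: the ZSK no longer signs the DNSKEY RRset
SPLIT_SIGS_X = sign_with(1001, 13, [(ORIGIN, "DNSKEY")]) + sign_with(2002, 13, NON_DNSKEY)
CSK_KEYS = [DNSKey(3003, 13, 257)]                                    # one key, KSK flag set
CSK_SIGS = sign_with(3003, 13, RRSETS)                                # and it signs everything

if __name__ == "__main__":
    for label, keys, sigs, opts in [
        ("split keys, default signing", SPLIT_KEYS, SPLIT_SIGS_DEFAULT, {}),
        ("split keys, signzone -x, verify without -x", SPLIT_KEYS, SPLIT_SIGS_X, {}),
        ("split keys, signzone -x, verify -x", SPLIT_KEYS, SPLIT_SIGS_X, {"ksk_only": True}),
        ("single CSK, verify without -z", CSK_KEYS, CSK_SIGS, {}),
        ("single CSK, verify -z", CSK_KEYS, CSK_SIGS, {"ignore_ksk_flag": True}),
    ]:
        ok, problems = check_zone(ORIGIN, keys, RRSETS, sigs, **opts)
        print(f"{label}: {'OK' if ok else 'FAIL'} {problems}")
```

<p>Running the script shows the two mismatches the options exist for: a zone signed with <code>dnssec-signzone -x</code> fails unless it is verified with <code>-x</code> (the ZSK never signed the DNSKEY RRset), and a zone signed by a single key carrying the KSK flag fails unless verified with <code>-z</code> (no key without the KSK flag signed the other RRsets). A revoked KSK drops out of the "active" set, so a zone whose only KSK is revoked fails by default but passes under <code>-z</code> if the ZSK also self-signs the DNSKEY RRset.</p>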
<span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,