dnssec-verify.html revision 33d0a7767d53cb366039fd0ac4f63cf8a9c351b0
<!--
 - Copyright (C) 2012, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
 -
 - Permission to use, copy, modify, and/or distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 -
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
-->
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
<a name="man.dnssec-verify"></a><div class="titlepage"></div>
<p><span class="application">dnssec-verify</span> — DNSSEC zone verification tool</p>
<div class="cmdsynopsis"><p><code class="command">dnssec-verify</code> [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-I <em class="replaceable"><code>input-format</code></em></code>] [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-V</code>] [<code class="option">-x</code>] [<code class="option">-z</code>] {zonefile}</p></div>
<p><span class="command"><strong>dnssec-verify</strong></span>
 verifies that a zone is fully signed for each algorithm found
 in the DNSKEY RRset for the zone, and that the NSEC / NSEC3
 chains are complete.</p>
<div class="variablelist"><dl class="variablelist">
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
<dd><p>Specifies the DNS class of the zone.</p></dd>
<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
<dd><p>Specifies the cryptographic hardware to use, when applicable.
 When BIND is built with OpenSSL PKCS#11 support, this defaults
 to the string "pkcs11", which identifies an OpenSSL engine
 that can drive a cryptographic accelerator or hardware service
 module. When BIND is built with native PKCS#11 cryptography
 (--enable-native-pkcs11), it defaults to the path of the PKCS#11
 provider library specified via "--with-pkcs11".</p></dd>
<dt><span class="term">-I <em class="replaceable"><code>input-format</code></em></span></dt>
<dd><p>The format of the input zone file.
 Possible formats are <span class="command"><strong>"text"</strong></span> (default)
 and <span class="command"><strong>"raw"</strong></span>.
 This option is primarily intended to be used for dynamic
 signed zones so that the dumped zone file in a non-text
 format containing updates can be verified independently.
 The use of this option does not make much sense for
 non-dynamic zones.</p></dd>
<dt><span class="term">-o <em class="replaceable"><code>origin</code></em></span></dt>
<dd><p>The zone origin. If not specified, the name of the zone file
 is assumed to be the origin.</p></dd>
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
<dd><p>Sets the debugging level.</p></dd>
<dt><span class="term">-V</span></dt>
<dd><p>Prints version information.</p></dd>
<dt><span class="term">-x</span></dt>
<dd><p>Only verify that the DNSKEY RRset is signed with key-signing
 keys. Without this flag, it is assumed that the DNSKEY RRset
 will be signed by all active keys. When this flag is set,
 it will not be an error if the DNSKEY RRset is not signed
 by zone-signing keys. This corresponds to the <code class="option">-x</code>
 option in <span class="command"><strong>dnssec-signzone</strong></span>.</p></dd>
<dt><span class="term">-z</span></dt>
<dd><p>Ignore the KSK flag on the keys when determining whether
 the zone is correctly signed. Without this flag it is
 assumed that there will be a non-revoked, self-signed
 DNSKEY with the KSK flag set for each algorithm and
 that RRsets other than the DNSKEY RRset will be signed with
 a different DNSKEY without the KSK flag set.
 With this flag set, we only require that for each algorithm,
 there will be at least one non-revoked, self-signed DNSKEY,
 regardless of the KSK flag state, and that other RRsets
 will be signed by a non-revoked key for the same algorithm
 that includes the self-signed key; the same key may be used
 for both purposes. This corresponds to the <code class="option">-z</code>
 option in <span class="command"><strong>dnssec-signzone</strong></span>.</p></dd>
<dt><span class="term">zonefile</span></dt>
<dd><p>The file containing the zone to be verified.</p></dd>
</dl></div>
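The KSK/ZSK signing policy that the <code class="option">-x</code> and <code class="option">-z</code> options switch between, as an added Python model that is not BIND's own verifier: keys are (tag, alg, flags) tuples with constructed key tags, RRSIGs are (owner, type, tag, alg) tuples, the zone name example. is assumed, and no signature is cryptographically checked.

```python
# Model of the per-algorithm signing-policy checks that the -x and -z flags
# control (added example, not BIND's code). A key is (tag, alg, flags); an RRSIG
# is (owner, type, tag, alg). No signature is cryptographically verified.
ORIGIN = "example."              # constructed zone name used by the sample data
SEP, REVOKE = 0x0001, 0x0080     # DNSKEY flag bits: KSK/SEP (RFC 4034), REVOKE (RFC 5011)

def verify_policy(keys, rrsets, sigs, ksk_only=False, ignore_ksk=False):
    """Return the policy violations dnssec-verify would report; [] means pass.
    ksk_only models -x and ignore_ksk models -z."""
    signed = {}                                   # (owner, type) -> {(tag, alg)}
    for owner, rtype, tag, alg in sigs:
        signed.setdefault((owner, rtype), set()).add((tag, alg))
    dnskey_sigs = signed.get((ORIGIN, "DNSKEY"), set())
    active = [(tag, alg, flags) for tag, alg, flags in keys if not flags & REVOKE]
    problems = []
    for alg in sorted({k[1] for k in keys}):
        alg_keys = [k for k in active if k[1] == alg]
        # (1) one non-revoked self-signed DNSKEY; it must carry the KSK flag unless -z
        if not any((tag, alg) in dnskey_sigs and (ignore_ksk or flags & SEP)
                   for tag, _, flags in alg_keys):
            problems.append(f"alg {alg}: no self-signed {'' if ignore_ksk else 'KSK '}DNSKEY")
        # (2) without -x, every active key of the algorithm must have signed the DNSKEY RRset
        if not ksk_only:
            problems += [f"alg {alg}: DNSKEY RRset not signed by key {tag}"
                         for tag, _, _ in alg_keys if (tag, alg) not in dnskey_sigs]
        # (3) every other RRset needs a non-revoked signer of this algorithm,
        #     and by default that signer must be a key without the KSK flag
        zone_signers = {(tag, alg) for tag, _, flags in alg_keys if ignore_ksk or not flags & SEP}
        for owner, rtype in sorted(rrsets - {(ORIGIN, "DNSKEY")}):
            if not signed.get((owner, rtype), set()) & zone_signers:
                problems.append(f"alg {alg}: {owner}/{rtype} not signed by a zone key")
    return problems

# Constructed sample: an algorithm-13 KSK/ZSK pair where only the KSK signed the
# DNSKEY RRset (key tags are made up for illustration)
KEYS = [(12345, 13, 257), (54321, 13, 256)]
RRSETS = {(ORIGIN, "DNSKEY"), (ORIGIN, "SOA"), (ORIGIN, "NS"), ("www.example.", "A")}
SIGS = [(ORIGIN, "DNSKEY", 12345, 13)] + [(o, t, 54321, 13) for o, t in RRSETS if t != "DNSKEY"]
# Constructed sample: a single key without the KSK flag signs everything (the -z case)
CSK_KEYS = [(777, 13, 256)]
CSK_SIGS = [(o, t, 777, 13) for o, t in RRSETS]

if __name__ == "__main__":
    print(verify_policy(KEYS, RRSETS, SIGS))                 # ZSK 54321 did not sign DNSKEY
    print(verify_policy(KEYS, RRSETS, SIGS, ksk_only=True))  # [] under -x
    print(verify_policy(CSK_KEYS, RRSETS, CSK_SIGS))         # no KSK-flagged self-signed key
    print(verify_policy(CSK_KEYS, RRSETS, CSK_SIGS, ignore_ksk=True))  # [] under -z
```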
 <span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
 <em class="citetitle">BIND 9 Administrator Reference Manual</em>,