dnssec-verify.html revision fd2597f75693a2279fdf588bd40dfe2407c42028
<!--
 - Copyright (C) 2012, 2014, 2015 Internet Systems Consortium, Inc. ("ISC")
 -
 - Permission to use, copy, modify, and/or distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 -
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
-->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>dnssec-verify</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
<a name="man.dnssec-verify"></a><div class="titlepage"></div>
<div class="refnamediv">
<h2>Name</h2>
<p><span class="application">dnssec-verify</span> &#8212; DNSSEC zone verification tool</p>
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p><code class="command">dnssec-verify</code> [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-I <em class="replaceable"><code>input-format</code></em></code>] [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-V</code>] [<code class="option">-x</code>] [<code class="option">-z</code>] {zonefile}</p></div>
</div>
<div class="refsection">
<a name="id-1.7"></a><h2>DESCRIPTION</h2>
<p><span class="command"><strong>dnssec-verify</strong></span>
 verifies that a zone is fully signed for each algorithm found
 in the DNSKEY RRset for the zone, and that the NSEC / NSEC3
 chains are complete.
 </p>
</div>
<div class="refsection">
<a name="id-1.8"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl class="variablelist">
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
<dd><p>
 Specifies the DNS class of the zone.
 </p></dd>
<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
<dd>
<p>
 Specifies the cryptographic hardware to use, when applicable.
 </p>
<p>
 When BIND is built with OpenSSL PKCS#11 support, this defaults
 to the string "pkcs11", which identifies an OpenSSL engine
 that can drive a cryptographic accelerator or hardware service
 module. When BIND is built with native PKCS#11 cryptography
 (--enable-native-pkcs11), it defaults to the path of the PKCS#11
 provider library specified via "--with-pkcs11".
 </p>
</dd>
<dt><span class="term">-I <em class="replaceable"><code>input-format</code></em></span></dt>
<dd><p>
 The format of the input zone file.
 Possible formats are <span class="command"><strong>"text"</strong></span> (default)
 and <span class="command"><strong>"raw"</strong></span>.
 This option is primarily intended to be used for dynamic
 signed zones so that the dumped zone file in a non-text
 format containing updates can be verified independently.
 The use of this option does not make much sense for
 non-dynamic zones.
 </p></dd>
<dt><span class="term">-o <em class="replaceable"><code>origin</code></em></span></dt>
<dd><p>
 The zone origin. If not specified, the name of the zone file
 is assumed to be the origin.
 </p></dd>
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
<dd><p>
 Sets the debugging level.
 </p></dd>
<dt><span class="term">-V</span></dt>
<dd><p>
 Prints version information.
 </p></dd>
<dt><span class="term">-x</span></dt>
<dd><p>
 Only verify that the DNSKEY RRset is signed with key-signing
 keys. Without this flag, it is assumed that the DNSKEY RRset
 will be signed by all active keys. When this flag is set,
 it will not be an error if the DNSKEY RRset is not signed
 by zone-signing keys. This corresponds to the <code class="option">-x</code>
 option in <span class="command"><strong>dnssec-signzone</strong></span>.
 </p></dd>
<dt><span class="term">-z</span></dt>
<dd>
<p>
 Ignore the KSK flag on the keys when determining whether
 the zone is correctly signed. Without this flag it is
 assumed that there will be a non-revoked, self-signed
 DNSKEY with the KSK flag set for each algorithm and
 that RRsets other than DNSKEY RRset will be signed with
 a different DNSKEY without the KSK flag set.
 </p>
<p>
 With this flag set, we only require that for each algorithm,
 there will be at least one non-revoked, self-signed DNSKEY,
 regardless of the KSK flag state, and that other RRsets
 will be signed by a non-revoked key for the same algorithm
 that includes the self-signed key; the same key may be used
 for both purposes. This corresponds to the <code class="option">-z</code>
 option in <span class="command"><strong>dnssec-signzone</strong></span>.
 </p>
</dd>
<dt><span class="term">zonefile</span></dt>
<dd><p>
 The file containing the zone to be signed.
 </p></dd>
</dl></div>
</div>
<div class="refsection">
<a name="id-1.9"></a><h2>SEE ALSO</h2>
<p>
 <span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
 <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
 <em class="citetitle">RFC 4033</em>.
 </p>
</div>
</div></body>
</html>

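<p>The per-algorithm key-usage rules that the <code class="option">-x</code> and <code class="option">-z</code> options change, modelled as an added example (not code from BIND or from this manual): a Python check of which DNSKEYs must self-sign, which must sign the DNSKEY RRset, and which may sign the rest of the zone in default, <code class="option">-x</code> and <code class="option">-z</code> mode. The zone name <code>example.test.</code>, the key tags and the RRSIG list are constructed for illustration, and every RRSIG is assumed to be already cryptographically valid; only the policy is modelled.</p>

```python
# Added example, not BIND's own code: a model of the per-algorithm key-usage
# policy that dnssec-verify applies in default, -x and -z modes.  RRSIGs are
# given as (owner, rrtype, algorithm, keytag) and assumed cryptographically
# valid; only the policy logic is modelled.
from collections import namedtuple

KSK, REVOKE = 0x0001, 0x0080  # DNSKEY flag bits (RFC 4034 SEP, RFC 5011 REVOKE)
Key = namedtuple("Key", "tag alg flags")         # one DNSKEY of the apex RRset
Sig = namedtuple("Sig", "owner rrtype alg tag")  # one RRSIG covering owner/rrtype

def check_zone(keys, sigs, rrsets, x=False, z=False):
    """Return policy errors; rrsets lists (owner, rrtype) pairs other than DNSKEY."""
    errors = []
    dnskey_signers = {s.tag for s in sigs if s.rrtype == "DNSKEY"}
    for alg in sorted({k.alg for k in keys}):
        active = [k for k in keys if k.alg == alg and not k.flags & REVOKE]
        self_signed = [k for k in active if k.tag in dnskey_signers]
        # Anchor: a non-revoked self-signed KSK, or with -z any non-revoked
        # self-signed key regardless of the KSK flag.
        anchors = self_signed if z else [k for k in self_signed if k.flags & KSK]
        if not anchors:
            errors.append(f"alg {alg}: no non-revoked self-signed {'' if z else 'KSK '}DNSKEY")
        # DNSKEY RRset signers: all active keys by default, only KSKs with -x,
        # nothing beyond the anchor with -z.
        must_sign = [] if z else [k for k in active if not x or k.flags & KSK]
        for k in must_sign:
            if k.tag not in dnskey_signers:
                errors.append(f"alg {alg}: DNSKEY RRset not signed by key {k.tag}")
        # Other RRsets: a non-KSK key by default; with -z any non-revoked key of
        # the algorithm, so the anchor itself may sign them.
        allowed = {k.tag for k in active if z or not k.flags & KSK}
        for owner, rrtype in rrsets:
            covering = {s.tag for s in sigs
                        if (s.owner, s.rrtype, s.alg) == (owner, rrtype, alg)}
            if not covering & allowed:
                errors.append(f"alg {alg}: {owner}/{rrtype} not signed by an allowed key")
    return errors

# Constructed sample zone: one ECDSAP256SHA256 (alg 13) KSK and one ZSK.
ZONE = "example.test."
KEYS = [Key(10000, 13, 257), Key(20000, 13, 256)]
RRSETS = [(ZONE, "SOA"), ("www." + ZONE, "A")]
FULL_SIGS = [Sig(ZONE, "DNSKEY", 13, 10000), Sig(ZONE, "DNSKEY", 13, 20000),
             Sig(ZONE, "SOA", 13, 20000), Sig("www." + ZONE, "A", 13, 20000)]
# Same zone signed "dnssec-signzone -x" style: the ZSK does not sign DNSKEY.
KSK_ONLY_SIGS = [s for s in FULL_SIGS if (s.rrtype, s.tag) != ("DNSKEY", 20000)]
# Single-key zone (no KSK flag) that signs everything itself: verifies only with -z.
ONE_KEY = [Key(30000, 13, 256)]
ONE_KEY_SIGS = [Sig(o, t, 13, 30000) for o, t in [(ZONE, "DNSKEY")] + RRSETS]
```

<p>A zone signed with <code>dnssec-signzone -x</code> fails the default check because the ZSK never signs the DNSKEY RRset, and passes with <code>x=True</code>; the single-key zone fails without <code>z=True</code> because no self-signed key carries the KSK flag.</p>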