<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
 - Copyright (C) 2000-2018 Internet Systems Consortium, Inc. ("ISC")
 - This Source Code Form is subject to the terms of the Mozilla Public
 - License, v. 2.0. If a copy of the MPL was not distributed with this
 - file, You can obtain one at http://mozilla.org/MPL/2.0/.
-->
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
<link rel="prev" href="man.dnssec-signzone.html" title="dnssec-signzone">
<link rel="next" href="man.lwresd.html" title="lwresd">
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<a name="man.dnssec-verify"></a><div class="titlepage"></div>
<span class="application">dnssec-verify</span>
— DNSSEC zone verification tool
[<code class="option">-c <em class="replaceable"><code>class</code></em></code>]
[<code class="option">-E <em class="replaceable"><code>engine</code></em></code>]
[<code class="option">-I <em class="replaceable"><code>input-format</code></em></code>]
[<code class="option">-o <em class="replaceable"><code>origin</code></em></code>]
[<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
<a name="id-1.14.17.7"></a><h2>DESCRIPTION</h2>
<p><span class="command"><strong>dnssec-verify</strong></span>
verifies that a zone is fully signed for each algorithm found
in the DNSKEY RRset for the zone, and that the NSEC / NSEC3
chains are complete.</p>
<div class="variablelist"><dl class="variablelist">
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
Specifies the DNS class of the zone.
<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
Specifies the cryptographic hardware to use, when applicable.
When BIND is built with OpenSSL PKCS#11 support, this defaults
to the string "pkcs11", which identifies an OpenSSL engine
that can drive a cryptographic accelerator or hardware service
module. When BIND is built with native PKCS#11 cryptography
(--enable-native-pkcs11), it defaults to the path of the PKCS#11
provider library specified via "--with-pkcs11".
<dt><span class="term">-I <em class="replaceable"><code>input-format</code></em></span></dt>
The format of the input zone file.
Possible formats are <span class="command"><strong>"text"</strong></span> (default)
and <span class="command"><strong>"raw"</strong></span>.
This option is primarily intended to be used for dynamic
signed zones so that the dumped zone file in a non-text
format containing updates can be verified independently.
The use of this option does not make much sense for
non-dynamic zones.
<dt><span class="term">-o <em class="replaceable"><code>origin</code></em></span></dt>
The zone origin. If not specified, the name of the zone file
is assumed to be the origin.
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
Sets the debugging level.
<dt><span class="term">-V</span></dt>
Prints version information.
<dt><span class="term">-x</span></dt>
Only verify that the DNSKEY RRset is signed with key-signing
keys. Without this flag, it is assumed that the DNSKEY RRset
will be signed by all active keys. When this flag is set,
it will not be an error if the DNSKEY RRset is not signed
by zone-signing keys. This corresponds to the <code class="option">-x</code>
option in <span class="command"><strong>dnssec-signzone</strong></span>.
<dt><span class="term">-z</span></dt>
Ignore the KSK flag on the keys when determining whether
the zone is correctly signed. Without this flag, it is
assumed that there will be a non-revoked, self-signed
DNSKEY with the KSK flag set for each algorithm and
that RRsets other than the DNSKEY RRset will be signed with
a different DNSKEY without the KSK flag set.
With this flag set, we only require that for each algorithm,
there will be at least one non-revoked, self-signed DNSKEY,
regardless of the KSK flag state, and that other RRsets
will be signed by a non-revoked key for the same algorithm
that includes the self-signed key; the same key may be used
for both purposes. This corresponds to the <code class="option">-z</code>
option in <span class="command"><strong>dnssec-signzone</strong></span>.
<dt><span class="term">zonefile</span></dt>
The file containing the zone to be signed.
</dl></div>
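<p>The Python model below is an added example, not BIND code. It restates the two key-role rules above (the ones corresponding to <code>-x</code> and <code>-z</code> in dnssec-signzone) exactly as worded on this page, assuming a key counts as self-signed when its tag is among the DNSKEY RRset signers and that every non-revoked key is active. The <code>Key</code> class, <code>check_zone</code>, and all key tags and RRset names are constructed for illustration.</p>

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Key:                      # hypothetical model of one DNSKEY record
    tag: int
    alg: int
    ksk: bool                   # KSK flag set
    revoked: bool = False

def check_zone(keys, dnskey_signers, rrset_signers, x_mode=False, z_mode=False):
    """Return a list of problems; an empty list means the model accepts the zone.

    dnskey_signers: tags of keys with a signature over the DNSKEY RRset.
    rrset_signers:  {rrset name: tags of keys with a signature over it}.
    """
    problems = []
    for alg in sorted({k.alg for k in keys}):
        live = [k for k in keys if k.alg == alg and not k.revoked]
        # A non-revoked self-signed DNSKEY per algorithm; KSK flag required unless z_mode.
        if not any(k.tag in dnskey_signers and (z_mode or k.ksk) for k in live):
            problems.append(f"alg {alg}: no usable self-signed DNSKEY")
        # Without x_mode every active key is expected to sign the DNSKEY RRset.
        if not x_mode:
            problems += [f"alg {alg}: DNSKEY RRset not signed by {k.tag}"
                         for k in live if k.tag not in dnskey_signers]
        # Other RRsets: a non-KSK key, or any non-revoked key when z_mode is set.
        allowed = {k.tag for k in live if z_mode or not k.ksk}
        problems += [f"alg {alg}: {name} has no acceptable signature"
                     for name, signers in sorted(rrset_signers.items())
                     if not allowed & set(signers)]
    return problems

# Constructed sample 1: split keys, DNSKEY RRset signed by the KSK only.
SPLIT_KEYS = [Key(11111, 13, ksk=True), Key(22222, 13, ksk=False)]
SPLIT_SIGS = {"example.test/SOA": {22222}, "www.example.test/A": {22222}}
# Constructed sample 2: one key with the KSK flag signs everything.
SINGLE_KEY = [Key(33333, 13, ksk=True)]
SINGLE_SIGS = {"example.test/SOA": {33333}, "www.example.test/A": {33333}}

if __name__ == "__main__":
    print(check_zone(SPLIT_KEYS, {11111}, SPLIT_SIGS))                # rejected
    print(check_zone(SPLIT_KEYS, {11111}, SPLIT_SIGS, x_mode=True))   # accepted
    print(check_zone(SINGLE_KEY, {33333}, SINGLE_SIGS))               # rejected
    print(check_zone(SINGLE_KEY, {33333}, SINGLE_SIGS, z_mode=True))  # accepted
```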
<span class="refentrytitle">dnssec-signzone</span>(8)
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.3 (Extended Support Version)</p>