man.dnssec-verify.html revision 6e6f5e3e1111680cff3ef4a4fa27923548c88f70
6e6f5e3e1111680cff3ef4a4fa27923548c88f70Tinderbox User<!--
 - Copyright (C) 2004-2012 Internet Systems Consortium, Inc. ("ISC")
 - Copyright (C) 2000-2003 Internet Software Consortium.
 -
 - Permission to use, copy, modify, and/or distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 -
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id$ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>dnssec-verify</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.ch10.html" title="Manual pages">
<link rel="prev" href="man.dnssec-signzone.html" title="dnssec-signzone">
<link rel="next" href="man.named-checkconf.html" title="named-checkconf">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<div class="refentry" lang="en">
<a name="man.dnssec-verify"></a><div class="titlepage"></div>
<div class="refnamediv">
<h2>Name</h2>
<p><span class="application">dnssec-verify</span> &#8212; DNSSEC zone verification tool</p>
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p><code class="command">dnssec-verify</code> [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-I <em class="replaceable"><code>input-format</code></em></code>] [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-x</code>] [<code class="option">-z</code>] {zonefile}</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2620620"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">dnssec-verify</strong></span>
 verifies that a zone is fully signed for each algorithm found
 in the DNSKEY RRset for the zone, and that the NSEC / NSEC3
 chains are complete.
 </p>
</div>
<div class="refsect1" lang="en">
<a name="id2620634"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
<dd><p>
 Specifies the DNS class of the zone.
 </p></dd>
<dt><span class="term">-I <em class="replaceable"><code>input-format</code></em></span></dt>
<dd><p>
 The format of the input zone file.
 Possible formats are <span><strong class="command">"text"</strong></span> (default)
 and <span><strong class="command">"raw"</strong></span>.
 This option is primarily intended for dynamic signed zones,
 so that a zone file dumped in a non-text format and
 containing updates can be verified independently.
 The use of this option does not make much sense for
 non-dynamic zones.
 </p></dd>
<dt><span class="term">-o <em class="replaceable"><code>origin</code></em></span></dt>
<dd><p>
 The zone origin. If not specified, the name of the zone file
 is assumed to be the origin.
 </p></dd>
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
<dd><p>
 Sets the debugging level.
 </p></dd>
<dt><span class="term">-x</span></dt>
<dd><p>
 Only verify that the DNSKEY RRset is signed with key-signing
 keys. Without this flag, it is assumed that the DNSKEY RRset
 will be signed by all active keys. When this flag is set,
 it will not be an error if the DNSKEY RRset is not signed
 by zone-signing keys. This corresponds to the <code class="option">-x</code>
 option in <span><strong class="command">dnssec-signzone</strong></span>.
 </p></dd>
<dt><span class="term">-z</span></dt>
<dd>
<p>
 Ignore the KSK flag on the keys when determining whether
 the zone is correctly signed. Without this flag, it is
 assumed that there will be a non-revoked, self-signed
 DNSKEY with the KSK flag set for each algorithm and
 that RRsets other than the DNSKEY RRset will be signed with
 a different DNSKEY without the KSK flag set.
 </p>
<p>
 With this flag set, we only require that for each algorithm,
 there will be at least one non-revoked, self-signed DNSKEY,
 regardless of the KSK flag state, and that other RRsets
 will be signed by a non-revoked key for the same algorithm
 that includes the self-signed key; the same key may be used
 for both purposes. This corresponds to the <code class="option">-z</code>
 option in <span><strong class="command">dnssec-signzone</strong></span>.
 </p>
</dd>
<dt><span class="term">zonefile</span></dt>
<dd><p>
 The file containing the zone to be verified.
 </p></dd>
</dl></div>
</div>
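<p>The key-role rules that <code class="option">-x</code> and <code class="option">-z</code> relax, written out as an added Python model that is not part of the BIND documentation or ISC's code. The <code>Key</code> class, the <code>check</code> function, the key tags and the sample zones are constructed for illustration, and every non-revoked key in the DNSKEY RRset is assumed to be active.</p>

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Key:
    tag: int               # constructed key tag
    alg: int               # DNSSEC algorithm number
    ksk: bool              # KSK flag set on the DNSKEY
    revoked: bool = False

def check(keys, dnskey_signers, data_signers, x=False, z=False):
    """Return policy violations (empty list means the model passes).

    dnskey_signers: tags whose signature covers the DNSKEY RRset
    data_signers:   tags whose signatures cover all other RRsets
    Assumption: every non-revoked key in the set counts as active.
    """
    errors = []
    for alg in sorted({k.alg for k in keys}):
        active = [k for k in keys if k.alg == alg and not k.revoked]
        self_signed = [k for k in active if k.tag in dnskey_signers]
        data = [k for k in active if k.tag in data_signers]
        if z:
            # -z: KSK flag ignored, one key may serve both roles.
            if not self_signed:
                errors.append(f"alg {alg}: no self-signed DNSKEY")
            if not data:
                errors.append(f"alg {alg}: other RRsets unsigned")
        else:
            if not any(k.ksk for k in self_signed):
                errors.append(f"alg {alg}: no self-signed KSK")
            if not any(not k.ksk for k in data):
                errors.append(f"alg {alg}: no non-KSK key signs other RRsets")
        if not x:
            # Without -x every active key must sign the DNSKEY RRset.
            unsigned = [k.tag for k in active if k.tag not in dnskey_signers]
            if unsigned:
                errors.append(f"alg {alg}: DNSKEY RRset not signed by {unsigned}")
    return errors

# Constructed sample zones (tags and algorithms are made up).
SPLIT = [Key(1001, 8, ksk=True), Key(1002, 8, ksk=False)]
CSK = [Key(2001, 13, ksk=False)]

if __name__ == "__main__":
    print(check(SPLIT, {1001, 1002}, {1002}))      # DNSKEY signed by both keys
    print(check(SPLIT, {1001}, {1002}))            # DNSKEY signed by KSK only
    print(check(SPLIT, {1001}, {1002}, x=True))
    print(check(CSK, {2001}, {2001}))              # single key, no KSK flag
    print(check(CSK, {2001}, {2001}, z=True))
```

<p>In this model a zone whose DNSKEY RRset carries only the KSK signature is rejected unless <code class="option">-x</code> is given, and a single-key zone without the KSK flag is rejected unless <code class="option">-z</code> is given.</p>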
<div class="refsect1" lang="en">
<a name="id2620784"></a><h2>SEE ALSO</h2>
<p>
 <span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
 <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
 <em class="citetitle">RFC 4033</em>.
 </p>
</div>
<div class="refsect1" lang="en">
<a name="id2620809"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
 </p>
</div>
</div>
</body>
</html>