man.dnssec-verify.html revision d6fa26d0adaec6c910115be34fe7a5a5f402c14f
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
 - Copyright (C) 2000-2015 Internet Systems Consortium, Inc. ("ISC")
 -
 - This Source Code Form is subject to the terms of the Mozilla Public
 - License, v. 2.0. If a copy of the MPL was not distributed with this
 - file, You can obtain one at http://mozilla.org/MPL/2.0/.
-->
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
<link rel="prev" href="man.dnssec-signzone.html" title="dnssec-signzone">
<link rel="next" href="man.lwresd.html" title="lwresd">
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<a name="man.dnssec-verify"></a><div class="titlepage"></div>
<p><span class="application">dnssec-verify</span> — DNSSEC zone verification tool</p>
<div class="cmdsynopsis"><p><code class="command">dnssec-verify</code> [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-I <em class="replaceable"><code>input-format</code></em></code>] [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-V</code>] [<code class="option">-x</code>] [<code class="option">-z</code>] {zonefile}</p></div>
<a name="id-1.14.17.7"></a><h2>DESCRIPTION</h2>
<p><span class="command"><strong>dnssec-verify</strong></span>
 verifies that a zone is fully signed for each algorithm found
 in the DNSKEY RRset for the zone, and that the NSEC / NSEC3
 chains are complete.</p>
<h2>OPTIONS</h2>
<div class="variablelist"><dl class="variablelist">
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
<dd><p>
 Specifies the DNS class of the zone.
</p></dd>
<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
<dd><p>
 Specifies the cryptographic hardware to use, when applicable.
 When BIND is built with OpenSSL PKCS#11 support, this defaults
 to the string "pkcs11", which identifies an OpenSSL engine
 that can drive a cryptographic accelerator or hardware service
 module. When BIND is built with native PKCS#11 cryptography
 (--enable-native-pkcs11), it defaults to the path of the PKCS#11
 provider library specified via "--with-pkcs11".
</p></dd>
<dt><span class="term">-I <em class="replaceable"><code>input-format</code></em></span></dt>
<dd><p>
 The format of the input zone file.
 Possible formats are <span class="command"><strong>"text"</strong></span> (default)
 and <span class="command"><strong>"raw"</strong></span>.
 This option is primarily intended to be used for dynamic
 signed zones so that the dumped zone file in a non-text
 format containing updates can be verified independently.
 The use of this option does not make much sense for
 non-dynamic zones.
</p></dd>
<dt><span class="term">-o <em class="replaceable"><code>origin</code></em></span></dt>
<dd><p>
 The zone origin. If not specified, the name of the zone file
 is assumed to be the origin.
</p></dd>
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
<dd><p>
 Sets the debugging level.
</p></dd>
<dt><span class="term">-V</span></dt>
<dd><p>
 Prints version information.
</p></dd>
<dt><span class="term">-x</span></dt>
<dd><p>
 Only verify that the DNSKEY RRset is signed with key-signing
 keys. Without this flag, it is assumed that the DNSKEY RRset
 will be signed by all active keys. When this flag is set,
 it will not be an error if the DNSKEY RRset is not signed
 by zone-signing keys. This corresponds to the <code class="option">-x</code>
 option in <span class="command"><strong>dnssec-signzone</strong></span>.
</p></dd>
<dt><span class="term">-z</span></dt>
<dd><p>
 Ignore the KSK flag on the keys when determining whether
 the zone is correctly signed. Without this flag, it is
 assumed that there will be a non-revoked, self-signed
 DNSKEY with the KSK flag set for each algorithm and
 that RRsets other than the DNSKEY RRset will be signed with
 a different DNSKEY without the KSK flag set.
</p>
<p>
 With this flag set, we only require that for each algorithm,
 there will be at least one non-revoked, self-signed DNSKEY,
 regardless of the KSK flag state, and that other RRsets
 will be signed by a non-revoked key for the same algorithm
 that includes the self-signed key; the same key may be used
 for both purposes. This corresponds to the <code class="option">-z</code>
 option in <span class="command"><strong>dnssec-signzone</strong></span>.
</p></dd>
<dt><span class="term">zonefile</span></dt>
<dd><p>
 The file containing the zone to be signed.
</p></dd>
</dl></div>
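<p>The key and signature rules that the -x and -z descriptions above state, written out as a small model. This is an added example, not ISC's code and not how dnssec-verify is implemented: it validates no signatures, and the Key class, the check_zone function, the key tags and the treatment of every non-revoked key as "active" are assumptions made for illustration.</p>

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Key:
    tag: int               # key tag (constructed sample value)
    alg: int               # DNSSEC algorithm number
    ksk: bool              # KSK flag set on the DNSKEY
    revoked: bool = False

def check_zone(keys, dnskey_signers, data_signers, ignore_ksk=False, ksk_only=False):
    """Return a list of rule violations; an empty list means the rules hold.

    keys           -- the zone's DNSKEY RRset as Key objects
    dnskey_signers -- tags of keys that signed the DNSKEY RRset
    data_signers   -- tags of keys that signed every other RRset
    ignore_ksk     -- models -z; ksk_only models -x
    Assumption: every non-revoked key counts as "active".
    """
    problems = []
    for alg in sorted({k.alg for k in keys}):
        live = [k for k in keys if k.alg == alg and not k.revoked]
        # A non-revoked, self-signed DNSKEY; must carry the KSK flag unless -z.
        if not any(k.tag in dnskey_signers and (ignore_ksk or k.ksk) for k in live):
            problems.append(f"alg {alg}: no non-revoked self-signed "
                            + ("DNSKEY" if ignore_ksk else "KSK"))
        # Other RRsets: a key without the KSK flag, or any live key with -z.
        if not any(k.tag in data_signers and (ignore_ksk or not k.ksk) for k in live):
            problems.append(f"alg {alg}: other RRsets lack a signature from a "
                            + ("non-revoked key" if ignore_ksk else "non-KSK key"))
        # Without -x the DNSKEY RRset is expected to be signed by all active keys.
        if not ksk_only:
            problems += [f"alg {alg}: key {k.tag} did not sign the DNSKEY RRset"
                         for k in live if k.tag not in dnskey_signers]
    return problems

# Constructed sample zones (algorithm 13, made-up key tags).
SPLIT = [Key(1001, 13, ksk=True), Key(2002, 13, ksk=False)]   # KSK + ZSK
SINGLE = [Key(3003, 13, ksk=True)]                            # one key for everything

if __name__ == "__main__":
    print(check_zone(SPLIT, {1001}, {2002}))                     # default rules
    print(check_zone(SPLIT, {1001}, {2002}, ksk_only=True))      # -x
    print(check_zone(SINGLE, {3003}, {3003}))                    # default rules
    print(check_zone(SINGLE, {3003}, {3003}, ignore_ksk=True))   # -z
```

<p>In this model, a zone whose DNSKEY RRset is signed only by its KSK passes only with ksk_only (-x), and a zone that uses one key for everything passes only with ignore_ksk (-z).</p>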
<h2>SEE ALSO</h2>
<p>
 <span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
 <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.0rc1</p>