man.dnssec-verify.html revision fd2597f75693a2279fdf588bd40dfe2407c42028
<!--
 - Copyright (C) 2004-2015 Internet Systems Consortium, Inc. ("ISC")
 - Copyright (C) 2000-2003 Internet Software Consortium.
 -
 - Permission to use, copy, modify, and/or distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 -
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
-->
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
<link rel="prev" href="man.dnssec-signzone.html" title="dnssec-signzone">
<link rel="next" href="man.lwresd.html" title="lwresd">
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<a name="man.dnssec-verify"></a><div class="titlepage"></div>
<p><span class="application">dnssec-verify</span> — DNSSEC zone verification tool</p>
<div class="cmdsynopsis"><p><code class="command">dnssec-verify</code> [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-I <em class="replaceable"><code>input-format</code></em></code>] [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-V</code>] [<code class="option">-x</code>] [<code class="option">-z</code>] {zonefile}</p></div>
<p><span class="command"><strong>dnssec-verify</strong></span>
 verifies that a zone is fully signed for each algorithm found
 in the DNSKEY RRset for the zone, and that the NSEC / NSEC3
 chains are complete.</p>
<div class="variablelist"><dl class="variablelist">
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
<dd><p>Specifies the DNS class of the zone.</p></dd>
<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
<dd><p>Specifies the cryptographic hardware to use, when applicable.</p>
<p>When BIND is built with OpenSSL PKCS#11 support, this defaults
 to the string "pkcs11", which identifies an OpenSSL engine
 that can drive a cryptographic accelerator or hardware service
 module. When BIND is built with native PKCS#11 cryptography
 (--enable-native-pkcs11), it defaults to the path of the PKCS#11
 provider library specified via "--with-pkcs11".</p></dd>
<dt><span class="term">-I <em class="replaceable"><code>input-format</code></em></span></dt>
<dd><p>The format of the input zone file.
 Possible formats are <span class="command"><strong>"text"</strong></span> (default)
 and <span class="command"><strong>"raw"</strong></span>.
 This option is primarily intended to be used for dynamic
 signed zones so that the dumped zone file in a non-text
 format containing updates can be verified independently.
 The use of this option does not make much sense for
 non-dynamic zones.</p></dd>
<dt><span class="term">-o <em class="replaceable"><code>origin</code></em></span></dt>
<dd><p>The zone origin. If not specified, the name of the zone file
 is assumed to be the origin.</p></dd>
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
<dd><p>Sets the debugging level.</p></dd>
<dt><span class="term">-V</span></dt>
<dd><p>Prints version information.</p></dd>
<dt><span class="term">-x</span></dt>
<dd><p>Only verify that the DNSKEY RRset is signed with key-signing
 keys. Without this flag, it is assumed that the DNSKEY RRset
 will be signed by all active keys. When this flag is set,
 it will not be an error if the DNSKEY RRset is not signed
 by zone-signing keys. This corresponds to the <code class="option">-x</code>
 option in <span class="command"><strong>dnssec-signzone</strong></span>.</p></dd>
<dt><span class="term">-z</span></dt>
<dd><p>Ignore the KSK flag on the keys when determining whether
 the zone is correctly signed. Without this flag it is
 assumed that there will be a non-revoked, self-signed
 DNSKEY with the KSK flag set for each algorithm and
 that RRsets other than the DNSKEY RRset will be signed with
 a different DNSKEY without the KSK flag set.</p>
<p>With this flag set, we only require that for each algorithm,
 there will be at least one non-revoked, self-signed DNSKEY,
 regardless of the KSK flag state, and that other RRsets
 will be signed by a non-revoked key for the same algorithm
 that includes the self-signed key; the same key may be used
 for both purposes. This corresponds to the <code class="option">-z</code>
 option in <span class="command"><strong>dnssec-signzone</strong></span>.</p></dd>
<dt><span class="term">zonefile</span></dt>
<dd><p>The file containing the zone to be signed.</p></dd>
</dl></div>
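<p>The <code class="option">-x</code> and <code class="option">-z</code> rules described above, written out as a small policy model. This is an added example, not part of the BIND manual or BIND's own code. It assumes signature validation has already been done; the names <code>Key</code> and <code>check_zone</code>, the sample key tags, and the reading of "active" as "non-revoked" are assumptions.</p>

```python
from dataclasses import dataclass

SEP, REVOKE = 0x0001, 0x0080   # DNSKEY flag bits: KSK ("SEP") and revoked


@dataclass(frozen=True)
class Key:
    tag: int     # key tag (sample values below are constructed)
    alg: int     # DNSSEC algorithm number
    flags: int   # 257 = KSK flag set, 256 = KSK flag clear


def check_zone(keys, signers, x=False, z=False):
    """Model of the -x / -z rules as worded on this page (not BIND's code).

    signers maps an RRset label to the set of key tags whose RRSIG over it
    is assumed to have validated already; "DNSKEY" is the apex key set.
    Returns a list of problems; an empty list means the policy is met.
    """
    problems = []
    on_dnskey = signers.get("DNSKEY", set())
    for alg in sorted({k.alg for k in keys}):
        live = [k for k in keys if k.alg == alg and not k.flags & REVOKE]
        # One non-revoked, self-signed DNSKEY per algorithm; -z drops the
        # requirement that it carries the KSK flag.
        if not any(k.tag in on_dnskey and (z or k.flags & SEP) for k in live):
            problems.append(f"alg {alg}: no self-signed {'key' if z else 'KSK'}")
        # Without -x every active key is expected to sign the DNSKEY RRset
        # ("active" is taken to mean non-revoked here: an assumption).
        if not x:
            problems += [f"alg {alg}: key {k.tag} did not sign DNSKEY"
                         for k in live if k.tag not in on_dnskey]
        # Other RRsets: a key without the KSK flag, or any live key with -z.
        data_keys = {k.tag for k in live if z or not k.flags & SEP}
        problems += [f"alg {alg}: {name} lacks a usable signature"
                     for name, tags in sorted(signers.items())
                     if name != "DNSKEY" and not tags & data_keys]
    return problems


# Constructed sample: split KSK/ZSK zone where only the KSK signs DNSKEY.
SPLIT = ([Key(1001, 13, 257), Key(2002, 13, 256)],
         {"DNSKEY": {1001}, "example. SOA": {2002}, "www.example. A": {2002}})
# Constructed sample: a single key with the KSK flag signs everything.
SINGLE = ([Key(3003, 13, 257)],
          {"DNSKEY": {3003}, "example. SOA": {3003}})

if __name__ == "__main__":
    for label, (keys, signers) in (("split", SPLIT), ("single", SINGLE)):
        for opts in ({}, {"x": True}, {"z": True}):
            print(label, opts, check_zone(keys, signers, **opts) or "ok")
```

<p>In this model the split-key zone passes only with <code class="option">-x</code>, and the single-key zone passes only with <code class="option">-z</code>.</p>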
<p><span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
 <em class="citetitle">BIND 9 Administrator Reference Manual</em>,</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.0pre-alpha</p>