man.dnssec-verify.html revision 0efe2893b6a53d11b84b6ac0fe4508a0e9d1dadd
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<!--
1fdd2470b625a58b57d0b155e6caf8c4fc0afe8aAutomatic Updater - Copyright (C) 2004-2014 Internet Systems Consortium, Inc. ("ISC")
75c0816e8295e180f4bc7f10db3d0d880383bc1cMark Andrews - Copyright (C) 2000-2003 Internet Software Consortium.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein -
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - Permission to use, copy, modify, and/or distribute this software for any
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - purpose with or without fee is hereby granted, provided that the above
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - copyright notice and this permission notice appear in all copies.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein -
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - PERFORMANCE OF THIS SOFTWARE.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein-->
2cbb4ab75757fbb656997a82c14ca07db37d481aAutomatic Updater<!-- $Id$ -->
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<html>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<head>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<title>dnssec-verify</title>
e21a2904f02a03fa06b6db04d348f65fe9c67b2bMark Andrews<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<link rel="up" href="Bv9ARM.ch10.html" title="Manual pages">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<link rel="prev" href="man.dnssec-signzone.html" title="dnssec-signzone">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<link rel="next" href="man.named-checkconf.html" title="named-checkconf">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</head>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="navheader">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<table width="100%" summary="Navigation header">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<tr><th colspan="3" align="center"><span class="application">dnssec-verify</span></th></tr>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<tr>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<td width="20%" align="left">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<a accesskey="p" href="man.dnssec-signzone.html">Prev</a>&nbsp;</td>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<th width="60%" align="center">Manual pages</th>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<td width="20%" align="right">&nbsp;<a accesskey="n" href="man.named-checkconf.html">Next</a>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</td>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</tr>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</table>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<hr>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="refentry" lang="en">
ab8729140b1ad688ab03e1e9ce438fb1cbb49222Automatic Updater<a name="man.dnssec-verify"></a><div class="titlepage"></div>
1fdd2470b625a58b57d0b155e6caf8c4fc0afe8aAutomatic Updater<div class="refnamediv">
75c0816e8295e180f4bc7f10db3d0d880383bc1cMark Andrews<h2>Name</h2>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p><span class="application">dnssec-verify</span> &#8212; DNSSEC zone verification tool</p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="refsynopsisdiv">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<h2>Synopsis</h2>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="cmdsynopsis"><p><code class="command">dnssec-verify</code> [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-I <em class="replaceable"><code>input-format</code></em></code>] [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-x</code>] [<code class="option">-z</code>] {zonefile}</p></div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="refsect1" lang="en">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<a name="id2640556"></a><h2>DESCRIPTION</h2>
1fdd2470b625a58b57d0b155e6caf8c4fc0afe8aAutomatic Updater<p><span><strong class="command">dnssec-verify</strong></span>
1fdd2470b625a58b57d0b155e6caf8c4fc0afe8aAutomatic Updater verifies that a zone is fully signed for each algorithm found
1fdd2470b625a58b57d0b155e6caf8c4fc0afe8aAutomatic Updater in the DNSKEY RRset for the zone, and that the NSEC / NSEC3
1fdd2470b625a58b57d0b155e6caf8c4fc0afe8aAutomatic Updater chains are complete.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </p>
1fdd2470b625a58b57d0b155e6caf8c4fc0afe8aAutomatic Updater</div>
1fdd2470b625a58b57d0b155e6caf8c4fc0afe8aAutomatic Updater<div class="refsect1" lang="en">
1fdd2470b625a58b57d0b155e6caf8c4fc0afe8aAutomatic Updater<a name="id2640570"></a><h2>OPTIONS</h2>
1fdd2470b625a58b57d0b155e6caf8c4fc0afe8aAutomatic Updater<div class="variablelist"><dl>
1fdd2470b625a58b57d0b155e6caf8c4fc0afe8aAutomatic Updater<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
1fdd2470b625a58b57d0b155e6caf8c4fc0afe8aAutomatic Updater<dd><p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Specifies the DNS class of the zone.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </p></dd>
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dd>
1fdd2470b625a58b57d0b155e6caf8c4fc0afe8aAutomatic Updater<p>
1fdd2470b625a58b57d0b155e6caf8c4fc0afe8aAutomatic Updater Specifies the cryptographic hardware to use, when applicable.
1fdd2470b625a58b57d0b155e6caf8c4fc0afe8aAutomatic Updater </p>
1fdd2470b625a58b57d0b155e6caf8c4fc0afe8aAutomatic Updater<p>
1fdd2470b625a58b57d0b155e6caf8c4fc0afe8aAutomatic Updater When BIND is built with OpenSSL PKCS#11 support, this defaults
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein to the string "pkcs11", which identifies an OpenSSL engine
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein that can drive a cryptographic accelerator or hardware service
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein module. When BIND is built with native PKCS#11 cryptography
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein (--enable-native-pkcs11), it defaults to the path of the PKCS#11
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein provider library specified via "--with-pkcs11".
1fdd2470b625a58b57d0b155e6caf8c4fc0afe8aAutomatic Updater </p>
1fdd2470b625a58b57d0b155e6caf8c4fc0afe8aAutomatic Updater</dd>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dt><span class="term">-I <em class="replaceable"><code>input-format</code></em></span></dt>
1fdd2470b625a58b57d0b155e6caf8c4fc0afe8aAutomatic Updater<dd><p>
1fdd2470b625a58b57d0b155e6caf8c4fc0afe8aAutomatic Updater The format of the input zone file.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Possible formats are <span><strong class="command">"text"</strong></span> (default)
1fdd2470b625a58b57d0b155e6caf8c4fc0afe8aAutomatic Updater and <span><strong class="command">"raw"</strong></span>.
58d9e9169e7ab4355a0b0bfc13bc616bc5247dfeAutomatic Updater This option is primarily intended to be used for dynamic
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein signed zones so that the dumped zone file in a non-text
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein format containing updates can be verified independently.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein The use of this option does not make much sense for
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein non-dynamic zones.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </p></dd>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dt><span class="term">-o <em class="replaceable"><code>origin</code></em></span></dt>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dd><p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein The zone origin. If not specified, the name of the zone file
ca67ebfe9eef0b8f04179f7e511a19e0337a5422Automatic Updater is assumed to be the origin.
ca67ebfe9eef0b8f04179f7e511a19e0337a5422Automatic Updater </p></dd>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dd><p>
ca67ebfe9eef0b8f04179f7e511a19e0337a5422Automatic Updater Sets the debugging level.
ca67ebfe9eef0b8f04179f7e511a19e0337a5422Automatic Updater </p></dd>
ca67ebfe9eef0b8f04179f7e511a19e0337a5422Automatic Updater<dt><span class="term">-x</span></dt>
ca67ebfe9eef0b8f04179f7e511a19e0337a5422Automatic Updater<dd><p>
ca67ebfe9eef0b8f04179f7e511a19e0337a5422Automatic Updater Only verify that the DNSKEY RRset is signed with key-signing
ca67ebfe9eef0b8f04179f7e511a19e0337a5422Automatic Updater keys. Without this flag, it is assumed that the DNSKEY RRset
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein will be signed by all active keys. When this flag is set,
ca67ebfe9eef0b8f04179f7e511a19e0337a5422Automatic Updater it will not be an error if the DNSKEY RRset is not signed
ca67ebfe9eef0b8f04179f7e511a19e0337a5422Automatic Updater by zone-signing keys. This corresponds to the <code class="option">-x</code>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein option in <span><strong class="command">dnssec-signzone</strong></span>.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </p></dd>
ca67ebfe9eef0b8f04179f7e511a19e0337a5422Automatic Updater<dt><span class="term">-z</span></dt>
ca67ebfe9eef0b8f04179f7e511a19e0337a5422Automatic Updater<dd>
ca67ebfe9eef0b8f04179f7e511a19e0337a5422Automatic Updater<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Ignore the KSK flag on the keys when determining whether
ca67ebfe9eef0b8f04179f7e511a19e0337a5422Automatic Updater the zone is correctly signed. Without this flag it is
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein assumed that there will be a non-revoked, self-signed
ca67ebfe9eef0b8f04179f7e511a19e0337a5422Automatic Updater DNSKEY with the KSK flag set for each algorithm and
ca67ebfe9eef0b8f04179f7e511a19e0337a5422Automatic Updater that RRsets other than the DNSKEY RRset will be signed with
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein a different DNSKEY without the KSK flag set.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </p>
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein With this flag set, we only require that for each algorithm,
ca67ebfe9eef0b8f04179f7e511a19e0337a5422Automatic Updater there will be at least one non-revoked, self-signed DNSKEY,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein regardless of the KSK flag state, and that other RRsets
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein will be signed by a non-revoked key for the same algorithm
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews that includes the self-signed key; the same key may be used
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein for both purposes. This corresponds to the <code class="option">-z</code>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein option in <span><strong class="command">dnssec-signzone</strong></span>.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</dd>
ca67ebfe9eef0b8f04179f7e511a19e0337a5422Automatic Updater<dt><span class="term">zonefile</span></dt>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dd><p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein The file containing the zone to be verified.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </p></dd>
ca67ebfe9eef0b8f04179f7e511a19e0337a5422Automatic Updater</dl></div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="refsect1" lang="en">
ca67ebfe9eef0b8f04179f7e511a19e0337a5422Automatic Updater<a name="id2642515"></a><h2>SEE ALSO</h2>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
ca67ebfe9eef0b8f04179f7e511a19e0337a5422Automatic Updater <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
ca67ebfe9eef0b8f04179f7e511a19e0337a5422Automatic Updater <em class="citetitle">RFC 4033</em>.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </p>
ca67ebfe9eef0b8f04179f7e511a19e0337a5422Automatic Updater</div>
ca67ebfe9eef0b8f04179f7e511a19e0337a5422Automatic Updater<div class="refsect1" lang="en">
ca67ebfe9eef0b8f04179f7e511a19e0337a5422Automatic Updater<a name="id2642540"></a><h2>AUTHOR</h2>
ca67ebfe9eef0b8f04179f7e511a19e0337a5422Automatic Updater<p><span class="corpauthor">Internet Systems Consortium</span>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </p>
ca67ebfe9eef0b8f04179f7e511a19e0337a5422Automatic Updater</div>
ca67ebfe9eef0b8f04179f7e511a19e0337a5422Automatic Updater</div>
ca67ebfe9eef0b8f04179f7e511a19e0337a5422Automatic Updater<div class="navfooter">
ca67ebfe9eef0b8f04179f7e511a19e0337a5422Automatic Updater<hr>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<table width="100%" summary="Navigation footer">
ca67ebfe9eef0b8f04179f7e511a19e0337a5422Automatic Updater<tr>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<td width="40%" align="left">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<a accesskey="p" href="man.dnssec-signzone.html">Prev</a>&nbsp;</td>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch10.html">Up</a></td>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<td width="40%" align="right">&nbsp;<a accesskey="n" href="man.named-checkconf.html">Next</a>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</td>
a1ad6695ed6f988406cf155aa26376f84f73bcb9Automatic Updater</tr>
2cbb4ab75757fbb656997a82c14ca07db37d481aAutomatic Updater<tr>
a1ad6695ed6f988406cf155aa26376f84f73bcb9Automatic Updater<td width="40%" align="left" valign="top">
2cbb4ab75757fbb656997a82c14ca07db37d481aAutomatic Updater<span class="application">dnssec-signzone</span>&nbsp;</td>
2cbb4ab75757fbb656997a82c14ca07db37d481aAutomatic Updater<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<td width="40%" align="right" valign="top">&nbsp;<span class="application">named-checkconf</span>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</td>
2cbb4ab75757fbb656997a82c14ca07db37d481aAutomatic Updater</tr>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</table>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</div>
2cbb4ab75757fbb656997a82c14ca07db37d481aAutomatic Updater</body>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</html>
2cbb4ab75757fbb656997a82c14ca07db37d481aAutomatic Updater