man.dnssec-verify.html revision 1700442a7751c2bbdafe2d039cebbd8316496957
55e5c51e661e23e24573db84114a3837817745c9Evan Hunt<!--
431a83fb29482c5170b3e4026e59bb14849a6707Tinderbox User - Copyright (C) 2004-2015 Internet Systems Consortium, Inc. ("ISC")
55e5c51e661e23e24573db84114a3837817745c9Evan Hunt - Copyright (C) 2000-2003 Internet Software Consortium.
55e5c51e661e23e24573db84114a3837817745c9Evan Hunt -
55e5c51e661e23e24573db84114a3837817745c9Evan Hunt - Permission to use, copy, modify, and/or distribute this software for any
55e5c51e661e23e24573db84114a3837817745c9Evan Hunt - purpose with or without fee is hereby granted, provided that the above
55e5c51e661e23e24573db84114a3837817745c9Evan Hunt - copyright notice and this permission notice appear in all copies.
55e5c51e661e23e24573db84114a3837817745c9Evan Hunt -
55e5c51e661e23e24573db84114a3837817745c9Evan Hunt - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
55e5c51e661e23e24573db84114a3837817745c9Evan Hunt - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
55e5c51e661e23e24573db84114a3837817745c9Evan Hunt - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
55e5c51e661e23e24573db84114a3837817745c9Evan Hunt - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
55e5c51e661e23e24573db84114a3837817745c9Evan Hunt - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
55e5c51e661e23e24573db84114a3837817745c9Evan Hunt - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
55e5c51e661e23e24573db84114a3837817745c9Evan Hunt - PERFORMANCE OF THIS SOFTWARE.
55e5c51e661e23e24573db84114a3837817745c9Evan Hunt-->
55e5c51e661e23e24573db84114a3837817745c9Evan Hunt<html>
55e5c51e661e23e24573db84114a3837817745c9Evan Hunt<head>
55e5c51e661e23e24573db84114a3837817745c9Evan Hunt<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
55e5c51e661e23e24573db84114a3837817745c9Evan Hunt<title>dnssec-verify</title>
55e5c51e661e23e24573db84114a3837817745c9Evan Hunt<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
55e5c51e661e23e24573db84114a3837817745c9Evan Hunt<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
55e5c51e661e23e24573db84114a3837817745c9Evan Hunt<link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
55e5c51e661e23e24573db84114a3837817745c9Evan Hunt<link rel="prev" href="man.dnssec-signzone.html" title="dnssec-signzone">
55e5c51e661e23e24573db84114a3837817745c9Evan Hunt<link rel="next" href="man.lwresd.html" title="lwresd">
55e5c51e661e23e24573db84114a3837817745c9Evan Hunt</head>
55e5c51e661e23e24573db84114a3837817745c9Evan Hunt<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
55e5c51e661e23e24573db84114a3837817745c9Evan Hunt<div class="navheader">
dcf426e9b546d4bcc0681904551752af43c1bcd6Evan Hunt<table width="100%" summary="Navigation header">
55e5c51e661e23e24573db84114a3837817745c9Evan Hunt<tr><th colspan="3" align="center"><span class="application">dnssec-verify</span></th></tr>
55e5c51e661e23e24573db84114a3837817745c9Evan Hunt<tr>
55e5c51e661e23e24573db84114a3837817745c9Evan Hunt<td width="20%" align="left">
55e5c51e661e23e24573db84114a3837817745c9Evan Hunt<a accesskey="p" href="man.dnssec-signzone.html">Prev</a>&nbsp;</td>
55e5c51e661e23e24573db84114a3837817745c9Evan Hunt<th width="60%" align="center">Manual pages</th>
55e5c51e661e23e24573db84114a3837817745c9Evan Hunt<td width="20%" align="right">&nbsp;<a accesskey="n" href="man.lwresd.html">Next</a>
55e5c51e661e23e24573db84114a3837817745c9Evan Hunt</td>
55e5c51e661e23e24573db84114a3837817745c9Evan Hunt</tr>
55e5c51e661e23e24573db84114a3837817745c9Evan Hunt</table>
55e5c51e661e23e24573db84114a3837817745c9Evan Hunt<hr>
55e5c51e661e23e24573db84114a3837817745c9Evan Hunt</div>
55e5c51e661e23e24573db84114a3837817745c9Evan Hunt<div class="refentry">
55e5c51e661e23e24573db84114a3837817745c9Evan Hunt<a name="man.dnssec-verify"></a><div class="titlepage"></div>
55e5c51e661e23e24573db84114a3837817745c9Evan Hunt<div class="refnamediv">
55e5c51e661e23e24573db84114a3837817745c9Evan Hunt<h2>Name</h2>
55e5c51e661e23e24573db84114a3837817745c9Evan Hunt<p><span class="application">dnssec-verify</span> &#8212; DNSSEC zone verification tool</p>
55e5c51e661e23e24573db84114a3837817745c9Evan Hunt</div>
55e5c51e661e23e24573db84114a3837817745c9Evan Hunt<div class="refsynopsisdiv">
55e5c51e661e23e24573db84114a3837817745c9Evan Hunt<h2>Synopsis</h2>
55e5c51e661e23e24573db84114a3837817745c9Evan Hunt<div class="cmdsynopsis"><p><code class="command">dnssec-verify</code> [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-I <em class="replaceable"><code>input-format</code></em></code>] [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-V</code>] [<code class="option">-x</code>] [<code class="option">-z</code>] {zonefile}</p></div>
55e5c51e661e23e24573db84114a3837817745c9Evan Hunt</div>
55e5c51e661e23e24573db84114a3837817745c9Evan Hunt<div class="refsection">
55e5c51e661e23e24573db84114a3837817745c9Evan Hunt<a name="id-1.14.14.7"></a><h2>DESCRIPTION</h2>
55e5c51e661e23e24573db84114a3837817745c9Evan Hunt<p><span class="command"><strong>dnssec-verify</strong></span>
55e5c51e661e23e24573db84114a3837817745c9Evan Hunt verifies that a zone is fully signed for each algorithm found
55e5c51e661e23e24573db84114a3837817745c9Evan Hunt in the DNSKEY RRset for the zone, and that the NSEC / NSEC3
55e5c51e661e23e24573db84114a3837817745c9Evan Hunt chains are complete.
55e5c51e661e23e24573db84114a3837817745c9Evan Hunt </p>
55e5c51e661e23e24573db84114a3837817745c9Evan Hunt</div>
55e5c51e661e23e24573db84114a3837817745c9Evan Hunt<div class="refsection">
55e5c51e661e23e24573db84114a3837817745c9Evan Hunt<a name="id-1.14.14.8"></a><h2>OPTIONS</h2>
55e5c51e661e23e24573db84114a3837817745c9Evan Hunt<div class="variablelist"><dl class="variablelist">
55e5c51e661e23e24573db84114a3837817745c9Evan Hunt<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
55e5c51e661e23e24573db84114a3837817745c9Evan Hunt<dd><p>
55e5c51e661e23e24573db84114a3837817745c9Evan Hunt Specifies the DNS class of the zone.
55e5c51e661e23e24573db84114a3837817745c9Evan Hunt </p></dd>
55e5c51e661e23e24573db84114a3837817745c9Evan Hunt<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
55e5c51e661e23e24573db84114a3837817745c9Evan Hunt<dd>
55e5c51e661e23e24573db84114a3837817745c9Evan Hunt<p>
55e5c51e661e23e24573db84114a3837817745c9Evan Hunt Specifies the cryptographic hardware to use, when applicable.
55e5c51e661e23e24573db84114a3837817745c9Evan Hunt </p>
55e5c51e661e23e24573db84114a3837817745c9Evan Hunt<p>
55e5c51e661e23e24573db84114a3837817745c9Evan Hunt When BIND is built with OpenSSL PKCS#11 support, this defaults
55e5c51e661e23e24573db84114a3837817745c9Evan Hunt to the string "pkcs11", which identifies an OpenSSL engine
55e5c51e661e23e24573db84114a3837817745c9Evan Hunt that can drive a cryptographic accelerator or hardware security
55e5c51e661e23e24573db84114a3837817745c9Evan Hunt module. When BIND is built with native PKCS#11 cryptography
55e5c51e661e23e24573db84114a3837817745c9Evan Hunt (--enable-native-pkcs11), it defaults to the path of the PKCS#11
55e5c51e661e23e24573db84114a3837817745c9Evan Hunt provider library specified via "--with-pkcs11".
55e5c51e661e23e24573db84114a3837817745c9Evan Hunt </p>
55e5c51e661e23e24573db84114a3837817745c9Evan Hunt</dd>
55e5c51e661e23e24573db84114a3837817745c9Evan Hunt<dt><span class="term">-I <em class="replaceable"><code>input-format</code></em></span></dt>
55e5c51e661e23e24573db84114a3837817745c9Evan Hunt<dd><p>
55e5c51e661e23e24573db84114a3837817745c9Evan Hunt The format of the input zone file.
55e5c51e661e23e24573db84114a3837817745c9Evan Hunt Possible formats are <span class="command"><strong>"text"</strong></span> (default)
55e5c51e661e23e24573db84114a3837817745c9Evan Hunt and <span class="command"><strong>"raw"</strong></span>.
55e5c51e661e23e24573db84114a3837817745c9Evan Hunt This option is primarily intended to be used for dynamic
55e5c51e661e23e24573db84114a3837817745c9Evan Hunt signed zones so that the dumped zone file in a non-text
55e5c51e661e23e24573db84114a3837817745c9Evan Hunt format containing updates can be verified independently.
55e5c51e661e23e24573db84114a3837817745c9Evan Hunt The use of this option does not make much sense for
55e5c51e661e23e24573db84114a3837817745c9Evan Hunt non-dynamic zones.
55e5c51e661e23e24573db84114a3837817745c9Evan Hunt </p></dd>
55e5c51e661e23e24573db84114a3837817745c9Evan Hunt<dt><span class="term">-o <em class="replaceable"><code>origin</code></em></span></dt>
55e5c51e661e23e24573db84114a3837817745c9Evan Hunt<dd><p>
55e5c51e661e23e24573db84114a3837817745c9Evan Hunt The zone origin. If not specified, the name of the zone file
55e5c51e661e23e24573db84114a3837817745c9Evan Hunt is assumed to be the origin.
55e5c51e661e23e24573db84114a3837817745c9Evan Hunt </p></dd>
55e5c51e661e23e24573db84114a3837817745c9Evan Hunt<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
55e5c51e661e23e24573db84114a3837817745c9Evan Hunt<dd><p>
55e5c51e661e23e24573db84114a3837817745c9Evan Hunt Sets the debugging level.
55e5c51e661e23e24573db84114a3837817745c9Evan Hunt </p></dd>
55e5c51e661e23e24573db84114a3837817745c9Evan Hunt<dt><span class="term">-V</span></dt>
55e5c51e661e23e24573db84114a3837817745c9Evan Hunt<dd><p>
55e5c51e661e23e24573db84114a3837817745c9Evan Hunt Prints version information.
55e5c51e661e23e24573db84114a3837817745c9Evan Hunt </p></dd>
55e5c51e661e23e24573db84114a3837817745c9Evan Hunt<dt><span class="term">-x</span></dt>
55e5c51e661e23e24573db84114a3837817745c9Evan Hunt<dd><p>
55e5c51e661e23e24573db84114a3837817745c9Evan Hunt Only verify that the DNSKEY RRset is signed with key-signing
55e5c51e661e23e24573db84114a3837817745c9Evan Hunt keys. Without this flag, it is assumed that the DNSKEY RRset
55e5c51e661e23e24573db84114a3837817745c9Evan Hunt will be signed by all active keys. When this flag is set,
55e5c51e661e23e24573db84114a3837817745c9Evan Hunt it will not be an error if the DNSKEY RRset is not signed
55e5c51e661e23e24573db84114a3837817745c9Evan Hunt by zone-signing keys. This corresponds to the <code class="option">-x</code>
55e5c51e661e23e24573db84114a3837817745c9Evan Hunt option in <span class="command"><strong>dnssec-signzone</strong></span>.
55e5c51e661e23e24573db84114a3837817745c9Evan Hunt </p></dd>
55e5c51e661e23e24573db84114a3837817745c9Evan Hunt<dt><span class="term">-z</span></dt>
55e5c51e661e23e24573db84114a3837817745c9Evan Hunt<dd>
55e5c51e661e23e24573db84114a3837817745c9Evan Hunt<p>
55e5c51e661e23e24573db84114a3837817745c9Evan Hunt Ignore the KSK flag on the keys when determining whether
55e5c51e661e23e24573db84114a3837817745c9Evan Hunt the zone is correctly signed. Without this flag it is
55e5c51e661e23e24573db84114a3837817745c9Evan Hunt assumed that there will be a non-revoked, self-signed
55e5c51e661e23e24573db84114a3837817745c9Evan Hunt DNSKEY with the KSK flag set for each algorithm and
55e5c51e661e23e24573db84114a3837817745c9Evan Hunt that RRsets other than DNSKEY RRset will be signed with
55e5c51e661e23e24573db84114a3837817745c9Evan Hunt a different DNSKEY without the KSK flag set.
55e5c51e661e23e24573db84114a3837817745c9Evan Hunt </p>
55e5c51e661e23e24573db84114a3837817745c9Evan Hunt<p>
55e5c51e661e23e24573db84114a3837817745c9Evan Hunt With this flag set, we only require that for each algorithm,
55e5c51e661e23e24573db84114a3837817745c9Evan Hunt there will be at least one non-revoked, self-signed DNSKEY,
55e5c51e661e23e24573db84114a3837817745c9Evan Hunt regardless of the KSK flag state, and that other RRsets
55e5c51e661e23e24573db84114a3837817745c9Evan Hunt will be signed by a non-revoked key for the same algorithm
55e5c51e661e23e24573db84114a3837817745c9Evan Hunt that includes the self-signed key; the same key may be used
55e5c51e661e23e24573db84114a3837817745c9Evan Hunt for both purposes. This corresponds to the <code class="option">-z</code>
55e5c51e661e23e24573db84114a3837817745c9Evan Hunt option in <span class="command"><strong>dnssec-signzone</strong></span>.
55e5c51e661e23e24573db84114a3837817745c9Evan Hunt </p>
55e5c51e661e23e24573db84114a3837817745c9Evan Hunt</dd>
55e5c51e661e23e24573db84114a3837817745c9Evan Hunt<dt><span class="term">zonefile</span></dt>
55e5c51e661e23e24573db84114a3837817745c9Evan Hunt<dd><p>
55e5c51e661e23e24573db84114a3837817745c9Evan Hunt The file containing the zone to be verified.
55e5c51e661e23e24573db84114a3837817745c9Evan Hunt </p></dd>
55e5c51e661e23e24573db84114a3837817745c9Evan Hunt</dl></div>
55e5c51e661e23e24573db84114a3837817745c9Evan Hunt</div>
55e5c51e661e23e24573db84114a3837817745c9Evan Hunt<div class="refsection">
55e5c51e661e23e24573db84114a3837817745c9Evan Hunt<a name="id-1.14.14.9"></a><h2>SEE ALSO</h2>
55e5c51e661e23e24573db84114a3837817745c9Evan Hunt<p>
55e5c51e661e23e24573db84114a3837817745c9Evan Hunt <span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
55e5c51e661e23e24573db84114a3837817745c9Evan Hunt <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
55e5c51e661e23e24573db84114a3837817745c9Evan Hunt <em class="citetitle">RFC 4033</em>.
55e5c51e661e23e24573db84114a3837817745c9Evan Hunt </p>
55e5c51e661e23e24573db84114a3837817745c9Evan Hunt</div>
55e5c51e661e23e24573db84114a3837817745c9Evan Hunt</div>
55e5c51e661e23e24573db84114a3837817745c9Evan Hunt<div class="navfooter">
55e5c51e661e23e24573db84114a3837817745c9Evan Hunt<hr>
55e5c51e661e23e24573db84114a3837817745c9Evan Hunt<table width="100%" summary="Navigation footer">
55e5c51e661e23e24573db84114a3837817745c9Evan Hunt<tr>
55e5c51e661e23e24573db84114a3837817745c9Evan Hunt<td width="40%" align="left">
55e5c51e661e23e24573db84114a3837817745c9Evan Hunt<a accesskey="p" href="man.dnssec-signzone.html">Prev</a>&nbsp;</td>
55e5c51e661e23e24573db84114a3837817745c9Evan Hunt<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch13.html">Up</a></td>
55e5c51e661e23e24573db84114a3837817745c9Evan Hunt<td width="40%" align="right">&nbsp;<a accesskey="n" href="man.lwresd.html">Next</a>
55e5c51e661e23e24573db84114a3837817745c9Evan Hunt</td>
55e5c51e661e23e24573db84114a3837817745c9Evan Hunt</tr>
55e5c51e661e23e24573db84114a3837817745c9Evan Hunt<tr>
55e5c51e661e23e24573db84114a3837817745c9Evan Hunt<td width="40%" align="left" valign="top">
55e5c51e661e23e24573db84114a3837817745c9Evan Hunt<span class="application">dnssec-signzone</span>&nbsp;</td>
55e5c51e661e23e24573db84114a3837817745c9Evan Hunt<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
55e5c51e661e23e24573db84114a3837817745c9Evan Hunt<td width="40%" align="right" valign="top">&nbsp;<span class="application">lwresd</span>
55e5c51e661e23e24573db84114a3837817745c9Evan Hunt</td>
55e5c51e661e23e24573db84114a3837817745c9Evan Hunt</tr>
55e5c51e661e23e24573db84114a3837817745c9Evan Hunt</table>
55e5c51e661e23e24573db84114a3837817745c9Evan Hunt</div>
55e5c51e661e23e24573db84114a3837817745c9Evan Hunt<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.0b2</p>
55e5c51e661e23e24573db84114a3837817745c9Evan Hunt</body>
55e5c51e661e23e24573db84114a3837817745c9Evan Hunt</html>
a6d43d18b1f6164fd144b2fa25ea57f5566b3bf9Evan Hunt