man.dnssec-verify.html revision 3afd0ff6628df1e7e20161e4afa99469a1195a5b
<!--
 - Copyright (C) 2004-2013 Internet Systems Consortium, Inc. ("ISC")
 - Copyright (C) 2000-2003 Internet Software Consortium.
 -
 - Permission to use, copy, modify, and/or distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 -
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id$ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>dnssec-verify</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.ch10.html" title="Manual pages">
<link rel="prev" href="man.dnssec-signzone.html" title="dnssec-signzone">
<link rel="next" href="man.named-checkconf.html" title="named-checkconf">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<div class="refentry" lang="en">
<a name="man.dnssec-verify"></a><div class="titlepage"></div>
<div class="refnamediv">
<h2>Name</h2>
<p><span class="application">dnssec-verify</span> &#8212; DNSSEC zone verification tool</p>
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p><code class="command">dnssec-verify</code> [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-I <em class="replaceable"><code>input-format</code></em></code>] [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-x</code>] [<code class="option">-z</code>] {zonefile}</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2622340"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">dnssec-verify</strong></span>
 verifies that a zone is fully signed for each algorithm found
 in the DNSKEY RRset for the zone, and that the NSEC / NSEC3
 chains are complete.
 </p>
</div>
<div class="refsect1" lang="en">
<a name="id2622354"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
<dd><p>
 Specifies the DNS class of the zone.
 </p></dd>
<dt><span class="term">-I <em class="replaceable"><code>input-format</code></em></span></dt>
<dd><p>
 The format of the input zone file.
 Possible formats are <span><strong class="command">"text"</strong></span> (default)
and <span><strong class="command">"raw"</strong></span>.
This option is primarily intended to be used for dynamic
signed zones so that the dumped zone file in a non-text
format containing updates can be verified independently.
The use of this option does not make much sense for
non-dynamic zones.
</p></dd>
<dt><span class="term">-o <em class="replaceable"><code>origin</code></em></span></dt>
<dd><p>
The zone origin. If not specified, the name of the zone file
is assumed to be the origin.
</p></dd>
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
<dd><p>
Sets the debugging level.
</p></dd>
<dt><span class="term">-x</span></dt>
<dd><p>
Only verify that the DNSKEY RRset is signed with key-signing
keys. Without this flag, it is assumed that the DNSKEY RRset
will be signed by all active keys. When this flag is set,
it will not be an error if the DNSKEY RRset is not signed
by zone-signing keys. This corresponds to the <code class="option">-x</code>
option in <span><strong class="command">dnssec-signzone</strong></span>.
</p></dd>
<dt><span class="term">-z</span></dt>
<dd>
<p>
Ignore the KSK flag on the keys when determining whether
the zone is correctly signed. Without this flag it is
assumed that there will be a non-revoked, self-signed
DNSKEY with the KSK flag set for each algorithm and
that RRsets other than DNSKEY RRset will be signed with
a different DNSKEY without the KSK flag set.
</p>
<p>
With this flag set, we only require that for each algorithm,
there will be at least one non-revoked, self-signed DNSKEY,
regardless of the KSK flag state, and that other RRsets
will be signed by a non-revoked key for the same algorithm
that includes the self-signed key; the same key may be used
for both purposes. This corresponds to the <code class="option">-z</code>
option in <span><strong class="command">dnssec-signzone</strong></span>.
</p>
</dd>
<dt><span class="term">zonefile</span></dt>
<dd><p>
The file containing the zone to be signed.
</p></dd>
</dl></div>
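<p>The key-role rules described for <code class="option">-x</code> and <code class="option">-z</code>, written out as a small Python model. This is an added example, not BIND code: it follows only the wording of this page, and the <code>Key</code> class, the <code>check_keys</code> function, the key tags and the way the two flags combine are assumptions.</p>

```python
from dataclasses import dataclass

KSK_FLAG = 0x0001     # SEP bit in DNSKEY flags (RFC 4034): 257 = KSK, 256 = ZSK
REVOKE_FLAG = 0x0080  # REVOKE bit (RFC 5011)

@dataclass(frozen=True)
class Key:
    tag: int        # constructed identifier, standing in for a key tag
    algorithm: int
    flags: int

    @property
    def ksk(self):
        return bool(self.flags & KSK_FLAG)

    @property
    def revoked(self):
        return bool(self.flags & REVOKE_FLAG)

def check_keys(keys, dnskey_signers, data_signers, x=False, z=False):
    """Return policy errors (an empty list means the key roles pass).

    dnskey_signers: tags of keys signing the DNSKEY RRset.
    data_signers: tags of keys signing every other RRset.
    """
    errors = []
    for alg in sorted({k.algorithm for k in keys}):
        live = [k for k in keys if k.algorithm == alg and not k.revoked]
        # Default: need a self-signed key with the KSK flag; -z ignores the flag.
        if not any(k.tag in dnskey_signers and (z or k.ksk) for k in live):
            errors.append(f"alg {alg}: no non-revoked self-signed "
                          + ("DNSKEY" if z else "KSK"))
        # Default: other RRsets need a key without the KSK flag; -z takes any.
        if not any(k.tag in data_signers and (z or not k.ksk) for k in live):
            errors.append(f"alg {alg}: other RRsets lack a valid signing key")
        # Without -x every active key is expected to sign the DNSKEY RRset.
        if not x:
            errors += [f"alg {alg}: key {k.tag} does not sign DNSKEY RRset"
                       for k in live if k.tag not in dnskey_signers]
    return errors

# Constructed sample keys (algorithm 13 = ECDSAP256SHA256).
KSK, ZSK, CSK = Key(1001, 13, 257), Key(2002, 13, 256), Key(3003, 13, 257)

if __name__ == "__main__":
    print(check_keys([KSK, ZSK], {1001}, {2002}))          # split keys, no -x
    print(check_keys([KSK, ZSK], {1001}, {2002}, x=True))  # split keys, -x
    print(check_keys([CSK], {3003}, {3003}))               # single key, no -z
    print(check_keys([CSK], {3003}, {3003}, z=True))       # single key, -z
```

<p>A zone whose DNSKEY RRset is signed only by the KSK passes the model only with <code>x=True</code>, and a zone signed throughout by one key passes only with <code>z=True</code>, mirroring the pairing with the same options in <span><strong class="command">dnssec-signzone</strong></span>.</p>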
</div>
<div class="refsect1" lang="en">
<a name="id2622571"></a><h2>SEE ALSO</h2>
<p>
<span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
<em class="citetitle">RFC 4033</em>.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2622597"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
</div>
</body>
</html>