<!--
 - Copyright (C) 2004-2015 Internet Systems Consortium, Inc. ("ISC")
 - Copyright (C) 2000-2003 Internet Software Consortium.
 -
 - Permission to use, copy, modify, and/or distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 -
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id$ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>dnssec-verify</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
<link rel="prev" href="man.dnssec-signzone.html" title="dnssec-signzone">
<link rel="next" href="man.named-checkconf.html" title="named-checkconf">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<div class="refentry" lang="en">
<a name="man.dnssec-verify"></a><div class="titlepage"></div>
<div class="refnamediv">
<h2>Name</h2>
<p><span class="application">dnssec-verify</span> &#8212; DNSSEC zone verification tool</p>
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p><code class="command">dnssec-verify</code> [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-I <em class="replaceable"><code>input-format</code></em></code>] [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-V</code>] [<code class="option">-x</code>] [<code class="option">-z</code>] {zonefile}</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2645095"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">dnssec-verify</strong></span>
 verifies that a zone is fully signed for each algorithm found
 in the DNSKEY RRset for the zone, and that the NSEC / NSEC3
 chains are complete.
 </p>
</div>
<div class="refsect1" lang="en">
<a name="id2645109"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
<dd><p>
 Specifies the DNS class of the zone.
 </p></dd>
<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
<dd>
<p>
 Specifies the cryptographic hardware to use, when applicable.
 </p>
<p>
 When BIND is built with OpenSSL PKCS#11 support, this defaults
 to the string "pkcs11", which identifies an OpenSSL engine
 that can drive a cryptographic accelerator or hardware security
 module. When BIND is built with native PKCS#11 cryptography
 (--enable-native-pkcs11), it defaults to the path of the PKCS#11
 provider library specified via "--with-pkcs11".
 </p>
</dd>
<dt><span class="term">-I <em class="replaceable"><code>input-format</code></em></span></dt>
<dd><p>
 The format of the input zone file.
 Possible formats are <span><strong class="command">"text"</strong></span> (default)
 and <span><strong class="command">"raw"</strong></span>.
 This option is primarily intended to be used for dynamic
 signed zones so that the dumped zone file in a non-text
 format containing updates can be verified independently.
 The use of this option does not make much sense for
 non-dynamic zones.
 </p></dd>
<dt><span class="term">-o <em class="replaceable"><code>origin</code></em></span></dt>
<dd><p>
 The zone origin. If not specified, the name of the zone file
 is assumed to be the origin.
 </p></dd>
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
<dd><p>
Sets the debugging level.
</p></dd>
<dt><span class="term">-V</span></dt>
<dd><p>
Prints version information.
</p></dd>
<dt><span class="term">-x</span></dt>
<dd><p>
Only verify that the DNSKEY RRset is signed with key-signing
keys. Without this flag, it is assumed that the DNSKEY RRset
will be signed by all active keys. When this flag is set,
it will not be an error if the DNSKEY RRset is not signed
by zone-signing keys. This corresponds to the <code class="option">-x</code>
option in <span><strong class="command">dnssec-signzone</strong></span>.
</p></dd>
<dt><span class="term">-z</span></dt>
<dd>
<p>
Ignore the KSK flag on the keys when determining whether
the zone is correctly signed. Without this flag, it is
assumed that there will be a non-revoked, self-signed
DNSKEY with the KSK flag set for each algorithm and
that RRsets other than the DNSKEY RRset will be signed with
a different DNSKEY without the KSK flag set.
</p>
<p>
With this flag set, we only require that for each algorithm,
there will be at least one non-revoked, self-signed DNSKEY,
regardless of the KSK flag state, and that other RRsets
will be signed by a non-revoked key for the same algorithm
that includes the self-signed key; the same key may be used
for both purposes. This corresponds to the <code class="option">-z</code>
option in <span><strong class="command">dnssec-signzone</strong></span>.
</p>
</dd>
<dt><span class="term">zonefile</span></dt>
<dd><p>
The file containing the signed zone to be verified.
</p></dd>
</dl></div>
</div>
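<p>
The key-role rules that <code class="option">-x</code> and <code class="option">-z</code> relax, written out as a small Python model. This is an added example, not BIND's code and not part of the original manual. It assumes signatures have already been validated and are supplied as sets of key tags, and that every non-revoked key counts as active; <code>Key</code>, <code>check_roles</code>, the key tags and the zone names are constructed for illustration.
</p>

```python
from dataclasses import dataclass

SEP, REVOKE = 0x0001, 0x0080  # DNSKEY flag bits: "KSK flag" (RFC 4034), revoked (RFC 5011)

@dataclass(frozen=True)
class Key:
    tag: int
    alg: int
    flags: int

def check_roles(keys, dnskey_signers, data_signers, x=False, z=False):
    """Model of the -x / -z rules; returns a list of problems (empty = pass).

    dnskey_signers: key tags with a valid RRSIG over the DNSKEY RRset.
    data_signers:   {rrset: key tags with a valid RRSIG over that RRset}.
    Assumption: signatures were already validated; non-revoked == active.
    """
    problems = []
    for alg in sorted({k.alg for k in keys}):
        live = [k for k in keys if k.alg == alg and not k.flags & REVOKE]
        # Need a self-signed key, and it must be KSK-flagged unless -z is set.
        if not any(k.tag in dnskey_signers and (z or k.flags & SEP) for k in live):
            problems.append(f"alg {alg}: no self-signed {'DNSKEY' if z else 'KSK'}")
        # Without -x, every active key must sign the DNSKEY RRset.
        if not x:
            problems += [f"alg {alg}: DNSKEY RRset not signed by {k.tag}"
                         for k in live if k.tag not in dnskey_signers]
        # Other RRsets: signed by a non-KSK key, or by any live key under -z.
        signers = {k.tag for k in live if z or not k.flags & SEP}
        problems += [f"alg {alg}: {name} has no usable signature"
                     for name, tags in sorted(data_signers.items())
                     if not signers & set(tags)]
    return problems

# Constructed sample: split KSK/ZSK zone where only the KSK signs the DNSKEY RRset.
SPLIT = dict(keys=[Key(11111, 13, 257), Key(22222, 13, 256)],
             dnskey_signers={11111},
             data_signers={"example. SOA": {22222}, "www.example. A": {22222}})
# Constructed sample: one key with the KSK flag clear signs everything.
SINGLE = dict(keys=[Key(33333, 13, 256)],
              dnskey_signers={33333},
              data_signers={"example. SOA": {33333}})

if __name__ == "__main__":
    for name, zone in (("split", SPLIT), ("single", SINGLE)):
        for opts in ({}, {"x": True}, {"z": True}):
            print(name, opts, check_roles(**zone, **opts))
```

<p>
In this model the split-key zone passes only with <code class="option">-x</code>, and the single-key zone passes only with <code class="option">-z</code>, so the flags given to the verifier should match those used when the zone was signed.
</p>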
<div class="refsect1" lang="en">
<a name="id2645292"></a><h2>SEE ALSO</h2>
<p>
<span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
<em class="citetitle">RFC 4033</em>.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2645318"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
</div>
<p style="text-align: center;">BIND 9.11.0pre-alpha</p>
</body>
</html>