man.dnssec-verify.html revision 48cbc7cd1eb8e7620dce2b5cda587bbd3a459d59
 - Copyright (C) 2004-2013 Internet Systems Consortium, Inc. ("ISC")
 - Copyright (C) 2000-2003 Internet Software Consortium.
 - Permission to use, copy, modify, and/or distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<a name="man.dnssec-verify"></a><div class="titlepage"></div>
<p><span class="application">dnssec-verify</span> — DNSSEC zone verification tool</p>
<div class="cmdsynopsis"><p><code class="command">dnssec-verify</code> [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-I <em class="replaceable"><code>input-format</code></em></code>] [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-x</code>] [<code class="option">-z</code>] {zonefile}</p></div>
<p><span><strong class="command">dnssec-verify</strong></span>
 verifies that a zone is fully signed for each algorithm found
 in the DNSKEY RRset for the zone, and that the NSEC / NSEC3
 chains are complete.</p>
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
 Specifies the DNS class of the zone.
<dt><span class="term">-I <em class="replaceable"><code>input-format</code></em></span></dt>
 The format of the input zone file.
 Possible formats are <span><strong class="command">"text"</strong></span> (default)
 and <span><strong class="command">"raw"</strong></span>.
 This option is primarily intended to be used for dynamic
 signed zones so that the dumped zone file in a non-text
 format containing updates can be verified independently.
 The use of this option does not make much sense for
 non-dynamic zones.
<dt><span class="term">-o <em class="replaceable"><code>origin</code></em></span></dt>
 The zone origin. If not specified, the name of the zone file
 is assumed to be the origin.
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
 Sets the debugging level.
<dt><span class="term">-x</span></dt>
 Only verify that the DNSKEY RRset is signed with key-signing
 keys. Without this flag, it is assumed that the DNSKEY RRset
 will be signed by all active keys. When this flag is set,
 it will not be an error if the DNSKEY RRset is not signed
 by zone-signing keys. This corresponds to the <code class="option">-x</code>
 option in <span><strong class="command">dnssec-signzone</strong></span>.
<dt><span class="term">-z</span></dt>
 Ignore the KSK flag on the keys when determining whether
 the zone is correctly signed. Without this flag it is
 assumed that there will be a non-revoked, self-signed
 DNSKEY with the KSK flag set for each algorithm and
 that RRsets other than DNSKEY RRset will be signed with
 a different DNSKEY without the KSK flag set.
 With this flag set, we only require that for each algorithm,
 there will be at least one non-revoked, self-signed DNSKEY,
 regardless of the KSK flag state, and that other RRsets
 will be signed by a non-revoked key for the same algorithm
 that includes the self-signed key; the same key may be used
 for both purposes. This corresponds to the <code class="option">-z</code>
 option in <span><strong class="command">dnssec-signzone</strong></span>.
<dt><span class="term">zonefile</span></dt>
 The file containing the zone to be signed.
 <span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
 <em class="citetitle">BIND 9 Administrator Reference Manual</em>,