doc/arm/man.dnssec-verify.html

	man.dnssec-verify.html revision 53f41dd99da107af4e4e1e673d9c19a185463b24
60405de4d8688d96dd05157c28db3ade5c9bc234kz<!--
60405de4d8688d96dd05157c28db3ade5c9bc234kz - Copyright (C) 2004-2013 Internet Systems Consortium, Inc. ("ISC")
60405de4d8688d96dd05157c28db3ade5c9bc234kz - Copyright (C) 2000-2003 Internet Software Consortium.
60405de4d8688d96dd05157c28db3ade5c9bc234kz -
60405de4d8688d96dd05157c28db3ade5c9bc234kz - Permission to use, copy, modify, and/or distribute this software for any
60405de4d8688d96dd05157c28db3ade5c9bc234kz - purpose with or without fee is hereby granted, provided that the above
60405de4d8688d96dd05157c28db3ade5c9bc234kz - copyright notice and this permission notice appear in all copies.
60405de4d8688d96dd05157c28db3ade5c9bc234kz -
60405de4d8688d96dd05157c28db3ade5c9bc234kz - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
60405de4d8688d96dd05157c28db3ade5c9bc234kz - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
60405de4d8688d96dd05157c28db3ade5c9bc234kz - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
60405de4d8688d96dd05157c28db3ade5c9bc234kz - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
60405de4d8688d96dd05157c28db3ade5c9bc234kz - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
60405de4d8688d96dd05157c28db3ade5c9bc234kz - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
60405de4d8688d96dd05157c28db3ade5c9bc234kz - PERFORMANCE OF THIS SOFTWARE.
60405de4d8688d96dd05157c28db3ade5c9bc234kz-->
60405de4d8688d96dd05157c28db3ade5c9bc234kz<!-- $Id$ -->
60405de4d8688d96dd05157c28db3ade5c9bc234kz<html>
60405de4d8688d96dd05157c28db3ade5c9bc234kz<head>
60405de4d8688d96dd05157c28db3ade5c9bc234kz<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
60405de4d8688d96dd05157c28db3ade5c9bc234kz<title>dnssec-verify</title>
60405de4d8688d96dd05157c28db3ade5c9bc234kz<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
60405de4d8688d96dd05157c28db3ade5c9bc234kz<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
60405de4d8688d96dd05157c28db3ade5c9bc234kz<link rel="up" href="Bv9ARM.ch10.html" title="Manual pages">
60405de4d8688d96dd05157c28db3ade5c9bc234kz<link rel="prev" href="man.dnssec-signzone.html" title="dnssec-signzone">
60405de4d8688d96dd05157c28db3ade5c9bc234kz<link rel="next" href="man.named-checkconf.html" title="named-checkconf">
60405de4d8688d96dd05157c28db3ade5c9bc234kz</head>
60405de4d8688d96dd05157c28db3ade5c9bc234kz<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
60405de4d8688d96dd05157c28db3ade5c9bc234kz<div class="navheader">
60405de4d8688d96dd05157c28db3ade5c9bc234kz<table width="100%" summary="Navigation header">
60405de4d8688d96dd05157c28db3ade5c9bc234kz<tr><th colspan="3" align="center"><span class="application">dnssec-verify</span></th></tr>
60405de4d8688d96dd05157c28db3ade5c9bc234kz<tr>
60405de4d8688d96dd05157c28db3ade5c9bc234kz<td width="20%" align="left">
60405de4d8688d96dd05157c28db3ade5c9bc234kz<a accesskey="p" href="man.dnssec-signzone.html">Prev</a>�</td>
60405de4d8688d96dd05157c28db3ade5c9bc234kz<th width="60%" align="center">Manual pages</th>
60405de4d8688d96dd05157c28db3ade5c9bc234kz<td width="20%" align="right">�<a accesskey="n" href="man.named-checkconf.html">Next</a>
60405de4d8688d96dd05157c28db3ade5c9bc234kz</td>
60405de4d8688d96dd05157c28db3ade5c9bc234kz</tr>
60405de4d8688d96dd05157c28db3ade5c9bc234kz</table>
60405de4d8688d96dd05157c28db3ade5c9bc234kz<hr>
60405de4d8688d96dd05157c28db3ade5c9bc234kz</div>
60405de4d8688d96dd05157c28db3ade5c9bc234kz<div class="refentry" lang="en">
60405de4d8688d96dd05157c28db3ade5c9bc234kz<a name="man.dnssec-verify"></a><div class="titlepage"></div>
60405de4d8688d96dd05157c28db3ade5c9bc234kz<div class="refnamediv">
60405de4d8688d96dd05157c28db3ade5c9bc234kz<h2>Name</h2>
60405de4d8688d96dd05157c28db3ade5c9bc234kz<p><span class="application">dnssec-verify</span> &#8212; DNSSEC zone verification tool</p>
60405de4d8688d96dd05157c28db3ade5c9bc234kz</div>
60405de4d8688d96dd05157c28db3ade5c9bc234kz<div class="refsynopsisdiv">
60405de4d8688d96dd05157c28db3ade5c9bc234kz<h2>Synopsis</h2>
60405de4d8688d96dd05157c28db3ade5c9bc234kz<div class="cmdsynopsis"><p><code class="command">dnssec-verify</code>  [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-I <em class="replaceable"><code>input-format</code></em></code>] [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-x</code>] [<code class="option">-z</code>] {zonefile}</p></div>
60405de4d8688d96dd05157c28db3ade5c9bc234kz</div>
60405de4d8688d96dd05157c28db3ade5c9bc234kz<div class="refsect1" lang="en">
60405de4d8688d96dd05157c28db3ade5c9bc234kz<a name="id2622664"></a><h2>DESCRIPTION</h2>
60405de4d8688d96dd05157c28db3ade5c9bc234kz<p><span><strong class="command">dnssec-verify</strong></span>
60405de4d8688d96dd05157c28db3ade5c9bc234kz      verifies that a zone is fully signed for each algorithm found
60405de4d8688d96dd05157c28db3ade5c9bc234kz      in the DNSKEY RRset for the zone, and that the NSEC / NSEC3
60405de4d8688d96dd05157c28db3ade5c9bc234kz      chains are complete.
60405de4d8688d96dd05157c28db3ade5c9bc234kz    </p>
60405de4d8688d96dd05157c28db3ade5c9bc234kz</div>
60405de4d8688d96dd05157c28db3ade5c9bc234kz<div class="refsect1" lang="en">
60405de4d8688d96dd05157c28db3ade5c9bc234kz<a name="id2622678"></a><h2>OPTIONS</h2>
60405de4d8688d96dd05157c28db3ade5c9bc234kz<div class="variablelist"><dl>
60405de4d8688d96dd05157c28db3ade5c9bc234kz<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
60405de4d8688d96dd05157c28db3ade5c9bc234kz<dd><p>
60405de4d8688d96dd05157c28db3ade5c9bc234kz            Specifies the DNS class of the zone.
60405de4d8688d96dd05157c28db3ade5c9bc234kz          </p></dd>
60405de4d8688d96dd05157c28db3ade5c9bc234kz<dt><span class="term">-I <em class="replaceable"><code>input-format</code></em></span></dt>
60405de4d8688d96dd05157c28db3ade5c9bc234kz<dd><p>
60405de4d8688d96dd05157c28db3ade5c9bc234kz            The format of the input zone file.
60405de4d8688d96dd05157c28db3ade5c9bc234kz        Possible formats are <span><strong class="command">"text"</strong></span> (default)
60405de4d8688d96dd05157c28db3ade5c9bc234kz        and <span><strong class="command">"raw"</strong></span>.
60405de4d8688d96dd05157c28db3ade5c9bc234kz        This option is primarily intended to be used for dynamic
60405de4d8688d96dd05157c28db3ade5c9bc234kz            signed zones so that the dumped zone file in a non-text
60405de4d8688d96dd05157c28db3ade5c9bc234kz            format containing updates can be verified independently.
60405de4d8688d96dd05157c28db3ade5c9bc234kz        The use of this option does not make much sense for
60405de4d8688d96dd05157c28db3ade5c9bc234kz        non-dynamic zones.
60405de4d8688d96dd05157c28db3ade5c9bc234kz          </p></dd>
60405de4d8688d96dd05157c28db3ade5c9bc234kz<dt><span class="term">-o <em class="replaceable"><code>origin</code></em></span></dt>
60405de4d8688d96dd05157c28db3ade5c9bc234kz<dd><p>
60405de4d8688d96dd05157c28db3ade5c9bc234kz            The zone origin.  If not specified, the name of the zone file
60405de4d8688d96dd05157c28db3ade5c9bc234kz            is assumed to be the origin.
60405de4d8688d96dd05157c28db3ade5c9bc234kz          </p></dd>
60405de4d8688d96dd05157c28db3ade5c9bc234kz<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
60405de4d8688d96dd05157c28db3ade5c9bc234kz<dd><p>
60405de4d8688d96dd05157c28db3ade5c9bc234kz            Sets the debugging level.
60405de4d8688d96dd05157c28db3ade5c9bc234kz          </p></dd>
60405de4d8688d96dd05157c28db3ade5c9bc234kz<dt><span class="term">-x</span></dt>
60405de4d8688d96dd05157c28db3ade5c9bc234kz<dd><p>
60405de4d8688d96dd05157c28db3ade5c9bc234kz            Only verify that the DNSKEY RRset is signed with key-signing
60405de4d8688d96dd05157c28db3ade5c9bc234kz            keys.  Without this flag, it is assumed that the DNSKEY RRset
60405de4d8688d96dd05157c28db3ade5c9bc234kz            will be signed by all active keys.  When this flag is set,
60405de4d8688d96dd05157c28db3ade5c9bc234kz            it will not be an error if the DNSKEY RRset is not signed
60405de4d8688d96dd05157c28db3ade5c9bc234kz            by zone-signing keys.  This corresponds to the <code class="option">-x</code>
60405de4d8688d96dd05157c28db3ade5c9bc234kz            option in <span><strong class="command">dnssec-signzone</strong></span>.
60405de4d8688d96dd05157c28db3ade5c9bc234kz          </p></dd>
60405de4d8688d96dd05157c28db3ade5c9bc234kz<dt><span class="term">-z</span></dt>
60405de4d8688d96dd05157c28db3ade5c9bc234kz<dd>
60405de4d8688d96dd05157c28db3ade5c9bc234kz<p>
60405de4d8688d96dd05157c28db3ade5c9bc234kz        Ignore the KSK flag on the keys when determining whether
60405de4d8688d96dd05157c28db3ade5c9bc234kz            the zone if correctly signed.  Without this flag it is
60405de4d8688d96dd05157c28db3ade5c9bc234kz        assumed that there will be a non-revoked, self-signed
60405de4d8688d96dd05157c28db3ade5c9bc234kz        DNSKEY with the KSK flag set for each algorithm and
60405de4d8688d96dd05157c28db3ade5c9bc234kz        that RRsets other than DNSKEY RRset will be signed with
60405de4d8688d96dd05157c28db3ade5c9bc234kz            a different DNSKEY without the KSK flag set.
60405de4d8688d96dd05157c28db3ade5c9bc234kz      </p>
60405de4d8688d96dd05157c28db3ade5c9bc234kz<p>
60405de4d8688d96dd05157c28db3ade5c9bc234kz        With this flag set, we only require that for each algorithm,
60405de4d8688d96dd05157c28db3ade5c9bc234kz            there will be at least one non-revoked, self-signed DNSKEY,
60405de4d8688d96dd05157c28db3ade5c9bc234kz            regardless of the KSK flag state, and that other RRsets
60405de4d8688d96dd05157c28db3ade5c9bc234kz        will be signed by a non-revoked key for the same algorithm
60405de4d8688d96dd05157c28db3ade5c9bc234kz            that includes the self-signed key; the same key may be used
60405de4d8688d96dd05157c28db3ade5c9bc234kz            for both purposes.  This corresponds to the <code class="option">-z</code>
60405de4d8688d96dd05157c28db3ade5c9bc234kz            option in <span><strong class="command">dnssec-signzone</strong></span>.
60405de4d8688d96dd05157c28db3ade5c9bc234kz      </p>
60405de4d8688d96dd05157c28db3ade5c9bc234kz</dd>
60405de4d8688d96dd05157c28db3ade5c9bc234kz<dt><span class="term">zonefile</span></dt>
60405de4d8688d96dd05157c28db3ade5c9bc234kz<dd><p>
60405de4d8688d96dd05157c28db3ade5c9bc234kz            The file containing the zone to be signed.
60405de4d8688d96dd05157c28db3ade5c9bc234kz          </p></dd>
60405de4d8688d96dd05157c28db3ade5c9bc234kz</dl></div>
60405de4d8688d96dd05157c28db3ade5c9bc234kz</div>
60405de4d8688d96dd05157c28db3ade5c9bc234kz<div class="refsect1" lang="en">
60405de4d8688d96dd05157c28db3ade5c9bc234kz<a name="id2624329"></a><h2>SEE ALSO</h2>
60405de4d8688d96dd05157c28db3ade5c9bc234kz<p>
60405de4d8688d96dd05157c28db3ade5c9bc234kz      <span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
60405de4d8688d96dd05157c28db3ade5c9bc234kz      <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
60405de4d8688d96dd05157c28db3ade5c9bc234kz      <em class="citetitle">RFC 4033</em>.
60405de4d8688d96dd05157c28db3ade5c9bc234kz    </p>
60405de4d8688d96dd05157c28db3ade5c9bc234kz</div>
60405de4d8688d96dd05157c28db3ade5c9bc234kz<div class="refsect1" lang="en">
60405de4d8688d96dd05157c28db3ade5c9bc234kz<a name="id2624355"></a><h2>AUTHOR</h2>
60405de4d8688d96dd05157c28db3ade5c9bc234kz<p><span class="corpauthor">Internet Systems Consortium</span>
60405de4d8688d96dd05157c28db3ade5c9bc234kz    </p>
60405de4d8688d96dd05157c28db3ade5c9bc234kz</div>
60405de4d8688d96dd05157c28db3ade5c9bc234kz</div>
60405de4d8688d96dd05157c28db3ade5c9bc234kz<div class="navfooter">
60405de4d8688d96dd05157c28db3ade5c9bc234kz<hr>
60405de4d8688d96dd05157c28db3ade5c9bc234kz<table width="100%" summary="Navigation footer">
60405de4d8688d96dd05157c28db3ade5c9bc234kz<tr>
60405de4d8688d96dd05157c28db3ade5c9bc234kz<td width="40%" align="left">
60405de4d8688d96dd05157c28db3ade5c9bc234kz<a accesskey="p" href="man.dnssec-signzone.html">Prev</a>�</td>
60405de4d8688d96dd05157c28db3ade5c9bc234kz<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch10.html">Up</a></td>
60405de4d8688d96dd05157c28db3ade5c9bc234kz<td width="40%" align="right">�<a accesskey="n" href="man.named-checkconf.html">Next</a>
60405de4d8688d96dd05157c28db3ade5c9bc234kz</td>
60405de4d8688d96dd05157c28db3ade5c9bc234kz</tr>
60405de4d8688d96dd05157c28db3ade5c9bc234kz<tr>
60405de4d8688d96dd05157c28db3ade5c9bc234kz<td width="40%" align="left" valign="top">
60405de4d8688d96dd05157c28db3ade5c9bc234kz<span class="application">dnssec-signzone</span>�</td>
60405de4d8688d96dd05157c28db3ade5c9bc234kz<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
60405de4d8688d96dd05157c28db3ade5c9bc234kz<td width="40%" align="right" valign="top">�<span class="application">named-checkconf</span>
60405de4d8688d96dd05157c28db3ade5c9bc234kz</td>
60405de4d8688d96dd05157c28db3ade5c9bc234kz</tr>
60405de4d8688d96dd05157c28db3ade5c9bc234kz</table>
60405de4d8688d96dd05157c28db3ade5c9bc234kz</div>
60405de4d8688d96dd05157c28db3ade5c9bc234kz</body>
60405de4d8688d96dd05157c28db3ade5c9bc234kz</html>
60405de4d8688d96dd05157c28db3ade5c9bc234kz