man.dnssec-verify.html revision 53f41dd99da107af4e4e1e673d9c19a185463b24
d6fa26d0adaec6c910115be34fe7a5a5f402c14fMark Andrews<!--
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - Copyright (C) 2004-2013 Internet Systems Consortium, Inc. ("ISC")
71cef386fae61275b03e203825680b39fedaa8c6Tinderbox User - Copyright (C) 2000-2003 Internet Software Consortium.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein -
5347c0fcb04eaea19d9f39795646239f487c6207Tinderbox User - Permission to use, copy, modify, and/or distribute this software for any
5347c0fcb04eaea19d9f39795646239f487c6207Tinderbox User - purpose with or without fee is hereby granted, provided that the above
5347c0fcb04eaea19d9f39795646239f487c6207Tinderbox User - copyright notice and this permission notice appear in all copies.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein -
d6fa26d0adaec6c910115be34fe7a5a5f402c14fMark Andrews - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - PERFORMANCE OF THIS SOFTWARE.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein-->
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<!-- $Id$ -->
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<html>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<head>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<title>dnssec-verify</title>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<link rel="up" href="Bv9ARM.ch10.html" title="Manual pages">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<link rel="prev" href="man.dnssec-signzone.html" title="dnssec-signzone">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<link rel="next" href="man.named-checkconf.html" title="named-checkconf">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</head>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="navheader">
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User<table width="100%" summary="Navigation header">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<tr><th colspan="3" align="center"><span class="application">dnssec-verify</span></th></tr>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<tr>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<td width="20%" align="left">
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User<a accesskey="p" href="man.dnssec-signzone.html">Prev</a>&nbsp;</td>
0b89eee6167201843c9a46b7e7c63cb1e4e09ba3Tinderbox User<th width="60%" align="center">Manual pages</th>
71cef386fae61275b03e203825680b39fedaa8c6Tinderbox User<td width="20%" align="right">&nbsp;<a accesskey="n" href="man.named-checkconf.html">Next</a>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</td>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</tr>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</table>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<hr>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</div>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User<div class="refentry" lang="en">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<a name="man.dnssec-verify"></a><div class="titlepage"></div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="refnamediv">
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User<h2>Name</h2>
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User<p><span class="application">dnssec-verify</span> &#8212; DNSSEC zone verification tool</p>
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User</div>
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User<div class="refsynopsisdiv">
010a51c427bfb6ab658fc0056955a1a5b69810beTinderbox User<h2>Synopsis</h2>
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User<div class="cmdsynopsis"><p><code class="command">dnssec-verify</code> [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-I <em class="replaceable"><code>input-format</code></em></code>] [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-x</code>] [<code class="option">-z</code>] {zonefile}</p></div>
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User</div>
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User<div class="refsect1" lang="en">
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User<a name="id2622664"></a><h2>DESCRIPTION</h2>
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User<p><span><strong class="command">dnssec-verify</strong></span>
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User verifies that a zone is fully signed for each algorithm found
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein in the DNSKEY RRset for the zone, and that the NSEC / NSEC3
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein chains are complete.
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</div>
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User<div class="refsect1" lang="en">
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User<a name="id2622678"></a><h2>OPTIONS</h2>
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User<div class="variablelist"><dl>
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User<dd><p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Specifies the DNS class of the zone.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </p></dd>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dt><span class="term">-I <em class="replaceable"><code>input-format</code></em></span></dt>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<dd><p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein The format of the input zone file.
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User Possible formats are <span><strong class="command">"text"</strong></span> (default)
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User and <span><strong class="command">"raw"</strong></span>.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein This option is primarily intended to be used for dynamic
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User signed zones so that the dumped zone file in a non-text
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User format containing updates can be verified independently.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein The use of this option does not make much sense for
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User non-dynamic zones.
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User </p></dd>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dt><span class="term">-o <em class="replaceable"><code>origin</code></em></span></dt>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dd><p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein The zone origin. If not specified, the name of the zone file
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein is assumed to be the origin.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt </p></dd>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<dd><p>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt Sets the debugging level.
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User </p></dd>
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User<dt><span class="term">-x</span></dt>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<dd><p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Only verify that the DNSKEY RRset is signed with key-signing
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User keys. Without this flag, it is assumed that the DNSKEY RRset
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User will be signed by all active keys. When this flag is set,
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User it will not be an error if the DNSKEY RRset is not signed
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User by zone-signing keys. This corresponds to the <code class="option">-x</code>
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User option in <span><strong class="command">dnssec-signzone</strong></span>.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </p></dd>
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User<dt><span class="term">-z</span></dt>
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User<dd>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Ignore the KSK flag on the keys when determining whether
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User the zone is correctly signed. Without this flag it is
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User assumed that there will be a non-revoked, self-signed
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User DNSKEY with the KSK flag set for each algorithm and
44d0f0256fbdce130a18655023c3b06bacacbd61Automatic Updater that RRsets other than the DNSKEY RRset will be signed with
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt a different DNSKEY without the KSK flag set.
6f64d4ab8e68f9b2333bcbfc755396d29a4a9d7cAutomatic Updater </p>
17fdbf542a0db30107b200403c51a72fe62c218dTinderbox User<p>
17fdbf542a0db30107b200403c51a72fe62c218dTinderbox User With this flag set, we only require that for each algorithm,
17fdbf542a0db30107b200403c51a72fe62c218dTinderbox User there will be at least one non-revoked, self-signed DNSKEY,
17fdbf542a0db30107b200403c51a72fe62c218dTinderbox User regardless of the KSK flag state, and that other RRsets
17fdbf542a0db30107b200403c51a72fe62c218dTinderbox User will be signed by a non-revoked key for the same algorithm
17fdbf542a0db30107b200403c51a72fe62c218dTinderbox User that includes the self-signed key; the same key may be used
17fdbf542a0db30107b200403c51a72fe62c218dTinderbox User for both purposes. This corresponds to the <code class="option">-z</code>
17fdbf542a0db30107b200403c51a72fe62c218dTinderbox User option in <span><strong class="command">dnssec-signzone</strong></span>.
17fdbf542a0db30107b200403c51a72fe62c218dTinderbox User </p>
17fdbf542a0db30107b200403c51a72fe62c218dTinderbox User</dd>
17fdbf542a0db30107b200403c51a72fe62c218dTinderbox User<dt><span class="term">zonefile</span></dt>
17fdbf542a0db30107b200403c51a72fe62c218dTinderbox User<dd><p>
17fdbf542a0db30107b200403c51a72fe62c218dTinderbox User The file containing the zone to be verified.
6f64d4ab8e68f9b2333bcbfc755396d29a4a9d7cAutomatic Updater </p></dd>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt</dl></div>
44d0f0256fbdce130a18655023c3b06bacacbd61Automatic Updater</div>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User<div class="refsect1" lang="en">
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User<a name="id2624329"></a><h2>SEE ALSO</h2>
bbbf2e27d3a981163dab139497d6b2dc85449db0Tinderbox User<p>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
bbbf2e27d3a981163dab139497d6b2dc85449db0Tinderbox User <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User <em class="citetitle">RFC 4033</em>.
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User </p>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User</div>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User<div class="refsect1" lang="en">
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User<a name="id2624355"></a><h2>AUTHOR</h2>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User<p><span class="corpauthor">Internet Systems Consortium</span>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User </p>
44d0f0256fbdce130a18655023c3b06bacacbd61Automatic Updater</div>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt</div>
44d0f0256fbdce130a18655023c3b06bacacbd61Automatic Updater<div class="navfooter">
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User<hr>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User<table width="100%" summary="Navigation footer">
bcf15a19ae0efa72a22cdfb50666a3c6ce39eb9fTinderbox User<tr>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<td width="40%" align="left">
bcf15a19ae0efa72a22cdfb50666a3c6ce39eb9fTinderbox User<a accesskey="p" href="man.dnssec-signzone.html">Prev</a>&nbsp;</td>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch10.html">Up</a></td>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User<td width="40%" align="right">&nbsp;<a accesskey="n" href="man.named-checkconf.html">Next</a>
983df82baf1d7d0b668c98cf45928a19f175c6e7Tinderbox User</td>
260e8e04b0dc24cb884c789b5d9eb046457f264eTinderbox User</tr>
260e8e04b0dc24cb884c789b5d9eb046457f264eTinderbox User<tr>
260e8e04b0dc24cb884c789b5d9eb046457f264eTinderbox User<td width="40%" align="left" valign="top">
260e8e04b0dc24cb884c789b5d9eb046457f264eTinderbox User<span class="application">dnssec-signzone</span>&nbsp;</td>
260e8e04b0dc24cb884c789b5d9eb046457f264eTinderbox User<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
260e8e04b0dc24cb884c789b5d9eb046457f264eTinderbox User<td width="40%" align="right" valign="top">&nbsp;<span class="application">named-checkconf</span>
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User</td>
983df82baf1d7d0b668c98cf45928a19f175c6e7Tinderbox User</tr>
260e8e04b0dc24cb884c789b5d9eb046457f264eTinderbox User</table>
260e8e04b0dc24cb884c789b5d9eb046457f264eTinderbox User</div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</body>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</html>
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews