63f0e65a37b95621334db9ee4ba0cd9d826f5c0fChristian Maeder<html>

a1ed34933c266ce85066acb0d7b20c90cb8eb213Christian Maeder<head>

c0c2380bced8159ff0297ece14eba948bd236471Christian Maeder<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">

404166b9366552e9ec5abb87a37c76ec8a815fb7Klaus Luettich<title>dnssec-verify</title>

b1f59a4ea7c96f4c03a4d7cfcb9c5e66871cfbbbChristian Maeder<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">

ad270004874ce1d0697fb30d7309f180553bb315Christian Maeder<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">

4d56f2fa72e4aec20eb827c11ed49c8cbb7014bdChristian Maeder<link rel="up" href="Bv9ARM.ch10.html" title="Manual pages">

4cb215739e9ab13447fa21162482ebe485b47455Christian Maeder<link rel="prev" href="man.dnssec-signzone.html" title="dnssec-signzone">

8ef75f1cc0437656bf622cec5ac9e8ea221da8f2Christian Maeder<link rel="next" href="man.named-checkconf.html" title="named-checkconf">

404166b9366552e9ec5abb87a37c76ec8a815fb7Klaus Luettich</head>

63f0e65a37b95621334db9ee4ba0cd9d826f5c0fChristian Maeder<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">

74eed04be26f549d2f7ca35c370e1c03879b28b1Christian Maeder<div class="navheader">

d23b0cc79c0d204e6ec758dff8d0ba71c9f693f7Christian Maeder<table width="100%" summary="Navigation header">

3e8b136f23ed57d40ee617f49bcac37830b58cabChristian Maeder<tr><th colspan="3" align="center"><span class="application">dnssec-verify</span></th></tr>

ef9e8535c168d3f774d9e74368a2317a9eda5826Christian Maeder<tr>

bab2d88d650448628730ed3b65c9f99c52500e8cChristian Maeder<td width="20%" align="left">

3e8b136f23ed57d40ee617f49bcac37830b58cabChristian Maeder<a accesskey="p" href="man.dnssec-signzone.html">Prev</a>�</td>

ef9e8535c168d3f774d9e74368a2317a9eda5826Christian Maeder<th width="60%" align="center">Manual pages</th>

63f0e65a37b95621334db9ee4ba0cd9d826f5c0fChristian Maeder<td width="20%" align="right">�<a accesskey="n" href="man.named-checkconf.html">Next</a>

e593b89bfd4952698dc37feced21cefe869d87a2Christian Maeder</td>

63f0e65a37b95621334db9ee4ba0cd9d826f5c0fChristian Maeder</tr>

5191fa24c532d1f67e7a642e9aece65efb8a0975Christian Maeder</table>

c3053d57f642ca507cdf79512e604437c4546cb9Christian Maeder<hr>

dcbd32289a7bdf1e6edd06c6ab0698c6a9dbf37aChristian Maeder</div>

f4a2a20e49f41b2afa657e5e64d9e349c7faa091Christian Maeder<div class="refentry" lang="en">

f4a2a20e49f41b2afa657e5e64d9e349c7faa091Christian Maeder<a name="man.dnssec-verify"></a><div class="titlepage"></div>

dcbd32289a7bdf1e6edd06c6ab0698c6a9dbf37aChristian Maeder<div class="refnamediv">

05a62e84edac8c64de04f8349dee418598d216b9Christian Maeder<h2>Name</h2>

1cd4f6541984962658add5cfaa9f28a93879881bChristian Maeder<p><span class="application">dnssec-verify</span> &#8212; DNSSEC zone verification tool</p>

1aee4aaddde105264c1faf394d88e302c05094ffChristian Maeder</div>

8b767d09a78927b111f5596fdff9ca7d2c1a439fChristian Maeder<div class="refsynopsisdiv">

8b767d09a78927b111f5596fdff9ca7d2c1a439fChristian Maeder<h2>Synopsis</h2>

8b767d09a78927b111f5596fdff9ca7d2c1a439fChristian Maeder<div class="cmdsynopsis"><p><code class="command">dnssec-verify</code> [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-I <em class="replaceable"><code>input-format</code></em></code>] [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-x</code>] [<code class="option">-z</code>] {zonefile}</p></div>

8b767d09a78927b111f5596fdff9ca7d2c1a439fChristian Maeder</div>

8b767d09a78927b111f5596fdff9ca7d2c1a439fChristian Maeder<div class="refsect1" lang="en">

8b767d09a78927b111f5596fdff9ca7d2c1a439fChristian Maeder<a name="id2635696"></a><h2>DESCRIPTION</h2>

456238178f89e5a3de2988ee6c8af924297d52d9Christian Maeder<p><span><strong class="command">dnssec-verify</strong></span>

d54cd08a4cfa26256c38d8ed12c343adbfe1a0e3Christian Maeder verifies that a zone is fully signed for each algorithm found

23b4e542dca35852f58d1fb3f7d9078c1de5ab06Christian Maeder in the DNSKEY RRset for the zone, and that the NSEC / NSEC3

bab2d88d650448628730ed3b65c9f99c52500e8cChristian Maeder chains are complete.

bab2d88d650448628730ed3b65c9f99c52500e8cChristian Maeder </p>

8cacad2a09782249243b80985f28e9387019fe40Christian Maeder</div>

6a2dad705deefd1b7a7e09b84fd2d75f2213be47Christian Maeder<div class="refsect1" lang="en">

a7c27282e71cf4505026645f96d4f5cb8a284e32Christian Maeder<a name="id2635709"></a><h2>OPTIONS</h2>

363939beade943a02b31004cea09dec34fa8a6d9Christian Maeder<div class="variablelist"><dl>

014dc30f64ec25e4790cca987d4d1e6635430510Christian Maeder<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>

f04e8f3ff56405901be968fd4c6e9769239f1a9bKlaus Luettich<dd><p>

6aea82c63ba1d2efc0329bc784a14e521469ec20Christian Maeder Specifies the DNS class of the zone.

4ba08bfca0cc8d9da65397b8dfd2654fdb4c0e62Christian Maeder </p></dd>

feca1d35123d8c31aee238c9ce79947b0bf65494Christian Maeder<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>

431d34c7007a787331c4e5ec997badb0f8190fc7Christian Maeder<dd>

f1541d4a151dbd08002dbd14e7eb1d5dde253689Christian Maeder<p>

c8012b9719c73f08418af7a0b4ba28fa1d200631Christian Maeder Specifies the cryptographic hardware to use, when applicable.

f1541d4a151dbd08002dbd14e7eb1d5dde253689Christian Maeder </p>

6dc9bc98d0854fe2e3dd3bfc4275096a0c28ee1cChristian Maeder<p>

6dc9bc98d0854fe2e3dd3bfc4275096a0c28ee1cChristian Maeder When BIND is built with OpenSSL PKCS#11 support, this defaults

6dc9bc98d0854fe2e3dd3bfc4275096a0c28ee1cChristian Maeder to the string "pkcs11", which identifies an OpenSSL engine

23ffcc44ca8612feccbd8fda63fa5be7ab5f9dc3Christian Maeder that can drive a cryptographic accelerator or hardware service

61fa0ac06ede811c7aad54ec4c4202346727368eChristian Maeder module. When BIND is built with native PKCS#11 cryptography

c0c2380bced8159ff0297ece14eba948bd236471Christian Maeder (--enable-native-pkcs11), it defaults to the path of the PKCS#11

63f0e65a37b95621334db9ee4ba0cd9d826f5c0fChristian Maeder provider library specified via "--with-pkcs11".

63f0e65a37b95621334db9ee4ba0cd9d826f5c0fChristian Maeder </p>

63f0e65a37b95621334db9ee4ba0cd9d826f5c0fChristian Maeder</dd>

63f0e65a37b95621334db9ee4ba0cd9d826f5c0fChristian Maeder<dt><span class="term">-I <em class="replaceable"><code>input-format</code></em></span></dt>

63f0e65a37b95621334db9ee4ba0cd9d826f5c0fChristian Maeder<dd><p>

9e748851c150e1022fb952bab3315e869aaf0214Christian Maeder The format of the input zone file.

6a79849bed67264c396dddb3e9c184bdfc1a1bc9Christian Maeder Possible formats are <span><strong class="command">"text"</strong></span> (default)

6a79849bed67264c396dddb3e9c184bdfc1a1bc9Christian Maeder and <span><strong class="command">"raw"</strong></span>.

6a79849bed67264c396dddb3e9c184bdfc1a1bc9Christian Maeder This option is primarily intended to be used for dynamic

63f0e65a37b95621334db9ee4ba0cd9d826f5c0fChristian Maeder signed zones so that the dumped zone file in a non-text

ca074a78b8dcccbb8c419586787882f98d0c6163Christian Maeder format containing updates can be verified independently.

63f0e65a37b95621334db9ee4ba0cd9d826f5c0fChristian Maeder The use of this option does not make much sense for

6a79849bed67264c396dddb3e9c184bdfc1a1bc9Christian Maeder non-dynamic zones.

a5e5b8c3e5c11177e5034ef2423813a5d28979edChristian Maeder </p></dd>

bc8cbf12aa172bf5673b92a9e7a0151d4aa4c315Christian Maeder<dt><span class="term">-o <em class="replaceable"><code>origin</code></em></span></dt>

2d130d212db7208777ca896a7ecad619a8944971Christian Maeder<dd><p>

2d130d212db7208777ca896a7ecad619a8944971Christian Maeder The zone origin. If not specified, the name of the zone file

51d769d55d88dfa88bdf54bee78d8fa85a2deba8Christian Maeder is assumed to be the origin.

a5e5b8c3e5c11177e5034ef2423813a5d28979edChristian Maeder </p></dd>

a42fbfe7becf0eae2d624123eb0db73a794593f0Christian Maeder<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>

a42fbfe7becf0eae2d624123eb0db73a794593f0Christian Maeder<dd><p>

b363eb04791e7f735633b9b4088502c2bc50ebfcChristian Maeder Sets the debugging level.

a42fbfe7becf0eae2d624123eb0db73a794593f0Christian Maeder </p></dd>

1cd4f6541984962658add5cfaa9f28a93879881bChristian Maeder<dt><span class="term">-x</span></dt>

1cd4f6541984962658add5cfaa9f28a93879881bChristian Maeder<dd><p>

2d130d212db7208777ca896a7ecad619a8944971Christian Maeder Only verify that the DNSKEY RRset is signed with key-signing

6a79849bed67264c396dddb3e9c184bdfc1a1bc9Christian Maeder keys. Without this flag, it is assumed that the DNSKEY RRset

6ff7a91875597d6e4dfaa68c79187d01473e8341Christian Maeder will be signed by all active keys. When this flag is set,

6ff7a91875597d6e4dfaa68c79187d01473e8341Christian Maeder it will not be an error if the DNSKEY RRset is not signed

6a79849bed67264c396dddb3e9c184bdfc1a1bc9Christian Maeder by zone-signing keys. This corresponds to the <code class="option">-x</code>

6a79849bed67264c396dddb3e9c184bdfc1a1bc9Christian Maeder option in <span><strong class="command">dnssec-signzone</strong></span>.

4017ebc0f692820736d796af3110c3b3018c108aChristian Maeder </p></dd>

a9b59eb2ce961014974276cdae0e9df4419bd212Christian Maeder<dt><span class="term">-z</span></dt>

6a79849bed67264c396dddb3e9c184bdfc1a1bc9Christian Maeder<dd>

6a79849bed67264c396dddb3e9c184bdfc1a1bc9Christian Maeder<p>

6a79849bed67264c396dddb3e9c184bdfc1a1bc9Christian Maeder Ignore the KSK flag on the keys when determining whether

6a79849bed67264c396dddb3e9c184bdfc1a1bc9Christian Maeder the zone if correctly signed. Without this flag it is

6a79849bed67264c396dddb3e9c184bdfc1a1bc9Christian Maeder assumed that there will be a non-revoked, self-signed

a3c6d8e0670bf2aa71bc8e2a3b1f45d56dd65e4cChristian Maeder DNSKEY with the KSK flag set for each algorithm and

dc679edd4ca027663212afdf00926ae2ce19b555Christian Maeder that RRsets other than DNSKEY RRset will be signed with

63f0e65a37b95621334db9ee4ba0cd9d826f5c0fChristian Maeder a different DNSKEY without the KSK flag set.

ca074a78b8dcccbb8c419586787882f98d0c6163Christian Maeder </p>

63f0e65a37b95621334db9ee4ba0cd9d826f5c0fChristian Maeder<p>

ca074a78b8dcccbb8c419586787882f98d0c6163Christian Maeder With this flag set, we only require that for each algorithm,

ca074a78b8dcccbb8c419586787882f98d0c6163Christian Maeder there will be at least one non-revoked, self-signed DNSKEY,

ca074a78b8dcccbb8c419586787882f98d0c6163Christian Maeder regardless of the KSK flag state, and that other RRsets

4017ebc0f692820736d796af3110c3b3018c108aChristian Maeder will be signed by a non-revoked key for the same algorithm

b568982efd0997d877286faa592d81b03c8c67b8Christian Maeder that includes the self-signed key; the same key may be used

ca074a78b8dcccbb8c419586787882f98d0c6163Christian Maeder for both purposes. This corresponds to the <code class="option">-z</code>

0be0db405c49906bd7057255069bf6df53395ac9Klaus Luettich option in <span><strong class="command">dnssec-signzone</strong></span>.

ca074a78b8dcccbb8c419586787882f98d0c6163Christian Maeder </p>

63f0e65a37b95621334db9ee4ba0cd9d826f5c0fChristian Maeder</dd>

63f0e65a37b95621334db9ee4ba0cd9d826f5c0fChristian Maeder<dt><span class="term">zonefile</span></dt>

63f0e65a37b95621334db9ee4ba0cd9d826f5c0fChristian Maeder<dd><p>

f2f9df2e17e70674f0bf426ed1763c973ee4cde0Christian Maeder The file containing the zone to be signed.

d946c1bfdd7d58aa7c023efe864d5999eb44a61bChristian Maeder </p></dd>

d946c1bfdd7d58aa7c023efe864d5999eb44a61bChristian Maeder</dl></div>

d946c1bfdd7d58aa7c023efe864d5999eb44a61bChristian Maeder</div>

d946c1bfdd7d58aa7c023efe864d5999eb44a61bChristian Maeder<div class="refsect1" lang="en">

d946c1bfdd7d58aa7c023efe864d5999eb44a61bChristian Maeder<a name="id2640589"></a><h2>SEE ALSO</h2>

63f0e65a37b95621334db9ee4ba0cd9d826f5c0fChristian Maeder<p>

d23b0cc79c0d204e6ec758dff8d0ba71c9f693f7Christian Maeder <span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,

63f0e65a37b95621334db9ee4ba0cd9d826f5c0fChristian Maeder <em class="citetitle">BIND 9 Administrator Reference Manual</em>,

63f0e65a37b95621334db9ee4ba0cd9d826f5c0fChristian Maeder <em class="citetitle">RFC 4033</em>.

ca074a78b8dcccbb8c419586787882f98d0c6163Christian Maeder </p>

ca074a78b8dcccbb8c419586787882f98d0c6163Christian Maeder</div>

63f0e65a37b95621334db9ee4ba0cd9d826f5c0fChristian Maeder<div class="refsect1" lang="en">

63f0e65a37b95621334db9ee4ba0cd9d826f5c0fChristian Maeder<a name="id2640615"></a><h2>AUTHOR</h2>

ca074a78b8dcccbb8c419586787882f98d0c6163Christian Maeder<p><span class="corpauthor">Internet Systems Consortium</span>

ca074a78b8dcccbb8c419586787882f98d0c6163Christian Maeder </p>

d23b0cc79c0d204e6ec758dff8d0ba71c9f693f7Christian Maeder</div>

3e8b136f23ed57d40ee617f49bcac37830b58cabChristian Maeder</div>

f1541d4a151dbd08002dbd14e7eb1d5dde253689Christian Maeder<div class="navfooter">

6dc9bc98d0854fe2e3dd3bfc4275096a0c28ee1cChristian Maeder<hr>

d946c1bfdd7d58aa7c023efe864d5999eb44a61bChristian Maeder<table width="100%" summary="Navigation footer">

e6d5dbbc3308f05197868806e0b860f4f53875f1Christian Maeder<tr>

363939beade943a02b31004cea09dec34fa8a6d9Christian Maeder<td width="40%" align="left">

e4f4d096e5e6d60dd91c746d0e833d0ac7a29c50Christian Maeder<a accesskey="p" href="man.dnssec-signzone.html">Prev</a>�</td>

eb74267cf39e4e95f9eeb5c765f4c8dac33971b4Christian Maeder<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch10.html">Up</a></td>

eb74267cf39e4e95f9eeb5c765f4c8dac33971b4Christian Maeder<td width="40%" align="right">�<a accesskey="n" href="man.named-checkconf.html">Next</a>

e4f4d096e5e6d60dd91c746d0e833d0ac7a29c50Christian Maeder</td>

61fa0ac06ede811c7aad54ec4c4202346727368eChristian Maeder</tr>

456238178f89e5a3de2988ee6c8af924297d52d9Christian Maeder<tr>

f1541d4a151dbd08002dbd14e7eb1d5dde253689Christian Maeder<td width="40%" align="left" valign="top">

8d178ae08a52d61379e6b8074f61646499bc88bbChristian Maeder<span class="application">dnssec-signzone</span>�</td>

456238178f89e5a3de2988ee6c8af924297d52d9Christian Maeder<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>

6cd33d6101fb1b93baa6d86fac158af18a115108Christian Maeder<td width="40%" align="right" valign="top">�<span class="application">named-checkconf</span>

6cd33d6101fb1b93baa6d86fac158af18a115108Christian Maeder</td>

6cd33d6101fb1b93baa6d86fac158af18a115108Christian Maeder</tr>

6cd33d6101fb1b93baa6d86fac158af18a115108Christian Maeder</table>

6cd33d6101fb1b93baa6d86fac158af18a115108Christian Maeder</div>

b2ac5a92cf36382e8deea5661c1964566caf72b3Christian Maeder</body>

59138b404f12352d103eeffbeaeb3957b90e75fdChristian Maeder</html>

b2ac5a92cf36382e8deea5661c1964566caf72b3Christian Maeder