man.dnssec-verify.html revision a8fa482d0cc0134e2373509f8d3ac92c9f36d99a
 - Copyright (C) 2004-2015 Internet Systems Consortium, Inc. ("ISC")
 - Copyright (C) 2000-2003 Internet Software Consortium.
 -
 - Permission to use, copy, modify, and/or distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 -
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
<link rel="prev" href="man.dnssec-signzone.html" title="dnssec-signzone">
<link rel="next" href="man.named-checkconf.html" title="named-checkconf">
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<a name="man.dnssec-verify"></a><div class="titlepage"></div>
<p><span class="application">dnssec-verify</span> — DNSSEC zone verification tool</p>
<div class="cmdsynopsis"><p><code class="command">dnssec-verify</code> [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-I <em class="replaceable"><code>input-format</code></em></code>] [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-V</code>] [<code class="option">-x</code>] [<code class="option">-z</code>] {zonefile}</p></div>
<a name="id2647424"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">dnssec-verify</strong></span>
 verifies that a zone is fully signed for each algorithm found
 in the DNSKEY RRset for the zone, and that the NSEC / NSEC3
 chains are complete.
</p>
<h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
<dd><p>
 Specifies the DNS class of the zone.
</p></dd>
<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
<dd><p>
 Specifies the cryptographic hardware to use, when applicable.
</p><p>
 When BIND is built with OpenSSL PKCS#11 support, this defaults
 to the string "pkcs11", which identifies an OpenSSL engine
 that can drive a cryptographic accelerator or hardware service
 module. When BIND is built with native PKCS#11 cryptography
 (--enable-native-pkcs11), it defaults to the path of the PKCS#11
 provider library specified via "--with-pkcs11".
</p></dd>
<dt><span class="term">-I <em class="replaceable"><code>input-format</code></em></span></dt>
<dd><p>
 The format of the input zone file.
 Possible formats are <span><strong class="command">"text"</strong></span> (default)
 and <span><strong class="command">"raw"</strong></span>.
 This option is primarily intended for dynamic signed zones,
 so that a zone file dumped in a non-text format and
 containing updates can be verified independently.
 The use of this option does not make much sense for
 non-dynamic zones.
</p></dd>
<dt><span class="term">-o <em class="replaceable"><code>origin</code></em></span></dt>
<dd><p>
 The zone origin. If not specified, the name of the zone file
 is assumed to be the origin.
</p></dd>
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
<dd><p>
 Sets the debugging level.
</p></dd>
<dt><span class="term">-V</span></dt>
<dd><p>
 Prints version information.
</p></dd>
<dt><span class="term">-x</span></dt>
<dd><p>
 Only verify that the DNSKEY RRset is signed with key-signing
 keys. Without this flag, it is assumed that the DNSKEY RRset
 will be signed by all active keys. When this flag is set,
 it will not be an error if the DNSKEY RRset is not signed
 by zone-signing keys. This corresponds to the <code class="option">-x</code>
 option in <span><strong class="command">dnssec-signzone</strong></span>.
</p></dd>
<dt><span class="term">-z</span></dt>
<dd><p>
 Ignore the KSK flag on the keys when determining whether
 the zone is correctly signed. Without this flag, it is
 assumed that there will be a non-revoked, self-signed
 DNSKEY with the KSK flag set for each algorithm and
 that RRsets other than the DNSKEY RRset will be signed with
 a different DNSKEY without the KSK flag set.
</p><p>
 With this flag set, we only require that for each algorithm,
 there will be at least one non-revoked, self-signed DNSKEY,
 regardless of the KSK flag state, and that other RRsets
 will be signed by a non-revoked key for the same algorithm
 that includes the self-signed key; the same key may be used
 for both purposes. This corresponds to the <code class="option">-z</code>
 option in <span><strong class="command">dnssec-signzone</strong></span>.
</p></dd>
<dt><span class="term">zonefile</span></dt>
<dd><p>
 The file containing the signed zone to be verified.
</p></dd>
</dl></div>
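<p>The <code class="option">-x</code> and <code class="option">-z</code> rules described above, as an added Python model that is not part of the BIND manual and is not BIND's code. The <code>Key</code> class, the <code>check_zone</code> function and the sample key tags are hypothetical, and an "active" key is assumed to be any non-revoked key in the DNSKEY RRset.</p>

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Key:
    tag: int              # key tag (sample values below are constructed)
    alg: int              # DNSSEC algorithm number
    ksk: bool             # True if the KSK flag is set
    revoked: bool = False

def check_zone(keys, dnskey_signers, data_signers, x=False, z=False):
    """Model of the -x / -z rules as worded on this page (not BIND's code).

    dnskey_signers: tags of keys with a valid RRSIG over the DNSKEY RRset.
    data_signers:   tags of keys with valid RRSIGs over all other RRsets.
    Assumption: an "active" key is any non-revoked key in the DNSKEY RRset.
    Returns a list of error strings; an empty list means the zone passes.
    """
    errors = []
    for alg in sorted({k.alg for k in keys}):
        active = [k for k in keys if k.alg == alg and not k.revoked]
        self_signed = [k for k in active if k.tag in dnskey_signers]
        # Default: the self-signed key must carry the KSK flag. -z drops that.
        if not [k for k in self_signed if z or k.ksk]:
            errors.append(f"alg {alg}: no non-revoked self-signed "
                          + ("DNSKEY" if z else "KSK"))
        # Default: other RRsets need a key without the KSK flag. With -z any
        # non-revoked key of the algorithm will do, even the self-signed one.
        if not [k for k in active if k.tag in data_signers and (z or not k.ksk)]:
            errors.append(f"alg {alg}: data RRsets not signed by a "
                          + ("non-revoked key" if z else "ZSK"))
        # Default: every active key is expected to sign the DNSKEY RRset.
        # -x: a missing signature from a key without the KSK flag is accepted.
        for k in active:
            if k.tag not in dnskey_signers and not (x and not k.ksk):
                errors.append(f"alg {alg}: key {k.tag} did not sign DNSKEY")
    return errors

# Constructed sample zones: a KSK/ZSK split and a single combined key.
SPLIT = [Key(11111, 13, ksk=True), Key(22222, 13, ksk=False)]
CSK = [Key(33333, 13, ksk=True)]

if __name__ == "__main__":
    print(check_zone(SPLIT, {11111}, {22222}))           # ZSK sig missing
    print(check_zone(SPLIT, {11111}, {22222}, x=True))   # accepted
    print(check_zone(CSK, {33333}, {33333}))             # no ZSK for data
    print(check_zone(CSK, {33333}, {33333}, z=True))     # accepted
```

<p>The split-key zone fails by default and passes with <code class="option">-x</code>; the single-key zone fails by default and passes with <code class="option">-z</code>, so the verification flags need to match the ones given to <span><strong class="command">dnssec-signzone</strong></span>.</p>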
<h2>SEE ALSO</h2>
<p>
 <span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
 <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
</p>
<h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
<p style="text-align: center;">BIND 9.11.0pre-alpha</p>