0N/A<html>

873N/A<head>

0N/A<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">

0N/A<title>dnssec-verify</title>

0N/A<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">

0N/A<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">

0N/A<link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">

4197N/A<link rel="prev" href="man.dnssec-signzone.html" title="dnssec-signzone">

5744N/A<link rel="next" href="man.named-checkconf.html" title="named-checkconf">

0N/A</head>

0N/A<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">

2086N/A<div class="navheader">

0N/A<table width="100%" summary="Navigation header">

0N/A<tr><th colspan="3" align="center"><span class="application">dnssec-verify</span></th></tr>

0N/A<tr>

0N/A<td width="20%" align="left">

0N/A<a accesskey="p" href="man.dnssec-signzone.html">Prev</a>�</td>

0N/A<th width="60%" align="center">Manual pages</th>

0N/A<td width="20%" align="right">�<a accesskey="n" href="man.named-checkconf.html">Next</a>

0N/A</td>

0N/A</tr>

0N/A</table>

0N/A<hr>

0N/A</div>

0N/A<div class="refentry" lang="en">

0N/A<a name="man.dnssec-verify"></a><div class="titlepage"></div>

0N/A<div class="refnamediv">

0N/A<h2>Name</h2>

0N/A<p><span class="application">dnssec-verify</span> &#8212; DNSSEC zone verification tool</p>

0N/A</div>

0N/A<div class="refsynopsisdiv">

0N/A<h2>Synopsis</h2>

0N/A<div class="cmdsynopsis"><p><code class="command">dnssec-verify</code> [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-I <em class="replaceable"><code>input-format</code></em></code>] [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-V</code>] [<code class="option">-x</code>] [<code class="option">-z</code>] {zonefile}</p></div>

0N/A</div>

0N/A<div class="refsect1" lang="en">

0N/A<a name="id2647424"></a><h2>DESCRIPTION</h2>

0N/A<p><span><strong class="command">dnssec-verify</strong></span>

0N/A verifies that a zone is fully signed for each algorithm found

0N/A in the DNSKEY RRset for the zone, and that the NSEC / NSEC3

0N/A chains are complete.

0N/A </p>

0N/A</div>

0N/A<div class="refsect1" lang="en">

0N/A<a name="id2647437"></a><h2>OPTIONS</h2>

0N/A<div class="variablelist"><dl>

0N/A<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>

0N/A<dd><p>

0N/A Specifies the DNS class of the zone.

0N/A </p></dd>

1177N/A<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>

4134N/A<dd>

4134N/A<p>

4134N/A Specifies the cryptographic hardware to use, when applicable.

0N/A </p>

0N/A<p>

0N/A When BIND is built with OpenSSL PKCS#11 support, this defaults

2086N/A to the string "pkcs11", which identifies an OpenSSL engine

2086N/A that can drive a cryptographic accelerator or hardware service

0N/A module. When BIND is built with native PKCS#11 cryptography

0N/A (--enable-native-pkcs11), it defaults to the path of the PKCS#11

0N/A provider library specified via "--with-pkcs11".

0N/A </p>

0N/A</dd>

0N/A<dt><span class="term">-I <em class="replaceable"><code>input-format</code></em></span></dt>

0N/A<dd><p>

0N/A The format of the input zone file.

0N/A Possible formats are <span><strong class="command">"text"</strong></span> (default)

0N/A and <span><strong class="command">"raw"</strong></span>.

0N/A This option is primarily intended to be used for dynamic

0N/A signed zones so that the dumped zone file in a non-text

0N/A format containing updates can be verified independently.

0N/A The use of this option does not make much sense for

0N/A non-dynamic zones.

0N/A </p></dd>

0N/A<dt><span class="term">-o <em class="replaceable"><code>origin</code></em></span></dt>

0N/A<dd><p>

0N/A The zone origin. If not specified, the name of the zone file

0N/A is assumed to be the origin.

5744N/A </p></dd>

0N/A<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>

0N/A<dd><p>

0N/A Sets the debugging level.

0N/A </p></dd>

0N/A<dt><span class="term">-V</span></dt>

0N/A<dd><p>

0N/A Prints version information.

4134N/A </p></dd>

0N/A<dt><span class="term">-x</span></dt>

1924N/A<dd><p>

5744N/A Only verify that the DNSKEY RRset is signed with key-signing

1924N/A keys. Without this flag, it is assumed that the DNSKEY RRset

1924N/A will be signed by all active keys. When this flag is set,

5744N/A it will not be an error if the DNSKEY RRset is not signed

0N/A by zone-signing keys. This corresponds to the <code class="option">-x</code>

0N/A option in <span><strong class="command">dnssec-signzone</strong></span>.

0N/A </p></dd>

5744N/A<dt><span class="term">-z</span></dt>

0N/A<dd>

0N/A<p>

0N/A Ignore the KSK flag on the keys when determining whether

0N/A the zone if correctly signed. Without this flag it is

0N/A assumed that there will be a non-revoked, self-signed

0N/A DNSKEY with the KSK flag set for each algorithm and

0N/A that RRsets other than DNSKEY RRset will be signed with

0N/A a different DNSKEY without the KSK flag set.

0N/A </p>

0N/A<p>

0N/A With this flag set, we only require that for each algorithm,

0N/A there will be at least one non-revoked, self-signed DNSKEY,

0N/A regardless of the KSK flag state, and that other RRsets

0N/A will be signed by a non-revoked key for the same algorithm

0N/A that includes the self-signed key; the same key may be used

0N/A for both purposes. This corresponds to the <code class="option">-z</code>

0N/A option in <span><strong class="command">dnssec-signzone</strong></span>.

0N/A </p>

0N/A</dd>

0N/A<dt><span class="term">zonefile</span></dt>

0N/A<dd><p>

0N/A The file containing the zone to be signed.

0N/A </p></dd>

0N/A</dl></div>

0N/A</div>

0N/A<div class="refsect1" lang="en">

5744N/A<a name="id2647621"></a><h2>SEE ALSO</h2>

0N/A<p>

0N/A <span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,

0N/A <em class="citetitle">BIND 9 Administrator Reference Manual</em>,

0N/A <em class="citetitle">RFC 4033</em>.

0N/A </p>

0N/A</div>

0N/A<div class="refsect1" lang="en">

0N/A<a name="id2647646"></a><h2>AUTHOR</h2>

0N/A<p><span class="corpauthor">Internet Systems Consortium</span>

0N/A </p>

0N/A</div>

0N/A</div>

1924N/A<div class="navfooter">

0N/A<hr>

1924N/A<table width="100%" summary="Navigation footer">

0N/A<tr>

0N/A<td width="40%" align="left">

0N/A<a accesskey="p" href="man.dnssec-signzone.html">Prev</a>�</td>

0N/A<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch13.html">Up</a></td>

0N/A<td width="40%" align="right">�<a accesskey="n" href="man.named-checkconf.html">Next</a>

0N/A</td>

1924N/A</tr>

0N/A<tr>

0N/A<td width="40%" align="left" valign="top">

1924N/A<span class="application">dnssec-signzone</span>�</td>

1924N/A<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>

0N/A<td width="40%" align="right" valign="top">�<span class="application">named-checkconf</span>

0N/A</td>

0N/A</tr>

0N/A</table>

0N/A</div>

0N/A<p style="text-align: center;">BIND 9.11.0pre-alpha</p>

0N/A</body>

0N/A</html>

0N/A