doc/arm/man.dnssec-verify.html

	man.dnssec-verify.html revision aa444144ad14bdd909fe5b70e1f7730b46ec6072
a82212bd36e1074408974b466798b9966bbaf49bvboxsync<!--
a82212bd36e1074408974b466798b9966bbaf49bvboxsync - Copyright (C) 2004-2012 Internet Systems Consortium, Inc. ("ISC")
a82212bd36e1074408974b466798b9966bbaf49bvboxsync - Copyright (C) 2000-2003 Internet Software Consortium.
a82212bd36e1074408974b466798b9966bbaf49bvboxsync -
a82212bd36e1074408974b466798b9966bbaf49bvboxsync - Permission to use, copy, modify, and/or distribute this software for any
a82212bd36e1074408974b466798b9966bbaf49bvboxsync - purpose with or without fee is hereby granted, provided that the above
a82212bd36e1074408974b466798b9966bbaf49bvboxsync - copyright notice and this permission notice appear in all copies.
a82212bd36e1074408974b466798b9966bbaf49bvboxsync -
a82212bd36e1074408974b466798b9966bbaf49bvboxsync - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
a82212bd36e1074408974b466798b9966bbaf49bvboxsync - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
a82212bd36e1074408974b466798b9966bbaf49bvboxsync - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
a82212bd36e1074408974b466798b9966bbaf49bvboxsync - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
a82212bd36e1074408974b466798b9966bbaf49bvboxsync - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
a82212bd36e1074408974b466798b9966bbaf49bvboxsync - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
a82212bd36e1074408974b466798b9966bbaf49bvboxsync - PERFORMANCE OF THIS SOFTWARE.
a82212bd36e1074408974b466798b9966bbaf49bvboxsync-->
a82212bd36e1074408974b466798b9966bbaf49bvboxsync<!-- $Id$ -->
a82212bd36e1074408974b466798b9966bbaf49bvboxsync<html>
a82212bd36e1074408974b466798b9966bbaf49bvboxsync<head>
a82212bd36e1074408974b466798b9966bbaf49bvboxsync<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
a82212bd36e1074408974b466798b9966bbaf49bvboxsync<title>dnssec-verify</title>
a82212bd36e1074408974b466798b9966bbaf49bvboxsync<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
a82212bd36e1074408974b466798b9966bbaf49bvboxsync<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
a82212bd36e1074408974b466798b9966bbaf49bvboxsync<link rel="up" href="Bv9ARM.ch10.html" title="Manual pages">
a82212bd36e1074408974b466798b9966bbaf49bvboxsync<link rel="prev" href="man.dnssec-signzone.html" title="dnssec-signzone">
a82212bd36e1074408974b466798b9966bbaf49bvboxsync<link rel="next" href="man.named-checkconf.html" title="named-checkconf">
a82212bd36e1074408974b466798b9966bbaf49bvboxsync</head>
a82212bd36e1074408974b466798b9966bbaf49bvboxsync<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
a82212bd36e1074408974b466798b9966bbaf49bvboxsync<div class="navheader">
a82212bd36e1074408974b466798b9966bbaf49bvboxsync<table width="100%" summary="Navigation header">
a82212bd36e1074408974b466798b9966bbaf49bvboxsync<tr><th colspan="3" align="center"><span class="application">dnssec-verify</span></th></tr>
a82212bd36e1074408974b466798b9966bbaf49bvboxsync<tr>
a82212bd36e1074408974b466798b9966bbaf49bvboxsync<td width="20%" align="left">
a82212bd36e1074408974b466798b9966bbaf49bvboxsync<a accesskey="p" href="man.dnssec-signzone.html">Prev</a>�</td>
a82212bd36e1074408974b466798b9966bbaf49bvboxsync<th width="60%" align="center">Manual pages</th>
a82212bd36e1074408974b466798b9966bbaf49bvboxsync<td width="20%" align="right">�<a accesskey="n" href="man.named-checkconf.html">Next</a>
a82212bd36e1074408974b466798b9966bbaf49bvboxsync</td>
a82212bd36e1074408974b466798b9966bbaf49bvboxsync</tr>
a82212bd36e1074408974b466798b9966bbaf49bvboxsync</table>
a82212bd36e1074408974b466798b9966bbaf49bvboxsync<hr>
a82212bd36e1074408974b466798b9966bbaf49bvboxsync</div>
a82212bd36e1074408974b466798b9966bbaf49bvboxsync<div class="refentry" lang="en">
a82212bd36e1074408974b466798b9966bbaf49bvboxsync<a name="man.dnssec-verify"></a><div class="titlepage"></div>
a82212bd36e1074408974b466798b9966bbaf49bvboxsync<div class="refnamediv">
a82212bd36e1074408974b466798b9966bbaf49bvboxsync<h2>Name</h2>
a82212bd36e1074408974b466798b9966bbaf49bvboxsync<p><span class="application">dnssec-verify</span> &#8212; DNSSEC zone verification tool</p>
a82212bd36e1074408974b466798b9966bbaf49bvboxsync</div>
a82212bd36e1074408974b466798b9966bbaf49bvboxsync<div class="refsynopsisdiv">
a82212bd36e1074408974b466798b9966bbaf49bvboxsync<h2>Synopsis</h2>
a82212bd36e1074408974b466798b9966bbaf49bvboxsync<div class="cmdsynopsis"><p><code class="command">dnssec-verify</code>  [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-I <em class="replaceable"><code>input-format</code></em></code>] [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-x</code>] [<code class="option">-z</code>] {zonefile}</p></div>
a82212bd36e1074408974b466798b9966bbaf49bvboxsync</div>
a82212bd36e1074408974b466798b9966bbaf49bvboxsync<div class="refsect1" lang="en">
a82212bd36e1074408974b466798b9966bbaf49bvboxsync<a name="id2619589"></a><h2>DESCRIPTION</h2>
a82212bd36e1074408974b466798b9966bbaf49bvboxsync<p><span><strong class="command">dnssec-verify</strong></span>
a82212bd36e1074408974b466798b9966bbaf49bvboxsync      verifies that a zone is fully signed for each algorithm found
a82212bd36e1074408974b466798b9966bbaf49bvboxsync      in the DNSKEY RRset for the zone, and that the NSEC / NSEC3
a82212bd36e1074408974b466798b9966bbaf49bvboxsync      chains are complete.
a82212bd36e1074408974b466798b9966bbaf49bvboxsync    </p>
a82212bd36e1074408974b466798b9966bbaf49bvboxsync</div>
a82212bd36e1074408974b466798b9966bbaf49bvboxsync<div class="refsect1" lang="en">
a82212bd36e1074408974b466798b9966bbaf49bvboxsync<a name="id2619603"></a><h2>OPTIONS</h2>
a82212bd36e1074408974b466798b9966bbaf49bvboxsync<div class="variablelist"><dl>
a82212bd36e1074408974b466798b9966bbaf49bvboxsync<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
a82212bd36e1074408974b466798b9966bbaf49bvboxsync<dd><p>
a82212bd36e1074408974b466798b9966bbaf49bvboxsync            Specifies the DNS class of the zone.
a82212bd36e1074408974b466798b9966bbaf49bvboxsync          </p></dd>
a82212bd36e1074408974b466798b9966bbaf49bvboxsync<dt><span class="term">-I <em class="replaceable"><code>input-format</code></em></span></dt>
a82212bd36e1074408974b466798b9966bbaf49bvboxsync<dd><p>
a82212bd36e1074408974b466798b9966bbaf49bvboxsync            The format of the input zone file.
a82212bd36e1074408974b466798b9966bbaf49bvboxsync        Possible formats are <span><strong class="command">"text"</strong></span> (default)
a82212bd36e1074408974b466798b9966bbaf49bvboxsync        and <span><strong class="command">"raw"</strong></span>.
a82212bd36e1074408974b466798b9966bbaf49bvboxsync        This option is primarily intended to be used for dynamic
a82212bd36e1074408974b466798b9966bbaf49bvboxsync            signed zones so that the dumped zone file in a non-text
a82212bd36e1074408974b466798b9966bbaf49bvboxsync            format containing updates can be verified independently.
a82212bd36e1074408974b466798b9966bbaf49bvboxsync        The use of this option does not make much sense for
a82212bd36e1074408974b466798b9966bbaf49bvboxsync        non-dynamic zones.
a82212bd36e1074408974b466798b9966bbaf49bvboxsync          </p></dd>
a82212bd36e1074408974b466798b9966bbaf49bvboxsync<dt><span class="term">-o <em class="replaceable"><code>origin</code></em></span></dt>
a82212bd36e1074408974b466798b9966bbaf49bvboxsync<dd><p>
a82212bd36e1074408974b466798b9966bbaf49bvboxsync            The zone origin.  If not specified, the name of the zone file
a82212bd36e1074408974b466798b9966bbaf49bvboxsync            is assumed to be the origin.
a82212bd36e1074408974b466798b9966bbaf49bvboxsync          </p></dd>
a82212bd36e1074408974b466798b9966bbaf49bvboxsync<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
a82212bd36e1074408974b466798b9966bbaf49bvboxsync<dd><p>
a82212bd36e1074408974b466798b9966bbaf49bvboxsync            Sets the debugging level.
a82212bd36e1074408974b466798b9966bbaf49bvboxsync          </p></dd>
a82212bd36e1074408974b466798b9966bbaf49bvboxsync<dt><span class="term">-x</span></dt>
a82212bd36e1074408974b466798b9966bbaf49bvboxsync<dd><p>
a82212bd36e1074408974b466798b9966bbaf49bvboxsync            Only verify that the DNSKEY RRset is signed with key-signing
a82212bd36e1074408974b466798b9966bbaf49bvboxsync            keys.  Without this flag, it is assumed that the DNSKEY RRset
a82212bd36e1074408974b466798b9966bbaf49bvboxsync            will be signed by all active keys.  When this flag is set,
a82212bd36e1074408974b466798b9966bbaf49bvboxsync            it will not be an error if the DNSKEY RRset is not signed
a82212bd36e1074408974b466798b9966bbaf49bvboxsync            by zone-signing keys.  This corresponds to the <code class="option">-x</code>
a82212bd36e1074408974b466798b9966bbaf49bvboxsync            option in <span><strong class="command">dnssec-signzone</strong></span>.
a82212bd36e1074408974b466798b9966bbaf49bvboxsync          </p></dd>
a82212bd36e1074408974b466798b9966bbaf49bvboxsync<dt><span class="term">-z</span></dt>
a82212bd36e1074408974b466798b9966bbaf49bvboxsync<dd>
a82212bd36e1074408974b466798b9966bbaf49bvboxsync<p>
a82212bd36e1074408974b466798b9966bbaf49bvboxsync        Ignore the KSK flag on the keys when determining whether
a82212bd36e1074408974b466798b9966bbaf49bvboxsync            the zone if correctly signed.  Without this flag it is
a82212bd36e1074408974b466798b9966bbaf49bvboxsync        assumed that there will be a non-revoked, self-signed
a82212bd36e1074408974b466798b9966bbaf49bvboxsync        DNSKEY with the KSK flag set for each algorithm and
a82212bd36e1074408974b466798b9966bbaf49bvboxsync        that RRsets other than DNSKEY RRset will be signed with
a82212bd36e1074408974b466798b9966bbaf49bvboxsync            a different DNSKEY without the KSK flag set.
a82212bd36e1074408974b466798b9966bbaf49bvboxsync      </p>
a82212bd36e1074408974b466798b9966bbaf49bvboxsync<p>
a82212bd36e1074408974b466798b9966bbaf49bvboxsync        With this flag set, we only require that for each algorithm,
a82212bd36e1074408974b466798b9966bbaf49bvboxsync            there will be at least one non-revoked, self-signed DNSKEY,
a82212bd36e1074408974b466798b9966bbaf49bvboxsync            regardless of the KSK flag state, and that other RRsets
a82212bd36e1074408974b466798b9966bbaf49bvboxsync        will be signed by a non-revoked key for the same algorithm
a82212bd36e1074408974b466798b9966bbaf49bvboxsync            that includes the self-signed key; the same key may be used
a82212bd36e1074408974b466798b9966bbaf49bvboxsync            for both purposes.  This corresponds to the <code class="option">-z</code>
a82212bd36e1074408974b466798b9966bbaf49bvboxsync            option in <span><strong class="command">dnssec-signzone</strong></span>.
a82212bd36e1074408974b466798b9966bbaf49bvboxsync      </p>
a82212bd36e1074408974b466798b9966bbaf49bvboxsync</dd>
a82212bd36e1074408974b466798b9966bbaf49bvboxsync<dt><span class="term">zonefile</span></dt>
a82212bd36e1074408974b466798b9966bbaf49bvboxsync<dd><p>
a82212bd36e1074408974b466798b9966bbaf49bvboxsync            The file containing the zone to be signed.
a82212bd36e1074408974b466798b9966bbaf49bvboxsync          </p></dd>
a82212bd36e1074408974b466798b9966bbaf49bvboxsync</dl></div>
a82212bd36e1074408974b466798b9966bbaf49bvboxsync</div>
a82212bd36e1074408974b466798b9966bbaf49bvboxsync<div class="refsect1" lang="en">
a82212bd36e1074408974b466798b9966bbaf49bvboxsync<a name="id2619752"></a><h2>SEE ALSO</h2>
a82212bd36e1074408974b466798b9966bbaf49bvboxsync<p>
a82212bd36e1074408974b466798b9966bbaf49bvboxsync      <span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
a82212bd36e1074408974b466798b9966bbaf49bvboxsync      <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
a82212bd36e1074408974b466798b9966bbaf49bvboxsync      <em class="citetitle">RFC 4033</em>.
a82212bd36e1074408974b466798b9966bbaf49bvboxsync    </p>
a82212bd36e1074408974b466798b9966bbaf49bvboxsync</div>
a82212bd36e1074408974b466798b9966bbaf49bvboxsync<div class="refsect1" lang="en">
a82212bd36e1074408974b466798b9966bbaf49bvboxsync<a name="id2619778"></a><h2>AUTHOR</h2>
a82212bd36e1074408974b466798b9966bbaf49bvboxsync<p><span class="corpauthor">Internet Systems Consortium</span>
a82212bd36e1074408974b466798b9966bbaf49bvboxsync    </p>
a82212bd36e1074408974b466798b9966bbaf49bvboxsync</div>
a82212bd36e1074408974b466798b9966bbaf49bvboxsync</div>
a82212bd36e1074408974b466798b9966bbaf49bvboxsync<div class="navfooter">
a82212bd36e1074408974b466798b9966bbaf49bvboxsync<hr>
a82212bd36e1074408974b466798b9966bbaf49bvboxsync<table width="100%" summary="Navigation footer">
a82212bd36e1074408974b466798b9966bbaf49bvboxsync<tr>
a82212bd36e1074408974b466798b9966bbaf49bvboxsync<td width="40%" align="left">
a82212bd36e1074408974b466798b9966bbaf49bvboxsync<a accesskey="p" href="man.dnssec-signzone.html">Prev</a>�</td>
a82212bd36e1074408974b466798b9966bbaf49bvboxsync<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch10.html">Up</a></td>
a82212bd36e1074408974b466798b9966bbaf49bvboxsync<td width="40%" align="right">�<a accesskey="n" href="man.named-checkconf.html">Next</a>
a82212bd36e1074408974b466798b9966bbaf49bvboxsync</td>
a82212bd36e1074408974b466798b9966bbaf49bvboxsync</tr>
a82212bd36e1074408974b466798b9966bbaf49bvboxsync<tr>
a82212bd36e1074408974b466798b9966bbaf49bvboxsync<td width="40%" align="left" valign="top">
a82212bd36e1074408974b466798b9966bbaf49bvboxsync<span class="application">dnssec-signzone</span>�</td>
a82212bd36e1074408974b466798b9966bbaf49bvboxsync<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
a82212bd36e1074408974b466798b9966bbaf49bvboxsync<td width="40%" align="right" valign="top">�<span class="application">named-checkconf</span>
a82212bd36e1074408974b466798b9966bbaf49bvboxsync</td>
a82212bd36e1074408974b466798b9966bbaf49bvboxsync</tr>
a82212bd36e1074408974b466798b9966bbaf49bvboxsync</table>
a82212bd36e1074408974b466798b9966bbaf49bvboxsync</div>
a82212bd36e1074408974b466798b9966bbaf49bvboxsync</body>
a82212bd36e1074408974b466798b9966bbaf49bvboxsync</html>
a82212bd36e1074408974b466798b9966bbaf49bvboxsync