1191N/A - Copyright (C) 2004-2013 Internet Systems Consortium, Inc. ("ISC") 1191N/A - Copyright (C) 2000-2003 Internet Software Consortium. 1191N/A - Permission to use, copy, modify, and/or distribute this software for any 1191N/A - purpose with or without fee is hereby granted, provided that the above 1191N/A - copyright notice and this permission notice appear in all copies. 1191N/A - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH 1191N/A - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY 1191N/A - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, 1191N/A - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM 1191N/A - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE 1191N/A - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR 1191N/A - PERFORMANCE OF THIS SOFTWARE. 1191N/A<
meta http-
equiv="Content-Type" content="text/html; charset=ISO-8859-1">
1191N/A<
title>dnssec-verify</
title>
1191N/A<
meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
1191N/A<
link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
3194N/A<
body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
1448N/A<
table width="100%" summary="Navigation header">
1448N/A<
tr><
th colspan="3" align="center"><
span class="application">dnssec-verify</
span></
th></
tr>
1191N/A<
td width="20%" align="left">
3234N/A<
th width="60%" align="center">Manual pages</
th>
1448N/A<
div class="refentry" lang="en">
2701N/A<
p><
span class="application">dnssec-verify</
span> — DNSSEC zone verification tool</
p>
1191N/A<
div class="refsynopsisdiv">
1191N/A<
div class="cmdsynopsis"><
p><
code class="command">dnssec-verify</
code> [<
code class="option">-c <
em class="replaceable"><
code>class</
code></
em></
code>] [<
code class="option">-E <
em class="replaceable"><
code>engine</
code></
em></
code>] [<
code class="option">-I <
em class="replaceable"><
code>input-format</
code></
em></
code>] [<
code class="option">-o <
em class="replaceable"><
code>origin</
code></
em></
code>] [<
code class="option">-v <
em class="replaceable"><
code>level</
code></
em></
code>] [<
code class="option">-x</
code>] [<
code class="option">-z</
code>] {zonefile}</
p></
div>
1191N/A<
div class="refsect1" lang="en">
1191N/A<
a name="id2620156"></
a><
h2>DESCRIPTION</
h2>
1191N/A<
p><
span><
strong class="command">dnssec-verify</
strong></
span>
1191N/A verifies that a zone is fully signed for each algorithm found
2701N/A in the DNSKEY RRset for the zone, and that the NSEC / NSEC3
2701N/A<
div class="refsect1" lang="en">
2701N/A<
a name="id2620170"></
a><
h2>OPTIONS</
h2>
2701N/A<
div class="variablelist"><
dl>
2701N/A<
dt><
span class="term">-c <
em class="replaceable"><
code>class</
code></
em></
span></
dt>
2701N/A Specifies the DNS class of the zone.
3226N/A<
dt><
span class="term">-I <
em class="replaceable"><
code>input-format</
code></
em></
span></
dt>
2701N/A The format of the input zone file.
2711N/A Possible formats are <
span><
strong class="command">"text"</
strong></
span> (default)
2701N/A and <
span><
strong class="command">"raw"</
strong></
span>.
2701N/A This option is primarily intended to be used for dynamic
2701N/A signed zones so that the dumped zone file in a non-text
2701N/A format containing updates can be verified independently.
1191N/A The use of this option does not make much sense for
3158N/A<
dt><
span class="term">-o <
em class="replaceable"><
code>origin</
code></
em></
span></
dt>
3158N/A The zone origin. If not specified, the name of the zone file
3158N/A is assumed to be the origin.
1191N/A<
dt><
span class="term">-v <
em class="replaceable"><
code>level</
code></
em></
span></
dt>
1448N/A<
dt><
span class="term">-x</
span></
dt>
2701N/A Only verify that the DNSKEY RRset is signed with key-signing
3158N/A keys. Without this flag, it is assumed that the DNSKEY RRset
3158N/A will be signed by all active keys. When this flag is set,
3158N/A it will not be an error if the DNSKEY RRset is not signed
1191N/A by zone-signing keys. This corresponds to the <
code class="option">-x</
code>
1448N/A option in <
span><
strong class="command">dnssec-signzone</
strong></
span>.
1448N/A<
dt><
span class="term">-z</
span></
dt>
1448N/A Ignore the KSK flag on the keys when determining whether
1448N/A the zone if correctly signed. Without this flag it is
1448N/A assumed that there will be a non-revoked, self-signed
1191N/A DNSKEY with the KSK flag set for each algorithm and
1448N/A that RRsets other than DNSKEY RRset will be signed with
2701N/A a different DNSKEY without the KSK flag set.
1448N/A With this flag set, we only require that for each algorithm,
1448N/A there will be at least one non-revoked, self-signed DNSKEY,
2701N/A regardless of the KSK flag state, and that other RRsets
1448N/A will be signed by a non-revoked key for the same algorithm
1448N/A that includes the self-signed key; the same key may be used
1448N/A for both purposes. This corresponds to the <
code class="option">-z</
code>
1448N/A option in <
span><
strong class="command">dnssec-signzone</
strong></
span>.
1191N/A<
dt><
span class="term">zonefile</
span></
dt>
1191N/A The file containing the zone to be signed.
1448N/A<
div class="refsect1" lang="en">
1448N/A<
a name="id2620320"></
a><
h2>SEE ALSO</
h2>
1448N/A <
span class="citerefentry"><
span class="refentrytitle">dnssec-signzone</
span>(8)</
span>,
1448N/A <
em class="citetitle">BIND 9 Administrator Reference Manual</
em>,
1448N/A <
em class="citetitle">RFC 4033</
em>.
2701N/A<
div class="refsect1" lang="en">
1895N/A<
a name="id2620345"></
a><
h2>AUTHOR</
h2>
1895N/A<
p><
span class="corpauthor">Internet Systems Consortium</
span>
1895N/A<
table width="100%" summary="Navigation footer">
1895N/A<
td width="40%" align="left">
3253N/A<
td width="40%" align="left" valign="top">
1448N/A<
span class="application">dnssec-signzone</
span>�</
td>
1191N/A<
td width="40%" align="right" valign="top">�<
span class="application">named-checkconf</
span>