man.dnssec-verify.html revision b2f07642fd712c8fda81a116bcdde229ab291f33
<!--
 - Copyright (C) 2004-2013 Internet Systems Consortium, Inc. ("ISC")
 - Copyright (C) 2000-2003 Internet Software Consortium.
 - Permission to use, copy, modify, and/or distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id$ -->
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.ch10.html" title="Manual pages">
<link rel="prev" href="man.dnssec-signzone.html" title="dnssec-signzone">
<link rel="next" href="man.named-checkconf.html" title="named-checkconf">
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<tr><th colspan="3" align="center"><span class="application">dnssec-verify</span></th></tr>
<a name="man.dnssec-verify"></a><div class="titlepage"></div>
<p><span class="application">dnssec-verify</span> — DNSSEC zone verification tool</p>
<div class="cmdsynopsis"><p><code class="command">dnssec-verify</code> [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-I <em class="replaceable"><code>input-format</code></em></code>] [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-x</code>] [<code class="option">-z</code>] {zonefile}</p></div>
<p><span><strong class="command">dnssec-verify</strong></span>
 verifies that a zone is fully signed for each algorithm found
 in the DNSKEY RRset for the zone, and that the NSEC / NSEC3
 chains are complete.
</p>
<dl>
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
<dd><p>
 Specifies the DNS class of the zone.
</p></dd>
<dt><span class="term">-I <em class="replaceable"><code>input-format</code></em></span></dt>
<dd><p>
 The format of the input zone file.
 Possible formats are <span><strong class="command">"text"</strong></span> (default)
 and <span><strong class="command">"raw"</strong></span>.
 This option is primarily intended for dynamic
 signed zones, so that a zone file dumped in a non-text
 format and containing updates can be verified independently.
 Using this option does not make much sense for
 non-dynamic zones.
</p></dd>
<dt><span class="term">-o <em class="replaceable"><code>origin</code></em></span></dt>
<dd><p>
 The zone origin. If not specified, the name of the zone file
 is assumed to be the origin.
</p></dd>
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
<dd><p>
 Sets the debugging level.
</p></dd>
<dt><span class="term">-x</span></dt>
<dd><p>
 Only verify that the DNSKEY RRset is signed with key-signing
 keys. Without this flag, it is assumed that the DNSKEY RRset
 will be signed by all active keys. When this flag is set,
 it will not be an error if the DNSKEY RRset is not signed
 by zone-signing keys. This corresponds to the <code class="option">-x</code>
 option in <span><strong class="command">dnssec-signzone</strong></span>.
</p></dd>
<dt><span class="term">-z</span></dt>
<dd><p>
 Ignore the KSK flag on the keys when determining whether
 the zone is correctly signed. Without this flag, it is
 assumed that there will be a non-revoked, self-signed
 DNSKEY with the KSK flag set for each algorithm, and
 that RRsets other than the DNSKEY RRset will be signed with
 a different DNSKEY without the KSK flag set.
 With this flag set, we only require that for each algorithm
 there will be at least one non-revoked, self-signed DNSKEY,
 regardless of the KSK flag state, and that other RRsets
 will be signed by a non-revoked key for the same algorithm
 that includes the self-signed key; the same key may be used
 for both purposes. This corresponds to the <code class="option">-z</code>
 option in <span><strong class="command">dnssec-signzone</strong></span>.
</p></dd>
<dt><span class="term">zonefile</span></dt>
<dd><p>
 The file containing the zone to be signed.
</p></dd>
</dl>
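<p>The options above combined into a pre-publication check, as an added example that is not part of the BIND distribution: the verification mode is chosen to match how the zone was signed (<code class="option">-x</code> or <code class="option">-z</code>), and the origin is always passed explicitly. The function names, the policy labels and the <code>DNSSEC_VERIFY</code> override variable are assumptions made for this illustration, as is the reliance on a non-zero exit status when verification fails.</p>

```shell
#!/bin/sh
# Added example, not part of BIND: gate zone publication on dnssec-verify.
# verify_flags, verify_zone, the policy labels and the DNSSEC_VERIFY
# override are names assumed for this illustration.
DNSSEC_VERIFY="${DNSSEC_VERIFY:-dnssec-verify}"

# verify_flags POLICY [FORMAT] -> prints the options matching how the zone was signed
#   split    : default check; DNSKEY RRset signed by all active keys
#   ksk-only : DNSKEY RRset signed by key-signing keys only (dnssec-signzone -x)
#   single   : KSK flag ignored; one key may do both jobs (dnssec-signzone -z)
verify_flags() {
    policy=$1
    format=${2:-text}
    case $format in
        text|raw) flags="-I $format" ;;
        *) echo "unknown input format: $format" >&2; return 2 ;;
    esac
    case $policy in
        split)    ;;
        ksk-only) flags="$flags -x" ;;
        single)   flags="$flags -z" ;;
        *) echo "unknown signing policy: $policy" >&2; return 2 ;;
    esac
    printf '%s\n' "$flags"
}

# verify_zone ORIGIN ZONEFILE POLICY [FORMAT]
# Returns 0 only when dnssec-verify accepts the zone, 1 when it rejects it,
# 2 on a usage error. Assumes a failed verification exits non-zero.
verify_zone() {
    origin=$1
    zonefile=$2
    flags=$(verify_flags "$3" "${4:-text}") || return 2
    [ -r "$zonefile" ] || { echo "cannot read $zonefile" >&2; return 2; }
    # -o is explicit: otherwise the zone file name is taken as the origin.
    # $flags is left unquoted on purpose so it splits into separate options.
    if "$DNSSEC_VERIFY" -o "$origin" $flags "$zonefile"; then
        return 0
    fi
    echo "dnssec-verify rejected $zonefile ($origin); do not publish" >&2
    return 1
}
```

<p>A zone signed with the wrong mode selected here fails the check, so the policy label should come from the same configuration that drives <span><strong class="command">dnssec-signzone</strong></span>.</p>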
 <span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
 <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
<p><span class="corpauthor">Internet Systems Consortium</span></p>