man.dnssec-verify.html revision c266f8b440d139002432e3d3b82416c9d75048d1
2d2eda71267231c2526be701fe655db125852c1ffielding<!--
f062ed7bd262a37a909dd77ce5fc23b446818823fielding - Copyright (C) 2004-2015 Internet Systems Consortium, Inc. ("ISC")
f062ed7bd262a37a909dd77ce5fc23b446818823fielding - Copyright (C) 2000-2003 Internet Software Consortium.
bc8fd1b0b1afdf89b8d28eefa8cd74e26ba97986fielding -
f062ed7bd262a37a909dd77ce5fc23b446818823fielding - Permission to use, copy, modify, and/or distribute this software for any
2d2eda71267231c2526be701fe655db125852c1ffielding - purpose with or without fee is hereby granted, provided that the above
2d2eda71267231c2526be701fe655db125852c1ffielding - copyright notice and this permission notice appear in all copies.
2d2eda71267231c2526be701fe655db125852c1ffielding -
2d2eda71267231c2526be701fe655db125852c1ffielding - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
2d2eda71267231c2526be701fe655db125852c1ffielding - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
2d2eda71267231c2526be701fe655db125852c1ffielding - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
2d2eda71267231c2526be701fe655db125852c1ffielding - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
2d2eda71267231c2526be701fe655db125852c1ffielding - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
2d2eda71267231c2526be701fe655db125852c1ffielding - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
2d2eda71267231c2526be701fe655db125852c1ffielding - PERFORMANCE OF THIS SOFTWARE.
2d2eda71267231c2526be701fe655db125852c1ffielding-->
2d2eda71267231c2526be701fe655db125852c1ffielding<!-- $Id$ -->
2d2eda71267231c2526be701fe655db125852c1ffielding<html>
f062ed7bd262a37a909dd77ce5fc23b446818823fielding<head>
f062ed7bd262a37a909dd77ce5fc23b446818823fielding<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
f062ed7bd262a37a909dd77ce5fc23b446818823fielding<title>dnssec-verify</title>
f062ed7bd262a37a909dd77ce5fc23b446818823fielding<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
f062ed7bd262a37a909dd77ce5fc23b446818823fielding<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
f062ed7bd262a37a909dd77ce5fc23b446818823fielding<link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
2d2eda71267231c2526be701fe655db125852c1ffielding<link rel="prev" href="man.dnssec-signzone.html" title="dnssec-signzone">
f062ed7bd262a37a909dd77ce5fc23b446818823fielding<link rel="next" href="man.named-checkconf.html" title="named-checkconf">
f062ed7bd262a37a909dd77ce5fc23b446818823fielding</head>
f062ed7bd262a37a909dd77ce5fc23b446818823fielding<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
f062ed7bd262a37a909dd77ce5fc23b446818823fielding<div class="refentry" lang="en">
f062ed7bd262a37a909dd77ce5fc23b446818823fielding<a name="man.dnssec-verify"></a><div class="titlepage"></div>
f062ed7bd262a37a909dd77ce5fc23b446818823fielding<div class="refnamediv">
f062ed7bd262a37a909dd77ce5fc23b446818823fielding<h2>Name</h2>
f062ed7bd262a37a909dd77ce5fc23b446818823fielding<p><span class="application">dnssec-verify</span> &#8212; DNSSEC zone verification tool</p>
2d2eda71267231c2526be701fe655db125852c1ffielding</div>
2d2eda71267231c2526be701fe655db125852c1ffielding<div class="refsynopsisdiv">
2d2eda71267231c2526be701fe655db125852c1ffielding<h2>Synopsis</h2>
f062ed7bd262a37a909dd77ce5fc23b446818823fielding<div class="cmdsynopsis"><p><code class="command">dnssec-verify</code> [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-I <em class="replaceable"><code>input-format</code></em></code>] [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-V</code>] [<code class="option">-x</code>] [<code class="option">-z</code>] {zonefile}</p></div>
f062ed7bd262a37a909dd77ce5fc23b446818823fielding</div>
f062ed7bd262a37a909dd77ce5fc23b446818823fielding<div class="refsect1" lang="en">
2d2eda71267231c2526be701fe655db125852c1ffielding<a name="id2646121"></a><h2>DESCRIPTION</h2>
f062ed7bd262a37a909dd77ce5fc23b446818823fielding<p><span><strong class="command">dnssec-verify</strong></span>
f062ed7bd262a37a909dd77ce5fc23b446818823fielding verifies that a zone is fully signed for each algorithm found
f062ed7bd262a37a909dd77ce5fc23b446818823fielding in the DNSKEY RRset for the zone, and that the NSEC / NSEC3
2d2eda71267231c2526be701fe655db125852c1ffielding chains are complete.
2d2eda71267231c2526be701fe655db125852c1ffielding </p>
2d2eda71267231c2526be701fe655db125852c1ffielding</div>
2d2eda71267231c2526be701fe655db125852c1ffielding<div class="refsect1" lang="en">
2d2eda71267231c2526be701fe655db125852c1ffielding<a name="id2646135"></a><h2>OPTIONS</h2>
fcc25eda7b150e226d3c1cdaea66a943d3fdee4erbb<div class="variablelist"><dl>
b980ad7fdc218b4855cde9f75a747527f50c554dwrowe<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
ab5581cc78e9d865b0a6ab1404c53347b3276968rbb<dd><p>
92f3af936ce61f25358a3ee4f28df2f6d62040dfdreid Specifies the DNS class of the zone.
fcc25eda7b150e226d3c1cdaea66a943d3fdee4erbb </p></dd>
c9a95767fbf0f5fb0976a06b97a256033925e433rbb<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
fd0edaa8e3d4dd67d0604ccef2e96b071db96643fielding<dd>
2d2eda71267231c2526be701fe655db125852c1ffielding<p>
2d2eda71267231c2526be701fe655db125852c1ffielding Specifies the cryptographic hardware to use, when applicable.
2d2eda71267231c2526be701fe655db125852c1ffielding </p>
2d2eda71267231c2526be701fe655db125852c1ffielding<p>
61fd0cab072a05b855cbef9c585702401ac5ae29rbb When BIND is built with OpenSSL PKCS#11 support, this defaults
61fd0cab072a05b855cbef9c585702401ac5ae29rbb to the string "pkcs11", which identifies an OpenSSL engine
61fd0cab072a05b855cbef9c585702401ac5ae29rbb that can drive a cryptographic accelerator or hardware service
61fd0cab072a05b855cbef9c585702401ac5ae29rbb module. When BIND is built with native PKCS#11 cryptography
fd492f9543f14fb5bae78e04b135c3448eb9cc56rbb (--enable-native-pkcs11), it defaults to the path of the PKCS#11
fd492f9543f14fb5bae78e04b135c3448eb9cc56rbb provider library specified via "--with-pkcs11".
fd492f9543f14fb5bae78e04b135c3448eb9cc56rbb </p>
fd492f9543f14fb5bae78e04b135c3448eb9cc56rbb</dd>
fd492f9543f14fb5bae78e04b135c3448eb9cc56rbb<dt><span class="term">-I <em class="replaceable"><code>input-format</code></em></span></dt>
2d2eda71267231c2526be701fe655db125852c1ffielding<dd><p>
2d2eda71267231c2526be701fe655db125852c1ffielding The format of the input zone file.
2d2eda71267231c2526be701fe655db125852c1ffielding Possible formats are <span><strong class="command">"text"</strong></span> (default)
2d2eda71267231c2526be701fe655db125852c1ffielding and <span><strong class="command">"raw"</strong></span>.
2d2eda71267231c2526be701fe655db125852c1ffielding This option is primarily intended to be used for dynamic
61fd0cab072a05b855cbef9c585702401ac5ae29rbb signed zones so that the dumped zone file in a non-text
61fd0cab072a05b855cbef9c585702401ac5ae29rbb format containing updates can be verified independently.
61fd0cab072a05b855cbef9c585702401ac5ae29rbb The use of this option does not make much sense for
61fd0cab072a05b855cbef9c585702401ac5ae29rbb non-dynamic zones.
61fd0cab072a05b855cbef9c585702401ac5ae29rbb </p></dd>
2d2eda71267231c2526be701fe655db125852c1ffielding<dt><span class="term">-o <em class="replaceable"><code>origin</code></em></span></dt>
2d2eda71267231c2526be701fe655db125852c1ffielding<dd><p>
8af88bd6958b80c224e964892b8237720b13ab1ajerenkrantz The zone origin. If not specified, the name of the zone file
8af88bd6958b80c224e964892b8237720b13ab1ajerenkrantz is assumed to be the origin.
8af88bd6958b80c224e964892b8237720b13ab1ajerenkrantz </p></dd>
8af88bd6958b80c224e964892b8237720b13ab1ajerenkrantz<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
8af88bd6958b80c224e964892b8237720b13ab1ajerenkrantz<dd><p>
8af88bd6958b80c224e964892b8237720b13ab1ajerenkrantz Sets the debugging level.
bfb62a96023822c56c9120e4ee627d4091cc59c2rbb </p></dd>
bfb62a96023822c56c9120e4ee627d4091cc59c2rbb<dt><span class="term">-V</span></dt>
61fd0cab072a05b855cbef9c585702401ac5ae29rbb<dd><p>
61fd0cab072a05b855cbef9c585702401ac5ae29rbb Prints version information.
61fd0cab072a05b855cbef9c585702401ac5ae29rbb </p></dd>
61fd0cab072a05b855cbef9c585702401ac5ae29rbb<dt><span class="term">-x</span></dt>
61fd0cab072a05b855cbef9c585702401ac5ae29rbb<dd><p>
61fd0cab072a05b855cbef9c585702401ac5ae29rbb Only verify that the DNSKEY RRset is signed with key-signing
3d96ee83babeec32482c9082c9426340cee8c44dwrowe keys. Without this flag, it is assumed that the DNSKEY RRset
2d2eda71267231c2526be701fe655db125852c1ffielding will be signed by all active keys. When this flag is set,
61fd0cab072a05b855cbef9c585702401ac5ae29rbb it will not be an error if the DNSKEY RRset is not signed
61fd0cab072a05b855cbef9c585702401ac5ae29rbb by zone-signing keys. This corresponds to the <code class="option">-x</code>
61fd0cab072a05b855cbef9c585702401ac5ae29rbb option in <span><strong class="command">dnssec-signzone</strong></span>.
61fd0cab072a05b855cbef9c585702401ac5ae29rbb </p></dd>
61fd0cab072a05b855cbef9c585702401ac5ae29rbb<dt><span class="term">-z</span></dt>
61fd0cab072a05b855cbef9c585702401ac5ae29rbb<dd>
61fd0cab072a05b855cbef9c585702401ac5ae29rbb<p>
61fd0cab072a05b855cbef9c585702401ac5ae29rbb Ignore the KSK flag on the keys when determining whether
61fd0cab072a05b855cbef9c585702401ac5ae29rbb the zone is correctly signed. Without this flag it is
2d2eda71267231c2526be701fe655db125852c1ffielding assumed that there will be a non-revoked, self-signed
3d96ee83babeec32482c9082c9426340cee8c44dwrowe DNSKEY with the KSK flag set for each algorithm and
2d2eda71267231c2526be701fe655db125852c1ffielding that RRsets other than DNSKEY RRset will be signed with
2d2eda71267231c2526be701fe655db125852c1ffielding a different DNSKEY without the KSK flag set.
2d2eda71267231c2526be701fe655db125852c1ffielding </p>
2d2eda71267231c2526be701fe655db125852c1ffielding<p>
000b67449410515eac43e76ef6667915bfd4d2abgstein With this flag set, we only require that for each algorithm,
2d2eda71267231c2526be701fe655db125852c1ffielding there will be at least one non-revoked, self-signed DNSKEY,
2d2eda71267231c2526be701fe655db125852c1ffielding regardless of the KSK flag state, and that other RRsets
2d2eda71267231c2526be701fe655db125852c1ffielding will be signed by a non-revoked key for the same algorithm
61fd0cab072a05b855cbef9c585702401ac5ae29rbb that includes the self-signed key; the same key may be used
61fd0cab072a05b855cbef9c585702401ac5ae29rbb for both purposes. This corresponds to the <code class="option">-z</code>
61fd0cab072a05b855cbef9c585702401ac5ae29rbb option in <span><strong class="command">dnssec-signzone</strong></span>.
61fd0cab072a05b855cbef9c585702401ac5ae29rbb </p>
7bdef86e15d47d16dcbe7a5611683191774bd5fbgstein</dd>
61fd0cab072a05b855cbef9c585702401ac5ae29rbb<dt><span class="term">zonefile</span></dt>
7bdef86e15d47d16dcbe7a5611683191774bd5fbgstein<dd><p>
7bdef86e15d47d16dcbe7a5611683191774bd5fbgstein The file containing the zone to be verified.
61fd0cab072a05b855cbef9c585702401ac5ae29rbb </p></dd>
61fd0cab072a05b855cbef9c585702401ac5ae29rbb</dl></div>
61fd0cab072a05b855cbef9c585702401ac5ae29rbb</div>
61fd0cab072a05b855cbef9c585702401ac5ae29rbb<div class="refsect1" lang="en">
61fd0cab072a05b855cbef9c585702401ac5ae29rbb<a name="id2646318"></a><h2>SEE ALSO</h2>
61fd0cab072a05b855cbef9c585702401ac5ae29rbb<p>
3d96ee83babeec32482c9082c9426340cee8c44dwrowe <span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
7bdef86e15d47d16dcbe7a5611683191774bd5fbgstein <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
61fd0cab072a05b855cbef9c585702401ac5ae29rbb <em class="citetitle">RFC 4033</em>.
61fd0cab072a05b855cbef9c585702401ac5ae29rbb </p>
61fd0cab072a05b855cbef9c585702401ac5ae29rbb</div>
61fd0cab072a05b855cbef9c585702401ac5ae29rbb<div class="refsect1" lang="en">
61fd0cab072a05b855cbef9c585702401ac5ae29rbb<a name="id2646344"></a><h2>AUTHOR</h2>
61fd0cab072a05b855cbef9c585702401ac5ae29rbb<p><span class="corpauthor">Internet Systems Consortium</span>
61fd0cab072a05b855cbef9c585702401ac5ae29rbb </p>
61fd0cab072a05b855cbef9c585702401ac5ae29rbb</div>
3d96ee83babeec32482c9082c9426340cee8c44dwrowe</div>
d82d78a97558238d16c52ec5278fe921bb7d7ec3brianp<p style="text-align: center;">BIND 9.11.0pre-alpha</p>
d82d78a97558238d16c52ec5278fe921bb7d7ec3brianp</body>
d82d78a97558238d16c52ec5278fe921bb7d7ec3brianp</html>
d82d78a97558238d16c52ec5278fe921bb7d7ec3brianp