man.dnssec-verify.html revision d8620c7234281056fdfd2ee40cf16636b8281092
eb05dfd0382a6e15ffb44246e646323f3dca2fa4mderezynski - Copyright (C) 2004-2013 Internet Systems Consortium, Inc. ("ISC")
eb05dfd0382a6e15ffb44246e646323f3dca2fa4mderezynski - Copyright (C) 2000-2003 Internet Software Consortium.
eb05dfd0382a6e15ffb44246e646323f3dca2fa4mderezynski - Permission to use, copy, modify, and/or distribute this software for any
eb05dfd0382a6e15ffb44246e646323f3dca2fa4mderezynski - purpose with or without fee is hereby granted, provided that the above
eb05dfd0382a6e15ffb44246e646323f3dca2fa4mderezynski - copyright notice and this permission notice appear in all copies.
eb05dfd0382a6e15ffb44246e646323f3dca2fa4mderezynski - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
eb05dfd0382a6e15ffb44246e646323f3dca2fa4mderezynski - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
eb05dfd0382a6e15ffb44246e646323f3dca2fa4mderezynski - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
eb05dfd0382a6e15ffb44246e646323f3dca2fa4mderezynski - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
eb05dfd0382a6e15ffb44246e646323f3dca2fa4mderezynski - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
eb05dfd0382a6e15ffb44246e646323f3dca2fa4mderezynski - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
eb05dfd0382a6e15ffb44246e646323f3dca2fa4mderezynski - PERFORMANCE OF THIS SOFTWARE.
5a0c9c0d523287747d281c61c78cb529b1118778Alex Valavanis<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
dc4634a01ba347c5f4803da914f6bed41da3a64bmderezynski<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
eb05dfd0382a6e15ffb44246e646323f3dca2fa4mderezynski<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
eb05dfd0382a6e15ffb44246e646323f3dca2fa4mderezynski<link rel="up" href="Bv9ARM.ch10.html" title="Manual pages">
eb05dfd0382a6e15ffb44246e646323f3dca2fa4mderezynski<link rel="prev" href="man.dnssec-signzone.html" title="dnssec-signzone">
eb05dfd0382a6e15ffb44246e646323f3dca2fa4mderezynski<link rel="next" href="man.named-checkconf.html" title="named-checkconf">
eb05dfd0382a6e15ffb44246e646323f3dca2fa4mderezynski<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
eb05dfd0382a6e15ffb44246e646323f3dca2fa4mderezynski<tr><th colspan="3" align="center"><span class="application">dnssec-verify</span></th></tr>
9bc8c3c5a9c7c7364a767e1209fc44293a444b0bmderezynski<a accesskey="p" href="man.dnssec-signzone.html">Prev</a>�</td>
9bc8c3c5a9c7c7364a767e1209fc44293a444b0bmderezynski<td width="20%" align="right">�<a accesskey="n" href="man.named-checkconf.html">Next</a>
eb05dfd0382a6e15ffb44246e646323f3dca2fa4mderezynski<a name="man.dnssec-verify"></a><div class="titlepage"></div>
eb05dfd0382a6e15ffb44246e646323f3dca2fa4mderezynski<p><span class="application">dnssec-verify</span> — DNSSEC zone verification tool</p>
5834db43b21308e958a2fdbbec082b1a4f019a38bryce<div class="cmdsynopsis"><p><code class="command">dnssec-verify</code> [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-I <em class="replaceable"><code>input-format</code></em></code>] [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-x</code>] [<code class="option">-z</code>] {zonefile}</p></div>
eb05dfd0382a6e15ffb44246e646323f3dca2fa4mderezynski<p><span><strong class="command">dnssec-verify</strong></span>
eb05dfd0382a6e15ffb44246e646323f3dca2fa4mderezynski verifies that a zone is fully signed for each algorithm found
eb05dfd0382a6e15ffb44246e646323f3dca2fa4mderezynski in the DNSKEY RRset for the zone, and that the NSEC / NSEC3
eb05dfd0382a6e15ffb44246e646323f3dca2fa4mderezynski chains are complete.
eb05dfd0382a6e15ffb44246e646323f3dca2fa4mderezynski<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
bc6905ac9361640557ade723dad00ea4d117a173buliabyak Specifies the DNS class of the zone.
bc6905ac9361640557ade723dad00ea4d117a173buliabyak<dt><span class="term">-I <em class="replaceable"><code>input-format</code></em></span></dt>
bc6905ac9361640557ade723dad00ea4d117a173buliabyak The format of the input zone file.
bc6905ac9361640557ade723dad00ea4d117a173buliabyak Possible formats are <span><strong class="command">"text"</strong></span> (default)
bc6905ac9361640557ade723dad00ea4d117a173buliabyak and <span><strong class="command">"raw"</strong></span>.
bc6905ac9361640557ade723dad00ea4d117a173buliabyak This option is primarily intended to be used for dynamic
bc6905ac9361640557ade723dad00ea4d117a173buliabyak signed zones so that the dumped zone file in a non-text
bc6905ac9361640557ade723dad00ea4d117a173buliabyak format containing updates can be verified independently.
bc6905ac9361640557ade723dad00ea4d117a173buliabyak The use of this option does not make much sense for
bc6905ac9361640557ade723dad00ea4d117a173buliabyak non-dynamic zones.
eb05dfd0382a6e15ffb44246e646323f3dca2fa4mderezynski<dt><span class="term">-o <em class="replaceable"><code>origin</code></em></span></dt>
eb05dfd0382a6e15ffb44246e646323f3dca2fa4mderezynski The zone origin. If not specified, the name of the zone file
eb05dfd0382a6e15ffb44246e646323f3dca2fa4mderezynski is assumed to be the origin.
eb05dfd0382a6e15ffb44246e646323f3dca2fa4mderezynski<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
eb05dfd0382a6e15ffb44246e646323f3dca2fa4mderezynski Sets the debugging level.
eb05dfd0382a6e15ffb44246e646323f3dca2fa4mderezynski Only verify that the DNSKEY RRset is signed with key-signing
eb05dfd0382a6e15ffb44246e646323f3dca2fa4mderezynski keys. Without this flag, it is assumed that the DNSKEY RRset
eb05dfd0382a6e15ffb44246e646323f3dca2fa4mderezynski will be signed by all active keys. When this flag is set,
eb05dfd0382a6e15ffb44246e646323f3dca2fa4mderezynski it will not be an error if the DNSKEY RRset is not signed
eb05dfd0382a6e15ffb44246e646323f3dca2fa4mderezynski by zone-signing keys. This corresponds to the <code class="option">-x</code>
eb05dfd0382a6e15ffb44246e646323f3dca2fa4mderezynski option in <span><strong class="command">dnssec-signzone</strong></span>.
eb05dfd0382a6e15ffb44246e646323f3dca2fa4mderezynski Ignore the KSK flag on the keys when determining whether
eb05dfd0382a6e15ffb44246e646323f3dca2fa4mderezynski the zone if correctly signed. Without this flag it is
9bc8c3c5a9c7c7364a767e1209fc44293a444b0bmderezynski assumed that there will be a non-revoked, self-signed
eb05dfd0382a6e15ffb44246e646323f3dca2fa4mderezynski DNSKEY with the KSK flag set for each algorithm and
eb05dfd0382a6e15ffb44246e646323f3dca2fa4mderezynski that RRsets other than DNSKEY RRset will be signed with
eb05dfd0382a6e15ffb44246e646323f3dca2fa4mderezynski a different DNSKEY without the KSK flag set.
eb05dfd0382a6e15ffb44246e646323f3dca2fa4mderezynski With this flag set, we only require that for each algorithm,
eb05dfd0382a6e15ffb44246e646323f3dca2fa4mderezynski there will be at least one non-revoked, self-signed DNSKEY,
eb05dfd0382a6e15ffb44246e646323f3dca2fa4mderezynski regardless of the KSK flag state, and that other RRsets
eb05dfd0382a6e15ffb44246e646323f3dca2fa4mderezynski will be signed by a non-revoked key for the same algorithm
eb05dfd0382a6e15ffb44246e646323f3dca2fa4mderezynski that includes the self-signed key; the same key may be used
eb05dfd0382a6e15ffb44246e646323f3dca2fa4mderezynski for both purposes. This corresponds to the <code class="option">-z</code>
eb05dfd0382a6e15ffb44246e646323f3dca2fa4mderezynski option in <span><strong class="command">dnssec-signzone</strong></span>.
eb05dfd0382a6e15ffb44246e646323f3dca2fa4mderezynski The file containing the zone to be signed.
eb05dfd0382a6e15ffb44246e646323f3dca2fa4mderezynski <span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
eb05dfd0382a6e15ffb44246e646323f3dca2fa4mderezynski <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
eb05dfd0382a6e15ffb44246e646323f3dca2fa4mderezynski<p><span class="corpauthor">Internet Systems Consortium</span>