man.dnssec-verify.html revision dd1ce8b52478fa98c844720af9e77fae2978f18d
01d202be8fb07c010388eada31635e40ae3bffe5Brian Wellington<!--
2fabf91e5bfc718f274e19c5fa8844fdae90ae41Brian Wellington - Copyright (C) 2004-2014 Internet Systems Consortium, Inc. ("ISC")
01d202be8fb07c010388eada31635e40ae3bffe5Brian Wellington - Copyright (C) 2000-2003 Internet Software Consortium.
01d202be8fb07c010388eada31635e40ae3bffe5Brian Wellington -
01d202be8fb07c010388eada31635e40ae3bffe5Brian Wellington - Permission to use, copy, modify, and/or distribute this software for any
01d202be8fb07c010388eada31635e40ae3bffe5Brian Wellington - purpose with or without fee is hereby granted, provided that the above
01d202be8fb07c010388eada31635e40ae3bffe5Brian Wellington - copyright notice and this permission notice appear in all copies.
01d202be8fb07c010388eada31635e40ae3bffe5Brian Wellington -
01d202be8fb07c010388eada31635e40ae3bffe5Brian Wellington - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
01d202be8fb07c010388eada31635e40ae3bffe5Brian Wellington - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
01d202be8fb07c010388eada31635e40ae3bffe5Brian Wellington - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
01d202be8fb07c010388eada31635e40ae3bffe5Brian Wellington - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
01d202be8fb07c010388eada31635e40ae3bffe5Brian Wellington - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
01d202be8fb07c010388eada31635e40ae3bffe5Brian Wellington - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
01d202be8fb07c010388eada31635e40ae3bffe5Brian Wellington - PERFORMANCE OF THIS SOFTWARE.
01d202be8fb07c010388eada31635e40ae3bffe5Brian Wellington-->
01d202be8fb07c010388eada31635e40ae3bffe5Brian Wellington<!-- $Id$ -->
01d202be8fb07c010388eada31635e40ae3bffe5Brian Wellington<html>
01d202be8fb07c010388eada31635e40ae3bffe5Brian Wellington<head>
2fabf91e5bfc718f274e19c5fa8844fdae90ae41Brian Wellington<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
2fabf91e5bfc718f274e19c5fa8844fdae90ae41Brian Wellington<title>dnssec-verify</title>
2fabf91e5bfc718f274e19c5fa8844fdae90ae41Brian Wellington<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
2fabf91e5bfc718f274e19c5fa8844fdae90ae41Brian Wellington<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
71f5ad0517325eb32ecbee112206277c6277af87Brian Wellington<link rel="up" href="Bv9ARM.ch10.html" title="Manual pages">
01d202be8fb07c010388eada31635e40ae3bffe5Brian Wellington<link rel="prev" href="man.dnssec-signzone.html" title="dnssec-signzone">
2fabf91e5bfc718f274e19c5fa8844fdae90ae41Brian Wellington<link rel="next" href="man.named-checkconf.html" title="named-checkconf">
01d202be8fb07c010388eada31635e40ae3bffe5Brian Wellington</head>
2fabf91e5bfc718f274e19c5fa8844fdae90ae41Brian Wellington<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
01d202be8fb07c010388eada31635e40ae3bffe5Brian Wellington<div class="refentry" lang="en">
01d202be8fb07c010388eada31635e40ae3bffe5Brian Wellington<a name="man.dnssec-verify"></a><div class="titlepage"></div>
01d202be8fb07c010388eada31635e40ae3bffe5Brian Wellington<div class="refnamediv">
01d202be8fb07c010388eada31635e40ae3bffe5Brian Wellington<h2>Name</h2>
01d202be8fb07c010388eada31635e40ae3bffe5Brian Wellington<p><span class="application">dnssec-verify</span> &#8212; DNSSEC zone verification tool</p>
01d202be8fb07c010388eada31635e40ae3bffe5Brian Wellington</div>
01d202be8fb07c010388eada31635e40ae3bffe5Brian Wellington<div class="refsynopsisdiv">
01d202be8fb07c010388eada31635e40ae3bffe5Brian Wellington<h2>Synopsis</h2>
01d202be8fb07c010388eada31635e40ae3bffe5Brian Wellington<div class="cmdsynopsis"><p><code class="command">dnssec-verify</code> [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-I <em class="replaceable"><code>input-format</code></em></code>] [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-x</code>] [<code class="option">-z</code>] {zonefile}</p></div>
01d202be8fb07c010388eada31635e40ae3bffe5Brian Wellington</div>
01d202be8fb07c010388eada31635e40ae3bffe5Brian Wellington<div class="refsect1" lang="en">
01d202be8fb07c010388eada31635e40ae3bffe5Brian Wellington<a name="id2621640"></a><h2>DESCRIPTION</h2>
2fabf91e5bfc718f274e19c5fa8844fdae90ae41Brian Wellington<p><span><strong class="command">dnssec-verify</strong></span>
01d202be8fb07c010388eada31635e40ae3bffe5Brian Wellington verifies that a zone is fully signed for each algorithm found
01d202be8fb07c010388eada31635e40ae3bffe5Brian Wellington in the DNSKEY RRset for the zone, and that the NSEC / NSEC3
01d202be8fb07c010388eada31635e40ae3bffe5Brian Wellington chains are complete.
01d202be8fb07c010388eada31635e40ae3bffe5Brian Wellington </p>
01d202be8fb07c010388eada31635e40ae3bffe5Brian Wellington</div>
01d202be8fb07c010388eada31635e40ae3bffe5Brian Wellington<div class="refsect1" lang="en">
01d202be8fb07c010388eada31635e40ae3bffe5Brian Wellington<a name="id2621654"></a><h2>OPTIONS</h2>
01d202be8fb07c010388eada31635e40ae3bffe5Brian Wellington<div class="variablelist"><dl>
01d202be8fb07c010388eada31635e40ae3bffe5Brian Wellington<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
01d202be8fb07c010388eada31635e40ae3bffe5Brian Wellington<dd><p>
01d202be8fb07c010388eada31635e40ae3bffe5Brian Wellington Specifies the DNS class of the zone.
01d202be8fb07c010388eada31635e40ae3bffe5Brian Wellington </p></dd>
01d202be8fb07c010388eada31635e40ae3bffe5Brian Wellington<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
01d202be8fb07c010388eada31635e40ae3bffe5Brian Wellington<dd>
01d202be8fb07c010388eada31635e40ae3bffe5Brian Wellington<p>
01d202be8fb07c010388eada31635e40ae3bffe5Brian Wellington Specifies the cryptographic hardware to use, when applicable.
01d202be8fb07c010388eada31635e40ae3bffe5Brian Wellington </p>
01d202be8fb07c010388eada31635e40ae3bffe5Brian Wellington<p>
01d202be8fb07c010388eada31635e40ae3bffe5Brian Wellington When BIND is built with OpenSSL PKCS#11 support, this defaults
01d202be8fb07c010388eada31635e40ae3bffe5Brian Wellington to the string "pkcs11", which identifies an OpenSSL engine
01d202be8fb07c010388eada31635e40ae3bffe5Brian Wellington that can drive a cryptographic accelerator or hardware security
01d202be8fb07c010388eada31635e40ae3bffe5Brian Wellington module. When BIND is built with native PKCS#11 cryptography
01d202be8fb07c010388eada31635e40ae3bffe5Brian Wellington (--enable-native-pkcs11), it defaults to the path of the PKCS#11
01d202be8fb07c010388eada31635e40ae3bffe5Brian Wellington provider library specified via "--with-pkcs11".
01d202be8fb07c010388eada31635e40ae3bffe5Brian Wellington </p>
2fabf91e5bfc718f274e19c5fa8844fdae90ae41Brian Wellington</dd>
01d202be8fb07c010388eada31635e40ae3bffe5Brian Wellington<dt><span class="term">-I <em class="replaceable"><code>input-format</code></em></span></dt>
01d202be8fb07c010388eada31635e40ae3bffe5Brian Wellington<dd><p>
01d202be8fb07c010388eada31635e40ae3bffe5Brian Wellington The format of the input zone file.
01d202be8fb07c010388eada31635e40ae3bffe5Brian Wellington Possible formats are <span><strong class="command">"text"</strong></span> (default)
01d202be8fb07c010388eada31635e40ae3bffe5Brian Wellington and <span><strong class="command">"raw"</strong></span>.
01d202be8fb07c010388eada31635e40ae3bffe5Brian Wellington This option is primarily intended to be used for dynamic
01d202be8fb07c010388eada31635e40ae3bffe5Brian Wellington signed zones so that the dumped zone file in a non-text
01d202be8fb07c010388eada31635e40ae3bffe5Brian Wellington format containing updates can be verified independently.
01d202be8fb07c010388eada31635e40ae3bffe5Brian Wellington The use of this option does not make much sense for
7dc1fe241043e47a6721fd841e2c52d3691379ebBrian Wellington non-dynamic zones.
7dc1fe241043e47a6721fd841e2c52d3691379ebBrian Wellington </p></dd>
7dc1fe241043e47a6721fd841e2c52d3691379ebBrian Wellington<dt><span class="term">-o <em class="replaceable"><code>origin</code></em></span></dt>
01d202be8fb07c010388eada31635e40ae3bffe5Brian Wellington<dd><p>
01d202be8fb07c010388eada31635e40ae3bffe5Brian Wellington The zone origin. If not specified, the name of the zone file
01d202be8fb07c010388eada31635e40ae3bffe5Brian Wellington is assumed to be the origin.
01d202be8fb07c010388eada31635e40ae3bffe5Brian Wellington </p></dd>
01d202be8fb07c010388eada31635e40ae3bffe5Brian Wellington<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
01d202be8fb07c010388eada31635e40ae3bffe5Brian Wellington<dd><p>
7dc1fe241043e47a6721fd841e2c52d3691379ebBrian Wellington Sets the debugging level.
7dc1fe241043e47a6721fd841e2c52d3691379ebBrian Wellington </p></dd>
7dc1fe241043e47a6721fd841e2c52d3691379ebBrian Wellington<dt><span class="term">-x</span></dt>
7dc1fe241043e47a6721fd841e2c52d3691379ebBrian Wellington<dd><p>
7dc1fe241043e47a6721fd841e2c52d3691379ebBrian Wellington Only verify that the DNSKEY RRset is signed with key-signing
01d202be8fb07c010388eada31635e40ae3bffe5Brian Wellington keys. Without this flag, it is assumed that the DNSKEY RRset
01d202be8fb07c010388eada31635e40ae3bffe5Brian Wellington will be signed by all active keys. When this flag is set,
01d202be8fb07c010388eada31635e40ae3bffe5Brian Wellington it will not be an error if the DNSKEY RRset is not signed
01d202be8fb07c010388eada31635e40ae3bffe5Brian Wellington by zone-signing keys. This corresponds to the <code class="option">-x</code>
01d202be8fb07c010388eada31635e40ae3bffe5Brian Wellington option in <span><strong class="command">dnssec-signzone</strong></span>.
01d202be8fb07c010388eada31635e40ae3bffe5Brian Wellington </p></dd>
01d202be8fb07c010388eada31635e40ae3bffe5Brian Wellington<dt><span class="term">-z</span></dt>
01d202be8fb07c010388eada31635e40ae3bffe5Brian Wellington<dd>
01d202be8fb07c010388eada31635e40ae3bffe5Brian Wellington<p>
01d202be8fb07c010388eada31635e40ae3bffe5Brian Wellington Ignore the KSK flag on the keys when determining whether
01d202be8fb07c010388eada31635e40ae3bffe5Brian Wellington the zone is correctly signed. Without this flag it is
01d202be8fb07c010388eada31635e40ae3bffe5Brian Wellington assumed that there will be a non-revoked, self-signed
01d202be8fb07c010388eada31635e40ae3bffe5Brian Wellington DNSKEY with the KSK flag set for each algorithm and
01d202be8fb07c010388eada31635e40ae3bffe5Brian Wellington that RRsets other than DNSKEY RRset will be signed with
7dc1fe241043e47a6721fd841e2c52d3691379ebBrian Wellington a different DNSKEY without the KSK flag set.
7dc1fe241043e47a6721fd841e2c52d3691379ebBrian Wellington </p>
7dc1fe241043e47a6721fd841e2c52d3691379ebBrian Wellington<p>
7dc1fe241043e47a6721fd841e2c52d3691379ebBrian Wellington With this flag set, we only require that for each algorithm,
01d202be8fb07c010388eada31635e40ae3bffe5Brian Wellington there will be at least one non-revoked, self-signed DNSKEY,
7dc1fe241043e47a6721fd841e2c52d3691379ebBrian Wellington regardless of the KSK flag state, and that other RRsets
7dc1fe241043e47a6721fd841e2c52d3691379ebBrian Wellington will be signed by a non-revoked key for the same algorithm
7dc1fe241043e47a6721fd841e2c52d3691379ebBrian Wellington that includes the self-signed key; the same key may be used
7dc1fe241043e47a6721fd841e2c52d3691379ebBrian Wellington for both purposes. This corresponds to the <code class="option">-z</code>
7dc1fe241043e47a6721fd841e2c52d3691379ebBrian Wellington option in <span><strong class="command">dnssec-signzone</strong></span>.
7dc1fe241043e47a6721fd841e2c52d3691379ebBrian Wellington </p>
7dc1fe241043e47a6721fd841e2c52d3691379ebBrian Wellington</dd>
7dc1fe241043e47a6721fd841e2c52d3691379ebBrian Wellington<dt><span class="term">zonefile</span></dt>
7dc1fe241043e47a6721fd841e2c52d3691379ebBrian Wellington<dd><p>
01d202be8fb07c010388eada31635e40ae3bffe5Brian Wellington The file containing the zone to be verified.
7dc1fe241043e47a6721fd841e2c52d3691379ebBrian Wellington </p></dd>
7dc1fe241043e47a6721fd841e2c52d3691379ebBrian Wellington</dl></div>
7dc1fe241043e47a6721fd841e2c52d3691379ebBrian Wellington</div>
7dc1fe241043e47a6721fd841e2c52d3691379ebBrian Wellington<div class="refsect1" lang="en">
01d202be8fb07c010388eada31635e40ae3bffe5Brian Wellington<a name="id2621824"></a><h2>SEE ALSO</h2>
7dc1fe241043e47a6721fd841e2c52d3691379ebBrian Wellington<p>
01d202be8fb07c010388eada31635e40ae3bffe5Brian Wellington <span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
01d202be8fb07c010388eada31635e40ae3bffe5Brian Wellington <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
01d202be8fb07c010388eada31635e40ae3bffe5Brian Wellington <em class="citetitle">RFC 4033</em>.
01d202be8fb07c010388eada31635e40ae3bffe5Brian Wellington </p>
01d202be8fb07c010388eada31635e40ae3bffe5Brian Wellington</div>
01d202be8fb07c010388eada31635e40ae3bffe5Brian Wellington<div class="refsect1" lang="en">
01d202be8fb07c010388eada31635e40ae3bffe5Brian Wellington<a name="id2621849"></a><h2>AUTHOR</h2>
01d202be8fb07c010388eada31635e40ae3bffe5Brian Wellington<p><span class="corpauthor">Internet Systems Consortium</span>
01d202be8fb07c010388eada31635e40ae3bffe5Brian Wellington </p>
01d202be8fb07c010388eada31635e40ae3bffe5Brian Wellington</div>
01d202be8fb07c010388eada31635e40ae3bffe5Brian Wellington</div>
01d202be8fb07c010388eada31635e40ae3bffe5Brian Wellington</body>
01d202be8fb07c010388eada31635e40ae3bffe5Brian Wellington</html>
01d202be8fb07c010388eada31635e40ae3bffe5Brian Wellington