man.dnssec-verify.html revision e3d49a1c84a79b33e3244c9abc29593d74e8af2f
<!--
 - Copyright (C) 2004-2013 Internet Systems Consortium, Inc. ("ISC")
 - Copyright (C) 2000-2003 Internet Software Consortium.
 -
 - Permission to use, copy, modify, and/or distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 -
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id$ -->
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.ch10.html" title="Manual pages">
<link rel="prev" href="man.dnssec-signzone.html" title="dnssec-signzone">
<link rel="next" href="man.named-checkconf.html" title="named-checkconf">
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<tr><th colspan="3" align="center"><span class="application">dnssec-verify</span></th></tr>
<a name="man.dnssec-verify"></a><div class="titlepage"></div>
<p><span class="application">dnssec-verify</span> — DNSSEC zone verification tool</p>
<div class="cmdsynopsis"><p><code class="command">dnssec-verify</code> [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-I <em class="replaceable"><code>input-format</code></em></code>] [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-x</code>] [<code class="option">-z</code>] {zonefile}</p></div>
<p><span><strong class="command">dnssec-verify</strong></span>
 verifies that a zone is fully signed for each algorithm found
 in the DNSKEY RRset for the zone, and that the NSEC / NSEC3
 chains are complete.</p>
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
 Specifies the DNS class of the zone.
<dt><span class="term">-I <em class="replaceable"><code>input-format</code></em></span></dt>
 The format of the input zone file.
 Possible formats are <span><strong class="command">"text"</strong></span> (default)
 and <span><strong class="command">"raw"</strong></span>.
 This option is primarily intended to be used for dynamic
 signed zones so that the dumped zone file in a non-text
 format containing updates can be verified independently.
 The use of this option does not make much sense for
 non-dynamic zones.
<dt><span class="term">-o <em class="replaceable"><code>origin</code></em></span></dt>
 The zone origin. If not specified, the name of the zone file
 is assumed to be the origin.
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
 Sets the debugging level.
<dt><span class="term">-x</span></dt>
 Only verify that the DNSKEY RRset is signed with key-signing
 keys. Without this flag, it is assumed that the DNSKEY RRset
 will be signed by all active keys. When this flag is set,
 it will not be an error if the DNSKEY RRset is not signed
 by zone-signing keys. This corresponds to the <code class="option">-x</code>
 option in <span><strong class="command">dnssec-signzone</strong></span>.
<dt><span class="term">-z</span></dt>
 Ignore the KSK flag on the keys when determining whether
 the zone is correctly signed. Without this flag it is
 assumed that there will be a non-revoked, self-signed
 DNSKEY with the KSK flag set for each algorithm and
 that RRsets other than DNSKEY RRset will be signed with
 a different DNSKEY without the KSK flag set.
 With this flag set, we only require that for each algorithm,
 there will be at least one non-revoked, self-signed DNSKEY,
 regardless of the KSK flag state, and that other RRsets
 will be signed by a non-revoked key for the same algorithm
 that includes the self-signed key; the same key may be used
 for both purposes. This corresponds to the <code class="option">-z</code>
 option in <span><strong class="command">dnssec-signzone</strong></span>.
<dt><span class="term">zonefile</span></dt>
 The file containing the zone to be signed.
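<p>The options above combined into a pre-publication check, as an added example that is not part of the BIND distribution. The manifest layout, the function names and the key-mode names (split, kskonly, single) are assumptions made for this sketch, as is the expectation that <code class="command">dnssec-verify</code> exits non-zero when verification fails.</p>

```shell
#!/bin/sh
# Added example, not part of BIND: a pre-publication gate around dnssec-verify.
# Manifest layout and the key-mode names are assumptions made for this sketch.
# Assumes dnssec-verify exits non-zero when verification fails.
DNSSEC_VERIFY=${DNSSEC_VERIFY:-dnssec-verify}

# verify_zone ORIGIN FILE [FORMAT] [KEYMODE]
#   FORMAT   text (default) or raw (dumped dynamic signed zone)
#   KEYMODE  split (default), kskonly (-x) or single (-z); pick the one that
#            matches how the zone was signed with dnssec-signzone
verify_zone() {
    origin=$1 file=$2 format=${3:-text} keymode=${4:-split}
    case $format in
        text|raw) ;;
        *) echo "$origin: unknown input format '$format'" >&2; return 2 ;;
    esac
    case $keymode in
        split)   keyopt= ;;
        kskonly) keyopt=-x ;;
        single)  keyopt=-z ;;
        *) echo "$origin: unknown key mode '$keymode'" >&2; return 2 ;;
    esac
    [ -r "$file" ] || { echo "$origin: cannot read $file" >&2; return 2; }
    # Always pass -o: otherwise the zone file's name is assumed to be the
    # origin. $keyopt stays unquoted so an empty value adds no argument.
    "$DNSSEC_VERIFY" -I "$format" -o "$origin" $keyopt "$file"
}

# gate MANIFEST: verify each "origin file [format] [keymode]" line, print the
# number of rejected zones, and return non-zero if any zone was rejected.
gate() {
    failed=0
    while read -r origin file format keymode; do
        case $origin in ''|'#'*) continue ;; esac
        # </dev/null keeps the tool from reading the manifest on stdin.
        verify_zone "$origin" "$file" "$format" "$keymode" </dev/null || {
            echo "REJECT $origin ($file)" >&2
            failed=$((failed + 1))
        }
    done <"$1"
    echo "$failed"
    [ "$failed" -eq 0 ]
}
```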
 <span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
 <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
<p><span class="corpauthor">Internet Systems Consortium</span></p>