0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark AndrewsCopyright (C) 2012, 2016 Internet Systems Consortium, Inc. ("ISC")
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark AndrewsThis Source Code Form is subject to the terms of the Mozilla Public
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark AndrewsLicense, v. 2.0. If a copy of the MPL was not distributed with this
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrewsfile, You can obtain one at http://mozilla.org/MPL/2.0/.
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews dnssec-verify a tool to verify a zone is correctly signed.
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews* check that every record that should be signed has a valid RRSIG set.
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews* check that every record that shouldn't be signed isn't.
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews* check that each RRSIG set has a valid RRSIG and that all DNSKEY algorithms
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews in use are checked.
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews* provide a mechanism to mark DNSKEY algorithms to be ignored to support
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews verification of zones that are in the processs of adding/removing
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews support for a algorithm.
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews* provide a mechanism to check the zone as of a specified date and time.
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews* check that RRSIG won't expire within the TTL interval.
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews* check that original TTL matches.
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews* check that every node with data within the zone has a NSEC RRset.
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews* check that empty nodes don't have a NSEC record.
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews* check that nodes outside the zone do not have a NSEC record.
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews* check that the NSEC chain is valid.
ad127d839d2e7aa542939a8a336691407e23397eMark AndrewsNSEC3: for each NSEC3 chain
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews* check that every node with data within the zone has a NSEC3 RRset.
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews* check that empty nodes within the zone have a NSEC3 record.
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews* check that nodes outside the zone do not have a NSEC3 record.
ad127d839d2e7aa542939a8a336691407e23397eMark Andrews* check that each NSEC3 in the NSEC3PARAM record is valid.