Copyright (C) 2012, 2016 Internet Systems Consortium, Inc. ("ISC")

This Source Code Form is subject to the terms of the Mozilla Public
License, v. 2.0. If a copy of the MPL was not distributed with this
file, You can obtain one at http://mozilla.org/MPL/2.0/.

$Id$

dnssec-verify: a tool to verify that a zone is correctly signed.

* check that every record that should be signed has a valid RRSIG set.
* check that every record that shouldn't be signed isn't.
* check that each RRSIG set has a valid RRSIG and that all DNSKEY algorithms
  in use are checked.
* provide a mechanism to mark DNSKEY algorithms to be ignored to support
  verification of zones that are in the process of adding/removing
  support for an algorithm.
* provide a mechanism to check the zone as of a specified date and time.
* check that RRSIG won't expire within the TTL interval.
* check that original TTL matches.

NSEC:
* check that every node with data within the zone has a NSEC RRset.
* check that empty nodes don't have a NSEC record.
* check that nodes outside the zone do not have a NSEC record.
* check that the NSEC chain is valid.
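
The four NSEC checks above, sketched as an added example (not code from dnssec-verify or BIND). The names `canon_key` and `check_nsec` and the zone data are constructed for illustration; "outside the zone" is simplified to names not at or below the origin, and escaped characters in labels are not handled.

```python
def canon_key(name):
    """Sort key for RFC 4034 section 6.1 canonical order: lowercased labels, rightmost first."""
    stripped = name.rstrip(".").lower()
    return [label.encode() for label in reversed(stripped.split("."))] if stripped else []


def check_nsec(origin, nodes):
    """nodes: owner -> (RR types other than NSEC/RRSIG, NSEC next name or None)."""
    errors, chain, okey = [], [], canon_key(origin)
    for owner, (types, nxt) in nodes.items():
        inside = canon_key(owner)[:len(okey)] == okey
        if not inside:
            if nxt is not None:
                errors.append(f"{owner}: node outside the zone has an NSEC")
            continue
        if types and nxt is None:
            errors.append(f"{owner}: node with data has no NSEC")
        elif not types and nxt is not None:
            errors.append(f"{owner}: empty node has an NSEC")
        if nxt is not None:
            chain.append((canon_key(owner), owner, nxt))
    # A valid chain visits owners in canonical order; the last one wraps to the first.
    chain.sort()
    for i, (_, owner, nxt) in enumerate(chain):
        expected = chain[(i + 1) % len(chain)][1]
        if canon_key(nxt) != canon_key(expected):
            errors.append(f"{owner}: NSEC next is {nxt}, expected {expected}")
    return errors


# Constructed sample zone. ent.example. is an empty non-terminal (no data, no NSEC).
GOOD = {
    "example.": ({"SOA", "NS", "DNSKEY"}, "a.example."),
    "a.example.": ({"A"}, "x.ent.example."),
    "ent.example.": (set(), None),
    "x.ent.example.": ({"TXT"}, "Z.example."),
    "Z.example.": ({"A"}, "example."),
}
# Constructed broken variant: a chain link that skips a name, a node with data
# but no NSEC, and an out-of-zone name carrying an NSEC.
BAD = dict(GOOD)
BAD["a.example."] = ({"A"}, "Z.example.")
BAD["b.example."] = ({"A"}, None)
BAD["other.test."] = ({"A"}, "example.")

if __name__ == "__main__":
    for err in check_nsec("example.", BAD):
        print(err)
```

The skipped link is the case that matters most for a validator: an NSEC spanning from a.example. to Z.example. asserts that x.ent.example. does not exist.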

NSEC3: for each NSEC3 chain
* check that every node with data within the zone has a NSEC3 RRset.
* check that empty nodes within the zone have a NSEC3 record.
* check that nodes outside the zone do not have a NSEC3 record.
* check that each NSEC3 in the NSEC3PARAM record is valid.