347N/A dnssec-verify a tool to verify a zone is correctly signed.
347N/A* check that every record that should be signed has a valid RRSIG set.
943N/A* check that every record that shouldn't be signed isn't.
347N/A* check that each RRSIG set has a valid RRSIG and that all DNSKEY algorithms
919N/A* provide a mechanism to mark DNSKEY algorithms to be ignored to support
919N/A support for a algorithm.
919N/A* provide a mechanism to check the zone as of a specified date and time.
919N/A* check that RRSIG won't expire within the TTL interval.
919N/A* check that original TTL matches.
919N/A* check that every node with data within the zone has a NSEC RRset.
919N/A* check that empty nodes don't have a NSEC record.
919N/A* check that nodes outside the zone do not have a NSEC record.
919N/A* check that the NSEC chain is valid.
919N/ANSEC3: for each NSEC3 chain
919N/A* check that every node with data within the zone has a NSEC3 RRset.
919N/A* check that empty nodes within the zone have a NSEC3 record.
919N/A* check that nodes outside the zone do not have a NSEC3 record.
347N/A* check that each NSEC3 in the NSEC3PARAM record is valid.