<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
               "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
               [<!ENTITY mdash "—">]>
<!--
 - Copyright (C) 2012 Internet Systems Consortium, Inc. ("ISC")
 -
 - Permission to use, copy, modify, and/or distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 -
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
-->

<!-- $Id: dnssec-verify.docbook,v 1.52 2011/12/22 07:32:40 each Exp $ -->
<refentry id="man.dnssec-verify">
  <refentryinfo>
    <date>April 12, 2012</date>
  </refentryinfo>

  <refmeta>
    <refentrytitle><application>dnssec-verify</application></refentrytitle>
    <manvolnum>8</manvolnum>
    <refmiscinfo>BIND9</refmiscinfo>
  </refmeta>

  <refnamediv>
    <refname><application>dnssec-verify</application></refname>
    <refpurpose>DNSSEC zone verification tool</refpurpose>
  </refnamediv>

  <docinfo>
    <copyright>
      <year>2012</year>
      <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
    </copyright>
  </docinfo>

  <refsynopsisdiv>
    <cmdsynopsis>
      <command>dnssec-verify</command>
      <arg><option>-c <replaceable class="parameter">class</replaceable></option></arg>
      <arg><option>-E <replaceable class="parameter">engine</replaceable></option></arg>
      <arg><option>-I <replaceable class="parameter">input-format</replaceable></option></arg>
      <arg><option>-o <replaceable class="parameter">origin</replaceable></option></arg>
      <arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
      <arg><option>-x</option></arg>
      <arg><option>-z</option></arg>
      <arg choice="req">zonefile</arg>
    </cmdsynopsis>
  </refsynopsisdiv>

  <refsect1>
    <title>DESCRIPTION</title>
    <para><command>dnssec-verify</command>
      verifies that a zone is fully signed for each algorithm found
      in the DNSKEY RRset for the zone, and that the NSEC / NSEC3
      chains are complete.
    </para>
  </refsect1>

  <refsect1>
    <title>OPTIONS</title>

    <variablelist>
      <varlistentry>
        <term>-c <replaceable class="parameter">class</replaceable></term>
        <listitem>
          <para>
            Specifies the DNS class of the zone.
          </para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>-I <replaceable class="parameter">input-format</replaceable></term>
        <listitem>
          <para>
            The format of the input zone file.
            Possible formats are <command>"text"</command> (default)
            and <command>"raw"</command>.
            This option is primarily intended to be used for dynamic
            signed zones so that the dumped zone file in a non-text
            format containing updates can be verified independently.
            The use of this option does not make much sense for
            non-dynamic zones.
          </para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>-o <replaceable class="parameter">origin</replaceable></term>
        <listitem>
          <para>
            The zone origin. If not specified, the name of the zone file
            is assumed to be the origin.
          </para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>-v <replaceable class="parameter">level</replaceable></term>
        <listitem>
          <para>
            Sets the debugging level.
          </para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>-x</term>
        <listitem>
          <para>
            Only verify that the DNSKEY RRset is signed with key-signing
            keys. Without this flag, it is assumed that the DNSKEY RRset
            will be signed by all active keys. When this flag is set,
            it will not be an error if the DNSKEY RRset is not signed
            by zone-signing keys. This corresponds to the <option>-x</option>
            option in <command>dnssec-signzone</command>.
          </para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>-z</term>
        <listitem>
          <para>
            Ignore the KSK flag on the keys when determining whether
            the zone is correctly signed. Without this flag it is
            assumed that there will be a non-revoked, self-signed
            DNSKEY with the KSK flag set for each algorithm and
            that RRsets other than DNSKEY RRset will be signed with
            a different DNSKEY without the KSK flag set.
          </para>
          <para>
            With this flag set, we only require that for each algorithm,
            there will be at least one non-revoked, self-signed DNSKEY,
            regardless of the KSK flag state, and that other RRsets
            will be signed by a non-revoked key for the same algorithm
            that includes the self-signed key; the same key may be used
            for both purposes. This corresponds to the <option>-z</option>
            option in <command>dnssec-signzone</command>.
          </para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>zonefile</term>
        <listitem>
          <para>
            The file containing the zone to be signed.
          </para>
        </listitem>
      </varlistentry>

    </variablelist>
  </refsect1>

  <refsect1>
    <title>SEE ALSO</title>
    <para>
      <citerefentry>
        <refentrytitle>dnssec-signzone</refentrytitle><manvolnum>8</manvolnum>
      </citerefentry>,
      <citetitle>BIND 9 Administrator Reference Manual</citetitle>,
      <citetitle>RFC 4033</citetitle>.
    </para>
  </refsect1>

  <refsect1>
    <title>AUTHOR</title>
    <para><corpauthor>Internet Systems Consortium</corpauthor>
    </para>
  </refsect1>

</refentry><!--
 - Local variables:
 - mode: sgml
 - End:
-->
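<!--
Added example, not part of the ISC manual page or of BIND: a simplified Python model of the key-role rules that the -x and -z entries under OPTIONS describe, run over constructed key sets. Key, check_key_roles and the sample key tags are hypothetical names, and treating every non-revoked key as active is an assumption of the model; it takes signature validity as given and does no cryptography.

```python
from collections import namedtuple

# DNSKEY flag bits: ZONE (RFC 4034), REVOKE (RFC 5011), SEP, the "KSK flag"
ZONE, REVOKE, SEP = 0x0100, 0x0080, 0x0001
Key = namedtuple("Key", "tag algorithm flags")

def check_key_roles(keys, dnskey_signers, data_signers, x=False, z=False):
    """Model of the key-role rules under the default, -x and -z settings.

    keys: DNSKEYs at the apex; dnskey_signers / data_signers: tags of keys
    whose signatures validly cover the DNSKEY RRset / every other RRset.
    Returns a list of error strings (empty list: the rules are met).
    """
    errors = []
    for alg in sorted({k.algorithm for k in keys}):
        # Assumption: "active" means present and not revoked.
        live = [k for k in keys if k.algorithm == alg and not k.flags & REVOKE]
        self_signed = [k for k in live if k.tag in dnskey_signers]
        signers = [k for k in live if k.tag in data_signers]
        if not z:
            # Default roles: KSK-flagged key anchors, non-KSK key signs data.
            self_signed = [k for k in self_signed if k.flags & SEP]
            signers = [k for k in signers if not k.flags & SEP]
        if not self_signed:
            errors.append(f"alg {alg}: no usable self-signed DNSKEY")
        if not signers:
            errors.append(f"alg {alg}: no usable key signs the other RRsets")
        if not x and not z:
            # Without -x the DNSKEY RRset should carry every active key's signature.
            errors += [f"alg {alg}: key {k.tag} does not sign the DNSKEY RRset"
                       for k in live if k.tag not in dnskey_signers]
    return errors

# Constructed sample data: a KSK/ZSK split zone and a single-key zone.
SPLIT = [Key(100, 8, ZONE | SEP), Key(200, 8, ZONE)]
SINGLE = [Key(300, 13, ZONE)]

if __name__ == "__main__":
    print(check_key_roles(SPLIT, {100}, {200}))            # default: ZSK missing
    print(check_key_roles(SPLIT, {100}, {200}, x=True))    # accepted under -x
    print(check_key_roles(SINGLE, {300}, {300}))           # default: no KSK flag
    print(check_key_roles(SINGLE, {300}, {300}, z=True))   # accepted under -z
```
-->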