<!--
 - Copyright (C) 2012 Internet Systems Consortium, Inc. ("ISC")
 -
 - Permission to use, copy, modify, and/or distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 -
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id$ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>dnssec-verify</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
<a name="man.dnssec-verify"></a><div class="titlepage"></div>
<div class="refnamediv">
<h2>Name</h2>
<p><span class="application">dnssec-verify</span> — DNSSEC zone verification tool</p>
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p><code class="command">dnssec-verify</code> [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-E <em
class="replaceable"><code>engine</code></em></code>] [<code class="option">-I <em class="replaceable"><code>input-format</code></em></code>] [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-x</code>] [<code class="option">-z</code>] {zonefile}</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2543390"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">dnssec-verify</strong></span>
      verifies that a zone is fully signed for each algorithm found
      in the DNSKEY RRset for the zone, and that the NSEC / NSEC3
      chains are complete.
    </p>
</div>
<div class="refsect1" lang="en">
<a name="id2543402"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
<dd><p>
            Specifies the DNS class of the zone.
          </p></dd>
<dt><span class="term">-I <em class="replaceable"><code>input-format</code></em></span></dt>
<dd><p>
            The format of the input zone file.
            Possible formats are <span><strong class="command">"text"</strong></span> (default)
            and <span><strong class="command">"raw"</strong></span>.
            This option is primarily intended to be used for dynamic
            signed zones so that the dumped zone file in a non-text
            format containing updates can be verified independently.
            The use of this option does not make much sense for
            non-dynamic zones.
          </p></dd>
<dt><span class="term">-o <em class="replaceable"><code>origin</code></em></span></dt>
<dd><p>
            The zone origin.  If not specified, the name of the zone file
            is assumed to be the origin.
          </p></dd>
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
<dd><p>
            Sets the debugging level.
          </p></dd>
<dt><span class="term">-x</span></dt>
<dd><p>
            Only verify that the DNSKEY RRset is signed with key-signing
            keys.  Without this flag, it is assumed that the DNSKEY RRset
            will be signed by all active keys.  When this flag is set,
            it will not be an error if the DNSKEY RRset is not signed
            by zone-signing keys.  This corresponds to the <code class="option">-x</code>
            option in <span><strong class="command">dnssec-signzone</strong></span>.
          </p></dd>
<dt><span class="term">-z</span></dt>
<dd>
<p>
            Ignore the KSK flag on the keys when determining whether
            the zone is correctly signed.  Without this flag it is
            assumed that there will be a non-revoked, self-signed
            DNSKEY with the KSK flag set for each algorithm and
            that RRsets other than DNSKEY RRset will be signed with
            a different DNSKEY without the KSK flag set.
          </p>
<p>
            With this flag set, we only require that for each algorithm,
            there will be at least one non-revoked, self-signed DNSKEY,
            regardless of the KSK flag state, and that other RRsets
            will be signed by a non-revoked key for the same algorithm
            that includes the self-signed key; the same key may be used
            for both purposes.
            This corresponds to the <code class="option">-z</code>
            option in <span><strong class="command">dnssec-signzone</strong></span>.
          </p>
</dd>
<dt><span class="term">zonefile</span></dt>
<dd><p>
            The file containing the zone to be signed.
          </p></dd>
</dl></div>
</div>
<div class="refsect1" lang="en">
<a name="id2543543"></a><h2>SEE ALSO</h2>
<p>
      <span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
      <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
      <em class="citetitle">RFC 4033</em>.
    </p>
</div>
<div class="refsect1" lang="en">
<a name="id2543637"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
    </p>
</div>
</div></body>
</html>