<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
 - Copyright (C) 2000-2020 Internet Systems Consortium, Inc. ("ISC")
 - 
 - This Source Code Form is subject to the terms of the Mozilla Public
 - License, v. 2.0. If a copy of the MPL was not distributed with this
 - file, You can obtain one at http://mozilla.org/MPL/2.0/.
-->
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>dnssec-verify</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
<link rel="prev" href="man.dnssec-signzone.html" title="dnssec-signzone">
<link rel="next" href="man.lwresd.html" title="lwresd">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<div class="navheader">
<table width="100%" summary="Navigation header">
<tr><th colspan="3" align="center"><span class="application">dnssec-verify</span></th></tr>
<tr>
<td width="20%" align="left">
<a accesskey="p" href="man.dnssec-signzone.html">Prev</a></td>
<th width="60%" align="center">Manual pages</th>
<td width="20%" align="right"><a accesskey="n" href="man.lwresd.html">Next</a>
</td>
</tr>
</table>
<hr>
</div>
<div class="refentry">
<a name="man.dnssec-verify"></a><div class="titlepage"></div>
  
  

  

  <div class="refnamediv">
<h2>Name</h2>
<p>
    <span class="application">dnssec-verify</span>
     &#8212; DNSSEC zone verification tool
  </p>
</div>

  

  <div class="refsynopsisdiv">
<h2>Synopsis</h2>
    <div class="cmdsynopsis"><p>
      <code class="command">dnssec-verify</code> 
       [<code class="option">-c <em class="replaceable"><code>class</code></em></code>]
       [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>]
       [<code class="option">-I <em class="replaceable"><code>input-format</code></em></code>]
       [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>]
       [<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
       [<code class="option">-V</code>]
       [<code class="option">-x</code>]
       [<code class="option">-z</code>]
       {zonefile}
    </p></div>
  </div>

  <div class="refsection">
<a name="id-1.14.17.7"></a><h2>DESCRIPTION</h2>

    <p><span class="command"><strong>dnssec-verify</strong></span>
      verifies that a zone is fully signed for each algorithm found
      in the DNSKEY RRset for the zone, and that the NSEC / NSEC3
      chains are complete.
    </p>
  </div>

  <div class="refsection">
<a name="id-1.14.17.8"></a><h2>OPTIONS</h2>


    <div class="variablelist"><dl class="variablelist">
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
<dd>
          <p>
            Specifies the DNS class of the zone.
          </p>
        </dd>
<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
<dd>
          <p>
            Specifies the cryptographic hardware to use, when applicable.
          </p>
          <p>
            When BIND is built with OpenSSL PKCS#11 support, this defaults
            to the string "pkcs11", which identifies an OpenSSL engine
            that can drive a cryptographic accelerator or hardware service
            module.  When BIND is built with native PKCS#11 cryptography
            (--enable-native-pkcs11), it defaults to the path of the PKCS#11
            provider library specified via "--with-pkcs11".
          </p>
        </dd>
<dt><span class="term">-I <em class="replaceable"><code>input-format</code></em></span></dt>
<dd>
          <p>
            The format of the input zone file.
	    Possible formats are <span class="command"><strong>"text"</strong></span> (default)
	    and <span class="command"><strong>"raw"</strong></span>.
	    This option is primarily intended to be used for dynamic
            signed zones so that the dumped zone file in a non-text
            format containing updates can be verified independently.
	    The use of this option does not make much sense for
	    non-dynamic zones.
          </p>
        </dd>
<dt><span class="term">-o <em class="replaceable"><code>origin</code></em></span></dt>
<dd>
          <p>
            The zone origin.  If not specified, the name of the zone file
            is assumed to be the origin.
          </p>
        </dd>
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
<dd>
          <p>
            Sets the debugging level.
          </p>
        </dd>
<dt><span class="term">-V</span></dt>
<dd>
	  <p>
	    Prints version information.
	  </p>
        </dd>
<dt><span class="term">-x</span></dt>
<dd>
          <p>
            Only verify that the DNSKEY RRset is signed with key-signing
            keys.  Without this flag, it is assumed that the DNSKEY RRset
            will be signed by all active keys.  When this flag is set,
            it will not be an error if the DNSKEY RRset is not signed
            by zone-signing keys.  This corresponds to the <code class="option">-x</code>
            option in <span class="command"><strong>dnssec-signzone</strong></span>.
          </p>
        </dd>
<dt><span class="term">-z</span></dt>
<dd>
	  <p>
	    Ignore the KSK flag on the keys when determining whether
            the zone is correctly signed.  Without this flag it is
	    assumed that there will be a non-revoked, self-signed
	    DNSKEY with the KSK flag set for each algorithm and
	    that RRsets other than DNSKEY RRset will be signed with
            a different DNSKEY without the KSK flag set.
	  </p>
	  <p>
	    With this flag set, we only require that for each algorithm,
            there will be at least one non-revoked, self-signed DNSKEY,
            regardless of the KSK flag state, and that other RRsets
	    will be signed by a non-revoked key for the same algorithm
            that includes the self-signed key; the same key may be used
            for both purposes.  This corresponds to the <code class="option">-z</code>
            option in <span class="command"><strong>dnssec-signzone</strong></span>.
	  </p>
	</dd>
<dt><span class="term">zonefile</span></dt>
<dd>
          <p>
            The file containing the zone to be signed.
          </p>
        </dd>
</dl></div>
  </div>
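
  <p>
    Added example, not part of the BIND distribution or of
    <span class="command"><strong>dnssec-verify</strong></span> itself: a small Python model of the key-role
    rules as the <code class="option">-x</code> and <code class="option">-z</code> descriptions above word them.
    It assumes "active" means non-revoked and uses one signer set for all non-DNSKEY RRsets; the
    <code>Key</code> class, <code>check_key_roles</code> and the key tags are hypothetical names and constructed values.
  </p>

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Key:
    tag: int               # key tag (sample values below are constructed)
    alg: int               # DNSSEC algorithm number
    ksk: bool              # KSK flag set on the DNSKEY
    revoked: bool = False

def check_key_roles(keys, dnskey_signers, data_signers, x=False, z=False):
    """Return a list of problems; an empty list means the modelled rules pass.

    dnskey_signers: tags of keys whose signatures cover the DNSKEY RRset.
    data_signers:   tags of keys signing all other RRsets (simplified to
                    one set for the whole zone).
    """
    problems = []
    for alg in sorted({k.alg for k in keys}):
        live = [k for k in keys if k.alg == alg and not k.revoked]
        self_signed = [k for k in live if k.tag in dnskey_signers]
        data_keys = [k for k in live if k.tag in data_signers]
        if not z:
            # Default: roles are split by the KSK flag.
            self_signed = [k for k in self_signed if k.ksk]
            data_keys = [k for k in data_keys if not k.ksk]
        if not self_signed:
            kind = "DNSKEY" if z else "KSK"
            problems.append(f"alg {alg}: no non-revoked self-signed {kind}")
        if not data_keys:
            kind = "non-revoked key" if z else "non-KSK key"
            problems.append(f"alg {alg}: other RRsets not signed by a {kind}")
        if not x:
            # Assumption: "active" means non-revoked. The -z text does not
            # say it lifts this check, so only -x disables it here.
            for k in live:
                if k.tag not in dnskey_signers:
                    problems.append(f"alg {alg}: key {k.tag} does not sign the DNSKEY RRset")
    return problems

# Constructed sample zones (key tags are made up).
SPLIT = [Key(11111, 13, ksk=True), Key(22222, 13, ksk=False)]
CSK = [Key(33333, 13, ksk=True)]

if __name__ == "__main__":
    print(check_key_roles(SPLIT, {11111}, {22222}))          # ZSK missing on DNSKEY
    print(check_key_roles(SPLIT, {11111}, {22222}, x=True))  # accepted with -x
    print(check_key_roles(CSK, {33333}, {33333}))            # single key, default
    print(check_key_roles(CSK, {33333}, {33333}, z=True))    # accepted with -z
```
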

  <div class="refsection">
<a name="id-1.14.17.9"></a><h2>SEE ALSO</h2>

    <p>
      <span class="citerefentry">
        <span class="refentrytitle">dnssec-signzone</span>(8)
      </span>,
      <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
      <em class="citetitle">RFC 4033</em>.
    </p>
  </div>

</div>
<div class="navfooter">
<hr>
<table width="100%" summary="Navigation footer">
<tr>
<td width="40%" align="left">
<a accesskey="p" href="man.dnssec-signzone.html">Prev</a></td>
<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch13.html">Up</a></td>
<td width="40%" align="right"><a accesskey="n" href="man.lwresd.html">Next</a>
</td>
</tr>
<tr>
<td width="40%" align="left" valign="top">
<span class="application">dnssec-signzone</span></td>
<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
<td width="40%" align="right" valign="top"><span class="application">lwresd</span>
</td>
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.21 (Extended Support Version)</p>
</body>
</html>