<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
 "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
 [<!ENTITY mdash "—">]>
<!--
 - Copyright (C) 2012, 2014 Internet Systems Consortium, Inc. ("ISC")
 -
 - Permission to use, copy, modify, and/or distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 -
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
-->

<refentry id="man.dnssec-verify">
  <refentryinfo>
    <date>January 15, 2014</date>
  </refentryinfo>

  <refmeta>
    <refentrytitle><application>dnssec-verify</application></refentrytitle>
    <manvolnum>8</manvolnum>
    <refmiscinfo>BIND9</refmiscinfo>
  </refmeta>

  <refnamediv>
    <refname><application>dnssec-verify</application></refname>
    <refpurpose>DNSSEC zone verification tool</refpurpose>
  </refnamediv>

  <docinfo>
    <copyright>
      <year>2012</year>
      <year>2014</year>
      <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
    </copyright>
  </docinfo>

  <refsynopsisdiv>
    <cmdsynopsis>
      <command>dnssec-verify</command>
      <arg><option>-c <replaceable class="parameter">class</replaceable></option></arg>
      <arg><option>-E <replaceable class="parameter">engine</replaceable></option></arg>
      <arg><option>-I <replaceable class="parameter">input-format</replaceable></option></arg>
      <arg><option>-o <replaceable class="parameter">origin</replaceable></option></arg>
      <arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
      <arg><option>-V</option></arg>
      <arg><option>-x</option></arg>
      <arg><option>-z</option></arg>
      <arg choice="req">zonefile</arg>
    </cmdsynopsis>
  </refsynopsisdiv>

  <refsect1>
    <title>DESCRIPTION</title>
    <para><command>dnssec-verify</command>
      verifies that a zone is fully signed for each algorithm found
      in the DNSKEY RRset for the zone, and that the NSEC / NSEC3
      chains are complete.
    </para>
  </refsect1>

  <refsect1>
    <title>OPTIONS</title>

    <variablelist>
      <varlistentry>
        <term>-c <replaceable class="parameter">class</replaceable></term>
        <listitem>
          <para>
            Specifies the DNS class of the zone.
          </para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>-E <replaceable class="parameter">engine</replaceable></term>
        <listitem>
          <para>
            Specifies the cryptographic hardware to use, when applicable.
          </para>
          <para>
            When BIND is built with OpenSSL PKCS#11 support, this defaults
            to the string "pkcs11", which identifies an OpenSSL engine
            that can drive a cryptographic accelerator or hardware security
            module. When BIND is built with native PKCS#11 cryptography
            (--enable-native-pkcs11), it defaults to the path of the PKCS#11
            provider library specified via "--with-pkcs11".
          </para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>-I <replaceable class="parameter">input-format</replaceable></term>
        <listitem>
          <para>
            The format of the input zone file.
            Possible formats are <command>"text"</command> (default)
            and <command>"raw"</command>.
            This option is primarily intended to be used for dynamic
            signed zones, so that a zone dumped in a non-text format,
            including any dynamic updates it has received, can be
            verified independently.
            The use of this option does not make much sense for
            non-dynamic zones.
          </para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>-o <replaceable class="parameter">origin</replaceable></term>
        <listitem>
          <para>
            The zone origin. If not specified, the name of the zone file
            is assumed to be the origin.
          </para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>-v <replaceable class="parameter">level</replaceable></term>
        <listitem>
          <para>
            Sets the debugging level.
          </para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>-V</term>
        <listitem>
          <para>
            Prints version information.
          </para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>-x</term>
        <listitem>
          <para>
            Only verify that the DNSKEY RRset is signed with key-signing
            keys. Without this flag, it is assumed that the DNSKEY RRset
            will be signed by all active keys. When this flag is set,
            it will not be an error if the DNSKEY RRset is not signed
            by zone-signing keys. This corresponds to the <option>-x</option>
            option in <command>dnssec-signzone</command>.
          </para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>-z</term>
        <listitem>
          <para>
            Ignore the KSK flag on the keys when determining whether
            the zone is correctly signed. Without this flag it is
            assumed that there will be a non-revoked, self-signed
            DNSKEY with the KSK flag set for each algorithm and
            that RRsets other than the DNSKEY RRset will be signed with
            a different DNSKEY without the KSK flag set.
          </para>
          <para>
            With this flag set, we only require that for each algorithm,
            there will be at least one non-revoked, self-signed DNSKEY,
            regardless of the KSK flag state, and that other RRsets
            will be signed by a non-revoked key for the same algorithm
            that includes the self-signed key; the same key may be used
            for both purposes. This corresponds to the <option>-z</option>
            option in <command>dnssec-signzone</command>.
          </para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>zonefile</term>
        <listitem>
          <para>
            The file containing the zone to be verified.
          </para>
        </listitem>
      </varlistentry>

    </variablelist>
  </refsect1>

  <refsect1>
    <title>SEE ALSO</title>
    <para>
      <citerefentry>
        <refentrytitle>dnssec-signzone</refentrytitle><manvolnum>8</manvolnum>
      </citerefentry>,
      <citetitle>BIND 9 Administrator Reference Manual</citetitle>,
      <citetitle>RFC 4033</citetitle>.
    </para>
  </refsect1>

  <refsect1>
    <title>AUTHOR</title>
    <para><corpauthor>Internet Systems Consortium</corpauthor>
    </para>
  </refsect1>

</refentry><!--
 - Local variables:
 - mode: sgml
 - End:
-->
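The DESCRIPTION and the -x / -z options above spell out what a correctly signed zone must look like: an RRSIG for every RRset under each algorithm present in the DNSKEY RRset, a DNSKEY RRset self-signed by a non-revoked KSK (and, by default, also by a ZSK), and an unbroken NSEC chain. The script below is an added example written for this page; it is not part of BIND. It implements the structural half of those checks in Python (RFC 4034 key tags, per-algorithm RRSIG coverage, the default, -x and -z key-role policies, and an NSEC chain walk) on a constructed zone. It does not verify signatures cryptographically and ignores NSEC3, delegations and glue; the zone text, key material and signature blobs are placeholders, and the key tags in the RRSIG records are computed from the placeholder keys so that they match.

```python
"""Structural DNSSEC zone checks in the spirit of dnssec-verify.

Added example, not BIND code: checks per-algorithm RRSIG coverage, the
KSK/ZSK policy selected by -x / -z, and NSEC chain completeness. It does NOT
validate signatures cryptographically and ignores NSEC3, delegations and glue.
"""
import base64
import struct
from collections import defaultdict

KSK_FLAG, REVOKE_FLAG = 0x0001, 0x0080   # DNSKEY flag bits (RFC 4034, RFC 5011)


def key_tag(flags, protocol, algorithm, pubkey_b64):
    """RFC 4034 Appendix B key tag, computed over the DNSKEY RDATA wire form."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def parse_zone(text):
    """One RR per line: owner ttl class type rdata...; returns (owner, type) -> [rdata tokens]."""
    rrsets = defaultdict(list)
    for line in text.splitlines():
        line = line.split(";")[0].strip()
        if line:
            owner, _ttl, _cls, rtype, *rdata = line.split()
            rrsets[(owner.lower(), rtype.upper())].append(rdata)
    return rrsets


def verify_zone(text, origin, mode="default"):
    """mode is 'default', 'x' (like dnssec-verify -x) or 'z' (like -z).
    Returns a list of problems; an empty list means every check passed."""
    origin, rrsets, problems = origin.lower(), parse_zone(text), []

    # Apex DNSKEYs indexed by key tag, and the RRSIGs present on each RRset.
    keys = {}
    for flags, proto, alg, pub in rrsets.get((origin, "DNSKEY"), []):
        keys[key_tag(int(flags), int(proto), int(alg), pub)] = (int(flags), int(alg))
    sigs = defaultdict(list)                       # (owner, covered type) -> [(alg, key tag)]
    for (owner, rtype), rrs in rrsets.items():
        if rtype == "RRSIG":
            for covered, alg, _lbl, _ottl, _exp, _inc, tag, *_ in rrs:
                sigs[(owner, covered.upper())].append((int(alg), int(tag)))
    if not keys:
        return [f"no DNSKEY RRset at {origin}"]

    def usable(tag, alg, want_ksk):
        """Non-revoked key of this algorithm; the KSK role is enforced unless mode == 'z'."""
        if tag not in keys or keys[tag][1] != alg or keys[tag][0] & REVOKE_FLAG:
            return False
        return mode == "z" or bool(keys[tag][0] & KSK_FLAG) == want_ksk

    for alg in sorted({a for _f, a in keys.values()}):
        dnskey_sigs = [t for a, t in sigs[(origin, "DNSKEY")] if a == alg]
        # DNSKEY RRset must be self-signed by a KSK (by any non-revoked key under -z) ...
        if not any(usable(t, alg, True) for t in dnskey_sigs):
            problems.append(f"alg {alg}: DNSKEY RRset not signed by a KSK")
        # ... and, unless -x or -z is given, also by a ZSK.
        if mode == "default" and not any(usable(t, alg, False) for t in dnskey_sigs):
            problems.append(f"alg {alg}: DNSKEY RRset not signed by a ZSK")
        # Every other RRset needs a ZSK signature (any non-revoked key under -z).
        for owner, rtype in rrsets:
            if rtype not in ("RRSIG", "DNSKEY") and not any(
                    a == alg and usable(t, alg, False) for a, t in sigs[(owner, rtype)]):
                problems.append(f"alg {alg}: {owner} {rtype} has no usable RRSIG")

    # NSEC chain: from the apex, the next-name links must visit every owner and return.
    nsec = {o: rrs[0][0].lower() for (o, rtype), rrs in rrsets.items() if rtype == "NSEC"}
    seen, cur = [], origin
    while cur not in seen:
        seen.append(cur)
        if cur not in nsec:
            problems.append(f"NSEC chain broken: no NSEC at {cur}")
            break
        cur = nsec[cur]
    else:
        if cur != origin:
            problems.append(f"NSEC chain re-enters at {cur} instead of the apex")
    missing = {o for o, _t in rrsets} - set(seen)
    if missing:
        problems.append(f"NSEC chain does not cover {sorted(missing)}")
    return problems


# Constructed sample zone: placeholder keys and signature blobs, with RRSIG key
# tags derived from the placeholder DNSKEYs so that they match.
KSK_PUB = base64.b64encode(b"constructed-ksk-public-key").decode()
ZSK_PUB = base64.b64encode(b"constructed-zsk-public-key").decode()
KSK_TAG, ZSK_TAG = key_tag(257, 3, 13, KSK_PUB), key_tag(256, 3, 13, ZSK_PUB)
T = "20240201000000 20240101000000"              # RRSIG expiration / inception
SAMPLE_ZONE = f"""
example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. 1 7200 3600 1209600 3600
example.com. 3600 IN NS ns1.example.com.
example.com. 3600 IN DNSKEY 257 3 13 {KSK_PUB}
example.com. 3600 IN DNSKEY 256 3 13 {ZSK_PUB}
example.com. 3600 IN RRSIG DNSKEY 13 2 3600 {T} {KSK_TAG} example.com. c2lnMQ==
example.com. 3600 IN RRSIG DNSKEY 13 2 3600 {T} {ZSK_TAG} example.com. c2lnMg==
example.com. 3600 IN RRSIG SOA 13 2 3600 {T} {ZSK_TAG} example.com. c2lnMw==
example.com. 3600 IN RRSIG NS 13 2 3600 {T} {ZSK_TAG} example.com. c2lnNA==
example.com. 3600 IN NSEC ns1.example.com. NS SOA RRSIG NSEC DNSKEY
example.com. 3600 IN RRSIG NSEC 13 2 3600 {T} {ZSK_TAG} example.com. c2lnNQ==
ns1.example.com. 3600 IN A 192.0.2.1
ns1.example.com. 3600 IN RRSIG A 13 3 3600 {T} {ZSK_TAG} example.com. c2lnNg==
ns1.example.com. 3600 IN NSEC example.com. A RRSIG NSEC
ns1.example.com. 3600 IN RRSIG NSEC 13 3 3600 {T} {ZSK_TAG} example.com. c2lnNw==
"""


def without(zone, needle):
    """Drop every record containing `needle` (used to build deliberately broken zones)."""
    return "\n".join(l for l in zone.splitlines() if needle not in l)


if __name__ == "__main__":
    print("default:", verify_zone(SAMPLE_ZONE, "example.com."))
    print("single key, default vs -z:", verify_zone(without(without(SAMPLE_ZONE, KSK_PUB), "c2lnMQ=="), "example.com."),
          verify_zone(without(without(SAMPLE_ZONE, KSK_PUB), "c2lnMQ=="), "example.com.", "z"))
    print("broken chain:", verify_zone(without(SAMPLE_ZONE, "IN NSEC example.com."), "example.com."))
```

Running the script shows the three policies side by side: a zone signed with a single key passes only under the -z policy, a DNSKEY RRset carrying just the KSK signature passes under -x but not by default, and removing one NSEC record is reported as a broken chain even though every RRSIG is still present.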