Update repub branch u/fanf2/patch to rebasing branch u/fanf2/rebasing revision v9_15_...
[ipreg/bind9.git] / bin / dnssec / dnssec-verify.8
CommitLineData
b4d3f782 1.\" Copyright (C) 2012, 2014-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
66327219 2.\"
6807a2dc
TU
3.\" This Source Code Form is subject to the terms of the Mozilla Public
4.\" License, v. 2.0. If a copy of the MPL was not distributed with this
5.\" file, You can obtain one at http://mozilla.org/MPL/2.0/.
ad127d83 6.\"
ad127d83
MA
7.hy 0
8.ad l
2eeb74d1
TU
9'\" t
10.\" Title: dnssec-verify
ad127d83 11.\" Author:
fd2597f7 12.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
2eeb74d1 13.\" Date: 2014-01-15
ad127d83 14.\" Manual: BIND9
2eeb74d1
TU
15.\" Source: ISC
16.\" Language: English
ad127d83 17.\"
2eeb74d1
TU
18.TH "DNSSEC\-VERIFY" "8" "2014\-01\-15" "ISC" "BIND9"
19.\" -----------------------------------------------------------------
20.\" * Define some portability stuff
21.\" -----------------------------------------------------------------
22.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
23.\" http://bugs.debian.org/507673
24.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
25.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
26.ie \n(.g .ds Aq \(aq
27.el .ds Aq '
28.\" -----------------------------------------------------------------
29.\" * set default formatting
30.\" -----------------------------------------------------------------
ad127d83
MA
31.\" disable hyphenation
32.nh
33.\" disable justification (adjust text to left margin only)
34.ad l
2eeb74d1
TU
35.\" -----------------------------------------------------------------
36.\" * MAIN CONTENT STARTS HERE *
37.\" -----------------------------------------------------------------
ad127d83 38.SH "NAME"
2eeb74d1 39dnssec-verify \- DNSSEC zone verification tool
ad127d83 40.SH "SYNOPSIS"
fd2597f7 41.HP \w'\fBdnssec\-verify\fR\ 'u
6f120589 42\fBdnssec\-verify\fR [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-E\ \fR\fB\fIengine\fR\fR] [\fB\-I\ \fR\fB\fIinput\-format\fR\fR] [\fB\-o\ \fR\fB\fIorigin\fR\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-V\fR] [\fB\-x\fR] [\fB\-z\fR] {zonefile}
ad127d83
MA
43.SH "DESCRIPTION"
44.PP
45\fBdnssec\-verify\fR
2eeb74d1 46verifies that a zone is fully signed for each algorithm found in the DNSKEY RRset for the zone, and that the NSEC / NSEC3 chains are complete\&.
ad127d83
MA
47.SH "OPTIONS"
48.PP
49\-c \fIclass\fR
50.RS 4
2eeb74d1 51Specifies the DNS class of the zone\&.
ad127d83
MA
52.RE
53.PP
6ea23853
TU
54\-E \fIengine\fR
55.RS 4
2eeb74d1 56Specifies the cryptographic hardware to use, when applicable\&.
6ea23853 57.sp
2eeb74d1 58When BIND is built with OpenSSL PKCS#11 support, this defaults to the string "pkcs11", which identifies an OpenSSL engine that can drive a cryptographic accelerator or hardware security module\&. When BIND is built with native PKCS#11 cryptography (\-\-enable\-native\-pkcs11), it defaults to the path of the PKCS#11 provider library specified via "\-\-with\-pkcs11"\&.
6ea23853
TU
59.RE
60.PP
ad127d83
MA
61\-I \fIinput\-format\fR
62.RS 4
2eeb74d1 63The format of the input zone file\&. Possible formats are
ad127d83
MA
64\fB"text"\fR
65(default) and
2eeb74d1 66\fB"raw"\fR\&. This option is primarily intended to be used for dynamic signed zones so that the dumped zone file in a non\-text format containing updates can be verified independently\&. The use of this option does not make much sense for non\-dynamic zones\&.
ad127d83
MA
67.RE
68.PP
69\-o \fIorigin\fR
70.RS 4
2eeb74d1 71The zone origin\&. If not specified, the name of the zone file is assumed to be the origin\&.
ad127d83
MA
72.RE
73.PP
74\-v \fIlevel\fR
75.RS 4
2eeb74d1 76Sets the debugging level\&.
ad127d83
MA
77.RE
78.PP
6f120589
TU
79\-V
80.RS 4
2eeb74d1 81Prints version information\&.
6f120589
TU
82.RE
83.PP
ad127d83
MA
84\-x
85.RS 4
2eeb74d1 86Only verify that the DNSKEY RRset is signed with key\-signing keys\&. Without this flag, it is assumed that the DNSKEY RRset will be signed by all active keys\&. When this flag is set, it will not be an error if the DNSKEY RRset is not signed by zone\-signing keys\&. This corresponds to the
ad127d83
MA
87\fB\-x\fR
88option in
2eeb74d1 89\fBdnssec\-signzone\fR\&.
ad127d83
MA
90.RE
91.PP
92\-z
93.RS 4
2eeb74d1 94Ignore the KSK flag on the keys when determining whether the zone is correctly signed\&. Without this flag it is assumed that there will be a non\-revoked, self\-signed DNSKEY with the KSK flag set for each algorithm and that RRsets other than DNSKEY RRset will be signed with a different DNSKEY without the KSK flag set\&.
ad127d83 95.sp
2eeb74d1 96With this flag set, we only require that for each algorithm, there will be at least one non\-revoked, self\-signed DNSKEY, regardless of the KSK flag state, and that other RRsets will be signed by a non\-revoked key for the same algorithm that includes the self\-signed key; the same key may be used for both purposes\&. This corresponds to the
ad127d83
MA
97\fB\-z\fR
98option in
2eeb74d1 99\fBdnssec\-signzone\fR\&.
ad127d83
MA
100.RE
101.PP
102zonefile
103.RS 4
2eeb74d1 104The file containing the zone to be verified\&.
ad127d83
MA
105.RE
106.SH "SEE ALSO"
107.PP
2eeb74d1 108\fBdnssec-signzone\fR(8),
ad127d83 109BIND 9 Administrator Reference Manual,
2eeb74d1 110RFC 4033\&.
ad127d83
MA
111.SH "AUTHOR"
112.PP
2eeb74d1 113\fBInternet Systems Consortium, Inc\&.\fR
ad127d83 114.SH "COPYRIGHT"
2eeb74d1 115.br
b4d3f782 116Copyright \(co 2012, 2014-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
ad127d83 117.br