Update repub branch u/fanf2/patch to rebasing branch u/fanf2/rebasing revision v9_13_...
[ipreg/bind9.git] / bin / dnssec / dnssec-verify.docbook
CommitLineData
ad127d83 1<!--
843d3896 2 - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
ad127d83 3 -
0c27b3fe
MA
4 - This Source Code Form is subject to the terms of the Mozilla Public
5 - License, v. 2.0. If a copy of the MPL was not distributed with this
6 - file, You can obtain one at http://mozilla.org/MPL/2.0/.
843d3896
OS
7 -
8 - See the COPYRIGHT file distributed with this work for additional
9 - information regarding copyright ownership.
ad127d83 10-->
2eeb74d1 11
14a656f9 12<!-- Converted by db4-upgrade version 1.0 -->
1b8ce3b3 13<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.dnssec-verify">
14a656f9
EH
14 <info>
15 <date>2014-01-15</date>
16 </info>
ad127d83 17 <refentryinfo>
14a656f9
EH
18 <corpname>ISC</corpname>
19 <corpauthor>Internet Systems Consortium, Inc.</corpauthor>
ad127d83
MA
20 </refentryinfo>
21
22 <refmeta>
23 <refentrytitle><application>dnssec-verify</application></refentrytitle>
24 <manvolnum>8</manvolnum>
25 <refmiscinfo>BIND9</refmiscinfo>
26 </refmeta>
27
28 <refnamediv>
29 <refname><application>dnssec-verify</application></refname>
30 <refpurpose>DNSSEC zone verification tool</refpurpose>
31 </refnamediv>
32
33 <docinfo>
34 <copyright>
35 <year>2012</year>
6ea23853 36 <year>2014</year>
19c7b1a0 37 <year>2015</year>
0c27b3fe 38 <year>2016</year>
843d3896 39 <year>2018</year>
dc64b706 40 <year>2019</year>
ad127d83
MA
41 <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
42 </copyright>
43 </docinfo>
44
45 <refsynopsisdiv>
14a656f9 46 <cmdsynopsis sepchar=" ">
ad127d83 47 <command>dnssec-verify</command>
14a656f9
EH
48 <arg choice="opt" rep="norepeat"><option>-c <replaceable class="parameter">class</replaceable></option></arg>
49 <arg choice="opt" rep="norepeat"><option>-E <replaceable class="parameter">engine</replaceable></option></arg>
50 <arg choice="opt" rep="norepeat"><option>-I <replaceable class="parameter">input-format</replaceable></option></arg>
51 <arg choice="opt" rep="norepeat"><option>-o <replaceable class="parameter">origin</replaceable></option></arg>
52 <arg choice="opt" rep="norepeat"><option>-v <replaceable class="parameter">level</replaceable></option></arg>
53 <arg choice="opt" rep="norepeat"><option>-V</option></arg>
54 <arg choice="opt" rep="norepeat"><option>-x</option></arg>
55 <arg choice="opt" rep="norepeat"><option>-z</option></arg>
56 <arg choice="req" rep="norepeat">zonefile</arg>
ad127d83
MA
57 </cmdsynopsis>
58 </refsynopsisdiv>
59
14a656f9 60 <refsection><info><title>DESCRIPTION</title></info>
30eec077 61
ad127d83
MA
62 <para><command>dnssec-verify</command>
63 verifies that a zone is fully signed for each algorithm found
64 in the DNSKEY RRset for the zone, and that the NSEC / NSEC3
65 chains are complete.
66 </para>
14a656f9 67 </refsection>
ad127d83 68
14a656f9 69 <refsection><info><title>OPTIONS</title></info>
30eec077 70
ad127d83
MA
71
72 <variablelist>
73 <varlistentry>
74 <term>-c <replaceable class="parameter">class</replaceable></term>
75 <listitem>
76 <para>
77 Specifies the DNS class of the zone.
78 </para>
79 </listitem>
80 </varlistentry>
81
ba751492
EH
82 <varlistentry>
83 <term>-E <replaceable class="parameter">engine</replaceable></term>
84 <listitem>
85 <para>
86 Specifies the cryptographic hardware to use, when applicable.
87 </para>
88 <para>
89 When BIND is built with OpenSSL PKCS#11 support, this defaults
90 to the string "pkcs11", which identifies an OpenSSL engine
91 that can drive a cryptographic accelerator or hardware service
92 module. When BIND is built with native PKCS#11 cryptography
93 (--enable-native-pkcs11), it defaults to the path of the PKCS#11
94 provider library specified via "--with-pkcs11".
95 </para>
96 </listitem>
97 </varlistentry>
98
ad127d83
MA
99 <varlistentry>
100 <term>-I <replaceable class="parameter">input-format</replaceable></term>
101 <listitem>
102 <para>
103 The format of the input zone file.
104 Possible formats are <command>"text"</command> (default)
105 and <command>"raw"</command>.
106 This option is primarily intended to be used for dynamic
107 signed zones so that the dumped zone file in a non-text
108 format containing updates can be verified independently.
109 The use of this option does not make much sense for
110 non-dynamic zones.
111 </para>
112 </listitem>
113 </varlistentry>
114
115 <varlistentry>
116 <term>-o <replaceable class="parameter">origin</replaceable></term>
117 <listitem>
118 <para>
119 The zone origin. If not specified, the name of the zone file
120 is assumed to be the origin.
121 </para>
122 </listitem>
123 </varlistentry>
124
125 <varlistentry>
126 <term>-v <replaceable class="parameter">level</replaceable></term>
127 <listitem>
128 <para>
129 Sets the debugging level.
130 </para>
131 </listitem>
132 </varlistentry>
133
42782931
MS
134 <varlistentry>
135 <term>-V</term>
136 <listitem>
137 <para>
138 Prints version information.
139 </para>
140 </listitem>
141 </varlistentry>
142
ad127d83
MA
143 <varlistentry>
144 <term>-x</term>
145 <listitem>
146 <para>
147 Only verify that the DNSKEY RRset is signed with key-signing
148 keys. Without this flag, it is assumed that the DNSKEY RRset
149 will be signed by all active keys. When this flag is set,
150 it will not be an error if the DNSKEY RRset is not signed
151 by zone-signing keys. This corresponds to the <option>-x</option>
152 option in <command>dnssec-signzone</command>.
153 </para>
154 </listitem>
155 </varlistentry>
156
157 <varlistentry>
158 <term>-z</term>
159 <listitem>
160 <para>
161 Ignore the KSK flag on the keys when determining whether
162 the zone if correctly signed. Without this flag it is
163 assumed that there will be a non-revoked, self-signed
164 DNSKEY with the KSK flag set for each algorithm and
165 that RRsets other than DNSKEY RRset will be signed with
166 a different DNSKEY without the KSK flag set.
167 </para>
168 <para>
169 With this flag set, we only require that for each algorithm,
170 there will be at least one non-revoked, self-signed DNSKEY,
171 regardless of the KSK flag state, and that other RRsets
172 will be signed by a non-revoked key for the same algorithm
173 that includes the self-signed key; the same key may be used
174 for both purposes. This corresponds to the <option>-z</option>
175 option in <command>dnssec-signzone</command>.
176 </para>
177 </listitem>
178 </varlistentry>
179
180 <varlistentry>
181 <term>zonefile</term>
182 <listitem>
183 <para>
184 The file containing the zone to be signed.
185 </para>
186 </listitem>
187 </varlistentry>
188
189 </variablelist>
14a656f9 190 </refsection>
ad127d83 191
14a656f9 192 <refsection><info><title>SEE ALSO</title></info>
30eec077 193
ad127d83
MA
194 <para>
195 <citerefentry>
196 <refentrytitle>dnssec-signzone</refentrytitle><manvolnum>8</manvolnum>
197 </citerefentry>,
198 <citetitle>BIND 9 Administrator Reference Manual</citetitle>,
199 <citetitle>RFC 4033</citetitle>.
200 </para>
14a656f9 201 </refsection>
ad127d83 202
14a656f9 203</refentry>