Update repub branch u/fanf2/patch to rebasing branch u/fanf2/rebasing revision v9_15_...
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
 - Copyright (C) 2012, 2014-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
 -
 - This Source Code Form is subject to the terms of the Mozilla Public
 - License, v. 2.0. If a copy of the MPL was not distributed with this
 - file, You can obtain one at http://mozilla.org/MPL/2.0/.
-->
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>dnssec-verify</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
<a name="man.dnssec-verify"></a><div class="titlepage"></div>

  <div class="refnamediv">
<h2>Name</h2>
<p>
    <span class="application">dnssec-verify</span>
    &#8212; DNSSEC zone verification tool
  </p>
</div>

  <div class="refsynopsisdiv">
<h2>Synopsis</h2>
    <div class="cmdsynopsis"><p>
      <code class="command">dnssec-verify</code>
       [<code class="option">-c <em class="replaceable"><code>class</code></em></code>]
       [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>]
       [<code class="option">-I <em class="replaceable"><code>input-format</code></em></code>]
       [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>]
       [<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
       [<code class="option">-V</code>]
       [<code class="option">-x</code>]
       [<code class="option">-z</code>]
       {zonefile}
    </p></div>
  </div>

  <div class="refsection">
<a name="id-1.7"></a><h2>DESCRIPTION</h2>

    <p><span class="command"><strong>dnssec-verify</strong></span>
      verifies that a zone is fully signed for each algorithm found
      in the DNSKEY RRset for the zone, and that the NSEC / NSEC3
      chains are complete.
    </p>
  </div>

  <div class="refsection">
<a name="id-1.8"></a><h2>OPTIONS</h2>

    <div class="variablelist"><dl class="variablelist">
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
<dd>
          <p>
            Specifies the DNS class of the zone.
          </p>
        </dd>
<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
<dd>
          <p>
            Specifies the cryptographic hardware to use, when applicable.
          </p>
          <p>
            When BIND is built with OpenSSL PKCS#11 support, this defaults
            to the string "pkcs11", which identifies an OpenSSL engine
            that can drive a cryptographic accelerator or hardware service
            module. When BIND is built with native PKCS#11 cryptography
            (--enable-native-pkcs11), it defaults to the path of the PKCS#11
            provider library specified via "--with-pkcs11".
          </p>
        </dd>
<dt><span class="term">-I <em class="replaceable"><code>input-format</code></em></span></dt>
<dd>
          <p>
            The format of the input zone file.
            Possible formats are <span class="command"><strong>"text"</strong></span> (default)
            and <span class="command"><strong>"raw"</strong></span>.
            This option is primarily intended to be used for dynamic
            signed zones so that the dumped zone file in a non-text
            format containing updates can be verified independently.
            The use of this option does not make much sense for
            non-dynamic zones.
          </p>
        </dd>
<dt><span class="term">-o <em class="replaceable"><code>origin</code></em></span></dt>
<dd>
          <p>
            The zone origin. If not specified, the name of the zone file
            is assumed to be the origin.
          </p>
        </dd>
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
<dd>
          <p>
            Sets the debugging level.
          </p>
        </dd>
<dt><span class="term">-V</span></dt>
<dd>
          <p>
            Prints version information.
          </p>
        </dd>
<dt><span class="term">-x</span></dt>
<dd>
          <p>
            Only verify that the DNSKEY RRset is signed with key-signing
            keys. Without this flag, it is assumed that the DNSKEY RRset
            will be signed by all active keys. When this flag is set,
            it will not be an error if the DNSKEY RRset is not signed
            by zone-signing keys. This corresponds to the <code class="option">-x</code>
            option in <span class="command"><strong>dnssec-signzone</strong></span>.
          </p>
        </dd>
<dt><span class="term">-z</span></dt>
<dd>
          <p>
            Ignore the KSK flag on the keys when determining whether
            the zone is correctly signed. Without this flag it is
            assumed that there will be a non-revoked, self-signed
            DNSKEY with the KSK flag set for each algorithm and
            that RRsets other than DNSKEY RRset will be signed with
            a different DNSKEY without the KSK flag set.
          </p>
          <p>
            With this flag set, we only require that for each algorithm,
            there will be at least one non-revoked, self-signed DNSKEY,
            regardless of the KSK flag state, and that other RRsets
            will be signed by a non-revoked key for the same algorithm
            that includes the self-signed key; the same key may be used
            for both purposes. This corresponds to the <code class="option">-z</code>
            option in <span class="command"><strong>dnssec-signzone</strong></span>.
          </p>
        </dd>
<dt><span class="term">zonefile</span></dt>
<dd>
          <p>
            The file containing the zone to be verified.
          </p>
        </dd>
</dl></div>
  </div>
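<p>
  Added example, not part of the BIND documentation or of dnssec-verify's own code:
  a simplified Python model of the key-role rules that the <code class="option">-x</code>
  and <code class="option">-z</code> descriptions above state. The function name, the tuple
  layout, the key tags and the treatment of every non-revoked key as "active" are assumptions
  made for illustration.
</p>

```python
from collections import defaultdict

SEP, REVOKE = 0x0001, 0x0080  # DNSKEY flag bits: KSK (SEP) and REVOKE

def check_key_roles(keys, dnskey_signers, data_signers, x=False, z=False):
    """Simplified model of the -x / -z rules (not dnssec-verify's code).

    keys: (tag, algorithm, flags) tuples from the DNSKEY RRset.
    dnskey_signers / data_signers: tags of keys whose RRSIGs over the
    DNSKEY RRset / over the other RRsets are assumed already validated.
    Returns a list of errors; an empty list means the layout passes."""
    by_alg = defaultdict(list)
    for tag, alg, flags in keys:
        by_alg[alg].append((tag, flags))
    errors = []
    for alg, alg_keys in sorted(by_alg.items()):
        live = [(t, f) for t, f in alg_keys if not f & REVOKE]
        # Self-signed: a non-revoked key that signs the DNSKEY RRset.
        self_signed = [(t, f) for t, f in live if t in dnskey_signers]
        if not z:  # without -z the self-signed key must carry the KSK flag
            self_signed = [(t, f) for t, f in self_signed if f & SEP]
        if not self_signed:
            errors.append(f"alg {alg}: no non-revoked self-signed "
                          + ("DNSKEY" if z else "KSK"))
        # Other RRsets: without -z the signer must lack the KSK flag.
        signers = [(t, f) for t, f in live if t in data_signers]
        if not z:
            signers = [(t, f) for t, f in signers if not f & SEP]
        if not signers:
            errors.append(f"alg {alg}: other RRsets lack a "
                          + ("non-revoked key" if z else "ZSK") + " signature")
        # Without -x every active key is expected to sign the DNSKEY RRset.
        if not x:
            for t, f in live:
                if t not in dnskey_signers:
                    errors.append(f"alg {alg}: key {t} did not sign DNSKEY RRset")
    return errors

# Constructed sample data: algorithm 13 with made-up key tags.
SPLIT = [(11111, 13, 257), (22222, 13, 256)]  # KSK (257) plus ZSK (256)
CSK = [(33333, 13, 256)]                      # one key used for both purposes

if __name__ == "__main__":
    print(check_key_roles(SPLIT, {11111}, {22222}))          # ZSK did not sign DNSKEY RRset
    print(check_key_roles(SPLIT, {11111}, {22222}, x=True))  # passes with -x
    print(check_key_roles(CSK, {33333}, {33333}))            # no KSK-flagged self-signed key
    print(check_key_roles(CSK, {33333}, {33333}, z=True))    # passes with -z
```
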

  <div class="refsection">
<a name="id-1.9"></a><h2>SEE ALSO</h2>

    <p>
      <span class="citerefentry">
        <span class="refentrytitle">dnssec-signzone</span>(8)
      </span>,
      <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
      <em class="citetitle">RFC 4033</em>.
    </p>
  </div>

</div></body>
</html>