Update repub branch u/fanf2/patch to rebasing branch u/fanf2/rebasing revision v9_15_...
[ipreg/bind9.git] / bin / dnssec / dnssec-verify.8
.\" Copyright (C) 2012, 2014-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" This Source Code Form is subject to the terms of the Mozilla Public
.\" License, v. 2.0. If a copy of the MPL was not distributed with this
.\" file, You can obtain one at http://mozilla.org/MPL/2.0/.
.\"
.hy 0
.ad l
'\" t
.\" Title: dnssec-verify
.\" Author:
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
.\" Date: 2014-01-15
.\" Manual: BIND9
.\" Source: ISC
.\" Language: English
.\"
.TH "DNSSEC\-VERIFY" "8" "2014\-01\-15" "ISC" "BIND9"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" http://bugs.debian.org/507673
.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
dnssec-verify \- DNSSEC zone verification tool
.SH "SYNOPSIS"
.HP \w'\fBdnssec\-verify\fR\ 'u
\fBdnssec\-verify\fR [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-E\ \fR\fB\fIengine\fR\fR] [\fB\-I\ \fR\fB\fIinput\-format\fR\fR] [\fB\-o\ \fR\fB\fIorigin\fR\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-V\fR] [\fB\-x\fR] [\fB\-z\fR] {zonefile}
.SH "DESCRIPTION"
.PP
\fBdnssec\-verify\fR
verifies that a zone is fully signed for each algorithm found in the DNSKEY RRset for the zone, and that the NSEC / NSEC3 chains are complete\&.
.SH "OPTIONS"
.PP
\-c \fIclass\fR
.RS 4
Specifies the DNS class of the zone\&.
.RE
.PP
\-E \fIengine\fR
.RS 4
Specifies the cryptographic hardware to use, when applicable\&.
.sp
When BIND is built with OpenSSL PKCS#11 support, this defaults to the string "pkcs11", which identifies an OpenSSL engine that can drive a cryptographic accelerator or hardware security module\&. When BIND is built with native PKCS#11 cryptography (\-\-enable\-native\-pkcs11), it defaults to the path of the PKCS#11 provider library specified via "\-\-with\-pkcs11"\&.
.RE
.PP
\-I \fIinput\-format\fR
.RS 4
The format of the input zone file\&. Possible formats are
\fB"text"\fR
(default) and
\fB"raw"\fR\&. This option is primarily intended to be used for dynamic signed zones so that the dumped zone file in a non\-text format containing updates can be verified independently\&. The use of this option does not make much sense for non\-dynamic zones\&.
.RE
.PP
\-o \fIorigin\fR
.RS 4
The zone origin\&. If not specified, the name of the zone file is assumed to be the origin\&.
.RE
.PP
\-v \fIlevel\fR
.RS 4
Sets the debugging level\&.
.RE
.PP
\-V
.RS 4
Prints version information\&.
.RE
.PP
\-x
.RS 4
Only verify that the DNSKEY RRset is signed with key\-signing keys\&. Without this flag, it is assumed that the DNSKEY RRset will be signed by all active keys\&. When this flag is set, it will not be an error if the DNSKEY RRset is not signed by zone\-signing keys\&. This corresponds to the
\fB\-x\fR
option in
\fBdnssec\-signzone\fR\&.
.RE
.PP
\-z
.RS 4
Ignore the KSK flag on the keys when determining whether the zone is correctly signed\&. Without this flag it is assumed that there will be a non\-revoked, self\-signed DNSKEY with the KSK flag set for each algorithm and that RRsets other than DNSKEY RRset will be signed with a different DNSKEY without the KSK flag set\&.
.sp
With this flag set, we only require that for each algorithm, there will be at least one non\-revoked, self\-signed DNSKEY, regardless of the KSK flag state, and that other RRsets will be signed by a non\-revoked key for the same algorithm that includes the self\-signed key; the same key may be used for both purposes\&. This corresponds to the
\fB\-z\fR
option in
\fBdnssec\-signzone\fR\&.
.RE
.PP
zonefile
.RS 4
The file containing the zone to be verified\&.
.RE
.SH "SEE ALSO"
.PP
\fBdnssec\-signzone\fR(8),
BIND 9 Administrator Reference Manual,
RFC 4033\&.
.SH "AUTHOR"
.PP
\fBInternet Systems Consortium, Inc\&.\fR
.SH "COPYRIGHT"
.br
Copyright \(co 2012, 2014-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
.br
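
The key-role rules that the \-x and \-z options relax, as a simplified model written for this page (an added example, not code from BIND or ISC). It encodes only the rules as worded in the OPTIONS section; the `Key` class, `check_zone` function, key tags and sample zones are hypothetical, and "active keys" is assumed to mean every non-revoked key in the DNSKEY RRset.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Key:
    tag: int              # constructed key tag, illustrative only
    alg: int              # DNSSEC algorithm number
    ksk: bool             # KSK flag set on the DNSKEY
    revoked: bool = False

def check_zone(keys, dnskey_signers, data_signers, x=False, z=False):
    """Return a list of problems (empty = pass) under the man page's rules.

    dnskey_signers: tags of keys that signed the DNSKEY RRset
    data_signers:   tags of keys that signed every other RRset
    """
    problems = []
    for alg in sorted({k.alg for k in keys}):
        live = [k for k in keys if k.alg == alg and not k.revoked]
        self_signed = [k for k in live if k.tag in dnskey_signers]
        on_data = [k for k in live if k.tag in data_signers]
        if z:
            # -z: the KSK flag is ignored; one key may fill both roles.
            if not self_signed:
                problems.append(f"alg {alg}: no non-revoked self-signed DNSKEY")
            if not on_data:
                problems.append(f"alg {alg}: data not signed by a non-revoked key")
        else:
            # Default: a self-signed KSK plus a different, non-KSK data signer.
            if not any(k.ksk for k in self_signed):
                problems.append(f"alg {alg}: no non-revoked self-signed KSK")
            if not any(not k.ksk for k in on_data):
                problems.append(f"alg {alg}: data not signed by a non-KSK key")
        if not x:
            # Without -x every active key is expected to sign the DNSKEY RRset.
            missing = [k.tag for k in live if k.tag not in dnskey_signers]
            if missing:
                problems.append(f"alg {alg}: DNSKEY RRset lacks signatures from {missing}")
    return problems

# Constructed sample zones: a KSK/ZSK split and a single key without the KSK flag.
SPLIT = [Key(1, 13, ksk=True), Key(2, 13, ksk=False)]
CSK = [Key(3, 13, ksk=False)]

if __name__ == "__main__":
    print(check_zone(SPLIT, {1}, {2}))          # zone signed with dnssec-signzone -x
    print(check_zone(SPLIT, {1}, {2}, x=True))  # same zone, verified with -x
    print(check_zone(CSK, {3}, {3}, z=True))    # single-key zone, verified with -z
```

A zone produced with a given \fBdnssec\-signzone\fR flag fails the default check and passes only when verified with the matching flag, which is why the two tools share the \-x and \-z options.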