<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
[<!ENTITY mdash "—">]>
- Copyright (C) 2012, 2014 Internet Systems Consortium, Inc. ("ISC")
- Permission to use, copy, modify, and/or distribute this software for any
- purpose with or without fee is hereby granted, provided that the above
- copyright notice and this permission notice appear in all copies.
- THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
<refentry id="man.dnssec-verify">
<date>January 15, 2014</date>
<refentrytitle><application>dnssec-verify</application></refentrytitle>
<manvolnum>8</manvolnum>
<refmiscinfo>BIND9</refmiscinfo>
<refname><application>dnssec-verify</application></refname>
<refpurpose>DNSSEC zone verification tool</refpurpose>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
<command>dnssec-verify</command>
<arg><option>-c <replaceable class="parameter">class</replaceable></option></arg>
<arg><option>-E <replaceable class="parameter">engine</replaceable></option></arg>
<arg><option>-I <replaceable class="parameter">input-format</replaceable></option></arg>
<arg><option>-o <replaceable class="parameter">origin</replaceable></option></arg>
<arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
<arg><option>-V</option></arg>
<arg><option>-x</option></arg>
<arg><option>-z</option></arg>
<arg choice="req">zonefile</arg>
<title>DESCRIPTION</title>
<para><command>dnssec-verify</command>
verifies that a zone is fully signed for each algorithm found
in the DNSKEY RRset for the zone, and that the NSEC / NSEC3
<title>OPTIONS</title>
<term>-c <replaceable class="parameter">class</replaceable></term>
Specifies the DNS class of the zone.
<term>-E <replaceable class="parameter">engine</replaceable></term>
Specifies the cryptographic hardware to use, when applicable.
When BIND is built with OpenSSL PKCS#11 support, this defaults
to the string "pkcs11", which identifies an OpenSSL engine
that can drive a cryptographic accelerator or hardware security
module. When BIND is built with native PKCS#11 cryptography
(--enable-native-pkcs11), it defaults to the path of the PKCS#11
provider library specified via "--with-pkcs11".
<term>-I <replaceable class="parameter">input-format</replaceable></term>
The format of the input zone file.
Possible formats are <command>"text"</command> (default)
and <command>"raw"</command>.
This option is primarily intended to be used for dynamically
signed zones, so that a zone file dumped in a non-text
format and containing updates can be verified independently.
The use of this option does not make much sense for
<term>-o <replaceable class="parameter">origin</replaceable></term>
The zone origin. If not specified, the name of the zone file
is assumed to be the origin.
<term>-v <replaceable class="parameter">level</replaceable></term>
Sets the debugging level.
Prints version information.
Only verify that the DNSKEY RRset is signed with key-signing
keys. Without this flag, it is assumed that the DNSKEY RRset
will be signed by all active keys. When this flag is set,
it will not be an error if the DNSKEY RRset is not signed
by zone-signing keys. This corresponds to the <option>-x</option>
option in <command>dnssec-signzone</command>.
Ignore the KSK flag on the keys when determining whether
the zone is correctly signed. Without this flag it is
assumed that there will be a non-revoked, self-signed
DNSKEY with the KSK flag set for each algorithm and
that RRsets other than the DNSKEY RRset will be signed with
a different DNSKEY without the KSK flag set.
With this flag set, we only require that for each algorithm,
there will be at least one non-revoked, self-signed DNSKEY,
regardless of the KSK flag state, and that other RRsets
will be signed by a non-revoked key for the same algorithm
that includes the self-signed key; the same key may be used
for both purposes. This corresponds to the <option>-z</option>
option in <command>dnssec-signzone</command>.
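The key-role rules that the default mode, <option>-x</option> and <option>-z</option> impose are easy to misread, so the following added example (illustration only, not BIND source or any part of this manual) models them as a policy check over a constructed signed zone: which non-revoked keys must sign the DNSKEY RRset and which must sign every other RRset, per algorithm. It checks only key roles, not the RRSIG cryptography that <command>dnssec-verify</command> also performs; the origin, key tags and RRsets are assumed sample data, and the flag constants are the RFC 4034 ZONE/SEP and RFC 5011 REVOKE bits.

```python
"""Key-role policy of dnssec-verify's default, -x and -z modes, modelled on
the man page's wording.  Added illustration, not BIND code: it checks which
keys signed which RRsets, not the RRSIG cryptography itself."""
from collections import defaultdict
from dataclasses import dataclass

# DNSKEY flag bits: ZONE and SEP (the "KSK flag") from RFC 4034, REVOKE from RFC 5011.
ZONE_FLAG, SEP_FLAG, REVOKE_FLAG = 0x0100, 0x0001, 0x0080

@dataclass(frozen=True)
class DNSKEY:
    keytag: int
    algorithm: int
    flags: int

    @property
    def is_ksk(self):
        return bool(self.flags & SEP_FLAG)

    @property
    def revoked(self):
        return bool(self.flags & REVOKE_FLAG)

@dataclass(frozen=True)
class RRSIG:
    owner: str        # owner name of the signed RRset
    covered: str      # RR type covered, e.g. "SOA"
    algorithm: int
    keytag: int

def check_signing_policy(origin, keys, rrsets, rrsigs, ksk_only=False, ignore_ksk=False):
    """Return a list of policy errors; [] means fully signed for every algorithm
    in the DNSKEY RRset.  ksk_only mirrors -x, ignore_ksk mirrors -z.  rrsets must
    contain only RRsets that need signatures (no delegation NS, glue or RRSIG)."""
    errors = []
    live = {(k.algorithm, k.keytag): k for k in keys if not k.revoked}
    algorithms = sorted({k.algorithm for k in keys})

    # (owner, covered type) -> non-revoked keys whose RRSIGs cover it
    signers = defaultdict(list)
    for sig in rrsigs:
        key = live.get((sig.algorithm, sig.keytag))
        if key is not None:            # a revoked or unknown signer counts for nothing
            signers[(sig.owner, sig.covered)].append(key)

    for alg in algorithms:
        own = [k for k in signers.get((origin, "DNSKEY"), []) if k.algorithm == alg]
        if ignore_ksk:                 # -z: any non-revoked self-signed key will do
            if not own:
                errors.append(f"alg {alg}: no non-revoked self-signed DNSKEY")
            continue
        if not any(k.is_ksk for k in own):
            errors.append(f"alg {alg}: DNSKEY RRset not signed by a non-revoked KSK")
        if not ksk_only and not any(not k.is_ksk for k in own):
            errors.append(f"alg {alg}: DNSKEY RRset not signed by a ZSK (-x permits this)")

    for owner, rtype in sorted(rrsets):
        if (owner, rtype) == (origin, "DNSKEY"):
            continue
        for alg in algorithms:
            if not any(k.algorithm == alg and (ignore_ksk or not k.is_ksk)
                       for k in signers.get((owner, rtype), [])):
                role = "key" if ignore_ksk else "ZSK"
                errors.append(f"{owner} {rtype}: no non-revoked {role} signature, alg {alg}")
    return errors

# Constructed sample zone (hypothetical names and key tags): one algorithm-13
# KSK/ZSK pair and a handful of RRsets that all require signatures.
ORIGIN = "example.com."
KSK = DNSKEY(keytag=12345, algorithm=13, flags=ZONE_FLAG | SEP_FLAG)
ZSK = DNSKEY(keytag=54321, algorithm=13, flags=ZONE_FLAG)
RRSETS = {(ORIGIN, "SOA"), (ORIGIN, "NS"), (ORIGIN, "DNSKEY"), (ORIGIN, "NSEC"),
          ("www.example.com.", "A"), ("www.example.com.", "NSEC")}

def _sigs_by(key, exclude=()):
    return [RRSIG(o, t, key.algorithm, key.keytag) for o, t in RRSETS if (o, t) not in exclude]

def sample_zone():
    """Default dnssec-signzone layout: DNSKEY signed by KSK and ZSK, the rest by ZSK."""
    return ORIGIN, [KSK, ZSK], RRSETS, _sigs_by(ZSK) + [RRSIG(ORIGIN, "DNSKEY", 13, KSK.keytag)]

def ksk_only_signed_zone():
    """Layout of dnssec-signzone -x: the ZSK no longer signs the DNSKEY RRset."""
    sigs = _sigs_by(ZSK, exclude={(ORIGIN, "DNSKEY")}) + [RRSIG(ORIGIN, "DNSKEY", 13, KSK.keytag)]
    return ORIGIN, [KSK, ZSK], RRSETS, sigs

def single_key_zone():
    """One key carrying the KSK flag signs everything: passes only under -z."""
    csk = DNSKEY(keytag=777, algorithm=13, flags=ZONE_FLAG | SEP_FLAG)
    return ORIGIN, [csk], RRSETS, _sigs_by(csk)

if __name__ == "__main__":
    for zone in (sample_zone(), ksk_only_signed_zone(), single_key_zone()):
        print(check_signing_policy(*zone) or "OK", "|",
              check_signing_policy(*zone, ksk_only=True) or "OK", "|",
              check_signing_policy(*zone, ignore_ksk=True) or "OK")
```

The three sample layouts show the practical consequence: a zone signed with <command>dnssec-signzone -x</command> fails the default check only on the missing ZSK signature over DNSKEY and passes with <option>-x</option>; a single-key zone fails the default check everywhere except the KSK self-signature and passes only with <option>-z</option>; and a signature by a revoked key is simply ignored, so revoking a ZSK without re-signing makes the zone unverifiable.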
<term>zonefile</term>
The file containing the zone to be verified.
<title>SEE ALSO</title>
<refentrytitle>dnssec-signzone</refentrytitle><manvolnum>8</manvolnum>
<citetitle>BIND 9 Administrator Reference Manual</citetitle>,
<citetitle>RFC 4033</citetitle>.
<title>AUTHOR</title>
<para><corpauthor>Internet Systems Consortium</corpauthor>