DNSSEC-VERIFY(8)



DNSSEC-VERIFY(8)                    BIND 9                    DNSSEC-VERIFY(8)

NAME
       dnssec-verify - DNSSEC zone verification tool

SYNOPSIS
       dnssec-verify [-c class] [-E engine] [-I input-format] [-o origin] [-q]
       [-v level] [-V] [-x] [-z] {zonefile}

DESCRIPTION
       dnssec-verify verifies that a zone is fully signed for  each  algorithm
       found  in  the  DNSKEY  RRset  for  the zone, and that the NSEC / NSEC3
       chains are complete.

OPTIONS
       -c class
              Specifies the DNS class of the zone.

       -E engine
              Specifies the cryptographic hardware to use, when applicable.

              When BIND is built with OpenSSL PKCS#11 support,  this  defaults
              to  the string "pkcs11", which identifies an OpenSSL engine that
              can drive a cryptographic accelerator or hardware  service  mod-
              ule.  When BIND is built with native PKCS#11 cryptography (--en-
              able-native-pkcs11), it defaults to  the  path  of  the  PKCS#11
              provider library specified via "--with-pkcs11".

       -I input-format
              The  format  of the input zone file. Possible formats are "text"
              (default) and "raw". This option is  primarily  intended  to  be
              used  for dynamic signed zones so that the dumped zone file in a
              non-text format containing  updates  can  be  verified  indepen-
              dently.  The  use  of  this  option does not make much sense for
              non-dynamic zones.

       -o origin
              The zone origin. If not specified, the name of the zone file  is
              assumed to be the origin.

       -v level
              Sets the debugging level.

       -V     Prints version information.

       -q     Quiet  mode:  Suppresses  output.   Without  this  option,  when
              dnssec-verify is run it will print to standard output the number
              of  keys  in  use,  the  algorithms  used to verify the zone was
              signed correctly and other status  information.   With  it,  all
              non-error  output is suppressed, and only the exit code will in-
              dicate success.

       -x     Only verify that the DNSKEY RRset  is  signed  with  key-signing
              keys.   Without  this  flag, it is assumed that the DNSKEY RRset
              will be signed by all active keys. When this  flag  is  set,  it
              will  not  be  an  error  if  the  DNSKEY RRset is not signed by
              zone-signing  keys.  This  corresponds  to  the  -x  option   in
              dnssec-signzone.

       -z     Ignore  the  KSK  flag  on the keys when determining whether the
              zone if correctly signed. Without this flag it is  assumed  that
              there  will  be  a  non-revoked, self-signed DNSKEY with the KSK
              flag set for each algorithm and that RRsets  other  than  DNSKEY
              RRset  will  be  signed  with a different DNSKEY without the KSK
              flag set.

              With this flag set, we only require  that  for  each  algorithm,
              there  will be at least one non-revoked, self-signed DNSKEY, re-
              gardless of the KSK flag state, and that other  RRsets  will  be
              signed by a non-revoked key for the same algorithm that includes
              the self-signed key; the same key may be used for both purposes.
              This corresponds to the -z option in dnssec-signzone.

       zonefile
              The file containing the zone to be signed.

SEE ALSO
       dnssec-signzone(8), BIND 9 Administrator Reference Manual, RFC 4033.

AUTHOR
       Internet Systems Consortium

COPYRIGHT
       2020, Internet Systems Consortium

9.16.8-Debian                     2020-10-13                  DNSSEC-VERIFY(8)

Man(1) output converted with man2html
list of all man pages