.\" Man page generated from reStructuredText.
.
.
.nr rst2man-indent-level 0
.
.de1 rstReportMargin
\\$1 \\n[an-margin]
level \\n[rst2man-indent-level]
level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
-
\\n[rst2man-indent0]
\\n[rst2man-indent1]
\\n[rst2man-indent2]
..
.de1 INDENT
.\" .rstReportMargin pre:
. RS \\$1
. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
. nr rst2man-indent-level +1
.\" .rstReportMargin post:
..
.de UNINDENT
. RE
.\" indent \\n[an-margin]
.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
.nr rst2man-indent-level -1
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
.TH "DNSSEC-VERIFY" "1" "@RELEASE_DATE@" "@PACKAGE_VERSION@" "BIND 9"
.SH NAME
dnssec-verify \- DNSSEC zone verification tool
.SH SYNOPSIS
.sp
\fBdnssec\-verify\fP [\fB\-c\fP class] [\fB\-E\fP engine] [\fB\-I\fP input\-format] [\fB\-J\fP filename] [\fB\-o\fP origin] [\fB\-q\fP] [\fB\-v\fP level] [\fB\-V\fP] [\fB\-x\fP] [\fB\-z\fP] {zonefile}
.SH DESCRIPTION
.sp
\fBdnssec\-verify\fP verifies that a zone is fully signed for each
algorithm found in the DNSKEY RRset for the zone, and that the
NSEC/NSEC3 chains are complete.
.SH OPTIONS
.INDENT 0.0
.TP
.B \-c class
This option specifies the DNS class of the zone.
.UNINDENT
.INDENT 0.0
.TP
.B \-E engine
This option specifies the cryptographic hardware to use, when applicable.
.sp
When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL
engine identifier that drives the cryptographic accelerator or
hardware security module (usually \fBpkcs11\fP).
.UNINDENT
.INDENT 0.0
.TP
.B \-I input\-format
This option sets the format of the input zone file. Possible formats are \fBtext\fP
(the default) and \fBraw\fP\&. This option is primarily intended to be used
for dynamic signed zones, so that the dumped zone file in a non\-text
format containing updates can be verified independently.
This option is not useful for non\-dynamic zones.
.UNINDENT
.INDENT 0.0
.TP
.B \-J filename
This option tells \fBdnssec\-verify\fP to read the journal from the given file
when loading the zone file.
.UNINDENT
.INDENT 0.0
.TP
.B \-o origin
This option indicates the zone origin. If not specified, the name of the zone file is
assumed to be the origin.
.UNINDENT
.INDENT 0.0
.TP
.B \-v level
This option sets the debugging level.
.UNINDENT
.INDENT 0.0
.TP
.B \-V
This option prints version information.
.UNINDENT
.INDENT 0.0
.TP
.B \-q
This option sets quiet mode, which suppresses output. Without this option, when \fBdnssec\-verify\fP
is run it prints to standard output the number of keys in use, the
algorithms used to verify the zone was signed correctly, and other status
information. With this option, all non\-error output is suppressed, and only the exit
code indicates success.
.UNINDENT
.INDENT 0.0
.TP
.B \-x
This option verifies only that the DNSKEY RRset is signed with key\-signing keys.
Without this flag, it is assumed that the DNSKEY RRset is signed
by all active keys. When this flag is set, it is not an error if
the DNSKEY RRset is not signed by zone\-signing keys. This corresponds
to the \fI\%\-x option in dnssec\-signzone\fP\&.
.UNINDENT
.INDENT 0.0
.TP
.B \-z
This option indicates that the KSK flag on the keys should be ignored when determining whether the zone is
correctly signed. Without this flag, it is assumed that there is
a non\-revoked, self\-signed DNSKEY with the KSK flag set for each
algorithm, and that RRsets other than the DNSKEY RRset are signed with
a different DNSKEY without the KSK flag set.
.sp
With this flag set, BIND 9 only requires that for each algorithm, there
be at least one non\-revoked, self\-signed DNSKEY, regardless of
the KSK flag state, and that other RRsets be signed by a
non\-revoked key for the same algorithm; the self\-signed key itself may be
used for both purposes. This corresponds to
the \fI\%\-z option in dnssec\-signzone\fP\&.
.UNINDENT
.INDENT 0.0
.TP
.B zonefile
This argument indicates the file containing the zone to be verified.
.UNINDENT
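.sp
The following is an added example and not code from BIND 9: a structural model, in Python,
of the verdicts described under DESCRIPTION and under the \fB\-x\fP and \fB\-z\fP options.
It builds a small constructed zone (the name example.test., the "public keys" and the
signature fields are all placeholders, none of them real), computes DNSKEY key tags as
RFC 4034 Appendix B specifies, and then performs the structural part of what
\fBdnssec\-verify\fP checks: that every RRset carries an RRSIG from an acceptable key for
each algorithm in the DNSKEY RRset, that the DNSKEY RRset is self\-signed according to the
KSK/ZSK flag rules given above, and that the NSEC chain starts at the apex, visits every
owner name exactly once and closes back on the apex. The functions \fBkey_tag\fP,
\fBsample_zone\fP and \fBverify\fP and the parameters \fBksk_only\fP (standing in for
\fB\-x\fP) and \fBignore_kskflag\fP (standing in for \fB\-z\fP) are this example's own
names. No signature cryptography is performed, NSEC3 is not modelled, and key\-tag
collisions are not handled.

```python
"""Structural model of the checks this page describes (added example, not BIND code).
Zone, "public keys" and signature fields are constructed placeholders; only the key tags
are computed for real (RFC 4034, Appendix B). No signature cryptography is performed."""
import base64
import struct
from collections import defaultdict

ORIGIN = "example.test."            # constructed zone name
ALG = 13                            # algorithm number used to label the placeholder keys
KSK_FLAG, REVOKE_FLAG = 0x0001, 0x0080   # flags 257 = ZONE|SEP (KSK), 256 = ZONE (ZSK)
KSK_B64 = "S1NLLXBsYWNlaG9sZGVy"    # base64("KSK-placeholder"), not a real key
ZSK_B64 = "WlNLLXBsYWNlaG9sZGVy"    # base64("ZSK-placeholder"), not a real key


def key_tag(flags, protocol, algorithm, pubkey_b64):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (algorithms other than 1)."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte << 8 if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def sample_zone(single_key=False):
    """Constructed signed zone as (owner, type, rdata) triples. With single_key=True one
    DNSKEY flagged as a KSK signs everything: the layout that needs -z to pass."""
    ksk_tag, zsk_tag = key_tag(257, 3, ALG, KSK_B64), key_tag(256, 3, ALG, ZSK_B64)
    zone_tag = ksk_tag if single_key else zsk_tag
    apex = [("SOA", f"ns1.{ORIGIN} hostmaster.{ORIGIN} 2025010101 7200 3600 1209600 3600"),
            ("NS", f"ns1.{ORIGIN}"), ("DNSKEY", f"257 3 {ALG} {KSK_B64}")]
    if not single_key:
        apex.append(("DNSKEY", f"256 3 {ALG} {ZSK_B64}"))
    names = {ORIGIN: apex, f"ns1.{ORIGIN}": [("A", "192.0.2.1")],
             f"www.{ORIGIN}": [("A", "192.0.2.2")]}   # insertion order is canonical order
    order = list(names)
    zone = []
    for i, owner in enumerate(order):
        types = {t for t, _ in names[owner]} | {"NSEC", "RRSIG"}
        zone += [(owner, t, rd) for t, rd in names[owner]]
        zone.append((owner, "NSEC", " ".join([order[(i + 1) % len(order)], *sorted(types)])))
        for t in sorted(types - {"RRSIG"}):    # every RRset gets an RRSIG; DNSKEY also by the KSK
            for tag in sorted({ksk_tag, zone_tag} if t == "DNSKEY" else {zone_tag}):
                zone.append((owner, "RRSIG", f"{t} {ALG} {owner.count('.')} 3600 20300101000000 "
                                             f"20250101000000 {tag} {ORIGIN} c2lnLXBsYWNlaG9sZGVy"))
    return zone


def verify(records, origin, ksk_only=False, ignore_kskflag=False):
    """Return the problems found; [] is the 'fully signed' verdict. ksk_only mirrors -x and
    ignore_kskflag mirrors -z as described above. Key-tag collisions are not modelled."""
    rrsets = defaultdict(list)
    for owner, rtype, rdata in records:
        rrsets[(owner, rtype)].append(rdata)
    keys = {}                                  # key tag -> (flags, algorithm)
    for rd in rrsets.get((origin, "DNSKEY"), []):
        flags, proto, alg, b64 = rd.split()
        keys[key_tag(int(flags), int(proto), int(alg), b64)] = (int(flags), int(alg))
    if not keys:
        return ["no DNSKEY RRset at the apex"]

    def signer_tags(owner, rtype):             # apex keys whose RRSIGs cover this RRset
        sigs = (rd.split() for rd in rrsets.get((owner, "RRSIG"), []))
        return {int(f[6]) for f in sigs if f[0] == rtype and f[7] == origin and int(f[6]) in keys}

    problems, dnskey_sigs = [], signer_tags(origin, "DNSKEY")
    for alg in sorted({a for _, a in keys.values()}):
        active = {t for t, (fl, a) in keys.items() if a == alg and not fl & REVOKE_FLAG}
        self_signed = dnskey_sigs & active
        if ignore_kskflag:                     # -z: any self-signed key may sign the zone
            if not self_signed:
                problems.append(f"alg {alg}: no self-signed, non-revoked DNSKEY")
            zone_signers = active
        else:                                  # default: a KSK signs DNSKEY, ZSKs sign the rest
            if not any(keys[t][0] & KSK_FLAG for t in self_signed):
                problems.append(f"alg {alg}: DNSKEY RRset not signed by a non-revoked KSK")
            zone_signers = {t for t in active if not keys[t][0] & KSK_FLAG}
            if not ksk_only and not self_signed & zone_signers:
                problems.append(f"alg {alg}: DNSKEY RRset not signed by a ZSK (-x would allow this)")
        for owner, rtype in rrsets:
            if rtype == "RRSIG" or (owner, rtype) == (origin, "DNSKEY"):
                continue
            if not signer_tags(owner, rtype) & zone_signers:
                problems.append(f"alg {alg}: {owner} {rtype} has no RRSIG from an acceptable key")

    owners, nxt = {owner for owner, _, _ in records}, {}   # nxt: NSEC owner -> next name
    for owner in sorted(owners):
        nsecs = rrsets.get((owner, "NSEC"), [])
        if len(nsecs) != 1:
            problems.append(f"{owner}: expected one NSEC record, found {len(nsecs)}")
            continue
        nxt[owner], *bitmap = nsecs[0].split()
        if set(bitmap) != {t for o, t in rrsets if o == owner}:   # bitmap lists what exists
            problems.append(f"{owner}: NSEC type bitmap {sorted(bitmap)} does not match the RRsets present")
    walked, cur = [], origin                   # chain must start at the apex, visit every owner
    while cur in nxt and cur not in walked:    # exactly once and close back on the apex
        walked.append(cur)
        cur = nxt[cur]
    if cur != origin or set(walked) != owners:
        problems.append(f"NSEC chain incomplete: covered {len(walked)} of {len(owners)} names, stopped at {cur}")
    return problems
```

Calling \fBverify(sample_zone(), ORIGIN)\fP returns an empty list, as do the \fBksk_only\fP
and \fBignore_kskflag\fP variants, because the two\-key zone satisfies every rule. With
\fBsample_zone(single_key=True)\fP the default rules report the DNSKEY RRset and every
other RRset as not signed by a ZSK, while \fBignore_kskflag=True\fP passes it; that is the
difference \fB\-z\fP makes. Dropping the ZSK's RRSIG over the DNSKEY RRset is reported by
default and accepted with \fBksk_only=True\fP, which is the difference \fB\-x\fP makes, and
removing one NSEC record produces the "NSEC chain incomplete" finding.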
.SH SEE ALSO
.sp
\fI\%dnssec\-signzone(8)\fP, BIND 9 Administrator Reference Manual, \X'tty: link https://datatracker.ietf.org/doc/html/rfc4033.html'\fI\%RFC 4033\fP\X'tty: link'\&.
.SH AUTHOR
Internet Systems Consortium
.SH COPYRIGHT
2025, Internet Systems Consortium
.\" Generated by docutils manpage writer.
.