Diffstat (limited to 'doc/man/dnssec-verify.8in')
-rw-r--r-- doc/man/dnssec-verify.8in 113
1 files changed, 113 insertions, 0 deletions
diff --git a/doc/man/dnssec-verify.8in b/doc/man/dnssec-verify.8in
new file mode 100644
index 0000000..6413884
--- /dev/null
+++ b/doc/man/dnssec-verify.8in
@@ -0,0 +1,113 @@
+.\" Man page generated from reStructuredText.
+.
+.
+.nr rst2man-indent-level 0
+.
+.de1 rstReportMargin
+\\$1 \\n[an-margin]
+level \\n[rst2man-indent-level]
+level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
+-
+\\n[rst2man-indent0]
+\\n[rst2man-indent1]
+\\n[rst2man-indent2]
+..
+.de1 INDENT
+.\" .rstReportMargin pre:
+. RS \\$1
+. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
+. nr rst2man-indent-level +1
+.\" .rstReportMargin post:
+..
+.de UNINDENT
+. RE
+.\" indent \\n[an-margin]
+.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.nr rst2man-indent-level -1
+.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
+..
+.TH "DNSSEC-VERIFY" "8" "@RELEASE_DATE@" "@BIND9_VERSION@" "BIND 9"
+.SH NAME
+dnssec-verify \- DNSSEC zone verification tool
+.SH SYNOPSIS
+.sp
+\fBdnssec\-verify\fP [\fB\-c\fP class] [\fB\-E\fP engine] [\fB\-I\fP input\-format] [\fB\-o\fP origin] [\fB\-q\fP] [\fB\-v\fP level] [\fB\-V\fP] [\fB\-x\fP] [\fB\-z\fP] {zonefile}
+.SH DESCRIPTION
+.sp
+\fBdnssec\-verify\fP verifies that a zone is fully signed for each
+algorithm found in the DNSKEY RRset for the zone, and that the
+NSEC/NSEC3 chains are complete.
+.SH OPTIONS
+.INDENT 0.0
+.TP
+.B \fB\-c class\fP
+This option specifies the DNS class of the zone.
+.TP
+.B \fB\-E engine\fP
+This option specifies the cryptographic hardware to use, when applicable.
+.sp
+When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL
+engine identifier that drives the cryptographic accelerator or
+hardware service module (usually \fBpkcs11\fP). When BIND is
+built with native PKCS#11 cryptography (\fB\-\-enable\-native\-pkcs11\fP), it
+defaults to the path of the PKCS#11 provider library specified via
+\fB\-\-with\-pkcs11\fP\&.
+.TP
+.B \fB\-I input\-format\fP
+This option sets the format of the input zone file. Possible formats are \fBtext\fP
+(the default) and \fBraw\fP\&. This option is primarily intended to be used
+for dynamic signed zones, so that the dumped zone file in a non\-text
+format containing updates can be verified independently.
+This option is not useful for non\-dynamic zones.
+.TP
+.B \fB\-o origin\fP
+This option indicates the zone origin. If not specified, the name of the zone file is
+assumed to be the origin.
+.TP
+.B \fB\-v level\fP
+This option sets the debugging level.
+.TP
+.B \fB\-V\fP
+This option prints version information.
+.TP
+.B \fB\-q\fP
+This option sets quiet mode, which suppresses output. Without this option, when \fBdnssec\-verify\fP
+is run it prints to standard output the number of keys in use, the
+algorithms used to verify the zone was signed correctly, and other status
+information. With this option, all non\-error output is suppressed, and only the exit
+code indicates success.
+.TP
+.B \fB\-x\fP
+This option verifies only that the DNSKEY RRset is signed with key\-signing keys.
+Without this flag, it is assumed that the DNSKEY RRset is signed
+by all active keys. When this flag is set, it is not an error if
+the DNSKEY RRset is not signed by zone\-signing keys. This corresponds
+to the \fB\-x\fP option in \fBdnssec\-signzone\fP\&.
+.TP
+.B \fB\-z\fP
+This option indicates that the KSK flag on the keys should be ignored when determining whether the zone is
+correctly signed. Without this flag, it is assumed that there is
+a non\-revoked, self\-signed DNSKEY with the KSK flag set for each
+algorithm, and that RRsets other than DNSKEY RRset are signed with
+a different DNSKEY without the KSK flag set.
+.sp
+With this flag set, BIND 9 only requires that for each algorithm, there
+be at least one non\-revoked, self\-signed DNSKEY, regardless of
+the KSK flag state, and that other RRsets be signed by a
+non\-revoked key for the same algorithm that includes the self\-signed
+key; the same key may be used for both purposes. This corresponds to
+the \fB\-z\fP option in \fBdnssec\-signzone\fP\&.
+.TP
+.B \fBzonefile\fP
+This option indicates the file containing the zone to be signed.
+.UNINDENT
+.SH SEE ALSO
+.sp
+\fBdnssec\-signzone(8)\fP, BIND 9 Administrator Reference Manual, \fI\%RFC 4033\fP\&.
+.SH AUTHOR
+Internet Systems Consortium
+.SH COPYRIGHT
+2023, Internet Systems Consortium
+.\" Generated by docutils manpage writer.
+.
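Review bot: the zonefile entry at the end of OPTIONS says "the file containing the zone to be signed", but per NAME and DESCRIPTION this tool only verifies a zone; the wording reads as carried over from dnssec-signzone and should say "the zone to be verified". In the same section, the -q entry says that only the exit code indicates success, yet the page never states which exit values mean success or failure; a short EXIT STATUS section would let scripts that run with -q rely on documented behaviour. The -E entry also refers to a "hardware service module", where "hardware security module" is the usual term. Since the first line marks this file as generated from reStructuredText, these wording fixes belong in the .rst source so they survive regeneration.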