diff options
Diffstat (limited to 'doc/man/dnssec-verify.8in')
| -rw-r--r-- | doc/man/dnssec-verify.8in | 113 |
1 files changed, 113 insertions, 0 deletions
diff --git a/doc/man/dnssec-verify.8in b/doc/man/dnssec-verify.8in new file mode 100644 index 0000000..6413884 --- /dev/null +++ b/doc/man/dnssec-verify.8in @@ -0,0 +1,113 @@ +.\" Man page generated from reStructuredText. +. +. +.nr rst2man-indent-level 0 +. +.de1 rstReportMargin +\\$1 \\n[an-margin] +level \\n[rst2man-indent-level] +level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] +- +\\n[rst2man-indent0] +\\n[rst2man-indent1] +\\n[rst2man-indent2] +.. +.de1 INDENT +.\" .rstReportMargin pre: +. RS \\$1 +. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin] +. nr rst2man-indent-level +1 +.\" .rstReportMargin post: +.. +.de UNINDENT +. RE +.\" indent \\n[an-margin] +.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]] +.nr rst2man-indent-level -1 +.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] +.in \\n[rst2man-indent\\n[rst2man-indent-level]]u +.. +.TH "DNSSEC-VERIFY" "8" "@RELEASE_DATE@" "@BIND9_VERSION@" "BIND 9" +.SH NAME +dnssec-verify \- DNSSEC zone verification tool +.SH SYNOPSIS +.sp +\fBdnssec\-verify\fP [\fB\-c\fP class] [\fB\-E\fP engine] [\fB\-I\fP input\-format] [\fB\-o\fP origin] [\fB\-q\fP] [\fB\-v\fP level] [\fB\-V\fP] [\fB\-x\fP] [\fB\-z\fP] {zonefile} +.SH DESCRIPTION +.sp +\fBdnssec\-verify\fP verifies that a zone is fully signed for each +algorithm found in the DNSKEY RRset for the zone, and that the +NSEC/NSEC3 chains are complete. +.SH OPTIONS +.INDENT 0.0 +.TP +.B \fB\-c class\fP +This option specifies the DNS class of the zone. +.TP +.B \fB\-E engine\fP +This option specifies the cryptographic hardware to use, when applicable. +.sp +When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL +engine identifier that drives the cryptographic accelerator or +hardware service module (usually \fBpkcs11\fP). When BIND is +built with native PKCS#11 cryptography (\fB\-\-enable\-native\-pkcs11\fP), it +defaults to the path of the PKCS#11 provider library specified via +\fB\-\-with\-pkcs11\fP\&. +.TP +.B \fB\-I input\-format\fP +This option sets the format of the input zone file. Possible formats are \fBtext\fP +(the default) and \fBraw\fP\&. This option is primarily intended to be used +for dynamic signed zones, so that the dumped zone file in a non\-text +format containing updates can be verified independently. +This option is not useful for non\-dynamic zones. +.TP +.B \fB\-o origin\fP +This option indicates the zone origin. If not specified, the name of the zone file is +assumed to be the origin. +.TP +.B \fB\-v level\fP +This option sets the debugging level. +.TP +.B \fB\-V\fP +This option prints version information. +.TP +.B \fB\-q\fP +This option sets quiet mode, which suppresses output. Without this option, when \fBdnssec\-verify\fP +is run it prints to standard output the number of keys in use, the +algorithms used to verify the zone was signed correctly, and other status +information. With this option, all non\-error output is suppressed, and only the exit +code indicates success. +.TP +.B \fB\-x\fP +This option verifies only that the DNSKEY RRset is signed with key\-signing keys. +Without this flag, it is assumed that the DNSKEY RRset is signed +by all active keys. When this flag is set, it is not an error if +the DNSKEY RRset is not signed by zone\-signing keys. This corresponds +to the \fB\-x\fP option in \fBdnssec\-signzone\fP\&. +.TP +.B \fB\-z\fP +This option indicates that the KSK flag on the keys should be ignored when determining whether the zone is +correctly signed. Without this flag, it is assumed that there is +a non\-revoked, self\-signed DNSKEY with the KSK flag set for each +algorithm, and that RRsets other than DNSKEY RRset are signed with +a different DNSKEY without the KSK flag set. +.sp +With this flag set, BIND 9 only requires that for each algorithm, there +be at least one non\-revoked, self\-signed DNSKEY, regardless of +the KSK flag state, and that other RRsets be signed by a +non\-revoked key for the same algorithm that includes the self\-signed +key; the same key may be used for both purposes. This corresponds to +the \fB\-z\fP option in \fBdnssec\-signzone\fP\&. +.TP +.B \fBzonefile\fP +This option indicates the file containing the zone to be signed. +.UNINDENT +.SH SEE ALSO +.sp +\fBdnssec\-signzone(8)\fP, BIND 9 Administrator Reference Manual, \fI\%RFC 4033\fP\&. +.SH AUTHOR +Internet Systems Consortium +.SH COPYRIGHT +2023, Internet Systems Consortium +.\" Generated by docutils manpage writer. +. |