Annotation of src/external/mpl/bind/dist/doc/arm/man.dnssec-verify.html, Revision 1.1.1.4.4.2
1.1 christos 1: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
2: <!--
1.1.1.3 christos 3: - Copyright (C) 2000-2019 Internet Systems Consortium, Inc. ("ISC")
1.1 christos 4: -
5: - This Source Code Form is subject to the terms of the Mozilla Public
6: - License, v. 2.0. If a copy of the MPL was not distributed with this
7: - file, You can obtain one at http://mozilla.org/MPL/2.0/.
8: -->
9: <html lang="en">
10: <head>
11: <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
12: <title>dnssec-verify</title>
13: <meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
14: <link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
15: <link rel="up" href="Bv9ARM.ch12.html" title="Manual pages">
16: <link rel="prev" href="man.dnssec-signzone.html" title="dnssec-signzone">
17: <link rel="next" href="man.dnstap-read.html" title="dnstap-read">
18: </head>
19: <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
20: <div class="navheader">
21: <table width="100%" summary="Navigation header">
22: <tr><th colspan="3" align="center"><span class="application">dnssec-verify</span></th></tr>
23: <tr>
24: <td width="20%" align="left">
25: <a accesskey="p" href="man.dnssec-signzone.html">Prev</a> </td>
26: <th width="60%" align="center">Manual pages</th>
27: <td width="20%" align="right"> <a accesskey="n" href="man.dnstap-read.html">Next</a>
28: </td>
29: </tr>
30: </table>
31: <hr>
32: </div>
33: <div class="refentry">
34: <a name="man.dnssec-verify"></a><div class="titlepage"></div>
35:
36:
37:
38:
39:
40: <div class="refnamediv">
41: <h2>Name</h2>
42: <p>
43: <span class="application">dnssec-verify</span>
44: — DNSSEC zone verification tool
45: </p>
46: </div>
47:
48:
49:
50: <div class="refsynopsisdiv">
51: <h2>Synopsis</h2>
52: <div class="cmdsynopsis"><p>
53: <code class="command">dnssec-verify</code>
54: [<code class="option">-c <em class="replaceable"><code>class</code></em></code>]
55: [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>]
56: [<code class="option">-I <em class="replaceable"><code>input-format</code></em></code>]
57: [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>]
58: [<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
59: [<code class="option">-V</code>]
60: [<code class="option">-x</code>]
61: [<code class="option">-z</code>]
62: {zonefile}
63: </p></div>
64: </div>
65:
66: <div class="refsection">
67: <a name="id-1.13.17.7"></a><h2>DESCRIPTION</h2>
68:
69: <p><span class="command"><strong>dnssec-verify</strong></span>
70: verifies that a zone is fully signed for each algorithm found
71: in the DNSKEY RRset for the zone, and that the NSEC / NSEC3
72: chains are complete.
73: </p>
74: </div>
75:
76: <div class="refsection">
77: <a name="id-1.13.17.8"></a><h2>OPTIONS</h2>
78:
79:
80: <div class="variablelist"><dl class="variablelist">
81: <dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
82: <dd>
83: <p>
84: Specifies the DNS class of the zone.
85: </p>
86: </dd>
87: <dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
88: <dd>
89: <p>
90: Specifies the cryptographic hardware to use, when applicable.
91: </p>
92: <p>
93: When BIND is built with OpenSSL PKCS#11 support, this defaults
94: to the string "pkcs11", which identifies an OpenSSL engine
95: that can drive a cryptographic accelerator or hardware service
96: module. When BIND is built with native PKCS#11 cryptography
97: (--enable-native-pkcs11), it defaults to the path of the PKCS#11
98: provider library specified via "--with-pkcs11".
99: </p>
100: </dd>
101: <dt><span class="term">-I <em class="replaceable"><code>input-format</code></em></span></dt>
102: <dd>
103: <p>
104: The format of the input zone file.
105: Possible formats are <span class="command"><strong>"text"</strong></span> (default)
106: and <span class="command"><strong>"raw"</strong></span>.
107: This option is primarily intended to be used for dynamic
108: signed zones so that the dumped zone file in a non-text
109: format containing updates can be verified independently.
110: The use of this option does not make much sense for
111: non-dynamic zones.
112: </p>
113: </dd>
114: <dt><span class="term">-o <em class="replaceable"><code>origin</code></em></span></dt>
115: <dd>
116: <p>
117: The zone origin. If not specified, the name of the zone file
118: is assumed to be the origin.
119: </p>
120: </dd>
121: <dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
122: <dd>
123: <p>
124: Sets the debugging level.
125: </p>
126: </dd>
127: <dt><span class="term">-V</span></dt>
128: <dd>
129: <p>
130: Prints version information.
131: </p>
132: </dd>
133: <dt><span class="term">-x</span></dt>
134: <dd>
135: <p>
136: Only verify that the DNSKEY RRset is signed with key-signing
137: keys. Without this flag, it is assumed that the DNSKEY RRset
138: will be signed by all active keys. When this flag is set,
139: it will not be an error if the DNSKEY RRset is not signed
140: by zone-signing keys. This corresponds to the <code class="option">-x</code>
141: option in <span class="command"><strong>dnssec-signzone</strong></span>.
142: </p>
143: </dd>
144: <dt><span class="term">-z</span></dt>
145: <dd>
146: <p>
147: Ignore the KSK flag on the keys when determining whether
148: the zone if correctly signed. Without this flag it is
149: assumed that there will be a non-revoked, self-signed
150: DNSKEY with the KSK flag set for each algorithm and
151: that RRsets other than DNSKEY RRset will be signed with
152: a different DNSKEY without the KSK flag set.
153: </p>
154: <p>
155: With this flag set, we only require that for each algorithm,
156: there will be at least one non-revoked, self-signed DNSKEY,
157: regardless of the KSK flag state, and that other RRsets
158: will be signed by a non-revoked key for the same algorithm
159: that includes the self-signed key; the same key may be used
160: for both purposes. This corresponds to the <code class="option">-z</code>
161: option in <span class="command"><strong>dnssec-signzone</strong></span>.
162: </p>
163: </dd>
164: <dt><span class="term">zonefile</span></dt>
165: <dd>
166: <p>
167: The file containing the zone to be signed.
168: </p>
169: </dd>
170: </dl></div>
171: </div>
172:
173: <div class="refsection">
174: <a name="id-1.13.17.9"></a><h2>SEE ALSO</h2>
175:
176: <p>
177: <span class="citerefentry">
178: <span class="refentrytitle">dnssec-signzone</span>(8)
179: </span>,
180: <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
181: <em class="citetitle">RFC 4033</em>.
182: </p>
183: </div>
184:
185: </div>
186: <div class="navfooter">
187: <hr>
188: <table width="100%" summary="Navigation footer">
189: <tr>
190: <td width="40%" align="left">
191: <a accesskey="p" href="man.dnssec-signzone.html">Prev</a> </td>
192: <td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch12.html">Up</a></td>
193: <td width="40%" align="right"> <a accesskey="n" href="man.dnstap-read.html">Next</a>
194: </td>
195: </tr>
196: <tr>
197: <td width="40%" align="left" valign="top">
198: <span class="application">dnssec-signzone</span> </td>
199: <td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
200: <td width="40%" align="right" valign="top"> <span class="application">dnstap-read</span>
201: </td>
202: </tr>
203: </table>
204: </div>
1.1.1.4.4.2! martin 205: <p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.7 (Stable Release)</p>
1.1 christos 206: </body>
207: </html>
CVSweb <webmaster@jp.NetBSD.org>