DNSSEC-VERIFY(8) | BIND9 | DNSSEC-VERIFY(8) |
NAME¶
dnssec-verify - DNSSEC zone verification tool
SYNOPSIS¶
dnssec-verify [-c class] [-E engine] [-I input-format] [-o origin] [-v level] [-V] [-x] [-z] {zonefile}
DESCRIPTION¶
dnssec-verify verifies that a zone is fully signed for each algorithm found in the DNSKEY RRset for the zone, and that the NSEC / NSEC3 chains are complete.
OPTIONS¶
-c class
-E engine
When BIND is built with OpenSSL PKCS#11 support, this defaults to the string "pkcs11", which identifies an OpenSSL engine that can drive a cryptographic accelerator or hardware service module. When BIND is built with native PKCS#11 cryptography (--enable-native-pkcs11), it defaults to the path of the PKCS#11 provider library specified via "--with-pkcs11".
-I input-format
-o origin
-v level
-V
-x
-z
With this flag set, we only require that for each algorithm, there will be at least one non-revoked, self-signed DNSKEY, regardless of the KSK flag state, and that other RRsets will be signed by a non-revoked key for the same algorithm that includes the self-signed key; the same key may be used for both purposes. This corresponds to the -z option in dnssec-signzone.
zonefile
SEE ALSO¶
dnssec-signzone(8), BIND 9 Administrator Reference Manual, RFC 4033.
AUTHOR¶
Internet Systems Consortium, Inc.
COPYRIGHT¶
Copyright © 2012, 2014-2016, 2018-2021 Internet Systems Consortium, Inc. ("ISC")
2014-01-15 | ISC |