DNSSEC-VERIFY(8) BIND9 DNSSEC-VERIFY(8)NAME
dnssec-verify - DNSSEC zone verification tool
SYNOPSIS
dnssec-verify [-c class] [-E engine] [-I input-format] [-o origin] [-v level] [-x] [-z] {zonefile}
DESCRIPTION
dnssec-verify verifies that a zone is fully signed for each algorithm found in the DNSKEY RRset for the zone, and that the NSEC / NSEC3
chains are complete.
OPTIONS -c class
Specifies the DNS class of the zone.
-I input-format
The format of the input zone file. Possible formats are "text" (default) and "raw". This option is primarily intended to be used for
dynamic signed zones so that the dumped zone file in a non-text format containing updates can be verified independently. The use of
this option does not make much sense for non-dynamic zones.
-o origin
The zone origin. If not specified, the name of the zone file is assumed to be the origin.
-v level
Sets the debugging level.
-x
Only verify that the DNSKEY RRset is signed with key-signing keys. Without this flag, it is assumed that the DNSKEY RRset will be
signed by all active keys. When this flag is set, it will not be an error if the DNSKEY RRset is not signed by zone-signing keys. This
corresponds to the -x option in dnssec-signzone.
-z
Ignore the KSK flag on the keys when determining whether the zone if correctly signed. Without this flag it is assumed that there will
be a non-revoked, self-signed DNSKEY with the KSK flag set for each algorithm and that RRsets other than DNSKEY RRset will be signed
with a different DNSKEY without the KSK flag set.
With this flag set, we only require that for each algorithm, there will be at least one non-revoked, self-signed DNSKEY, regardless of
the KSK flag state, and that other RRsets will be signed by a non-revoked key for the same algorithm that includes the self-signed key;
the same key may be used for both purposes. This corresponds to the -z option in dnssec-signzone.
zonefile
The file containing the zone to be signed.
SEE ALSO dnssec-signzone(8), BIND 9 Administrator Reference Manual, RFC 4033.
AUTHOR
Internet Systems Consortium
COPYRIGHT
Copyright (C) 2012 Internet Systems Consortium, Inc. ("ISC")
BIND9 April 12, 2012 DNSSEC-VERIFY(8)
Check Out this Related Man Page
ldns-signzone(1) General Commands Manual ldns-signzone(1)NAME
ldns-signzone - sign a zonefile with DNSSEC data
SYNOPSIS
ldns-signzone [ OPTIONS ] ZONEFILE KEY [KEY [KEY] ... ]
DESCRIPTION
ldns-signzone is used to generate a DNSSEC signed zone. When run it will create a new zonefile that contains RRSIG and NSEC resource
records, as specified in RFC 4033, RFC 4034 and RFC 4035.
Keys must be specified by their base name (i.e. without .private). If the DNSKEY that belongs to the key in the .private file is not
present in the zone, it will be read from the file <base name>.key. If that file does not exist, the DNSKEY value will be generated from
the private key.
Multiple keys can be specified, Key Signing Keys are used as such when they are either already present in the zone, or specified in a .key
file, and have the KSK bit set.
OPTIONS -b Augments the zone and the RR's with extra comment texts for a more readable layout, easier to debug. DS records will have a bubble-
babble version of the data in the comment text, NSEC3 records will have the original NSEC3 in the comment text.
Without this option, only DNSKEY RR's will have their Key Tag annotated in the comment text.
-d Normally, if the DNSKEY RR for a key that is used to sign the zone is not found in the zone file, it will be read from .key, or
derived from the private key (in that order). This option turns that feature off, so that only the signatures are added to the zone.
-e date
Set expiration date of the signatures to this date, the format can be YYYYMMDD[hhmmss], or a timestamp.
-f file
Use this file to store the signed zone in (default <originalfile>.signed)
-i date
Set inception date of the signatures to this date, the format can be YYYYMMDD[hhmmss], or a timestamp.
-o origin
Use this as the origin of the zone
-v Print the version and exit
-A Sign the DNSKEY record with all keys. By default it is signed with a minimal number of keys, to keep the response size for the
DNSKEY query small, and only the SEP keys that are passed are used. If there are no SEP keys, the DNSKEY RRset is signed with the
non-SEP keys. This option turns off the default and all keys are used to sign the DNSKEY RRset.
-E name
Use the EVP cryptographic engine with the given name for signing. This can have some extra options; see ENGINE OPTIONS for more
information.
-k id,int
Use the key with the given id as the signing key for algorithm int as a Zone signing key. This option is used when you use an
OpenSSL engine, see ENGINE OPTIONS for more information.
-K id,int
Use the key with the given id as the signing key for algorithm int as a Key signing key. This options is used when you use an
OpenSSL engine, see ENGINE OPTIONS for more information.
-n Use NSEC3 instead of NSEC.
If you use NSEC3, you can specify the following extra options:
-a algorithm
Algorithm used to create the hashed NSEC3 owner names
-p Opt-out. All NSEC3 records in the zone will have the Opt-out flag set. After signing, you can add insecure delegations to the signed
zone.
-s string
Salt
-t number
Number of hash iterations
ENGINE OPTIONS
You can modify the possible engines, if supported, by setting an OpenSSL configuration file. This is done through the environment variable
OPENSSL_CONF. If you use -E with a non-existent engine name, ldns-signzone will print a list of engines supported by your configuration.
The key options (-k and -K) work as follows; you specify a key id, and a DNSSEC algorithm number (for instance, 5 for RSASHA1). The key id
can be any of the following:
<id>
<slot>:<id>
id_<id>
slot_<slot>-id_<id>
label_<label>
slot_<slot>-label_<label>
Where '<id>' is the PKCS #11 key identifier in hexadecimal notation, '<label>' is the PKCS #11 human-readable label, and '<slot>' is the
slot number where the token is present.
If not already present, a DNSKEY RR is generated from the key data, and added to the zone.
EXAMPLES
ldns-signzone nlnetlabs.nl Knlnetlabs.nl.+005+12273
Sign the zone in the file 'nlnetlabs.nl' with the key in the files 'Knlnetlabs.nl.+005+12273.private'. If the DNSKEY is not present
in the zone, use the key in the file 'Knlnetlabs.nl.+005+12273.key'. If that is not present, generate one with default values from
'Knlnetlabs.nl.+005+12273.private'.
AUTHOR
Written by the ldns team as an example for ldns usage.
REPORTING BUGS
Report bugs to <ldns-team@nlnetlabs.nl>.
COPYRIGHT
Copyright (C) 2005-2008 NLnet Labs. This is free software. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR
PURPOSE.
30 May 2005 ldns-signzone(1)