dnssec-verify Command

Purpose

Verifies the Domain name system security extensions (DNSSEC) zone.

Syntax

dnssec-verify [-c class] [-E engine] [-I input-format] [-o origin] [-q] [-v level] [-V] [-x] [-z] {zonefile}

Description

The dnssec-verify command verifies that a zone is fully signed for each algorithm in the Domain Name System Key (DNSKEY) resource record (RR) set for the zone. The next secure record (NSEC) or NSEC3 chains are complete.

Flags

Table 1. Flags
Item	Description
-c `class`	Specifies the Domain Name System (DNS) class of the zone.
-E `engine`	Specifies the cryptographic hardware to use, when applicable. When BIND 9 is built with OpenSSL, this flag needs to be set to the OpenSSL engine identifier that drives the cryptographic accelerator or hardware service module (usually pkcs11).
-I `input-format`	Sets the format of the input zone file. Possible formats are `text` (the default) and `raw`. This option is used for dynamic signed zones so that the dumped zone file that contains the updates in a non-text format can be verified independently. This option is not useful for nondynamic zones.
-o `origin`	Indicates the zone origin. If this flag is not specified, the name of the zone file is assumed to be the origin.
-v `level`	Sets the debugging level.
-V	Prints the version information.
-q	Sets a quiet mode, which suppresses the output. Without this option, when the dnssec-verify command is run, it prints the following information to the standard output: The number of keys in use. The algorithms used to verify that the zone is signed correctly. Other status information. With this option, all the non-error output is suppressed, and the exit code indicates success.
-x	Verifies that the DNSKEY RR set is signed with key-signing keys (KSK). Without this flag, it is assumed that all the active keys sign DNSKEY RR set. When this flag is set, it is not an error if the zone-signing keys do not sign the DNSKEY RR set. This option corresponds to the -x option in the dnssec-signzone command.
-z	Indicates that the KSK flag in all the active keys must be ignored when determining whether the zone is correctly signed. Without the -z flag, it is assumed that a nonrevoked, self-signed DNSKEY in which the KSK flag is set is available for each algorithm. The RR sets other than the DNSKEY RR set are signed with a different DNSKEY in which the KSK flag is not set. With this flag set, BIND 9 requires at least one nonrevoked, self-signed DNSKEY for each algorithm, regardless of the KSK flag state. Other RR sets must be signed by a nonrevoked key for the same algorithm that includes the self-signed key. The same key can be used for both purposes. This option corresponds to the -z option in the dnssec-signzone command.

Parameter

Table 2. Parameter
Item	Description
`zonefile`	Indicates the file that contains the zone to be signed.