diff options
author | erwin <erwin@FreeBSD.org> | 2013-08-22 08:15:03 +0000 |
---|---|---|
committer | erwin <erwin@FreeBSD.org> | 2013-08-22 08:15:03 +0000 |
commit | 6a288ef517fece2ca5a21d081efd7b4a81da0053 (patch) | |
tree | 37271fd86c9be9a6bab12a7aebd85ccfbb8a7b62 /contrib/bind9/bin/dnssec/dnssec-verify.html | |
parent | 0b46e38a09fbccfdfd7bca0f387c66b2c64fa5b6 (diff) | |
parent | f32b4abce98c97ee6e51b7aa8f8fde6e4cab7f28 (diff) | |
download | FreeBSD-src-6a288ef517fece2ca5a21d081efd7b4a81da0053.zip FreeBSD-src-6a288ef517fece2ca5a21d081efd7b4a81da0053.tar.gz |
Update Bind to 9.9.3-P2
Notable new features:
* Elliptic Curve Digital Signature Algorithm keys and signatures in
DNSSEC are now supported per RFC 6605. [RT #21918]
* Introduces a new tool "dnssec-verify" that validates a signed zone,
checking for the correctness of signatures and NSEC/NSEC3 chains.
[RT #23673]
* BIND now recognizes the TLSA resource record type, created to
support IETF DANE (DNS-based Authentication of Named Entities)
[RT #28989]
* The new "inline-signing" option, in combination with the
"auto-dnssec" option that was introduced in BIND 9.7, allows
named to sign zones completely transparently.
Approved by: delphij (mentor)
MFC after: 3 days
Sponsored by: DK Hostmaster A/S
Diffstat (limited to 'contrib/bind9/bin/dnssec/dnssec-verify.html')
-rw-r--r-- | contrib/bind9/bin/dnssec/dnssec-verify.html | 117 |
1 files changed, 117 insertions, 0 deletions
diff --git a/contrib/bind9/bin/dnssec/dnssec-verify.html b/contrib/bind9/bin/dnssec/dnssec-verify.html new file mode 100644 index 0000000..135556f --- /dev/null +++ b/contrib/bind9/bin/dnssec/dnssec-verify.html @@ -0,0 +1,117 @@ +<!-- + - Copyright (C) 2012 Internet Systems Consortium, Inc. ("ISC") + - + - Permission to use, copy, modify, and/or distribute this software for any + - purpose with or without fee is hereby granted, provided that the above + - copyright notice and this permission notice appear in all copies. + - + - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + - PERFORMANCE OF THIS SOFTWARE. +--> +<!-- $Id$ --> +<html> +<head> +<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> +<title>dnssec-verify</title> +<meta name="generator" content="DocBook XSL Stylesheets V1.71.1"> +</head> +<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en"> +<a name="man.dnssec-verify"></a><div class="titlepage"></div> +<div class="refnamediv"> +<h2>Name</h2> +<p><span class="application">dnssec-verify</span> — DNSSEC zone verification tool</p> +</div> +<div class="refsynopsisdiv"> +<h2>Synopsis</h2> +<div class="cmdsynopsis"><p><code class="command">dnssec-verify</code> [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-I <em class="replaceable"><code>input-format</code></em></code>] [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-x</code>] [<code class="option">-z</code>] {zonefile}</p></div> +</div> +<div class="refsect1" lang="en"> +<a name="id2543390"></a><h2>DESCRIPTION</h2> +<p><span><strong class="command">dnssec-verify</strong></span> + verifies that a zone is fully signed for each algorithm found + in the DNSKEY RRset for the zone, and that the NSEC / NSEC3 + chains are complete. + </p> +</div> +<div class="refsect1" lang="en"> +<a name="id2543402"></a><h2>OPTIONS</h2> +<div class="variablelist"><dl> +<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt> +<dd><p> + Specifies the DNS class of the zone. + </p></dd> +<dt><span class="term">-I <em class="replaceable"><code>input-format</code></em></span></dt> +<dd><p> + The format of the input zone file. + Possible formats are <span><strong class="command">"text"</strong></span> (default) + and <span><strong class="command">"raw"</strong></span>. + This option is primarily intended to be used for dynamic + signed zones so that the dumped zone file in a non-text + format containing updates can be verified independently. + The use of this option does not make much sense for + non-dynamic zones. + </p></dd> +<dt><span class="term">-o <em class="replaceable"><code>origin</code></em></span></dt> +<dd><p> + The zone origin. If not specified, the name of the zone file + is assumed to be the origin. + </p></dd> +<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt> +<dd><p> + Sets the debugging level. + </p></dd> +<dt><span class="term">-x</span></dt> +<dd><p> + Only verify that the DNSKEY RRset is signed with key-signing + keys. Without this flag, it is assumed that the DNSKEY RRset + will be signed by all active keys. When this flag is set, + it will not be an error if the DNSKEY RRset is not signed + by zone-signing keys. This corresponds to the <code class="option">-x</code> + option in <span><strong class="command">dnssec-signzone</strong></span>. + </p></dd> +<dt><span class="term">-z</span></dt> +<dd> +<p> + Ignore the KSK flag on the keys when determining whether + the zone if correctly signed. Without this flag it is + assumed that there will be a non-revoked, self-signed + DNSKEY with the KSK flag set for each algorithm and + that RRsets other than DNSKEY RRset will be signed with + a different DNSKEY without the KSK flag set. + </p> +<p> + With this flag set, we only require that for each algorithm, + there will be at least one non-revoked, self-signed DNSKEY, + regardless of the KSK flag state, and that other RRsets + will be signed by a non-revoked key for the same algorithm + that includes the self-signed key; the same key may be used + for both purposes. This corresponds to the <code class="option">-z</code> + option in <span><strong class="command">dnssec-signzone</strong></span>. + </p> +</dd> +<dt><span class="term">zonefile</span></dt> +<dd><p> + The file containing the zone to be signed. + </p></dd> +</dl></div> +</div> +<div class="refsect1" lang="en"> +<a name="id2543543"></a><h2>SEE ALSO</h2> +<p> + <span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>, + <em class="citetitle">BIND 9 Administrator Reference Manual</em>, + <em class="citetitle">RFC 4033</em>. + </p> +</div> +<div class="refsect1" lang="en"> +<a name="id2543637"></a><h2>AUTHOR</h2> +<p><span class="corpauthor">Internet Systems Consortium</span> + </p> +</div> +</div></body> +</html> |