ldns-verifyzone(1)          General Commands Manual         ldns-verifyzone(1)

NAME

       ldns-verify-zone - read a DNSSEC signed zone and verify it.

SYNOPSIS

       ldns-verify-zone ZONEFILE

DESCRIPTION

       ldns-verify-zone reads a DNS zone file and verifies it.

       RRSIG resource records are checked against the DNSKEY set at the zone
       apex.

       Each name is checked for an NSEC(3), if appropriate.

       If ZONEMD resource records are present, one of them needs to match the
       zone content.

OPTIONS

       -h     Show usage and exit

       -a     Apex only, check only the zone apex

       -e period
              Signatures may not expire within this period.  By default no
              period is used.

       -i period
              Signatures must have been valid at least this long.  By
              default, signatures only need to be valid now.

       -k file
              A file that contains a trusted DNSKEY or DS rr.  This option may
              be given more than once.

              Alternatively, if -k is not specified, and a default trust
              anchor (/var/lib/unbound/root.key) exists and contains a valid
              DNSKEY or DS record, it will be used as the trust anchor.

       -p [0-100]
              Only check this percentage of the zone.  Which names to check is
              determined randomly.  Defaults to 100.
       -S     Chase signature(s) to a known key.  The network may be accessed
              to validate the zone's DNSKEYs. (implies -k)

       -t YYYYMMDDhhmmss | [+|-]offset
              Set the validation time either by an absolute time value or as
              an offset in seconds from the current time.

       -v     Show the version and exit

       -V number
              Set the verbosity level (default 3):

               0: Be silent
               1: Print result, and any errors
               2: Same as 1 for now
               3: Print result, any errors, and the names that are
                  being checked
               4: Same as 3 for now
               5: Print the zone after it has been read, the result,
                  any errors, and the names that are being checked

       -Z     Requires a valid ZONEMD RR to be present.  When given once, this
              option will permit verifying only the ZONEMD RR of an unsigned
              zone.  When given more than once, the zone needs to be validly
              DNSSEC signed as well.

       -ZZZ   When the -Z option is given three times, the ZONEMD RR to be
              verified is considered "detached" and does not need to have
              valid signatures.
       Periods are given in ISO 8601 duration format:
              P[n]Y[n]M[n]DT[n]H[n]M[n]S

       If no file is given, standard input is read.
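
The following is an added example, not part of ldns or of this manual page: a Python illustration of the signature time-window checks that the -e and -i options describe, useful for seeing which RRSIGs a given period would flag before a zone is published. It assumes single-line records with the owner name on every line, 14-digit RRSIG timestamps, periods limited to days and time units, and boundary handling chosen for the example; the function names and the sample zone are constructed.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample zone lines (not real data); signatures are dummy base64.
SAMPLE_ZONE = """\
example. 3600 IN RRSIG SOA 13 1 3600 20240620000000 20240520000000 12345 example. c2lnMQ==
example. 3600 IN NSEC www.example. NS SOA RRSIG NSEC DNSKEY
www.example. 300 IN RRSIG A 13 2 300 20240603000000 20240531120000 12345 example. c2lnMg==
old.example. 300 IN RRSIG A 13 2 300 20240530000000 20240501000000 12345 example. c2lnMw==
"""

# Days and time units only: years and months have no fixed length (assumption).
PERIOD_RE = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")

def parse_period(text):
    """Convert an ISO 8601 duration such as P7D or PT12H to a timedelta."""
    m = PERIOD_RE.match(text)
    if not m or text == "P" or text.endswith("T"):
        raise ValueError(f"unsupported period: {text!r}")
    days, hours, minutes, seconds = (int(g or 0) for g in m.groups())
    return timedelta(days=days, hours=hours, minutes=minutes, seconds=seconds)

def parse_ts(field):  # RRSIG YYYYMMDDhhmmss timestamp, interpreted as UTC
    return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def check_rrsigs(zone_text, now, expire_margin=timedelta(0), min_age=timedelta(0)):
    """Return (owner, covered type, reason) for every RRSIG failing a time check."""
    failures = []
    for line in zone_text.splitlines():
        tok = line.split(";")[0].split()
        fields = tok[1:]  # assumes the owner name is written on every line
        while fields and (fields[0].isdigit() or fields[0].upper() in ("IN", "CH", "HS")):
            fields = fields[1:]  # skip optional TTL and class
        # Require RRSIG as the record type; an NSEC bitmap also lists "RRSIG".
        if len(fields) < 7 or fields[0] != "RRSIG":
            continue
        expiration, inception = parse_ts(fields[5]), parse_ts(fields[6])
        if now < inception:
            reason = "not yet valid"
        elif now >= expiration:
            reason = "expired"
        elif expiration < now + expire_margin:
            reason = "expires within -e period"
        elif inception > now - min_age:
            reason = "valid for less than -i period"
        else:
            continue
        failures.append((tok[0], fields[1], reason))
    return failures
```
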

FILES

       /var/lib/unbound/root.key
              The file from which trusted keys are loaded for signature
              chasing, when no -k option is given.

SEE ALSO

       unbound-anchor(8)

AUTHOR

       Written by the ldns team as an example for ldns usage.

REPORTING BUGS

       Report bugs to <ldns-team@nlnetlabs.nl>.

       Copyright (C) 2008 NLnet Labs. This is free software. There is NO
       warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR
       PURPOSE.

                                  27 May 2008               ldns-verifyzone(1)