Go to main content

man pages section 8: System Administration Commands

Exit Print View

Updated: Wednesday, July 27, 2022

dnssec-verify (8)


dnssec-verify - DNSSEC zone verification tool


dnssec-verify [-c class] [-E engine] [-I input-format] [-o origin] [-q]
[-v level] [-V] [-x] [-z] {zonefile}


DNSSEC-VERIFY(8)                    BIND 9                    DNSSEC-VERIFY(8)

       dnssec-verify - DNSSEC zone verification tool

       dnssec-verify [-c class] [-E engine] [-I input-format] [-o origin] [-q]
       [-v level] [-V] [-x] [-z] {zonefile}

       dnssec-verify verifies that a zone is fully signed for  each  algorithm
       found  in the DNSKEY RRset for the zone, and that the NSEC/NSEC3 chains
       are complete.

       -c class
              This option specifies the DNS class of the zone.

       -E engine
              This option specifies the cryptographic hardware  to  use,  when

              When  BIND  9 is built with OpenSSL, this needs to be set to the
              OpenSSL engine identifier that drives the cryptographic acceler-
              ator  or  hardware service module (usually pkcs11). When BIND is
              built with native PKCS#11 cryptography (--enable-native-pkcs11),
              it  defaults  to the path of the PKCS#11 provider library speci-
              fied via --with-pkcs11.

       -I input-format
              This option sets the format of the  input  zone  file.  Possible
              formats are text (the default) and raw. This option is primarily
              intended to be used for dynamic signed zones, so that the dumped
              zone  file  in a non-text format containing updates can be veri-
              fied independently.  This option is not useful  for  non-dynamic

       -o origin
              This  option  indicates  the  zone origin. If not specified, the
              name of the zone file is assumed to be the origin.

       -v level
              This option sets the debugging level.

       -V     This option prints version information.

       -q     This option sets quiet mode, which suppresses  output.   Without
              this  option,  when  dnssec-verify  is run it prints to standard
              output the number of keys in use, the algorithms used to  verify
              the  zone  was  signed  correctly, and other status information.
              With this option, all non-error output is suppressed,  and  only
              the exit code indicates success.

       -x     This  option  verifies only that the DNSKEY RRset is signed with
              key-signing keys.  Without this flag, it  is  assumed  that  the
              DNSKEY  RRset  is  signed  by all active keys. When this flag is
              set, it is not an error if the DNSKEY RRset  is  not  signed  by
              zone-signing   keys.  This  corresponds  to  the  -x  option  in

       -z     This option indicates that the KSK flag on the  keys  should  be
              ignored  when  determining whether the zone is correctly signed.
              Without this flag, it is assumed that there  is  a  non-revoked,
              self-signed DNSKEY with the KSK flag set for each algorithm, and
              that RRsets other than DNSKEY RRset are signed with a  different
              DNSKEY without the KSK flag set.

              With  this  flag  set,  BIND 9 only requires that for each algo-
              rithm, there be at least one  non-revoked,  self-signed  DNSKEY,
              regardless  of  the  KSK  flag  state,  and that other RRsets be
              signed by a non-revoked key for the same algorithm that includes
              the self-signed key; the same key may be used for both purposes.
              This corresponds to the -z option in dnssec-signzone.

              This option indicates the file containing the zone to be signed.

       See attributes(7) for descriptions of the following attributes:

       |Availability   | network/dns/bind         |
       |Stability      | Pass-through uncommitted |

       dnssec-signzone(8), BIND 9 Administrator Reference Manual, RFC 4033.

       Internet Systems Consortium

       2022, Internet Systems Consortium

       Source code for open source software components in Oracle  Solaris  can
       be found at https://www.oracle.com/downloads/opensource/solaris-source-

       This    software    was    built    from    source     available     at
       https://github.com/oracle/solaris-userland.    The  original  community
       source                was                downloaded                from

       Further information about this software can be found on the open source
       community website at http://www.isc.org/software/bind/.

9.16.29                           2022-05-10                  DNSSEC-VERIFY(8)