ldns-verify-zone (1)
NAME
ldns-verify-zone - read a DNSSEC signed zone and verify it.SYNOPSIS
ldns-verify-zone ZONEFILEDESCRIPTION
ldns-verify-zone reads a DNS zone file and verifies it.
RRSIG resource records are checked against the DNSKEY set at the zone apex.
Each name is checked for an NSEC(3), if appropriate.
OPTIONS
- -h
-
Show usage and exit
- -a
-
Apex only, check only the zone apex
- -e period
-
Signatures may not expire within this period.
Default no period is used.
- -i period
-
Signatures must have been valid at least this long.
Default signatures should just be valid now.
- -k file
-
A file that contains a trusted DNSKEY or DS rr.
This option may be given more than once.
Alternatively, if -k is not specified, and a default trust anchor (/etc/unbound/root.key) exists and contains a valid DNSKEY or DS record, it will be used as the trust anchor. - -p [0-100]
-
Only check this percentage of the zone.
Which names to check is determined randomly.
Defaults to 100.
- -S
-
Chase signature(s) to a known key.
The network may be accessed to validate the zone's DNSKEYs. (implies -k)
- -t YYYYMMDDhhmmss | [+|-]offset
-
Set the validation time either by an absolute time value or as an offset in seconds from the current time.
- -v
-
Show the version and exit
- -V number
-
Set the verbosity level (default 3):
0: Be silent
1: Print result, and any errors
2: Same as 1 for now
3: Print result, any errors, and the names that are
being checked
4: Same as 3 for now
5: Print the zone after it has been read, the result,
any errors, and the names that are being checked
periods are given in ISO 8601 duration format:
- P[n]Y[n]M[n]DT[n]H[n]M[n]S
If no file is given standard input is read.
FILES
- /etc/unbound/root.key
-
The file from which trusted keys are loaded for signature chasing,
when no -k option is given.
SEE ALSO
unbound-anchor(8)