ldns-verify-zone - read a DNSSEC signed zone and verify it.
reads a DNS zone file and verifies it.
RRSIG resource records are checked against the DNSKEY set at the zone apex.
Each name is checked for an NSEC(3), if appropriate.
- Show usage and exit
- Apex only, check only the zone apex
- -e period
- Signatures may not expire within this period. Default no period is used.
- -i period
- Signatures must have been valid at least this long. Default signatures
should just be valid now.
- -k file
- A file that contains a trusted DNSKEY or DS rr. This option may be given
more than once.
Alternatively, if -k is not specified, and a default trust anchor
(/etc/unbound/root.key) exists and contains a valid DNSKEY or DS record,
it will be used as the trust anchor.
- -p [0-100]
- Only check this percentage of the zone. Which names to check is determined
randomly. Defaults to 100.
- Chase signature(s) to a known key. The network may be accessed to validate
the zone's DNSKEYs. (implies -k)
- -t YYYYMMDDhhmmss | [+|-]offset
- Set the validation time either by an absolute time value or as an offset
in seconds from the current time.
- Show the version and exit
- -V number
- Set the verbosity level (default 3):
0: Be silent
1: Print result, and any errors
2: Same as 1 for now
3: Print result, any errors, and the names that are
4: Same as 3 for now
5: Print the zone after it has been read, the result,
any errors, and the names that are being checked
s are given in ISO 8601 duration format:
If no file is given standard input is read.
- The file from which trusted keys are loaded for signature chasing, when no
-k option is given.
Written by the ldns team as an example for ldns usage.
Report bugs to <firstname.lastname@example.org>.
Copyright (C) 2008 NLnet Labs. This is free software. There is NO warranty; not
even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.