bind/doc/design/verify

<!--
Copyright (C) Internet Systems Consortium, Inc. ("ISC")

SPDX-License-Identifier: MPL-2.0

This Source Code Form is subject to the terms of the Mozilla Public
License, v. 2.0.  If a copy of the MPL was not distributed with this
file, you can obtain one at https://mozilla.org/MPL/2.0/.

See the COPYRIGHT file distributed with this work for additional
information regarding copyright ownership.
-->

	dnssec-verify a tool to verify a zone is correctly signed.

* check that every record that should be signed has a valid RRSIG set.
* check that every record that shouldn't be signed isn't.
* check that each RRSIG set has a valid RRSIG and that all DNSKEY algorithms
	in use are checked.
* provide a mechanism to mark DNSKEY algorithms to be ignored to support
	verification of zones that are in the process of adding/removing
	support for a algorithm.
* provide a mechanism to check the zone as of a specified date and time.
* check that RRSIG won't expire within the TTL interval.
* check that original TTL matches.

NSEC:
* check that every node with data within the zone has a NSEC RRset.
* check that empty nodes don't have a NSEC record.
* check that nodes outside the zone do not have a NSEC record.
* check that the NSEC chain is valid.

NSEC3: for each NSEC3 chain
* check that every node with data within the zone has a NSEC3 RRset.
* check that empty nodes within the zone have a NSEC3 record.
* check that nodes outside the zone do not have a NSEC3 record.
* check that each NSEC3 in the NSEC3PARAM record is valid.
Update the copyright information in all files in the repository This commit converts the license handling to adhere to the REUSE specification. It specifically: 1. Adds used licnses to LICENSES/ directory 2. Add "isc" template for adding the copyright boilerplate 3. Changes all source files to include copyright and SPDX license header, this includes all the C sources, documentation, zone files, configuration files. There are notes in the doc/dev/copyrights file on how to add correct headers to the new files. 4. Handle the rest that can't be modified via .reuse/dep5 file. The binary (or otherwise unmodifiable) files could have license places next to them in <foo>.license file, but this would lead to cluttered repository and most of the files handled in the .reuse/dep5 file are system test files. 2021-06-03 08:37:05 +02:00			`<!--`
3341. [func] New "dnssec-verify" command checks a signed zone to ensure correctness of signatures and of NSEC/NSEC3 chains. [RT #23673] 2012-06-25 13:57:32 +10:00			`Copyright (C) Internet Systems Consortium, Inc. ("ISC")`
4401. [misc] Change LICENSE to MPL 2.0. 2016-06-27 14:56:38 +10:00
Update the copyright information in all files in the repository This commit converts the license handling to adhere to the REUSE specification. It specifically: 1. Adds used licnses to LICENSES/ directory 2. Add "isc" template for adding the copyright boilerplate 3. Changes all source files to include copyright and SPDX license header, this includes all the C sources, documentation, zone files, configuration files. There are notes in the doc/dev/copyrights file on how to add correct headers to the new files. 4. Handle the rest that can't be modified via .reuse/dep5 file. The binary (or otherwise unmodifiable) files could have license places next to them in <foo>.license file, but this would lead to cluttered repository and most of the files handled in the .reuse/dep5 file are system test files. 2021-06-03 08:37:05 +02:00			`SPDX-License-Identifier: MPL-2.0`

3341. [func] New "dnssec-verify" command checks a signed zone to ensure correctness of signatures and of NSEC/NSEC3 chains. [RT #23673] 2012-06-25 13:57:32 +10:00			`This Source Code Form is subject to the terms of the Mozilla Public`
			`License, v. 2.0. If a copy of the MPL was not distributed with this`
			`file, you can obtain one at https://mozilla.org/MPL/2.0/.`
Update the copyright information in all files in the repository This commit converts the license handling to adhere to the REUSE specification. It specifically: 1. Adds used licnses to LICENSES/ directory 2. Add "isc" template for adding the copyright boilerplate 3. Changes all source files to include copyright and SPDX license header, this includes all the C sources, documentation, zone files, configuration files. There are notes in the doc/dev/copyrights file on how to add correct headers to the new files. 4. Handle the rest that can't be modified via .reuse/dep5 file. The binary (or otherwise unmodifiable) files could have license places next to them in <foo>.license file, but this would lead to cluttered repository and most of the files handled in the .reuse/dep5 file are system test files. 2021-06-03 08:37:05 +02:00
3341. [func] New "dnssec-verify" command checks a signed zone to ensure correctness of signatures and of NSEC/NSEC3 chains. [RT #23673] 2012-06-25 13:57:32 +10:00			`See the COPYRIGHT file distributed with this work for additional`
			`information regarding copyright ownership.`
Update the copyright information in all files in the repository This commit converts the license handling to adhere to the REUSE specification. It specifically: 1. Adds used licnses to LICENSES/ directory 2. Add "isc" template for adding the copyright boilerplate 3. Changes all source files to include copyright and SPDX license header, this includes all the C sources, documentation, zone files, configuration files. There are notes in the doc/dev/copyrights file on how to add correct headers to the new files. 4. Handle the rest that can't be modified via .reuse/dep5 file. The binary (or otherwise unmodifiable) files could have license places next to them in <foo>.license file, but this would lead to cluttered repository and most of the files handled in the .reuse/dep5 file are system test files. 2021-06-03 08:37:05 +02:00			`-->`
Update license headers to not include years in copyright in all applicable files 2018-02-23 09:53:12 +01:00
3341. [func] New "dnssec-verify" command checks a signed zone to ensure correctness of signatures and of NSEC/NSEC3 chains. [RT #23673] 2012-06-25 13:57:32 +10:00			`dnssec-verify a tool to verify a zone is correctly signed.`

			`* check that every record that should be signed has a valid RRSIG set.`
			`* check that every record that shouldn't be signed isn't.`
			`* check that each RRSIG set has a valid RRSIG and that all DNSKEY algorithms`
			`in use are checked.`
			`* provide a mechanism to mark DNSKEY algorithms to be ignored to support`
some Fossies-reported spelling errors were accidentally left unfixed 2020-02-21 14:12:42 -08:00			`verification of zones that are in the process of adding/removing`
3341. [func] New "dnssec-verify" command checks a signed zone to ensure correctness of signatures and of NSEC/NSEC3 chains. [RT #23673] 2012-06-25 13:57:32 +10:00			`support for a algorithm.`
			`* provide a mechanism to check the zone as of a specified date and time.`
			`* check that RRSIG won't expire within the TTL interval.`
			`* check that original TTL matches.`

			`NSEC:`
			`* check that every node with data within the zone has a NSEC RRset.`
			`* check that empty nodes don't have a NSEC record.`
			`* check that nodes outside the zone do not have a NSEC record.`
			`* check that the NSEC chain is valid.`

			`NSEC3: for each NSEC3 chain`
			`* check that every node with data within the zone has a NSEC3 RRset.`
			`* check that empty nodes within the zone have a NSEC3 record.`
			`* check that nodes outside the zone do not have a NSEC3 record.`
			`* check that each NSEC3 in the NSEC3PARAM record is valid.`