From 6e6f5e3e1111680cff3ef4a4fa27923548c88f70 Mon Sep 17 00:00:00 2001
From: Tinderbox User <tbox@isc.org>
Date: Thu, 23 Aug 2012 07:49:17 +0000
Subject: [PATCH] man.dnssec-verify.html

---
 doc/arm/man.dnssec-verify.html | 156 +++++++++++++++++++++++++++++++++
 1 file changed, 156 insertions(+)
 create mode 100644 doc/arm/man.dnssec-verify.html

diff --git a/doc/arm/man.dnssec-verify.html b/doc/arm/man.dnssec-verify.html
new file mode 100644
index 0000000000..e0d58d5684
--- /dev/null
+++ b/doc/arm/man.dnssec-verify.html
@@ -0,0 +1,156 @@
+<!--
+ - Copyright (C) 2004-2012 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2003 Internet Software Consortium.
+ - 
+ - Permission to use, copy, modify, and/or distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ - 
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+<!-- $Id$ -->
+<html>
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+<title>dnssec-verify</title>
+<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
+<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
+<link rel="up" href="Bv9ARM.ch10.html" title="Manual pages">
+<link rel="prev" href="man.dnssec-signzone.html" title="dnssec-signzone">
+<link rel="next" href="man.named-checkconf.html" title="named-checkconf">
+</head>
+<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
+<div class="navheader">
+<table width="100%" summary="Navigation header">
+<tr><th colspan="3" align="center"><span class="application">dnssec-verify</span></th></tr>
+<tr>
+<td width="20%" align="left">
+<a accesskey="p" href="man.dnssec-signzone.html">Prev</a> </td>
+<th width="60%" align="center">Manual pages</th>
+<td width="20%" align="right"> <a accesskey="n" href="man.named-checkconf.html">Next</a>
+</td>
+</tr>
+</table>
+<hr>
+</div>
+<div class="refentry" lang="en">
+<a name="man.dnssec-verify"></a><div class="titlepage"></div>
+<div class="refnamediv">
+<h2>Name</h2>
+<p><span class="application">dnssec-verify</span> &#8212; DNSSEC zone verification tool</p>
+</div>
+<div class="refsynopsisdiv">
+<h2>Synopsis</h2>
+<div class="cmdsynopsis"><p><code class="command">dnssec-verify</code>  [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-I <em class="replaceable"><code>input-format</code></em></code>] [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-x</code>] [<code class="option">-z</code>] {zonefile}</p></div>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2620620"></a><h2>DESCRIPTION</h2>
+<p><span><strong class="command">dnssec-verify</strong></span>
+      verifies that a zone is fully signed for each algorithm found
+      in the DNSKEY RRset for the zone, and that the NSEC / NSEC3
+      chains are complete.
+    </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2620634"></a><h2>OPTIONS</h2>
+<div class="variablelist"><dl>
+<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
+<dd><p>
+            Specifies the DNS class of the zone.
+          </p></dd>
+<dt><span class="term">-I <em class="replaceable"><code>input-format</code></em></span></dt>
+<dd><p>
+            The format of the input zone file.
+	    Possible formats are <span><strong class="command">"text"</strong></span> (default)
+	    and <span><strong class="command">"raw"</strong></span>.
+	    This option is primarily intended to be used for dynamic
+            signed zones so that the dumped zone file in a non-text
+            format containing updates can be verified independently.
+	    The use of this option does not make much sense for
+	    non-dynamic zones.
+          </p></dd>
+<dt><span class="term">-o <em class="replaceable"><code>origin</code></em></span></dt>
+<dd><p>
+            The zone origin.  If not specified, the name of the zone file
+            is assumed to be the origin.
+          </p></dd>
+<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
+<dd><p>
+            Sets the debugging level.
+          </p></dd>
+<dt><span class="term">-x</span></dt>
+<dd><p>
+            Only verify that the DNSKEY RRset is signed with key-signing
+            keys.  Without this flag, it is assumed that the DNSKEY RRset
+            will be signed by all active keys.  When this flag is set,
+            it will not be an error if the DNSKEY RRset is not signed
+            by zone-signing keys.  This corresponds to the <code class="option">-x</code>
+            option in <span><strong class="command">dnssec-signzone</strong></span>.
+          </p></dd>
+<dt><span class="term">-z</span></dt>
+<dd>
+<p>
+	    Ignore the KSK flag on the keys when determining whether
+            the zone if correctly signed.  Without this flag it is
+	    assumed that there will be a non-revoked, self-signed
+	    DNSKEY with the KSK flag set for each algorithm and
+	    that RRsets other than DNSKEY RRset will be signed with
+            a different DNSKEY without the KSK flag set.
+	  </p>
+<p>
+	    With this flag set, we only require that for each algorithm,
+            there will be at least one non-revoked, self-signed DNSKEY,
+            regardless of the KSK flag state, and that other RRsets
+	    will be signed by a non-revoked key for the same algorithm
+            that includes the self-signed key; the same key may be used
+            for both purposes.  This corresponds to the <code class="option">-z</code>
+            option in <span><strong class="command">dnssec-signzone</strong></span>.
+	  </p>
+</dd>
+<dt><span class="term">zonefile</span></dt>
+<dd><p>
+            The file containing the zone to be signed.
+          </p></dd>
+</dl></div>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2620784"></a><h2>SEE ALSO</h2>
+<p>
+      <span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
+      <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
+      <em class="citetitle">RFC 4033</em>.
+    </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2620809"></a><h2>AUTHOR</h2>
+<p><span class="corpauthor">Internet Systems Consortium</span>
+    </p>
+</div>
+</div>
+<div class="navfooter">
+<hr>
+<table width="100%" summary="Navigation footer">
+<tr>
+<td width="40%" align="left">
+<a accesskey="p" href="man.dnssec-signzone.html">Prev</a> </td>
+<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch10.html">Up</a></td>
+<td width="40%" align="right"> <a accesskey="n" href="man.named-checkconf.html">Next</a>
+</td>
+</tr>
+<tr>
+<td width="40%" align="left" valign="top">
+<span class="application">dnssec-signzone</span> </td>
+<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
+<td width="40%" align="right" valign="top"> <span class="application">named-checkconf</span>
+</td>
+</tr>
+</table>
+</div>
+</body>
+</html>