NAME
dnssec-verify - DNSSEC zone verification tool

SYNOPSIS
dnssec-verify [-c class] [-E engine] [-I input-format] [-o origin] [-v level] [-x] [-z] {zonefile}

DESCRIPTION
dnssec-verify verifies that a zone is fully signed for each algorithm found in the DNSKEY RRset for the zone, and that the NSEC / NSEC3 chains are complete.

Options: (default value in parenthesis)
-v debuglevel (0)
-o origin:
zone origin (name of zonefile)
-I format:
file format of input zonefile (text)
-c class (IN)
-E engine:
name of an OpenSSL engine to use
-x:     DNSKEY record signed with KSKs only, not ZSKs
-z:     All records signed with KSKs

[root@test ~]# dnssec-verify -o apricot2003.net.tw -I raw /var/named/apricot2003.net.tw.3LD.signed
Loading zone 'apricot2003.net.tw' from file '/var/named/apricot2003.net.tw.3LD.signed'
Verifying the zone using the following algorithms: RSASHA1.
Zone fully signed:
Algorithm: RSASHA1: KSKs: 1 active, 2 stand-by, 0 revoked
ZSKs: 1 active, 1 stand-by, 0 revoked