Manpages - dnssec-checkds.8

Table of Contents


dnssec-checkds - DNSSEC delegation consistency checking tool


dnssec-checkds [*-d*/dig path/] [*-D*/dsfromkey path/] [*-f*/file/] [*-l*/domain/] [*-s*/file/] {zone}


dnssec-checkds verifies the correctness of Delegation Signer (DS) resource records for keys in a specified zone.


-a algorithm

#+begin_quote Specify a digest algorithm to use when converting the zones DNSKEY records to expected DS records. This option can be repeated, so that multiple records are checked for each DNSKEY record.

The algorithm must be one of SHA-1, SHA-256, or SHA-384. These values are case insensitive, and the hyphen may be omitted. If no algorithm is specified, the default is SHA-256.


-f file

#+begin_quote If a file is specified, then the zone is read from that file to find the DNSKEY records. If not, then the DNSKEY records for the zone are looked up in the DNS.


-s file

#+begin_quote Specifies a prepared dsset file, such as would be generated by dnssec-signzone, to use as a source for the DS RRset instead of querying the parent.


-d dig path

#+begin_quote Specifies a path to a dig binary. Used for testing.


-D dsfromkey path

#+begin_quote Specifies a path to a dnssec-dsfromkey binary. Used for testing.



*dnssec-dsfromkey*(8), *dnssec-keygen*(8), *dnssec-signzone*(8),


Internet Systems Consortium


2021, Internet Systems Consortium

Author: dt

Created: 2022-02-20 Sun 09:52