.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
..
.. SPDX-License-Identifier: MPL-2.0
..
.. This Source Code Form is subject to the terms of the Mozilla Public
.. License, v. 2.0.  If a copy of the MPL was not distributed with this
.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
..
.. See the COPYRIGHT file distributed with this work for additional
.. information regarding copyright ownership.

.. highlight: console

.. _man_dnssec-checkds:

dnssec-checkds - DNSSEC delegation consistency checking tool
------------------------------------------------------------

Synopsis
~~~~~~~~

``dnssec-checkds`` [**-d**\ *dig path*] [**-D**\ *dsfromkey path*] [**-f**\ *file*] [**-l**\ *domain*] [**-s**\ *file*] {zone}

Description
~~~~~~~~~~~

``dnssec-checkds`` verifies the correctness of Delegation Signer (DS)
resource records for keys in a specified zone.

Options
~~~~~~~

**-a** *algorithm*
   Specifies a digest algorithm to use when converting the zone's DNSKEY
   records to expected DS records. This option can be repeated, so
   that multiple records are checked for each DNSKEY record.

   The *algorithm* must be one of SHA-1, SHA-256, or SHA-384. These
   values are case-insensitive, and the hyphen may be omitted. If no
   algorithm is specified, the default is SHA-256.

**-f** *file*
   If a ``file`` is specified, the zone is read from that file to
   find the DNSKEY records. If not, the DNSKEY records for the
   zone are looked up in the DNS.

**-s** *file*
   Specifies a prepared dsset file, such as would be generated by
   ``dnssec-signzone``, to use as a source for the DS RRset instead of
   querying the parent.

**-d** *dig path*
   Specifies a path to a ``dig`` binary. Used for testing.

**-D** *dsfromkey path*
   Specifies a path to a ``dnssec-dsfromkey`` binary. Used for testing.

See Also
~~~~~~~~

``dnssec-dsfromkey``\ (8), ``dnssec-keygen``\ (8), ``dnssec-signzone``\ (8).
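
Example
~~~~~~~

The comparison that the Description and the **-a** option describe, as an added example that is not code from BIND: it derives the expected DS record for a DNSKEY as defined in RFC 4034 and checks it against a parent DS set. The zone name, ``SAMPLE_KEY`` and all function names are constructed for illustration.

```python
import base64
import hashlib
import struct

# DS digest type numbers for the three algorithms that -a accepts.
DIGESTS = {"SHA1": (1, hashlib.sha1), "SHA256": (2, hashlib.sha256),
           "SHA384": (4, hashlib.sha384)}

# Constructed DNSKEY (flags, protocol, algorithm, base64 key); not a real key.
SAMPLE_KEY = (257, 3, 13, base64.b64encode(bytes(range(1, 65))).decode())

def name_to_wire(name):
    """Canonical (lowercased) wire form of the DNSKEY owner name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (not valid for algorithm 1, RSA/MD5)."""
    ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def expected_ds(zone, flags, protocol, alg, pubkey_b64, digest="SHA-256"):
    """Return (key tag, algorithm, digest type, hex digest) for one DNSKEY."""
    # Algorithm names are matched case-insensitively, hyphen optional.
    dtype, hasher = DIGESTS[digest.upper().replace("-", "")]
    rdata = struct.pack("!HBB", flags, protocol, alg) + base64.b64decode(pubkey_b64)
    # RFC 4034 section 5.1.4: digest = hash(owner name | DNSKEY RDATA).
    return key_tag(rdata), alg, dtype, hasher(name_to_wire(zone) + rdata).hexdigest().upper()

def check_ds(zone, dnskeys, parent_ds, digests=("SHA-256",)):
    """Map every expected DS tuple to True if the parent DS set contains it."""
    published = {(tag, alg, dtype, dg.upper()) for tag, alg, dtype, dg in parent_ds}
    return {ds: ds in published
            for key in dnskeys for name in digests
            for ds in [expected_ds(zone, *key, digest=name)]}

def demo():
    """Constructed case: the parent publishes only the SHA-256 DS (lowercase hex)."""
    tag, alg, dtype, dg = expected_ds("example.com.", *SAMPLE_KEY)
    parent = [(tag, alg, dtype, dg.lower())]
    return check_ds("example.com.", [SAMPLE_KEY], parent, ("SHA-256", "SHA-384"))

if __name__ == "__main__":
    for ds, ok in demo().items():
        print("DS %d %d %d %s: %s" % (*ds, "found" if ok else "missing"))
```

Checking two digest types against a parent that publishes one reports the SHA-384 record as missing, which is the per-DNSKEY result that repeating **-a** produces.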