summaryrefslogtreecommitdiffstats
path: root/doc/man/dnssec-checkds.8in
blob: 045f1578925e29f1c70427dc4f89cdd82e4aca97 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
.\" Man page generated from reStructuredText.
.
.
.nr rst2man-indent-level 0
.
.de1 rstReportMargin
\\$1 \\n[an-margin]
level \\n[rst2man-indent-level]
level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
-
\\n[rst2man-indent0]
\\n[rst2man-indent1]
\\n[rst2man-indent2]
..
.de1 INDENT
.\" .rstReportMargin pre:
. RS \\$1
. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
. nr rst2man-indent-level +1
.\" .rstReportMargin post:
..
.de UNINDENT
. RE
.\" indent \\n[an-margin]
.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
.nr rst2man-indent-level -1
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
.TH "DNSSEC-CHECKDS" "8" "@RELEASE_DATE@" "@BIND9_VERSION@" "BIND 9"
.SH NAME
dnssec-checkds \- DNSSEC delegation consistency checking tool
.SH SYNOPSIS
.sp
\fBdnssec\-checkds\fP [\fB\-d\fP\fIdig path\fP] [\fB\-D\fP\fIdsfromkey path\fP]
[\fB\-f\fP\fIfile\fP] [\fB\-l\fP\fIdomain\fP] [\fB\-s\fP\fIfile\fP] {zone}
.SH DESCRIPTION
.sp
\fBdnssec\-checkds\fP verifies the correctness of Delegation Signer (DS)
resource records for keys in a specified zone.
.SH OPTIONS
.sp
\fB\-a\fP \fIalgorithm\fP
.INDENT 0.0
.INDENT 3.5
Specify a digest algorithm to use when converting the zones DNSKEY
records to expected DS records. This option can be repeated, so that
multiple records are checked for each DNSKEY record.
.sp
The \fIalgorithm\fP must be one of SHA\-1, SHA\-256, or SHA\-384. These
values are case insensitive, and the hyphen may be omitted. If no
algorithm is specified, the default is SHA\-256.
.UNINDENT
.UNINDENT
.sp
\fB\-f\fP \fIfile\fP
.INDENT 0.0
.INDENT 3.5
If a \fBfile\fP is specified, then the zone is read from that file to
find the DNSKEY records. If not, then the DNSKEY records for the zone
are looked up in the DNS.
.UNINDENT
.UNINDENT
.sp
\fB\-s\fP \fIfile\fP
.INDENT 0.0
.INDENT 3.5
Specifies a prepared dsset file, such as would be generated by
\fBdnssec\-signzone\fP, to use as a source for the DS RRset instead of
querying the parent.
.UNINDENT
.UNINDENT
.sp
\fB\-d\fP \fIdig path\fP
.INDENT 0.0
.INDENT 3.5
Specifies a path to a \fBdig\fP binary. Used for testing.
.UNINDENT
.UNINDENT
.sp
\fB\-D\fP \fIdsfromkey path\fP
.INDENT 0.0
.INDENT 3.5
Specifies a path to a \fBdnssec\-dsfromkey\fP binary. Used for testing.
.UNINDENT
.UNINDENT
.SH SEE ALSO
.sp
\fBdnssec\-dsfromkey\fP(8), \fBdnssec\-keygen\fP(8),
\fBdnssec\-signzone\fP(8),
.SH AUTHOR
Internet Systems Consortium
.SH COPYRIGHT
2024, Internet Systems Consortium
.\" Generated by docutils manpage writer.
.