path: root/bin/python/dnssec-checkds.rst
Diffstat (limited to 'bin/python/dnssec-checkds.rst')
-rw-r--r-- bin/python/dnssec-checkds.rst 68
1 files changed, 68 insertions, 0 deletions
diff --git a/bin/python/dnssec-checkds.rst b/bin/python/dnssec-checkds.rst
new file mode 100644
index 0000000..aa239fa
--- /dev/null
+++ b/bin/python/dnssec-checkds.rst
@@ -0,0 +1,68 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0. If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+.. highlight: console
+
+.. _man_dnssec-checkds:
+
+dnssec-checkds - DNSSEC delegation consistency checking tool
+------------------------------------------------------------
+
+Synopsis
+~~~~~~~~
+
+``dnssec-checkds`` [**-d**\ *dig path*] [**-D**\ *dsfromkey path*]
+[**-f**\ *file*] [**-l**\ *domain*] [**-s**\ *file*] {zone}
+
+Description
+~~~~~~~~~~~
+
+``dnssec-checkds`` verifies the correctness of Delegation Signer (DS)
+resource records for keys in a specified zone.
+
+Options
+~~~~~~~
+
+**-a** *algorithm*
+
+ Specify a digest algorithm to use when converting the zones DNSKEY
+ records to expected DS records. This option can be repeated, so that
+ multiple records are checked for each DNSKEY record.
+
+ The *algorithm* must be one of SHA-1, SHA-256, or SHA-384. These
+ values are case insensitive, and the hyphen may be omitted. If no
+ algorithm is specified, the default is SHA-256.
+
+**-f** *file*
+
+ If a ``file`` is specified, then the zone is read from that file to
+ find the DNSKEY records. If not, then the DNSKEY records for the zone
+ are looked up in the DNS.
+
+**-s** *file*
+
+ Specifies a prepared dsset file, such as would be generated by
+ ``dnssec-signzone``, to use as a source for the DS RRset instead of
+ querying the parent.
+
+**-d** *dig path*
+
+ Specifies a path to a ``dig`` binary. Used for testing.
+
+**-D** *dsfromkey path*
+
+ Specifies a path to a ``dnssec-dsfromkey`` binary. Used for testing.
+
+See Also
+~~~~~~~~
+
+``dnssec-dsfromkey``\ (8), ``dnssec-keygen``\ (8),
+``dnssec-signzone``\ (8),
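Review bot: the Synopsis and Options sections disagree. The Synopsis lists [**-l**\ *domain*], which has no entry under Options, while **-a** *algorithm* is documented under Options but missing from the Synopsis. Please either document -l or drop it from the Synopsis, and add [**-a**\ *algorithm*] there. Smaller points in the same hunk: ".. highlight: console" has a single colon, so reST parses it as a comment rather than a directive (".. highlight:: console" is probably what was meant); "the zones DNSKEY records" under -a should read "the zone's DNSKEY records"; and the See Also list ends with a trailing comma after ``dnssec-signzone``\ (8), which suggests an entry was cut off or the comma should be removed.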