.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
..
.. SPDX-License-Identifier: MPL-2.0
..
.. This Source Code Form is subject to the terms of the Mozilla Public
.. License, v. 2.0.  If a copy of the MPL was not distributed with this
.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
..
.. See the COPYRIGHT file distributed with this work for additional
.. information regarding copyright ownership.

.. highlight:: console

.. _man_dnssec-checkds:

dnssec-checkds - DNSSEC delegation consistency checking tool
------------------------------------------------------------

Synopsis
~~~~~~~~

``dnssec-checkds`` [**-a**\ *algorithm*] [**-d**\ *dig path*]
[**-D**\ *dsfromkey path*] [**-f**\ *file*] [**-l**\ *domain*]
[**-s**\ *file*] {zone}

Description
~~~~~~~~~~~

``dnssec-checkds`` verifies the correctness of Delegation Signer (DS)
resource records for keys in a specified zone.

Options
~~~~~~~

**-a** *algorithm*

   Specify a digest algorithm to use when converting the zone's DNSKEY
   records to expected DS records. This option can be repeated, so that
   multiple records are checked for each DNSKEY record.

   The *algorithm* must be one of SHA-1, SHA-256, or SHA-384. These
   values are case insensitive, and the hyphen may be omitted. If no
   algorithm is specified, the default is SHA-256.

**-f** *file*

   If a ``file`` is specified, then the zone is read from that file to
   find the DNSKEY records. If not, then the DNSKEY records for the zone
   are looked up in the DNS.

**-s** *file*

   Specifies a prepared dsset file, such as would be generated by
   ``dnssec-signzone``, to use as a source for the DS RRset instead of
   querying the parent.

**-d** *dig path*

   Specifies a path to a ``dig`` binary. Used for testing.

**-D** *dsfromkey path*

   Specifies a path to a ``dnssec-dsfromkey`` binary. Used for testing.
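
The DNSKEY-to-DS comparison described under **-a**, as an added example that is not part of BIND or of this manual page. It derives the expected DS record as defined in RFC 4034 and checks it against a parent DS set. The function names and the all-zero sample key are constructed for illustration.

```python
import base64
import hashlib
import struct

# DS digest type numbers (IANA registry) for the three algorithms -a accepts.
DIGESTS = {"SHA1": (1, hashlib.sha1), "SHA256": (2, hashlib.sha256),
           "SHA384": (4, hashlib.sha384)}

def wire_name(name):
    """Owner name in canonical (lower-case) DNS wire format."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B, computed over the DNSKEY RDATA."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def expected_ds(zone, flags, protocol, alg, pubkey_b64, digest="SHA-256"):
    """DS tuple (key tag, algorithm, digest type, hex digest) for one DNSKEY."""
    # Digest names are case insensitive and the hyphen is optional, as for -a.
    dtype, hasher = DIGESTS[digest.upper().replace("-", "")]
    rdata = struct.pack("!HBB", flags, protocol, alg) + base64.b64decode(pubkey_b64)
    return (key_tag(rdata), alg, dtype,
            hasher(wire_name(zone) + rdata).hexdigest().upper())

def check_ds(zone, dnskeys, parent_ds, digests=("SHA-256",)):
    """Split the expected DS records into those found at the parent and those not."""
    published = {(t, a, d, h.upper()) for t, a, d, h in parent_ds}
    found, missing = [], []
    for key in dnskeys:
        for digest in digests:
            ds = expected_ds(zone, *key, digest=digest)
            (found if ds in published else missing).append(ds)
    return found, missing

# Constructed sample data: a KSK (flags 257) with an all-zero 64-byte "public key".
ZONE = "example.com."
KSK = (257, 3, 13, "A" * 86 + "==")
good = expected_ds(ZONE, *KSK)
stale = (good[0], good[1], good[2], "00" * 32)   # parent still holds an old digest

if __name__ == "__main__":
    print(check_ds(ZONE, [KSK], [good], digests=("sha256", "SHA-384")))
    print(check_ds(ZONE, [KSK], [stale]))
```

A DS record whose key tag and algorithm match but whose digest does not, as in the ``stale`` case, is the inconsistency that breaks the chain of trust after a key rollover.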

See Also
~~~~~~~~

``dnssec-dsfromkey``\ (8), ``dnssec-keygen``\ (8),
``dnssec-signzone``\ (8).