DNSSEC-CHECKDS(8)                  BIND 9                  DNSSEC-CHECKDS(8)

NAME
       dnssec-checkds - DNSSEC delegation consistency checking tool

SYNOPSIS
       dnssec-checkds [-d dig path] [-D dsfromkey path] [-f file] [-l domain]
       [-s file] {zone}

DESCRIPTION
       dnssec-checkds verifies the correctness of Delegation Signer (DS)
       resource records for keys in a specified zone.

OPTIONS
       -a algorithm
           Specify a digest algorithm to use when converting the zone's
           DNSKEY records to expected DS records. This option can be
           repeated, so that multiple records are checked for each DNSKEY
           record.

           The algorithm must be one of SHA-1, SHA-256, or SHA-384. These
           values are case insensitive, and the hyphen may be omitted. If
           no algorithm is specified, the default is SHA-256.

       -f file
           If a file is specified, then the zone is read from that file to
           find the DNSKEY records. If not, then the DNSKEY records for the
           zone are looked up in the DNS.

       -s file
           Specifies a prepared dsset file, such as would be generated by
           dnssec-signzone, to use as a source for the DS RRset instead of
           querying the parent.

       -d dig path
           Specifies a path to a dig binary. Used for testing.

       -D dsfromkey path
           Specifies a path to a dnssec-dsfromkey binary. Used for testing.

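The DNSKEY-to-DS conversion and comparison described under -a, as an added example that is not part of the original page or of BIND's own code. It follows RFC 4034 (DS digest over owner name plus DNSKEY RDATA, key tag from Appendix B); the function names, the zone example.com and the key material are constructed for illustration, and the orphan-DS report is an addition for spotting stale records at the parent.

```python
import base64
import hashlib

# DS digest type numbers (IANA) for the algorithms the -a option accepts.
DIGESTS = {"SHA1": (1, hashlib.sha1), "SHA256": (2, hashlib.sha256),
           "SHA384": (4, hashlib.sha384)}

# Constructed sample key material (not a real public key).
SAMPLE_PUBKEY = base64.b64encode(bytes(range(64))).decode()

def wire_name(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA: flags (2 bytes), protocol, algorithm, public key."""
    return (flags.to_bytes(2, "big") + bytes([protocol, algorithm])
            + base64.b64decode(pubkey_b64))

def key_tag(rdata):
    """Key tag checksum from RFC 4034 Appendix B."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def expected_ds(zone, rdata, digest_name="SHA-256"):
    """(key tag, algorithm, digest type, hex digest) expected at the parent."""
    # Algorithm names are case insensitive and the hyphen may be omitted.
    dtype, hasher = DIGESTS[digest_name.upper().replace("-", "")]
    digest = hasher(wire_name(zone) + rdata).hexdigest().upper()
    return (key_tag(rdata), rdata[3], dtype, digest)

def check_ds(zone, dnskeys, ds_rrset, digest_names=("SHA-256",)):
    """For each expected DS, report whether the DS RRset contains it, then
    list DS records that match no DNSKEY (stale or foreign delegations)."""
    ds_set = {(t, a, d, h.upper().replace(" ", "")) for t, a, d, h in ds_rrset}
    expected = [expected_ds(zone, k, n) for k in dnskeys for n in digest_names]
    found = [(ds, ds in ds_set) for ds in expected]
    return found, sorted(ds_set - set(expected))

if __name__ == "__main__":
    ksk = dnskey_rdata(257, 3, 13, SAMPLE_PUBKEY)      # constructed KSK
    parent = [expected_ds("example.com", ksk), (12345, 13, 2, "00" * 32)]
    found, orphans = check_ds("example.com", [ksk], parent, ("SHA-1", "SHA-256"))
    for ds, ok in found:
        print("found  " if ok else "MISSING", *ds)
    for ds in orphans:
        print("ORPHAN ", *ds)
```
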
SEE ALSO
       dnssec-dsfromkey(8), dnssec-keygen(8), dnssec-signzone(8),

AUTHOR
       Internet Systems Consortium

COPYRIGHT
       2022, Internet Systems Consortium

9.16.30-RH                                                 DNSSEC-CHECKDS(8)