NAME

       dnssec-checkds - DNSSEC delegation consistency checking tool

SYNOPSIS

       dnssec-checkds [-ddig path] [-Ddsfromkey path] [-ffile] [-ldomain] [-sfile] {zone}

DESCRIPTION

       dnssec-checkds  verifies  the  correctness  of Delegation Signer (DS) resource records for
       keys in a specified zone.

OPTIONS

       -a algorithm
          Specify a digest algorithm to use when converting the zones DNSKEY records to  expected
          DS  records. This option can be repeated, so that multiple records are checked for each
          DNSKEY record.

          The algorithm must be one  of  SHA-1,  SHA-256,  or  SHA-384.  These  values  are  case
          insensitive,  and  the hyphen may be omitted. If no algorithm is specified, the default
          is SHA-256.

       -f file
          If a file is specified, then the zone is  read  from  that  file  to  find  the  DNSKEY
          records. If not, then the DNSKEY records for the zone are looked up in the DNS.

       -s file
          Specifies  a prepared dsset file, such as would be generated by dnssec-signzone, to use
          as a source for the DS RRset instead of querying the parent.

       -d dig path
          Specifies a path to a dig binary. Used for testing.

       -D dsfromkey path
          Specifies a path to a dnssec-dsfromkey binary. Used for testing.

SEE ALSO

       dnssec-dsfromkey(8), dnssec-keygen(8), dnssec-signzone(8),

AUTHOR

       Internet Systems Consortium

COPYRIGHT

       2024, Internet Systems Consortium