Provided by: dnssec-tools_2.2-2_all 
NAME
getds - Create a DS record from DNSKEYing information
SYNOPSIS
getds <domain>
DESCRIPTION
getds will create a DS record from DNSKEYs for the specified DNS domain. It does this by converting
DNSKEYs to DS records using the specified hashing algorithm. The results can then be passed to upstream
DNSSEC-supporting parents or to DLV registries.
getds will also pull the parent's published DS records and compare them against the existing keys. It
will then list any DS records not published in the parent, as well as any DS records that are published
in the parent but which don't match an existing key.
OPTIONS
getds takes the following options:
-a ALGORITHMS
--hash-algorithm algorithm ALGORITHMS
This option specifies the hash algorithm to use when converting DNSKEYs to DS records. It may be a
comma-separated list if multiple algorithms are desired. The algorithms to choose from may be either
SHA256 or SHA1.
The default is SHA256,SHA1
-f KEYFILE
--read-key-file KEYFILE
This option specifies a file with a DNSKEY stored in it (such as created by bind's dnssec-keygen
program). This is helpful for comparing a known good key file against something that is actually
published.
-z
--print-zsks
This option causes getds to print ZSK DS records, as well as KSK records.
-p
--dont-check-parent
Instructs getds to not check the records in the parent for their published DS records.
-q
--quiet
Produces quiet output with no explanatory headers. In other words, it only prints the DS records
generated from the DNSKEYs.
Note: Running with -q implies -p.
SECURITY CONSIDERATIONS
By default, getds pulls data from the live DNS. If your DNS resolver isn't configured so that this is
pulled securely, then the results can't be trusted.
COPYRIGHT
Copyright 2008-2014 SPARTA, Inc. All rights reserved. See the COPYING file included with the DNSSEC-
Tools package for details.
AUTHOR
Wes Hardaker, hardaker AT AT AT users.sourceforge.net