DNSSEC-CHECKDS(8) | BIND 9 | DNSSEC-CHECKDS(8) |
NAME
dnssec-checkds - DNSSEC delegation consistency checking tool
SYNOPSIS
dnssec-checkds [-d dig path] [-D dsfromkey path] [-f file] [-l domain] [-s file] {zone}
DESCRIPTION
dnssec-checkds verifies the correctness of Delegation Signer (DS) resource records for keys in a specified zone.
OPTIONS
-a algorithm
Specify a digest algorithm to use when converting the zone's DNSKEY records to expected DS records. This option can be repeated, so that multiple records are checked for each DNSKEY record.
The algorithm must be one of SHA-1, SHA-256, or SHA-384. These values are case insensitive, and the hyphen may be omitted. If no algorithm is specified, the default is SHA-256.
-f file
If a file is specified, then the zone is read from that file to find the DNSKEY records. If not, then the DNSKEY records for the zone are looked up in the DNS.
-s file
Specifies a prepared dsset file, such as would be generated by dnssec-signzone, to use as a source for the DS RRset instead of querying the parent.
-d dig path
Specifies a path to a dig binary. Used for testing.
-D dsfromkey path
Specifies a path to a dnssec-dsfromkey binary. Used for testing.
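The check described under DESCRIPTION and the -a option, reduced to the underlying RFC 4034 computation, as an added example (not BIND's code; the tool itself relies on the dig and dnssec-dsfromkey binaries named above): each DNSKEY is hashed together with the owner name to form the expected DS, which is then looked up in the parent's DS set. The zone name, the 64-byte key and all function names are constructed for illustration.

```python
import base64, hashlib, struct

# IANA DS digest type numbers for the algorithms -a accepts
DIGESTS = {"SHA1": (1, hashlib.sha1), "SHA256": (2, hashlib.sha256),
           "SHA384": (4, hashlib.sha384)}

def wire_name(name):
    """Canonical (lower-case) wire format of the owner name."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA: flags | protocol | algorithm | public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def expected_ds(zone, rdata, alg_name):
    """(key tag, key algorithm, digest type, hex digest) expected at the parent."""
    # Algorithm names are case-insensitive and the hyphen is optional.
    dtype, fn = DIGESTS[alg_name.upper().replace("-", "")]
    return (key_tag(rdata), rdata[3], dtype, fn(wire_name(zone) + rdata).hexdigest())

def check_ds(zone, dnskeys, parent_ds, algs=("SHA-256",)):
    """Map each expected DS tuple to whether the parent DS set contains it."""
    parent = {(t, a, d, h.lower()) for t, a, d, h in parent_ds}
    return {ds: ds in parent
            for rdata in dnskeys for alg in algs
            for ds in [expected_ds(zone, rdata, alg)]}

# Constructed sample data: a fake 64-byte "public key", not a real zone's key.
ZONE = "example.com."
SAMPLE_KEY = dnskey_rdata(257, 3, 13, base64.b64encode(bytes(range(64))).decode())

if __name__ == "__main__":
    good = [expected_ds(ZONE, SAMPLE_KEY, "SHA-256")]
    stale = [(good[0][0], 13, 2, "00" * 32)]  # digest left over from an old key
    for label, parent in (("matching", good), ("stale", stale)):
        results = check_ds(ZONE, [SAMPLE_KEY], parent, ["sha256", "SHA-384"])
        for ds, ok in results.items():
            print(label, ds[0], ds[2], "found" if ok else "MISSING")
```

A DS that is reported missing for every digest type means the parent no longer vouches for any key in the zone, which validating resolvers treat as a broken chain of trust.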
SEE ALSO
AUTHOR
Internet Systems Consortium
COPYRIGHT
2021, Internet Systems Consortium
9.16.23-RH |