dnssec-checkds Command

Purpose

Verifies consistency of DS resource records.

Syntax

dnssec-checkds [-d dig path] [-D dsfromkey path] [-f file] [-l domain] [-s file] {zone}

Description

The dnssec-checkds command is a high-level Python3 wrapper that verifies the correctness of Delegation Signer (DS) resource records for keys in a specified zone.

Flags

-a algorithm

Specify a digest algorithm that must be used when converting the zone's DNSKEY records to expected DS records. This option can be used multiple times, so that multiple records are checked for each DNSKEY record.

The algorithm must be one of the following values: SHA-1, SHA-256, or SHA-384. These values are case insensitive, and the hyphen may be omitted. If an algorithm is not specified, the default value is SHA-256.

-f file

If a file is specified, zone is read from that file to find DNSKEY records. Otherwise the DNSKEY records for the zone are looked up in the DNS.

-s file

Specifies a prepared dsset file, as generated by the dnssec-signzone command, used as a source for the DS RRset instead of querying the parent zone.

-d dig path

Specifies dig binary path. This flag is used only for testing purposes.

-D dsfromkey path

Specifies the dnssec-dsfromkey binary path. This flag is used only for testing purposes.