dnssec-checkds Command
Purpose
Verifies consistency of DS resource records.
Syntax
dnssec-checkds [-d dig path] [-D dsfromkey path] [-f file] [-l domain] [-s file] {zone}
Description
The dnssec-checkds command is a high-level Python3 wrapper that verifies the correctness of Delegation Signer (DS) resource records for keys in a specified zone.
Flags
- -a algorithm
Specifies a digest algorithm that must be used when converting the zone's DNSKEY records to the expected DS records. This option can be used multiple times, so that multiple DS records are checked for each DNSKEY record.
The algorithm must be one of the following values: SHA-1, SHA-256, or SHA-384. These values are case insensitive, and the hyphen may be omitted. If an algorithm is not specified, the default value is SHA-256.
- -f file
If a file is specified, the zone is read from that file to find DNSKEY records. Otherwise, the DNSKEY records for the zone are looked up in the DNS.
- -s file
Specifies a prepared dsset file, as generated by the dnssec-signzone command, used as a source for the DS RRset instead of querying the parent zone.
- -d dig path
Specifies the dig binary path. This flag is used only for testing purposes.
- -D dsfromkey path
Specifies the dnssec-dsfromkey binary path. This flag is used only for testing purposes.
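The check described above (convert each DNSKEY to its expected DS record with the chosen digest algorithms, then look for it in the parent's DS RRset) can be sketched as follows. This is an added example, not the dnssec-checkds source, which calls dig and dnssec-dsfromkey instead; the function names and the sample key are assumptions made for illustration.

```python
import base64
import hashlib
import struct

# Digest names as the -a flag accepts them (hyphen removed, upper-cased),
# mapped to the DS digest type number and hash constructor.
DIGESTS = {"SHA1": (1, hashlib.sha1), "SHA256": (2, hashlib.sha256),
           "SHA384": (4, hashlib.sha384)}

def wire_name(name):
    """Canonical wire format of a domain name: lower-cased, length-prefixed labels."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, key_b64):
    """DNSKEY RDATA: flags (2 bytes), protocol, algorithm, then the raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(key_b64)

def key_tag(rdata):
    """Key tag checksum over the DNSKEY RDATA (RFC 4034, Appendix B)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def expected_ds(zone, flags, protocol, algorithm, key_b64, digest="SHA-256"):
    """Return the DS fields (key tag, algorithm, digest type, hex digest) for one DNSKEY."""
    dtype, hasher = DIGESTS[digest.upper().replace("-", "")]
    rdata = dnskey_rdata(flags, protocol, algorithm, key_b64)
    return (key_tag(rdata), algorithm, dtype,
            hasher(wire_name(zone) + rdata).hexdigest().upper())

def check_ds(zone, dnskeys, ds_rrset, digests=("SHA-256",)):
    """Map (key tag, digest name) -> True if the expected DS is in the parent's DS RRset."""
    published = {(t, a, d, h.upper()) for t, a, d, h in ds_rrset}
    results = {}
    for key in dnskeys:
        for name in digests:
            ds = expected_ds(zone, *key, digest=name)
            results[(ds[0], name)] = ds in published
    return results

if __name__ == "__main__":
    # Constructed sample data: a made-up 64-byte key, not a real zone key.
    ksk = (257, 3, 13, base64.b64encode(bytes(range(64))).decode())
    parent = [expected_ds("example.com.", *ksk)]  # only a SHA-256 DS is published
    for (tag, name), ok in check_ds("example.com.", [ksk], parent,
                                    digests=("SHA-256", "SHA-384")).items():
        print(f"key {tag} {name}: {'DS found' if ok else 'DS missing'}")
```

Passing several digest names mirrors repeating -a: a key whose DS is published with only one digest type is reported as missing for the others.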