DNSSEC-CHECKDS(8)                   BIND 9                   DNSSEC-CHECKDS(8)

NAME
       dnssec-checkds - DNSSEC delegation consistency checking tool

SYNOPSIS
       dnssec-checkds [-ddig path] [-Ddsfromkey path] [-ffile] [-ldomain]
       [-sfile] {zone}

DESCRIPTION
       dnssec-checkds verifies the correctness of Delegation Signer (DS)
       resource records for keys in a specified zone.

OPTIONS
       -a algorithm
          Specify a digest algorithm to use when converting the zones DNSKEY
          records to expected DS records. This option can be repeated, so that
          multiple records are checked for each DNSKEY record.

          The algorithm must be one of SHA-1, SHA-256, or SHA-384. These
          values are case insensitive, and the hyphen may be omitted. If no
          algorithm is specified, the default is SHA-256.

       -f file
          If a file is specified, then the zone is read from that file to find
          the DNSKEY records. If not, then the DNSKEY records for the zone are
          looked up in the DNS.

       -s file
          Specifies a prepared dsset file, such as would be generated by
          dnssec-signzone, to use as a source for the DS RRset instead of
          querying the parent.

       -d dig path
          Specifies a path to a dig binary. Used for testing.

       -D dsfromkey path
          Specifies a path to a dnssec-dsfromkey binary. Used for testing.

SEE ALSO
       dnssec-dsfromkey(8), dnssec-keygen(8), dnssec-signzone(8),

AUTHOR
       Internet Systems Consortium

COPYRIGHT
       2021, Internet Systems Consortium

9.16.18                           2021-06-18                 DNSSEC-CHECKDS(8)