dnssec-checkds — DNSSEC delegation consistency checking tool


dnssec-checkds [-d dig path] [-D dsfromkey path] [-f file] [-l domain] [-s file] {zone}


dnssec-checkds verifies the correctness of Delegation Signer (DS) or DNSSEC Lookaside Validation (DLV) resource records for keys in a specified zone.


-f file

If a file is specified, then the zone is read from that file to find the DNSKEY records. If not, then the DNSKEY records for the zone are looked up in the DNS.

-l domain

Check for a DLV record in the specified lookaside domain, instead of checking for a DS record in the zone's parent.

-s file

Specifies a prepared dsset file, such as would be generated by dnssec-signzone, to use as a source for the DS RRset instead of querying the parent.

-d dig path

Specifies a path to a dig binary. Used for testing.

-D dsfromkey path

Specifies a path to a dnssec-dsfromkey binary. Used for testing.


dnssec-dsfromkey(8) , dnssec-keygen(8) , dnssec-signzone(8) ,

BIND 9.14.6 (Stable Release)