dnssec-checkds.html revision 0a330c717a298b60fb357999baac7c08dfc29046
5cd4555ad444fd391002ae32450572054369fd42Rob Austein - Copyright (C) 2012 Internet Systems Consortium, Inc. ("ISC")
d4ef65050feac78554addf6e16a06c6e2e0bd331Brian Wellington - Permission to use, copy, modify, and/or distribute this software for any
39844d471080b2de4f8bb9d81f7e136ef80f0ae2Automatic Updater - purpose with or without fee is hereby granted, provided that the above
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews - copyright notice and this permission notice appear in all copies.
ec5347e2c775f027573ce5648b910361aa926c01Automatic Updater - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
d4ef65050feac78554addf6e16a06c6e2e0bd331Brian Wellington - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
d4ef65050feac78554addf6e16a06c6e2e0bd331Brian Wellington - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
d4ef65050feac78554addf6e16a06c6e2e0bd331Brian Wellington - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
dafcb997e390efa4423883dafd100c975c4095d6Mark Andrews - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
dafcb997e390efa4423883dafd100c975c4095d6Mark Andrews - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
dafcb997e390efa4423883dafd100c975c4095d6Mark Andrews - PERFORMANCE OF THIS SOFTWARE.
dafcb997e390efa4423883dafd100c975c4095d6Mark Andrews<!-- $Id$ -->
d4ef65050feac78554addf6e16a06c6e2e0bd331Brian Wellington<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
8e4f3f1cbceef520ba889270c993de0ac376a2a7Evan Hunt<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
6a550cb83cc2196f8af0592a258f75985cdcb5ebJeremy Reed<a name="man.dnssec-checkds"></a><div class="titlepage"></div>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington<p><span class="application">dnssec-checkds</span> — A DNSSEC delegation consistency checking tool.</p>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington<div class="cmdsynopsis"><p><code class="command">dnssec-checkds</code> [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-f <em class="replaceable"><code>file</code></em></code>] [<code class="option">-d <em class="replaceable"><code>dig path</code></em></code>] [<code class="option">-D <em class="replaceable"><code>dsfromkey path</code></em></code>] {zone}</p></div>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington<div class="cmdsynopsis"><p><code class="command">dnssec-dsfromkey</code> [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-f <em class="replaceable"><code>file</code></em></code>] [<code class="option">-d <em class="replaceable"><code>dig path</code></em></code>] [<code class="option">-D <em class="replaceable"><code>dsfromkey path</code></em></code>] {zone}</p></div>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington<a name="id2543419"></a><h2>DESCRIPTION</h2>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington<p><span><strong class="command">dnssec-checkds</strong></span>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington verifies the correctness of Delegation Signer (DS) or DNSSEC
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein Lookaside Validation (DLV) resource records for keys in a specified
39844d471080b2de4f8bb9d81f7e136ef80f0ae2Automatic Updater<dt><span class="term">-f <em class="replaceable"><code>file</code></em></span></dt>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein If a <code class="option">file</code> is specified, then the zone is
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein read from that file to find the DNSKEY records. If not,
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein then the DNSKEY records for the zone are looked up in the DNS.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<dt><span class="term">-l <em class="replaceable"><code>domain</code></em></span></dt>
f5d30e2864e048a42c4dc1134993ae7efdb5d6c3Mark Andrews Check for a DLV record in the specified lookaside domain,
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein instead of checking for a DS record in the zone's parent.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein For example, to check for DLV records for "example.com"
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein in ISC's DLV zone, use:
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <span><strong class="command">dnssec-checkds -l dlv.isc.org example.com</strong></span>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington<dt><span class="term">-d <em class="replaceable"><code>dig path</code></em></span></dt>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington Specifies a path to a <span><strong class="command">dig</strong></span> binary. Used
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington<dt><span class="term">-D <em class="replaceable"><code>dsfromkey path</code></em></span></dt>
b0c15bd9792112fb47f6d956e580e4369e92f4e7Mark Andrews Specifies a path to a <span><strong class="command">dnssec-dsfromkey</strong></span> binary.
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington Used for testing.
6e8a8077faf96d8da0b6cf738913f5f1f86e4008Mark Andrews<p><span class="citerefentry"><span class="refentrytitle">dnssec-dsfromkey</span>(8)</span>,
6ed53e5949d9fcd9715b440015b56e5a896d63dfDavid Hankins <span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt<p><span class="corpauthor">Internet Systems Consortium</span>