dnsight dnssec
DNSSEC chain and negative-response validation.
Options
| Option | Type | Default | Required | Description |
|---|---|---|---|---|
| domains | text | — | no | One or more domains; omit to use config manifest targets. |
| --config | file | — | no | YAML path (overrides global --config for this command). |
| --require-ds / --no-require-ds | bool | — | no | Require DS at parent delegation. |
| --signature-expiry-days-warning | integer range | — | no | Warn when RRSIG expires within this many days. |
| --disallowed-algorithms | text | — | no | Comma-separated weak DNSSEC algorithms (tab suggests common weak values). |
| --validate-negative-responses / --no-validate-negative-responses | bool | — | no | Probe NXDOMAIN and verify NSEC/NSEC3. |
| --validate-nodata-proofs / --no-validate-nodata-proofs | bool | — | no | Probe NODATA and verify proofs. |
| --nxdomain-probe-label | text | — | no | Leftmost label for NXDOMAIN probe (optional). |
| --require-ns / --no-require-ns | bool | — | no | Require NS at zone apex. |
| --nodata-probe-name | text | — | no | FQDN for NODATA proof probe (optional). |