diff --git a/bin/python/dnssec-checkds.docbook b/bin/python/dnssec-checkds.docbook
index 113e47ceb0..bc18b616f6 100644
--- a/bin/python/dnssec-checkds.docbook
+++ b/bin/python/dnssec-checkds.docbook
@@ -67,8 +67,26 @@ OPTIONS - + + + -a algorithm + + + Specify a digest algorithm to use when converting the + zone's DNSKEY records to expected DS or DLV records. This + option can be repeated, so that multiple records are + checked for each DNSKEY record. + + + The algorithm must be one of + SHA-1, SHA-256, or SHA-384. These values are case insensitive, + and the hyphen may be omitted. If no algorithm is specified, + the default is SHA-256. + + + + -f file
diff --git a/bin/python/isc/checkds.py.in b/bin/python/isc/checkds.py.in
index 1f1963f3ae..f20d6bf564 100644
--- a/bin/python/isc/checkds.py.in
+++ b/bin/python/isc/checkds.py.in
@@ -114,19 +114,19 @@ def check(zone, args):
 klist = []
+ cmd = [args.dsfromkey]
+ for algo in args.algo:
+ cmd += ['-a', algo]
+ if args.lookaside:
+ cmd += ["-l", args.lookaside]
+
 if args.masterfile:
- cmd = [args.dsfromkey, "-12f", args.masterfile]
- if args.lookaside:
- cmd += ["-l", args.lookaside]
- cmd.append(zone)
+ cmd += ["-f", args.masterfile, zone]
 fp, _ = Popen(cmd, stdout=PIPE).communicate()
 else:
 intods, _ = Popen([args.dig, "+noall", "+answer", "-t", "dnskey", "-q", zone], stdout=PIPE).communicate()
- cmd = [args.dsfromkey, "-12f", "-"]
- if args.lookaside:
- cmd += ["-l", args.lookaside]
- cmd.append(zone)
+ cmd += ["-f", "-", zone]
 fp, _ = Popen(cmd, stdin=PIPE, stdout=PIPE).communicate(intods)
 for line in fp.splitlines():
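Review bot: The `cmd` list built at the top of the hunk forwards each `-a` value to dnssec-dsfromkey unvalidated, and both `Popen(cmd, ...).communicate()` calls still discard the child's exit status, so a misspelled algorithm, a bad `-D` path or a dsfromkey failure leaves `fp` empty and the run continues as though the zone simply had no keys, which presumably ends in the "No DNSKEY records found" diagnostic rather than an error naming the real cause. Keep the process object and fail loudly on a non-zero status before parsing, e.g. `proc = Popen(cmd, stdout=PIPE)`, `fp, _ = proc.communicate()`, `if proc.returncode != 0: raise SystemExit("dnssec-dsfromkey failed")` (and the same for the stdin variant). Dropping the former hard-coded `-12` also means a run with no `-a` now checks only dsfromkey's default digest, which is worth a one-line comment above the `for algo in args.algo:` loop. check() begins and ends outside this hunk.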
@@ -138,23 +138,27 @@ def check(zone, args):
 print("No DNSKEY records found in zone apex")
 return False
- found = False
+ match = True
+ for rr in rrlist:
+ if rr not in klist:
+ print("KSK for %s %s/%03d/%05d (%s) missing from child" %
+ (rr.rrtype, rr.rrname.strip('.'), rr.keyalg,
+ rr.keyid, SECRR.hashalgs[rr.hashalg]))
+ match = False
+ for rr in klist:
+ if rr not in rrlist:
+ print("%s for KSK %s/%03d/%05d (%s) missing from parent" %
+ (rr.rrtype, rr.rrname.strip('.'), rr.keyalg,
+ rr.keyid, SECRR.hashalgs[rr.hashalg]))
+ match = False
 for rr in klist:
 if rr in rrlist:
 print("%s for KSK %s/%03d/%05d (%s) found in parent" % (rr.rrtype, rr.rrname.strip('.'), rr.keyalg, rr.keyid, SECRR.hashalgs[rr.hashalg]))
- found = True
- else:
- print("%s for KSK %s/%03d/%05d (%s) missing from parent" %
- (rr.rrtype, rr.rrname.strip('.'), rr.keyalg,
- rr.keyid, SECRR.hashalgs[rr.hashalg]))
- if not found:
- print("No %s records were found for any DNSKEY" %
- ("DLV" if args.lookaside else "DS"))
+ return match
- return found
 ############################################################################
 # parse_args:
@@ -167,6 +171,8 @@ def parse_args():
 sbindir = 'bin' if os.name == 'nt' else 'sbin'
 parser.add_argument('zone', type=str, help='zone to check')
+ parser.add_argument('-a', '--algo', dest='algo', action='append',
+ default=[], type=str, help='DS digest algorithm')
 parser.add_argument('-d', '--dig', dest='dig', default=os.path.join(prefix(bindir), 'dig'), type=str, help='path to \'dig\'')
@@ -196,5 +202,5 @@ def parse_args():
 ############################################################################
 def main():
 args = parse_args()
- found = check(args.zone, args)
- exit(0 if found else 1)
+ match = check(args.zone, args)
+ exit(0 if match else 1)
diff --git a/bin/tests/system/checkds/tests.sh b/bin/tests/system/checkds/tests.sh
index 2d2faba9cd..1d46bc53c4 100644
--- a/bin/tests/system/checkds/tests.sh
+++ b/bin/tests/system/checkds/tests.sh
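Review bot: The new `for rr in rrlist:` loop reports every parent record absent from `klist` as "missing from child", but `klist` now contains only the digest types requested with `-a`, so a parent DS of a digest type the user did not ask for would be flagged and would set `match = False` even though the child key behind it is fine; how `rrlist` is populated is outside this hunk, so this is inferred rather than observed. Either restrict that comparison to records whose `hashalg` is among the requested algorithms, or say in check()'s header comment that `-a` must name every digest type the parent publishes. The two `for rr in klist:` loops that follow test the same membership twice; the original if/else shape, `if rr in rrlist: print(found) else: print(missing); match = False`, does the job in one pass. check() starts before this hunk.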
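Review bot: The help string for the new `-a/--algo` option in parse_args() says only `'DS digest algorithm'` and does not tell the user that the option may be repeated or which values dsfromkey accepts, unlike the docbook text in this commit. Suggest `help='DS digest algorithm (SHA-1, SHA-256 or SHA-384); may be given more than once'` and a `metavar='ALGORITHM'` so the usage line matches the manual page. parse_args() begins and ends outside this hunk.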
@@ -15,10 +15,10 @@ SYSTEMTESTTOP=..
 if [ "$CYGWIN" ]; then
 DIG=".\dig.bat"
 WINDSFROMKEY=`cygpath -w $DSFROMKEY`
- CHECKDS="$CHECKDS -d $DIG -D $WINDSFROMKEY"
+ CHECKDS="$CHECKDS -a sha1 -a sha256 -d $DIG -D $WINDSFROMKEY"
 else
 DIG="./dig.sh"
- CHECKDS="$CHECKDS -d $DIG -D $DSFROMKEY"
+ CHECKDS="$CHECKDS -a sha1 -a sha256 -d $DIG -D $DSFROMKEY"
 fi
 chmod +x $DIG
@@ -61,7 +61,7 @@ n=`expr $n + 1`
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
-echo_i "checking for incorrect DS, lowronging up key via 'dig' ($n)"
+echo_i "checking for incorrect DS, looking up key via 'dig' ($n)"
 ret=0
 $CHECKDS wrong.example > checkds.out.$n 2>&1 || ret=1
 grep 'SHA-1' checkds.out.$n > /dev/null 2>&1 || ret=1
@@ -79,7 +79,7 @@ n=`expr $n + 1`
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
-echo_i "checking for incorrect DLV, lowronging up key via 'dig' ($n)"
+echo_i "checking for incorrect DLV, looking up key via 'dig' ($n)"
 ret=0
 $CHECKDS -l dlv.example wrong.example > checkds.out.$n 2>&1 || ret=1
 grep 'SHA-1' checkds.out.$n > /dev/null 2>&1 || ret=1
@@ -97,10 +97,9 @@ n=`expr $n + 1`
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
-
 echo_i "checking for partially missing DS, looking up key via 'dig' ($n)"
 ret=0
-$CHECKDS missing.example > checkds.out.$n 2>&1 || ret=1
+$CHECKDS missing.example > checkds.out.$n 2>&1 && ret=1
 grep 'SHA-1.*found' checkds.out.$n > /dev/null 2>&1 || ret=1
 grep 'SHA-256.*found' checkds.out.$n > /dev/null 2>&1 || ret=1
 grep 'SHA-1.*missing' checkds.out.$n > /dev/null 2>&1 || ret=1
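Review bot: Both `CHECKDS=` assignments in the first hunk now bake `-a sha1 -a sha256` into every invocation, so the path where no `-a` is given, which the docbook in this commit describes as defaulting to SHA-256 and which the rewritten check() relies on dsfromkey for, is never exercised by the system test. One extra case that runs the plain `$CHECKDS` without the `-a` arguments against an example zone and greps for `SHA-256.*found` would cover it. The `-a` flags could also be kept in a separate variable, e.g. `ALGS="-a sha1 -a sha256"`, so that later cases can opt in or out of them.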
@@ -111,7 +110,7 @@ status=`expr $status + $ret`
 echo_i "checking for partially missing DS, obtaining key from file ($n)"
 ret=0
-$CHECKDS -f missing.example.dnskey.db missing.example > checkds.out.$n 2>&1 || ret=1
+$CHECKDS -f missing.example.dnskey.db missing.example > checkds.out.$n 2>&1 && ret=1
 grep 'SHA-1.*found' checkds.out.$n > /dev/null 2>&1 || ret=1
 grep 'SHA-256.*found' checkds.out.$n > /dev/null 2>&1 || ret=1
 grep 'SHA-1.*missing' checkds.out.$n > /dev/null 2>&1 || ret=1
@@ -122,7 +121,7 @@ status=`expr $status + $ret`
 echo_i "checking for partially missing DLV, looking up key via 'dig' ($n)"
 ret=0
-$CHECKDS -l dlv.example missing.example > checkds.out.$n 2>&1 || ret=1
+$CHECKDS -l dlv.example missing.example > checkds.out.$n 2>&1 && ret=1
 grep 'SHA-1.*found' checkds.out.$n > /dev/null 2>&1 || ret=1
 grep 'SHA-256.*found' checkds.out.$n > /dev/null 2>&1 || ret=1
 grep 'SHA-1.*missing' checkds.out.$n > /dev/null 2>&1 || ret=1
@@ -133,7 +132,7 @@ status=`expr $status + $ret`
 echo_i "checking for partially missing DLV, obtaining key from file ($n)"
 ret=0
-$CHECKDS -l dlv.example -f missing.example.dnskey.db missing.example > checkds.out.$n 2>&1 || ret=1
+$CHECKDS -l dlv.example -f missing.example.dnskey.db missing.example > checkds.out.$n 2>&1 && ret=1
 grep 'SHA-1.*found' checkds.out.$n > /dev/null 2>&1 || ret=1
 grep 'SHA-256.*found' checkds.out.$n > /dev/null 2>&1 || ret=1
 grep 'SHA-1.*missing' checkds.out.$n > /dev/null 2>&1 || ret=1
@@ -145,7 +144,8 @@ status=`expr $status + $ret`
 echo_i "checking for entirely missing DS, looking up key via 'dig' ($n)"
 ret=0
 $CHECKDS none.example > checkds.out.$n 2>&1 && ret=1
-grep 'No DS' checkds.out.$n > /dev/null 2>&1 || ret=1
+grep 'SHA-1.*found' checkds.out.$n > /dev/null 2>&1 && ret=1
+grep 'SHA-256.*found' checkds.out.$n > /dev/null 2>&1 && ret=1
 n=`expr $n + 1`
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
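Review bot: The "entirely missing DS" case in the last hunk here (`@@ -145`) replaces the `grep 'No DS'` assertion with two negative greps on `found`, so the test now passes whenever the tool prints nothing at all, including when dnssec-dsfromkey or dig fails and the script exits 1 for the wrong reason. Add a positive expectation alongside them, `grep 'SHA-1.*missing' checkds.out.$n > /dev/null 2>&1 || ret=1` and the same for `SHA-256`, so the run has to have produced the per-key "missing from parent" lines. The three "entirely missing" hunks on the following line (`@@ -153`, `@@ -161`, `@@ -169`) have the same gap.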
@@ -153,7 +153,8 @@ status=`expr $status + $ret`
 echo_i "checking for entirely missing DS, obtaining key from file ($n)"
 ret=0
 $CHECKDS -f none.example.dnskey.db none.example > checkds.out.$n 2>&1 && ret=1
-grep 'No DS' checkds.out.$n > /dev/null 2>&1 || ret=1
+grep 'SHA-1.*found' checkds.out.$n > /dev/null 2>&1 && ret=1
+grep 'SHA-256.*found' checkds.out.$n > /dev/null 2>&1 && ret=1
 n=`expr $n + 1`
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
@@ -161,7 +162,8 @@ status=`expr $status + $ret`
 echo_i "checking for entirely missing DLV, looking up key via 'dig' ($n)"
 ret=0
 $CHECKDS -l dlv.example none.example > checkds.out.$n 2>&1 && ret=1
-grep 'No DLV' checkds.out.$n > /dev/null 2>&1 || ret=1
+grep 'SHA-1.*found' checkds.out.$n > /dev/null 2>&1 && ret=1
+grep 'SHA-256.*found' checkds.out.$n > /dev/null 2>&1 && ret=1
 n=`expr $n + 1`
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
@@ -169,7 +171,8 @@ status=`expr $status + $ret`
 echo_i "checking for entirely missing DLV, obtaining key from file ($n)"
 ret=0
 $CHECKDS -l dlv.example -f none.example.dnskey.db none.example > checkds.out.$n 2>&1 && ret=1
-grep 'No DLV' checkds.out.$n > /dev/null 2>&1 || ret=1
+grep 'SHA-1.*found' checkds.out.$n > /dev/null 2>&1 && ret=1
+grep 'SHA-256.*found' checkds.out.$n > /dev/null 2>&1 && ret=1
 n=`expr $n + 1`
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`