DONUTS(1) User Contributed Perl Documentation DONUTS(1)

NAME
donuts - analyze DNS zone files for errors and warnings

SYNOPSIS
donuts [-v] [-l LEVEL] [-r RULEFILES] [-i IGNORELIST]
[-C] [-c configfile] [-h] [-H] ZONEFILE DOMAINNAME...

DESCRIPTION
donuts is a DNS lint application that examines DNS zone files looking
for particular problems. This is especially important for zones making
use of DNSSEC security records, since many subtle problems can occur.
The default mode of operation assumes you want to check for DNSSEC-
related issues; to turn off the invocation of the DNSSEC-related rules
run donuts with "-i DNSSEC".

If the Text::Wrap Perl module is installed, donuts will give better
output formatting.

OPTIONS
Rule Set Configuration:
-l LEVEL
--level=LEVEL
Sets the level of errors to be displayed. The default is level 5.
The maximum value is level 9, which displays many debugging
results. You probably want to run no higher than level 8.

-r RULEFILES
--rules=RULEFILES
A comma-separated list of rule files to load. The strings will be
passed to glob() so * wildcards can be used to specify multiple
files.

Defaults to /usr/local/share/dnssec-tools/donuts/rules/*.txt and
$HOME/.dnssec-tools/donuts/rules/*.txt.

-i IGNORELIST
--ignore=IGNORELIST
A comma-separated list of regex patterns which are checked against
rule names to determine if some should be ignored. Run with -v to
figure out rule names if you're not sure which rule is generating
errors you don't wish to see.

-f LIST
--features=LIST
The --features option specifies additional rule features that
should be executed. Some rules are turned off by default because
they are more intensive or require a live network connection, for
instance. Use the --features flag to turn them on. The LIST
argument should be a comma-separated list. Example usage:

--features live,nsec_check

Features available in the default rule set distributed with donuts:

live
The live feature allows rules that need to perform live DNS
queries to run. Most of these live rules query the parent and
children of the current zone, when appropriate, to see that the
parent/child relationships have been built properly. For
example, if you have a DS record which authenticates the key
used in a child zone, the live feature will let a rule run which
checks to see if the child is actually publishing the DNSKEY
that corresponds to the test zone's DS record.

nsec_check
This checks all the NSEC or NSEC3 records (as appropriate for
the zone) to ensure the chain is complete and that no overlaps
exist. It is fairly memory- and CPU-intensive in large zones.

Configuration File Options:
-c CONFIGFILE
--config-file=CONFIGFILE
Parse a configuration file to change constraints specified by
rules. This defaults to $HOME/.donuts.conf.

-C
--no-config
Don't read user configuration files at all, such as those specified
by the -c option or the $HOME/.donuts.conf file.

Extra Live Query Options:
Live queries are enabled through the use of the -f live argument.
These options are only useful if that feature has been enabled.

-t INTERFACE
--tcpdump-capture=INTERFACE
Specifies that tcpdump should be started on INTERFACE (e.g.,
"eth0") just before donuts begins its run of rules for each domain
and stopped just after it has processed the rules. This is
useful when you wish to capture the traffic generated by the live
feature, described above.

-T FILTER
--tcpdump-filter=FILTER
When tcpdump is run, this FILTER is passed to it for purposes of
filtering traffic. By default, this is set to port 53 || ip[6:2] &
0x1fff != 0, which limits the traffic to traffic destined to port
53 (DNS) or fragmented packets.

-o FILE
--tcpdump-output-file=FILE
Saves the tcpdump-captured packets to FILE. The following special
fields can be used to help generate unique file names:

%d This is replaced with the current domain name being analyzed
(e.g., "example.com").

%t This is replaced with the current epoch time (i.e., the number
of seconds since Jan 1, 1970).

This field defaults to %d.%t.pcap.

--show-gui
[alpha code]

Displays a browsable GUI screen showing the results of the donuts
tests.

The QWizard and Gtk2 Perl modules must be installed for this to
work.

Help Options
-H Displays the personal configuration file rules and tokens that are
acceptable in a configuration file. The output will consist of a
rule name, a token, and a description of its meaning.

Your configuration file (e.g., $HOME/.donuts.conf) may have lines
in it that look like this:

# change the default minimum number of legal NS records from 2 to 1
name: DNS_MULTIPLE_NS
minnsrecords: 1

# change the level of the following rule from 8 to 5
name: DNS_REASONABLE_TTLS
level: 5

This allows you to override certain aspects of how rules are
executed.

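As an added illustration (not part of the donuts man page or of the donuts code itself), the following Python model shows how the three filtering mechanisms described above interact: -l LEVEL drops rules whose level is above the threshold, -i IGNORELIST matches regex patterns against rule names, and a configuration file in the name:/token: format shown under -H overrides a rule's tokens and level before it runs. The rule names DNS_MULTIPLE_NS and DNS_REASONABLE_TTLS come from the man page; their default thresholds (2 NS records, 60-second minimum TTL), the DNSSEC_ZONE_UNSIGNED rule, and the sample zone and configuration text are assumptions constructed for this example.

```python
import re

# Constructed sample zone (not from the man page). It is deliberately thin:
# one NS record at the apex, a 30-second TTL and no DNSKEY record.
SAMPLE_ZONE = """\
$TTL 3600
example.com.      3600 IN SOA ns1.example.com. hostmaster.example.com. 2024010101 7200 3600 1209600 3600
example.com.      3600 IN NS  ns1.example.com.
ns1.example.com.  3600 IN A   192.0.2.1
www.example.com.    30 IN A   192.0.2.10   ; short TTL
"""

# Constructed configuration, in the "name:/token:" layout the man page shows under -H.
SAMPLE_CONFIG = """\
# change the default minimum number of legal NS records from 2 to 1
name: DNS_MULTIPLE_NS
minnsrecords: 1

# change the level of the following rule from 8 to 5
name: DNS_REASONABLE_TTLS
level: 5
"""


def parse_zone(text):
    """Parse the one-record-per-line layout used above (no $ORIGIN, no parentheses)."""
    records = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()          # drop comments
        if not line or line.startswith("$"):          # skip blanks and $TTL
            continue
        owner, ttl, _cls, rtype, *rdata = line.split()
        records.append({"name": owner, "ttl": int(ttl), "type": rtype, "rdata": rdata})
    return records


def parse_config(text):
    """Read 'name: RULE' blocks followed by 'token: value' overrides, as under -H."""
    overrides, current = {}, None
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "name":
            current = value
            overrides.setdefault(current, {})
        elif current is not None:
            overrides[current][key] = int(value) if value.isdigit() else value
    return overrides


# Rule bodies. Thresholds and the DNSSEC_ZONE_UNSIGNED rule are assumptions.
def check_multiple_ns(records, p):
    apex = next(r["name"] for r in records if r["type"] == "SOA")
    n = sum(1 for r in records if r["type"] == "NS" and r["name"] == apex)
    return None if n >= p["minnsrecords"] else f"only {n} NS record(s) at {apex}, minimum is {p['minnsrecords']}"


def check_reasonable_ttls(records, p):
    low = [r["name"] for r in records if r["ttl"] < p["minttl"]]
    return None if not low else f"TTL below {p['minttl']}s on {', '.join(low)}"


def check_zone_unsigned(records, p):
    return None if any(r["type"] == "DNSKEY" for r in records) else "no DNSKEY record: zone is not DNSSEC-signed"


RULES = {
    "DNS_MULTIPLE_NS":      {"level": 5, "minnsrecords": 2, "check": check_multiple_ns},
    "DNS_REASONABLE_TTLS":  {"level": 8, "minttl": 60,      "check": check_reasonable_ttls},
    "DNSSEC_ZONE_UNSIGNED": {"level": 5,                     "check": check_zone_unsigned},
}


def lint_zone(zone_text, config_text="", level=5, ignore=()):
    """Return [(rule, level, message)] for rules that fired, honouring -l, -i and -c."""
    overrides = parse_config(config_text)
    records = parse_zone(zone_text)
    findings = []
    for name, defaults in RULES.items():
        if any(re.search(pat, name) for pat in ignore):   # -i IGNORELIST: regex vs rule name
            continue
        rule = {**defaults, **overrides.get(name, {})}    # -c: config tokens override defaults
        if rule["level"] > level:                         # -l LEVEL: skip rules above threshold
            continue
        msg = rule["check"](records, rule)
        if msg:
            findings.append((name, rule["level"], msg))
    return findings


if __name__ == "__main__":
    # Equivalent of: donuts -c conf -i DNSSEC db.example.com example.com
    for finding in lint_zone(SAMPLE_ZONE, SAMPLE_CONFIG, level=5, ignore=("DNSSEC",)):
        print("%-22s level %d: %s" % finding)
```

With no configuration the sample zone trips DNS_MULTIPLE_NS and the DNSSEC rule while DNS_REASONABLE_TTLS stays silent at the default level 5; with the configuration applied, the relaxed minnsrecords token silences the NS rule and the lowered level brings the TTL rule into scope, which is exactly the behaviour the -H output lets you tune.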
-R Displays a list of all known rules along with their description (if
available).

-h Displays a help message.

--help
Displays a help message more tailored to people who prefer long-
style options.

-q Turns on a quieter output mode. This only affects one case: if no
errors are found, it will not print out "0 errors found".

-q is ignored if a -v argument is present.

-v Turns on more verbose output. Multiple -v's will turn on
increasing amounts of output. The number of -v's will dictate
output:

1. Describes which rules are being loaded and extra detail for
rules that found errors (rule level and extra text detail).

2. Even more detail about rules that found errors: file name, file
line number, rule type.

3. Shows extra detail on the record text being analyzed (the
detail is not always available, however).

4. Even more detail about rules that found errors: dumps the rule
code itself.

5. Even more detail about rules that found errors: dumps the
internal rule structure.

Obsolete Options
-L Obsolete command line option. Please use --features live instead.

EXAMPLES
Run donuts in its default mode on the example.com zone which is
contained in the db.example.com file:

% donuts db.example.com example.com

Run donuts with significantly more output, both in terms of verbosity
and in terms of the number of rules that are run to analyze the file:

% donuts -v -v --level 9 db.example.com example.com

COPYRIGHT
Copyright 2004-2011 SPARTA, Inc. All rights reserved. See the COPYING
file included with the DNSSEC-Tools package for details.

AUTHOR
Wes Hardaker <hardaker@users.sourceforge.net>

SEE ALSO
For more information on the dnssec-tools project:

http://www.dnssec-tools.org/

For writing rules that can be loaded by donuts:

Net::DNS::SEC::Tools::Donuts::Rule

General DNS and DNSSEC usage:

Net::DNS, Net::DNS::SEC

perl v5.12.4 2011-10-12 DONUTS(1)