VALIDNS(1)                                                          VALIDNS(1)

NAME

       validns - DNS and DNSSEC zone file validator

VERSION

       This document describes validns version 0.8

SYNOPSIS

       validns -h
       validns [options] zone-file

       For validating stdin, specify "-" in place of zone-file.

DESCRIPTION

       Coming soon.

OPTIONS

       -h     Produce usage text and quit.

       -f     Quit on first validation error.  Normally, validns continues
              working on a zone after encountering a parsing or validation
              error.

       -p name
              Activate policy check name.  By default, only basic checks and
              DNSSEC checks are performed.  This option can be specified
              multiple times.  See POLICY CHECKS, below, for details.  The
              following names are understood:

              · single-ns

              · cname-other-data

              · dname

              · dnskey

              · nsec3param-not-apex

              · mx-alias

              · ns-alias

              · rp-txt-exists

              · tlsa-host

              · ksk-exists

              · all

       -n N   Use N worker threads for parallelizable operations.  The default
              is 0, meaning no parallelization.  Currently only signature
              verification is parallelizable.

       -q     quiet - do not produce any output

       -s     print validation summary/stats

       -x     skip printing timing summary/stats

       -v     be extra verbose

       -M     use SOA MINTTL as the default TTL when no TTL specified

       -I path
              use this path for $INCLUDE files

       -z origin
              use this origin as initial $ORIGIN

       -t epoch-time
              Use specified time instead of the current time when verifying
              validity of the signatures.  This option may be specified
              multiple times, in which case every signature is checked against
              all specified times.

BASIC CHECKS

       Every record and every supported directive should be parsable, which
       constitutes the most basic check of all.  The validns program will
       report the exact reason why it cannot parse a record or a directive.

       Other basic checks include:

       · there can only be one SOA in a zone;

       · the first record in the zone must be an SOA record;

       · a record outside the apex (an owner name that is not at or below the
         zone apex);

       · TTL values differ within an RR set (excepting RRSIG).

DNSSEC CHECKS

       · type exists, but NSEC does not mention it for name;

       · NSEC mentions type, but no such record found for name;

       · NSEC says x is the last name, but z exists;

       · NSEC says z comes after x, but nothing does;

       · NSEC says z comes after x, but y does;

       · signature is too new;

       · signature is too old;

       · RRSIG exists for non-existing type type;

       · RRSIG's original TTL differs from corresponding record's;

       · RRSIG(type): cannot find a signer key;

       · RRSIG(type): cannot verify the signature;

       · RRSIG(type): cannot find the right signer key;

       · NSEC3 record name is not valid;

       · multiple NSEC3 with the same record name;

       · no corresponding NSEC3 found for name;

       · type exists, but NSEC3 does not mention it for name;

       · NSEC3 mentions type, but no such record found for name;

       · there are more record types than NSEC3 mentions for name;

       · broken NSEC3 chain, expected name, but nothing found;

       · broken NSEC3 chain, expected name1, but found name2;

       · NSEC3 without a corresponding record (or empty non-terminal).
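       The NSEC chain and type-bitmap messages above can be reproduced with a
       short checker.  The following is an added example and not validns's own
       code: instead of parsing a zone it takes a constructed map of owner name
       to record types and NSEC data, sorts the names in canonical order (RFC
       4034 section 6.1), and reports the same classes of problems.  The zone
       names and the deliberate mistakes in SAMPLE are constructed for this
       example.

```python
"""NSEC chain and type-bitmap checks in the spirit of validns's DNSSEC checks.

Added example, not validns's own code.  Input is a constructed map
    owner -> {"types": {...}, "nsec": (next_owner, {types in bitmap})}
walked in RFC 4034 canonical order (labels compared right to left,
case-insensitively).  An "nsec" of None models a missing NSEC record."""


def canonical_key(name):
    """Sort key giving RFC 4034 canonical ordering for fully-qualified names."""
    labels = name.rstrip(".").lower().split(".")
    return tuple(label.encode() for label in reversed(labels))


def check_nsec_chain(zone, apex):
    """Return the problems found; an empty list means the chain is consistent."""
    problems = []
    names = sorted(zone, key=canonical_key)
    for i, name in enumerate(names):
        nsec = zone[name].get("nsec")
        if nsec is None:
            problems.append(f"{name}: no NSEC record found")
            continue
        nxt, mentioned = nsec
        expected = names[(i + 1) % len(names)]      # last name wraps to the apex
        if nxt != expected:
            if nxt == apex:
                problems.append(f"NSEC says {name} is the last name, but {expected} exists")
            elif nxt not in zone:
                problems.append(f"NSEC says {nxt} comes after {name}, but nothing does")
            else:
                problems.append(f"NSEC says {nxt} comes after {name}, but {expected} does")
        # every signed name carries NSEC and RRSIG, so they belong in the bitmap too
        actual = set(zone[name]["types"]) | {"NSEC", "RRSIG"}
        for t in sorted(actual - mentioned):
            problems.append(f"{name}: type {t} exists, but NSEC does not mention it")
        for t in sorted(mentioned - actual):
            problems.append(f"{name}: NSEC mentions type {t}, but no such record found")
    return problems


# Constructed zone with deliberate mistakes in the chain and in the bitmaps.
SAMPLE = {
    "example.test.": {"types": {"SOA", "NS"},
                      "nsec": ("a.example.test.", {"SOA", "NS", "NSEC", "RRSIG", "DNSKEY"})},
    "a.example.test.": {"types": {"A"},
                        "nsec": ("c.example.test.", {"A", "NSEC", "RRSIG"})},  # skips b
    "b.example.test.": {"types": {"A"},
                        "nsec": ("example.test.", {"A", "NSEC", "RRSIG"})},    # claims to be last
    "c.example.test.": {"types": {"A", "TXT"},
                        "nsec": ("example.test.", {"A", "NSEC", "RRSIG"})},    # TXT not in bitmap
}

if __name__ == "__main__":
    for problem in check_nsec_chain(SAMPLE, "example.test."):
        print(problem)
```

       Run as a script it prints one line per problem, in canonical name order:
       the apex bitmap mentions DNSKEY without a record, a.example.test. skips
       b, b claims to be the last name while c exists, and c's TXT is missing
       from its bitmap.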

POLICY CHECKS

       · there should be at least two NS records per name (or zero);

       · CNAME and other data (excluding possible RRSIG and NSEC);

       · DNAME checks: no multiple DNAMEs, no descendants of a node with a
         DNAME; please note that a DNAME/CNAME clash is handled by the CNAME
         and other data check already;

       · DNSKEY checks: public key too short, leading zero octets in public
         key exponent or modulus;

       · NSEC3PARAM, if present, should only be at the zone apex;

       · MX exchange should not be an alias;

       · NS nsdname should not be an alias;

       · TXT domain name mentioned in RP record must have a corresponding TXT
         record if it is within the zone;

       · domain name of a TLSA record must be a proper prefixed DNS name;

       · a KSK key must exist in a signed zone.
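       The following is an added example, not validns's own code, that
       re-implements the basic checks from BASIC CHECKS (one SOA, SOA first,
       records under the apex, consistent TTLs per RR set with RRSIG excepted)
       together with the single-ns, cname-other-data, mx-alias and ns-alias
       policy checks from this section.  It assumes a simplified zone format
       of one record per line, owner TTL IN TYPE rdata..., with fully-qualified
       names; $ORIGIN, $INCLUDE, parentheses and relative names are not
       handled.  The zone in SAMPLE_ZONE is constructed for this example, the
       RRSIG signature field included.

```python
"""Simplified re-implementation of a few validns basic and policy checks.

Added example, not validns's own code.  Assumes one record per line in the
form  owner TTL IN TYPE rdata...  with fully-qualified names; directives,
parentheses and relative names are not handled.  SAMPLE_ZONE is constructed."""
from collections import defaultdict

TTL_EXEMPT = {"RRSIG"}                         # RRSIG TTLs are allowed to differ
CNAME_COMPANIONS = {"CNAME", "RRSIG", "NSEC"}  # types allowed beside a CNAME

SAMPLE_ZONE = """\
example.test. 3600 IN SOA ns1.example.test. hostmaster.example.test. 2011040100 7200 3600 1209600 3600
example.test. 3600 IN NS ns1.example.test.
example.test. 3600 IN NS ns2.example.test.
example.test. 3600 IN MX 10 mail.example.test.
ns1.example.test. 3600 IN A 192.0.2.1
ns2.example.test. 3600 IN A 192.0.2.2
mail.example.test. 3600 IN CNAME ns1.example.test.   ; MX exchange is an alias
www.example.test. 3600 IN A 192.0.2.3
www.example.test. 7200 IN A 192.0.2.4                ; TTL differs within RR set
www.example.test. 300 IN RRSIG A 8 3 3600 20110501000000 20110401000000 12345 example.test. placeholder=
sub.example.test. 3600 IN NS ns1.sub.example.test.   ; a single NS for the delegation
alias.example.test. 3600 IN CNAME www.example.test.
alias.example.test. 3600 IN TXT "hello"              ; CNAME and other data
other.example.net. 3600 IN A 192.0.2.9               ; not under the zone apex
"""


def parse_zone(text):
    """Return a list of (owner, ttl, type, rdata-tokens) in file order."""
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # drop comments
        if not line:
            continue
        owner, ttl, cls, rtype, *rdata = line.split()
        if cls.upper() != "IN":
            raise ValueError(f"unsupported class {cls!r}: {raw}")
        records.append((owner.lower(), int(ttl), rtype.upper(), rdata))
    return records


def basic_checks(records, origin):
    """Single SOA, SOA first, records under the apex, consistent TTLs per RR set."""
    problems = []
    origin = origin.lower()
    soa_count = sum(1 for r in records if r[2] == "SOA")
    if soa_count != 1:
        problems.append(f"expected exactly one SOA, found {soa_count}")
    if records and records[0][2] != "SOA":
        problems.append("the first record in the zone must be an SOA record")
    for owner, _, rtype, _ in records:
        if owner != origin and not owner.endswith("." + origin):
            problems.append(f"{owner} {rtype}: record outside the apex")
    ttls = defaultdict(set)                          # (owner, type) -> TTLs seen
    for owner, ttl, rtype, _ in records:
        if rtype not in TTL_EXEMPT:
            ttls[(owner, rtype)].add(ttl)
    for (owner, rtype), seen in sorted(ttls.items()):
        if len(seen) > 1:
            problems.append(f"{owner} {rtype}: TTL values differ within an RR set {sorted(seen)}")
    return problems


def policy_checks(records):
    """single-ns, cname-other-data, mx-alias and ns-alias, as validns names them."""
    problems = []
    by_owner = defaultdict(list)
    for owner, _, rtype, rdata in records:
        by_owner[owner].append((rtype, rdata))
    aliases = {o for o, rrs in by_owner.items() if any(t == "CNAME" for t, _ in rrs)}
    for owner, rrs in sorted(by_owner.items()):
        types = {t for t, _ in rrs}
        if sum(1 for t, _ in rrs if t == "NS") == 1:
            problems.append(f"{owner}: there should be at least two NS records per name (or zero)")
        if "CNAME" in types and types - CNAME_COMPANIONS:
            problems.append(f"{owner}: CNAME and other data")
        for rtype, rdata in rrs:
            if rtype == "MX" and len(rdata) >= 2 and rdata[1].lower() in aliases:
                problems.append(f"{owner}: MX exchange {rdata[1]} should not be an alias")
            if rtype == "NS" and rdata and rdata[0].lower() in aliases:
                problems.append(f"{owner}: NS nsdname {rdata[0]} should not be an alias")
    return problems


def validate(text, origin):
    """Run both groups of checks and return (basic_problems, policy_problems)."""
    records = parse_zone(text)
    return basic_checks(records, origin), policy_checks(records)


if __name__ == "__main__":
    for group in validate(SAMPLE_ZONE, "example.test."):
        for problem in group:
            print(problem)
```

       Alias detection here only sees CNAMEs that are inside the zone being
       checked, which is all a zone file validator can know; an MX or NS target
       in another zone cannot be checked without a lookup.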

BUGS

       · textual segments in TXT and HINFO must be enclosed in double quotes;

       · a dot within a label is not currently supported;

       If at least one NSEC3 record uses the opt-out flag, validns assumes it is
       used as much as possible, that is, every unsigned delegation does not
       have a corresponding NSEC3 record.  This is done for reasons of
       efficiency, to avoid calculating cryptographic hashes of every unsigned
       delegation.  If this assumption is wrong for a zone, validns will
       produce spurious validation errors.

ACKNOWLEDGEMENTS

       Thanks go to Andy Holdaway, Daniel Stirnimann, Dennis Kjaer Jensen,
       Goran Bengtson, Hirohisa Yamaguchi, Hugo Salgado, Jake Zack, Jakob
       Schlyter, Koh-ichi Ito, Mathieu Arnold, Miek Gieben, Patrik Wallstrom,
       Paul Wouters, Ryan Eby, Tony Finch, Willem Toorop, and YAMAGUCHI
       Takanori for bug reports, testing, discussions, and occasional patches.

       Special thanks to Stephane Bortzmeyer and Phil Regnauld.

       Thanks to AFNIC, which funded a major portion of the development.  Thanks
       to SWITCH for additional funding.

AUTHORS

       Anton Berezin.



                                  April 2011                        VALIDNS(1)