1VALIDNS(1) VALIDNS(1)
2
6 validns - DNS and DSNSEC zone file validator
7
9 This document describes validns version 0.8
10
12 validns -h validns [options] zone-file
13 For validating stdin, specify "-" in place of zone-file.
15
17 Coming soon.
18
20 -h Produce usage text and quit.
21 -f Quit on first validation error. Normally, validns continues
23 working on a zone after encountering a parsing or validation
24 error.
25 -p name
27 Activate policy check name. By default, only basic checks and
28 DNSSEC checks are performed. This option can be specified mul‐
29 tiple times. See POLICY CHECKS, below, for details. The fol‐
30 lowing names are understood:
31 · single-ns
33 · cname-other-data
35 · dname
37 · dnskey
39 · nsec3param-not-apex
41 · mx-alias
43 · ns-alias
45 · rp-txt-exists
47 · tlsa-host
49 · ksk-exists
51 · all
53 -n N Use N worker threads for parallelizable operations. The default
55 is 0, meaning no parallelization. Currently only signature ver‐
56 ification is parallelizable.
57 -q quiet - do not produce any output
59 -s print validation summary/stats
61 -x skip printing timing summary/stats
63 -v be extra verbose
65 -M use SOA MINTTL as the default TTL when no TTL specified
67 -I path
69 use this path for $INCLUDE files
70 -z origin
72 use this origin as initial $ORIGIN
73 -t epoch-time
75 Use specified time instead of the current time when verifying
76 validity of the signatures. This option may be specified multi‐
77 ple times, in which case every signature is checked against all
78 specified times.
79
81 Every record and every supported directive should be parsable, which
82 consitutes the most basic check of all. The validns program will
83 report the exact reason why it cannot parse a record or a directive.
84 Other basic checks include:
86 · there could only be one SOA in a zone;
88 · the first record in the zone must be an SOA record;
90 · a record outside the apex;
92 · TTL values differ within an RR set (excepting RRSIG);
94
96 · type exists, but NSEC does not mention it for name;
97 · NSEC mentions type, but no such record found for name;
99 · NSEC says x is the last name, but z exists;
101 · NSEC says z comes after x, but nothing does;
103 · NSEC says z comes after x, but y does;
105 · signature is too new;
107 · signature is too old;
109 · RRSIG exists for non-existing type type;
111 · RRSIG's original TTL differs from corresponding record's;
113 · RRSIG(type): cannot find a signer key;
115 · RRSIG(type): cannot verify the signature;
117 · RRSIG(type): cannot find the right signer key;
119 · NSEC3 record name is not valid;
121 · multiple NSEC3 with the same record name;
123 · no corresponding NSEC3 found for name;
125 · type exists, but NSEC3 does not mention it for name;
127 · NSEC3 mentions type, but no such record found for name;
129 · there are more record types than NSEC3 mentions for name;
131 · broken NSEC3 chain, expected name, but nothing found;
133 · broken NSEC3 chain, expected name1, but found name2;
135 · NSEC3 without a corresponding record (or empty non-terminal).
137
139 · there should be at least two NS records per name (or zero);
140 · CNAME and other data (excluding possible RRSIG and NSEC);
142 · DNAME checks: no multiple DNAMEs, no descendants of a node with a
144 DNAME; please note that DNAME/CNAME clash is handled by CNAME and
145 other data check already;
146 · DNSKEY checks: public key too short, leading zero octets in public
148 key exponent or modulus;
149 · NSEC3PARAM, if present, should only be at the zone apex.
151 · MX exchange should not be an alias
153 · NS nsdname should not be an alias
155 · TXT domain name mentioned in RP record must have a corresponding TXT
157 record if it is within the zone
158 · domain name of a TLSA record must be a proper prefixed DNS name
160 · a KSK key must exist in a signed zone
162
164 · textual segments in TXT and HINFO must be enclosed in double quotes;
165 · a dot within a label is not currently supported;
167 If at least one NSEC3 record uses opt-out flag, validns assumes it is
169 used as much as possible, that is, every unsigned delegation does not
170 have a corresponding NSEC3 record. This is done for reasons of effi‐
171 ciency, to avoid calculating cryptographic hashes of every unsigned
172 delegation. If this assumption is wrong for a zone, validns will pro‐
173 duce spurious validation errors.
174
176 Thanks go to Andy Holdaway, Daniel Stirnimann, Dennis Kjaer Jensen,
177 Goran Bengtson, Hirohisa Yamaguchi, Hugo Salgado, Jake Zack, Jakob
178 Schlyter, Koh-ichi Ito, Mathieu Arnold, Miek Gieben, Patrik Wallstrom,
179 Paul Wouters, Ryan Eby, Tony Finch, Willem Toorop, and YAMAGUCHI
180 Takanori for bug reports, testing, discussions, and occasional patches.
181 Special thanks to Stephane Bortzmeyer and Phil Regnauld.
183 Thanks for AFNIC which funded major portion of the development. Thanks
185 for SWITCH for additional funding.
186
188 Anton Berezin.
189 April 2011 VALIDNS(1)