validns man page

validns — DNS and DSNSEC zone file validator

Version

This document describes validns version 0.8

Synopsis

validns -h validns [options] zone-file

For validating stdin, specify "-" in place of zone-file.

Description

Coming soon.

Options

-h

Produce usage text and quit.

-f

Quit on first validation error. Normally, validns continues working on a zone after encountering a parsing or validation error.

-p name

Activate policy check name. By default, only basic checks and DNSSEC checks are performed. This option can be specified multiple times. See Policy Checks, below, for details. The following names are understood:

  • single-ns
  • cname-other-data
  • dname
  • dnskey
  • nsec3param-not-apex
  • mx-alias
  • ns-alias
  • rp-txt-exists
  • tlsa-host
  • all
-n N

Use N worker threads for parallelizable operations. The default is 0, meaning no parallelization. Currently only signature verification is parallelizable.

-q

quiet - do not produce any output

-s

print validation summary/stats

-x

skip printing timing summary/stats

-v

be extra verbose

-I path

use this path for $INCLUDE files

-z origin

use this origin as initial $ORIGIN

-t epoch-time

Use specified time instead of the current time when verifying validity of the signatures. This option may be specified multiple times, in which case every signature is checked against all specified times.

Basic Checks

Every record and every supported directive should be parsable, which consitutes the most basic check of all. The validns program will report the exact reason why it cannot parse a record or a directive.

Other basic checks include:

Dnssec Checks

Policy Checks

Bugs

If at least one NSEC3 record uses opt-out flag, validns assumes it is used as much as possible, that is, every unsigned delegation does not have a corresponding NSEC3 record. This is done for reasons of efficiency, to avoid calculating cryptographic hashes of every unsigned delegation. If this assumption is wrong for a zone, validns will produce spurious validation errors.

Acknowledgements

Thanks go to Andy Holdaway, Daniel Stirnimann, Dennis Kjaer Jensen, Goran Bengtson, Hirohisa Yamaguchi, Hugo Salgado, Jake Zack, Jakob Schlyter, Koh-ichi Ito, Mathieu Arnold, Miek Gieben, Patrik Wallstrom, Paul Wouters, Ryan Eby, Tony Finch, Willem Toorop, and YAMAGUCHI Takanori for bug reports, testing, discussions, and occasional patches.

Special thanks to Stephane Bortzmeyer and Phil Regnauld.

Thanks for AFNIC which funded major portion of the development. Thanks for SWITCH for additional funding.

Authors

Anton Berezin.

Info

April 2011