validns - Man Page

DNS and DNSSEC zone file validator


This document describes validns version 0.8


validns -h

validns [options] zone-file

For validating stdin, specify "-" in place of zone-file.


Coming soon.



Produce usage text and quit.


Quit on first validation error. Normally, validns continues working on a zone after encountering a parsing or validation error.

-p name

Activate policy check name. By default, only basic checks and DNSSEC checks are performed. This option can be specified multiple times. See Policy Checks, below, for details. The following names are understood:

  • single-ns
  • cname-other-data
  • dname
  • dnskey
  • nsec3param-not-apex
  • mx-alias
  • ns-alias
  • rp-txt-exists
  • tlsa-host
  • ksk-exists
  • all
-n N

Use N worker threads for parallelizable operations. The default is 0, meaning no parallelization. Currently only signature verification is parallelizable.


quiet - do not produce any output


print validation summary/stats


skip printing timing summary/stats


be extra verbose


use SOA MINTTL as the default TTL when no TTL specified

-I path

use this path for $INCLUDE files

-z origin

use this origin as initial $ORIGIN

-t epoch-time

Use specified time instead of the current time when verifying validity of the signatures. This option may be specified multiple times, in which case every signature is checked against all specified times.
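What "every signature is checked against all specified times" amounts to, as an added Python illustration (not validns code and not from the original page). It assumes each RRSIG record sits on one line in standard presentation format with 14-digit UTC timestamps; the zone data and function names are constructed for the example.

```python
import calendar
import time

# Constructed sample. RRSIG rdata order: type-covered, algorithm, labels,
# original-ttl, expiration, inception, key-tag, signer, signature.
SAMPLE_ZONE = """\
example.com. 3600 IN RRSIG SOA 8 2 3600 20240131000000 20240101000000 12345 example.com. c2lnMQ==
www.example.com. 3600 IN RRSIG A 8 3 3600 20240110000000 20240101000000 12345 example.com. c2lnMg==
"""

def ts(stamp):
    """Convert an RRSIG YYYYMMDDHHmmSS timestamp (UTC) to epoch seconds."""
    return calendar.timegm(time.strptime(stamp, "%Y%m%d%H%M%S"))

def parse_rrsigs(text):
    """Yield (owner, covered_type, inception, expiration) per RRSIG line."""
    for line in text.splitlines():
        fields = line.split(";", 1)[0].split()   # drop trailing comment
        if "RRSIG" not in fields:
            continue
        i = fields.index("RRSIG")
        if len(fields) < i + 7:
            continue                              # truncated record, skip
        yield fields[0], fields[i + 1], ts(fields[i + 6]), ts(fields[i + 5])

def check_times(text, times):
    """Return (owner, covered, t, reason) for each signature/time pair that fails."""
    failures = []
    for owner, covered, inception, expiration in parse_rrsigs(text):
        for t in times:                           # every signature, every time
            if t < inception:
                failures.append((owner, covered, t, "not yet valid"))
            elif t > expiration:
                failures.append((owner, covered, t, "expired"))
    return failures

if __name__ == "__main__":
    now = ts("20240105000000")                    # constructed "current" time
    in_a_week = now + 7 * 86400                   # second check point
    for failure in check_times(SAMPLE_ZONE, [now, in_a_week]):
        print(failure)
```

Checking at the current time plus a point in the future is the typical reason to give more than one time: it catches signatures that are valid today but will expire before the next re-signing run.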

Basic Checks

Every record and every supported directive should be parsable, which constitutes the most basic check of all. The validns program will report the exact reason why it cannot parse a record or a directive.

Other basic checks include:

Dnssec Checks

Policy Checks


If at least one NSEC3 record uses the opt-out flag, validns assumes it is used as much as possible, that is, that no unsigned delegation has a corresponding NSEC3 record. This is done for reasons of efficiency, to avoid calculating cryptographic hashes of every unsigned delegation. If this assumption is wrong for a zone, validns will produce spurious validation errors.


Thanks go to Andy Holdaway, Daniel Stirnimann, Dennis Kjaer Jensen, Goran Bengtson, Hirohisa Yamaguchi, Hugo Salgado, Jake Zack, Jakob Schlyter, Koh-ichi Ito, Mathieu Arnold, Miek Gieben, Patrik Wallstrom, Paul Wouters, Ryan Eby, Tony Finch, Willem Toorop, and YAMAGUCHI Takanori for bug reports, testing, discussions, and occasional patches.

Special thanks to Stephane Bortzmeyer and Phil Regnauld.

Thanks to AFNIC, which funded a major portion of the development. Thanks to SWITCH for additional funding.


Anton Berezin.


April 2011