Provided by: validns_0.8+git20160720-3_amd64 bug

NAME

       validns - DNS and DSNSEC zone file validator

VERSION

       This document describes validns version 0.8

SYNOPSIS

       validns -h validns [options] zone-file

       For validating stdin, specify "-" in place of zone-file.

DESCRIPTION

       Coming soon.

OPTIONS

       -h     Produce usage text and quit.

       -f     Quit  on  first  validation  error.   Normally, validns continues working on a zone
              after encountering a parsing or validation error.

       -p name
              Activate policy check name.  By default, only basic checks and  DNSSEC  checks  are
              performed.  This option can be specified multiple times.  See POLICY CHECKS, below,
              for details.  The following names are understood:

              • single-ns

              • cname-other-data

              • dname

              • dnskey

              • nsec3param-not-apex

              • mx-alias

              • ns-alias

              • rp-txt-exists

              • tlsa-host

              • ksk-exists

              • all

       -n N   Use N worker threads for parallelizable operations.  The default is 0,  meaning  no
              parallelization.  Currently only signature verification is parallelizable.

       -q     quiet - do not produce any output

       -s     print validation summary/stats

       -v     be extra verbose

       -M     use SOA MINTTL as the default TTL when no TTL specified

       -I path
              use this path for $INCLUDE files

       -z origin
              use this origin as initial $ORIGIN

       -t epoch-time
              Use  specified  time  instead  of  the  current time when verifying validity of the
              signatures.  This option may be specified  multiple  times,  in  which  case  every
              signature is checked against all specified times.

BASIC CHECKS

       Every  record  and every supported directive should be parsable, which consitutes the most
       basic check of all.  The validns program will report the exact reason why it cannot  parse
       a record or a directive.

       Other basic checks include:

       • there could only be one SOA in a zone;

       • the first record in the zone must be an SOA record;

       • a record outside the apex;

       • TTL values differ within an RR set (excepting RRSIG);

DNSSEC CHECKS

type exists, but NSEC does not mention it for name;

       • NSEC mentions type, but no such record found for name;

       • NSEC says x is the last name, but z exists;

       • NSEC says z comes after x, but nothing does;

       • NSEC says z comes after x, but y does;

       • signature is too new;

       • signature is too old;

       • RRSIG exists for non-existing type type;

       • RRSIG's original TTL differs from corresponding record's;

       • RRSIG(type): cannot find a signer key;

       • RRSIG(type): cannot verify the signature;

       • RRSIG(type): cannot find the right signer key;

       • NSEC3 record name is not valid;

       • multiple NSEC3 with the same record name;

       • no corresponding NSEC3 found for name;

       • type exists, but NSEC3 does not mention it for name;

       • NSEC3 mentions type, but no such record found for name;

       • there are more record types than NSEC3 mentions for name;

       • broken NSEC3 chain, expected name, but nothing found;

       • broken NSEC3 chain, expected name1, but found name2;

       • NSEC3 without a corresponding record (or empty non-terminal).

POLICY CHECKS

       • there should be at least two NS records per name (or zero);

       • CNAME and other data (excluding possible RRSIG and NSEC);

       • DNAME  checks:  no  multiple  DNAMEs, no descendants of a node with a DNAME; please note
         that DNAME/CNAME clash is handled by CNAME and other data check already;

       • DNSKEY checks: public key too short, leading zero  octets  in  public  key  exponent  or
         modulus;

       • NSEC3PARAM, if present, should only be at the zone apex.

       • MX exchange should not be an alias

       • NS nsdname should not be an alias

       • TXT  domain  name  mentioned  in RP record must have a corresponding TXT record if it is
         within the zone

       • domain name of a TLSA record must be a proper prefixed DNS name

       • a KSK key must exist in a signed zone

BUGS

       • textual segments in TXT and HINFO must be enclosed in double quotes;

       • a dot within a label is not currently supported;

       If at least one NSEC3 record uses opt-out flag, validns assumes it  is  used  as  much  as
       possible,  that  is, every unsigned delegation does not have a corresponding NSEC3 record.
       This is done for reasons of efficiency, to avoid calculating cryptographic hashes of every
       unsigned  delegation.   If  this  assumption  is  wrong  for  a zone, validns will produce
       spurious validation errors.

ACKNOWLEDGEMENTS

       Thanks go to Andy Holdaway,  Daniel  Stirnimann,  Dennis  Kjaer  Jensen,  Goran  Bengtson,
       Hirohisa Yamaguchi, Hugo Salgado, Jake Zack, Jakob Schlyter, Koh-ichi Ito, Mathieu Arnold,
       Miek Gieben, Patrik Wallstrom, Paul Wouters, Ryan Eby,  Tony  Finch,  Willem  Toorop,  and
       YAMAGUCHI Takanori for bug reports, testing, discussions, and occasional patches.

       Special thanks to Stephane Bortzmeyer and Phil Regnauld.

       Thanks  for  AFNIC  which  funded major portion of the development.  Thanks for SWITCH for
       additional funding.

AUTHORS

       Anton Berezin.

                                            April 2011                                 VALIDNS(1)