This is the command validns that can be run in the OnWorks free hosting provider using one of our multiple free online workstations such as Ubuntu Online, Fedora Online, Windows online emulator or MAC OS online emulator
PROGRAM:
NAME
validns - DNS and DSNSEC zone file validator
VERSION
This document describes validns version 0.8
SYNOPSIS
validns -h validns [options] zone-file
For validating stdin, specify "-" in place of zone-file.
DESCRIPTION
Coming soon.
OPTIONS
-h Produce usage text and quit.
-f Quit on first validation error. Normally, validns continues working on a zone
after encountering a parsing or validation error.
-p name
Activate policy check name. By default, only basic checks and DNSSEC checks are
performed. This option can be specified multiple times. See POLICY CHECKS, below,
for details. The following names are understood:
· single-ns
· cname-other-data
· dname
· dnskey
· nsec3param-not-apex
· mx-alias
· ns-alias
· rp-txt-exists
· tlsa-host
· all
-n N Use N worker threads for parallelizable operations. The default is 0, meaning no
parallelization. Currently only signature verification is parallelizable.
-q quiet - do not produce any output
-s print validation summary/stats
-v be extra verbose
-I path
use this path for $INCLUDE files
-z origin
use this origin as initial $ORIGIN
-t epoch-time
Use specified time instead of the current time when verifying validity of the
signatures. This option may be specified multiple times, in which case every
signature is checked against all specified times.
BASIC CHECKS
Every record and every supported directive should be parsable, which consitutes the most
basic check of all. The validns program will report the exact reason why it cannot parse
a record or a directive.
Other basic checks include:
· there could only be one SOA in a zone;
· the first record in the zone must be an SOA record;
· a record outside the apex;
· TTL values differ within an RR set (excepting RRSIG);
DNSSEC CHECKS
· type exists, but NSEC does not mention it for name;
· NSEC mentions type, but no such record found for name;
· NSEC says x is the last name, but z exists;
· NSEC says z comes after x, but nothing does;
· NSEC says z comes after x, but y does;
· signature is too new;
· signature is too old;
· RRSIG exists for non-existing type type;
· RRSIG's original TTL differs from corresponding record's;
· RRSIG(type): cannot find a signer key;
· RRSIG(type): cannot verify the signature;
· RRSIG(type): cannot find the right signer key;
· NSEC3 record name is not valid;
· multiple NSEC3 with the same record name;
· no corresponding NSEC3 found for name;
· type exists, but NSEC3 does not mention it for name;
· NSEC3 mentions type, but no such record found for name;
· there are more record types than NSEC3 mentions for name;
· broken NSEC3 chain, expected name, but nothing found;
· broken NSEC3 chain, expected name1, but found name2;
· NSEC3 without a corresponding record (or empty non-terminal).
POLICY CHECKS
· there should be at least two NS records per name (or zero);
· CNAME and other data (excluding possible RRSIG and NSEC);
· DNAME checks: no multiple DNAMEs, no descendants of a node with a DNAME; please note
that DNAME/CNAME clash is handled by CNAME and other data check already;
· DNSKEY checks: public key too short, leading zero octets in public key exponent or
modulus;
· NSEC3PARAM, if present, should only be at the zone apex.
· MX exchange should not be an alias
· NS nsdname should not be an alias
· TXT domain name mentioned in RP record must have a corresponding TXT record if it is
within the zone
· domain name of a TLSA record must be a proper prefixed DNS name
Use validns online using onworks.net services
