forked from tobez/validns
-
Notifications
You must be signed in to change notification settings - Fork 0
/
validns.1
126 lines (126 loc) · 2.76 KB
/
validns.1
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
.TH VALIDNS 1 "April 2011"
.SH NAME
.PP
validns - DNS and DSNSEC zone file validator
.SH SYNOPSIS
.PP
validns \f[I]-h\f[] validns [\f[I]options\f[]] \f[I]zone-file\f[]
.SH DESCRIPTION
.PP
Coming soon.
.SH OPTIONS
.TP
.B -h
Produce usage text and quit.
.RS
.RE
.TP
.B -f
Quit on first validation error.
Normally, \f[C]validns\f[] continues working on a zone after
encountering a parsing or validation error.
.RS
.RE
.TP
.B -p \f[I]name\f[]
Activate policy check \f[I]name\f[].
By default, only basic checks and DNSSEC checks are performed.
This option can be specified multiple times.
See \f[B]POLICY CHECKS\f[], below, for details.
The following names are understood:
.RS
.IP \[bu] 2
single-ns
.IP \[bu] 2
cname-other-data
.IP \[bu] 2
all
.RE
.TP
.B -q
quiet - do not produce any output
.RS
.RE
.TP
.B -s
print validation summary/stats
.RS
.RE
.TP
.B -v
be extra verbose
.RS
.RE
.TP
.B -I \f[I]path\f[]
use this path for $INCLUDE files
.RS
.RE
.TP
.B -z \f[I]origin\f[]
use this origin as initial $ORIGIN
.RS
.RE
.TP
.B -t \f[I]epoch-time\f[]
Use specified time instead of the current time when verifying
validity of the signatures.
.RS
.RE
.SH BASIC CHECKS
.PP
Every record and every supported directive should be parsable,
which consitutes the most basic check of all.
The \f[C]validns\f[] program will report an exact reason why it
cannot parse a record or a directive.
.PP
Other basic checks include:
.IP \[bu] 2
there could only be one SOA in a zone;
.IP \[bu] 2
the first record in the zone must be an SOA record;
.IP \[bu] 2
a record outside the apex;
.IP \[bu] 2
TTL values differ within an RR set (excepting \f[I]RRSIG\f[]);
.SH DNSSEC CHECKS
.IP \[bu] 2
there are more record types than NSEC mentions;
.IP \[bu] 2
NSEC says \f[I]x\f[] is the last name, but \f[I]z\f[] exists;
.IP \[bu] 2
NSEC says \f[I]z\f[] comes after \f[I]x\f[], but nothing does;
.IP \[bu] 2
NSEC says \f[I]z\f[] comes after \f[I]x\f[], but \f[I]y\f[] does;
.IP \[bu] 2
signature is too new;
.IP \[bu] 2
signature is too old;
.IP \[bu] 2
RRSIG exists for non-existing type \f[I]type\f[];
.IP \[bu] 2
RRSIG's original TTL differs from corresponding record's;
.IP \[bu] 2
RRSIG(\f[I]type\f[]): cannot find a signer key;
.IP \[bu] 2
RRSIG(\f[I]type\f[]): cannot verify the signature;
.IP \[bu] 2
RRSIG(\f[I]type\f[]): cannot find the right signer key.
.SH POLICY CHECKS
.IP \[bu] 2
there should be at least two NS records per name (or zero);
.IP \[bu] 2
CNAME and other data (excluding possible RRSIG and NSEC).
.SH BUGS
.IP \[bu] 2
textual segments in \f[I]TXT\f[] and \f[I]HINFO\f[] must be
enclosed in double quotes;
.IP \[bu] 2
there cannot be more than 20 textual segments in a \f[I]TXT\f[]
record;
.IP \[bu] 2
\f[I]$INCLUDE\f[] directive is not implemented;
.IP \[bu] 2
no backslash escapes in names are supported.
.SH AUTHORS
Anton Berezin.