validns.1

.SH NAME
.PP
validns \- DNS and DSNSEC zone file validator
.SH VERSION
.PP
This document describes validns version 0.8
.SH SYNOPSIS
.PP
validns \f[I]\-h\f[] validns [\f[I]options\f[]] \f[I]zone\-file\f[]
.PP
For validating stdin, specify "\-" in place of \f[I]zone\-file\f[].
.SH DESCRIPTION
.PP
Coming soon.
.SH OPTIONS
.TP
.B \-h
Produce usage text and quit.
.RS
.RE
.TP
.B \-f
Quit on first validation error.
Normally, \f[C]validns\f[] continues working on a zone after
encountering a parsing or validation error.
.RS
.RE
.TP
.B \-p \f[I]name\f[]
Activate policy check \f[I]name\f[].
By default, only basic checks and DNSSEC checks are performed.
This option can be specified multiple times.
See \f[B]POLICY CHECKS\f[], below, for details.
.RS
.RE
.TP
.B \-n \f[I]N\f[]
Use N worker threads for parallelizable operations.
The default is 0, meaning no parallelization.
Currently only signature verification is parallelizable.
.RS
.RE
.TP
.B \-q
quiet \- do not produce any output
.RS
.RE
.TP
.B \-s
Print validation summary/stats.
If specified twice, also print record counts by type.
.RS
.RE
.TP
.B \-v
be extra verbose
.RS
.RE
.TP
.B \-M
use SOA MINTTL as the default TTL when no TTL specified
.RS
.RE
.TP
.B \-I \f[I]path\f[]
use this path for $INCLUDE files
.RS
.RE
.TP
.B \-z \f[I]origin\f[]
use this origin as initial $ORIGIN
.RS
.RE
.TP
.B \-t \f[I]epoch\-time\f[]
Use specified time instead of the current time when verifying validity
of the signatures.
This option may be specified multiple times, in which case every
signature is checked against all specified times.
.RS
.RE
.SH BASIC CHECKS
.PP
Every record and every supported directive should be parsable, which
consitutes the most basic check of all.
The \f[C]validns\f[] program will report the exact reason why it cannot
parse a record or a directive.
.PP
Other basic checks include:
.IP \[bu] 2
there could only be one SOA in a zone;
.IP \[bu] 2
the first record in the zone must be an SOA record;
.IP \[bu] 2
a record outside the apex;
.IP \[bu] 2
TTL values differ within an RR set (excepting \f[I]RRSIG\f[]);
.SH DNSSEC CHECKS
.IP \[bu] 2
\f[I]type\f[] exists, but NSEC does not mention it for \f[I]name\f[];
.IP \[bu] 2
NSEC mentions \f[I]type\f[], but no such record found for \f[I]name\f[];
.IP \[bu] 2
NSEC says \f[I]x\f[] is the last name, but \f[I]z\f[] exists;
.IP \[bu] 2
NSEC says \f[I]z\f[] comes after \f[I]x\f[], but nothing does;
.IP \[bu] 2
NSEC says \f[I]z\f[] comes after \f[I]x\f[], but \f[I]y\f[] does;
.IP \[bu] 2
signature is too new;
.IP \[bu] 2
signature is too old;
.IP \[bu] 2
RRSIG exists for non\-existing type \f[I]type\f[];
.IP \[bu] 2
RRSIG\[aq]s original TTL differs from corresponding record\[aq]s;
.IP \[bu] 2
RRSIG(\f[I]type\f[]): cannot find a signer key;
.IP \[bu] 2
RRSIG(\f[I]type\f[]): cannot verify the signature;
.IP \[bu] 2
RRSIG(\f[I]type\f[]): cannot find the right signer key;
.IP \[bu] 2
NSEC3 record name is not valid;
.IP \[bu] 2
multiple NSEC3 with the same record name;
.IP \[bu] 2
no corresponding NSEC3 found for \f[I]name\f[];
.IP \[bu] 2
\f[I]type\f[] exists, but NSEC3 does not mention it for \f[I]name\f[];
.IP \[bu] 2
NSEC3 mentions \f[I]type\f[], but no such record found for
\f[I]name\f[];
.IP \[bu] 2
there are more record types than NSEC3 mentions for \f[I]name\f[];
.IP \[bu] 2
broken NSEC3 chain, expected \f[I]name\f[], but nothing found;
.IP \[bu] 2
broken NSEC3 chain, expected \f[I]name1\f[], but found \f[I]name2\f[];
.IP \[bu] 2
NSEC3 without a corresponding record (or empty non\-terminal).
.SH POLICY CHECKS
.PP
The following policy checks are understood:
.TP
.B \f[B]single\-ns\f[]
Checks that there are at least two NS records per name (or zero).
.RS
.RE
.TP
.B \f[B]cname\-other\-data\f[]
Checks for CNAME and other data condition (excluding possible and NSEC).
.RS
.RE
.TP
.B \f[B]dname\f[]
DNAME checks: no multiple DNAMEs, no descendants of a node with a DNAME.
Please note that DNAME/CNAME clash is handled by CNAME and other data
check already.
.RS
.RE
.TP
.B \f[B]dnskey\f[]
DNSKEY checks: public key too short, leading zero octets in public key
exponent or modulus.
.RS
.RE
.TP
.B \f[B]nsec3param\-not\-apex\f[]
NSEC3PARAM, if present, should only be at the zone apex.
.RS
.RE
.TP
.B \f[B]mx\-alias\f[]
MX exchange should not be an alias.
.RS
.RE
.TP
.B \f[B]ns\-alias\f[]
NS nsdname should not be an alias.
.RS
.RE
.TP
.B \f[B]rp\-txt\-exists\f[]
TXT domain name mentioned in RP record must have a corresponding TXT
record if it is within the zone.
.RS
.RE
.TP
.B \f[B]tlsa\-host\f[]
Domain name of a TLSA record must be a proper prefixed DNS name.
.RS
.RE
.TP
.B \f[B]ksk\-exists\f[]
A KSK key must exist in a signed zone.
.RS
.RE
.TP
.B \f[B]smimea\-host\f[]
Domain name must have the form which is proper for an SMIMEA record.
.RS
.RE
.TP
.B \f[B]all\f[]
Activates all of the above policy checks (but not the ones described
below).
.RS
.RE
.TP
.B \f[B]permit\-starting\-hyphen\f[]
Starting hyphen (normally disallowed) is permitted in names.
.RS
.RE
.SH BUGS
.IP \[bu] 2
textual segments in \f[I]TXT\f[] and \f[I]HINFO\f[] must be enclosed in
double quotes;
.IP \[bu] 2
a dot within a label is not currently supported;
.PP
If at least one NSEC3 record uses opt\-out flag, \f[C]validns\f[]
assumes it is used as much as possible, that is, every unsigned
delegation does not have a corresponding NSEC3 record.
This is done for reasons of efficiency, to avoid calculating
cryptographic hashes of every unsigned delegation.
If this assumption is wrong for a zone, \f[C]validns\f[] will produce
spurious validation errors.
.SH ACKNOWLEDGEMENTS
.PP
Thanks go to Andy Holdaway, Daniel Stirnimann, Dennis Kjaer Jensen,
Goran Bengtson, Hirohisa Yamaguchi, Hugo Salgado, Jake Zack, Jakob
Schlyter, Koh\-ichi Ito, Mathieu Arnold, Miek Gieben, Patrik Wallstrom,
Paul Wouters, Ryan Eby, Tony Finch, Willem Toorop, and YAMAGUCHI
Takanori for bug reports, testing, discussions, and occasional patches.
.PP
Special thanks to Stephane Bortzmeyer and Phil Regnauld.
.PP
Thanks for AFNIC which funded major portion of the development.
Thanks for SWITCH for additional funding.