Digital Mages - zone-lint(1)

ZONE-LINT

Section: User Contributed Perl Documentation (1)
Updated: 2018-04-24
NAME

zone-lint - DNS zone lint checker  

VERSION

$Id: bin/zone-lint, 1.0.1 2018/04/24 12:05:48 acorliss Exp $  

USAGE

zone-lint [-hvS] [-s {host}] {zone(s)}

  -e    --explain   Quote relevant RFC text
  -h    --help      Show help (this text)
  -p    --print     Prints the contents of the zone
  -S    --strict    Strictest RFC compliance mode
  -s    --server    Check zone from this server
  -v    --verbose   Verbose debug output

DESCRIPTION

zone-lint is a tool that verifies the specified zone for RFC compliance and points out potential problems. It can also simply dump the contents of a zone.

This tool doesn't operate by parsing BIND config files, or what have you, but by performing DNS requests (beginning with a zone transfer request) to validate what's currently published. While this does have the detriment of not being able to check changes before they're published, it has the advantage of validating not only the zones in question, but any DNS records referenced that lie outside of the zone(s).  

REQUIRED ARGUMENTS

The only required argument is a list of the zones to check. For example:

    zone-lint foo.com 0.168.192.in-addr.arpa
    zone-lint d.c.8.9.b.0.0.0.0.2.a.0.1.0.0.2.ip6.arpa

OPTIONS

-e/--explain

This option outputs the relevant RFC excerpt detailing the requirements the highlighted records should adhere to.  

-h/--help

This option prints a brief usage statement.  

-p/--print

This option causes the utility to simply print the contents of the zone(s) rather than validate them.  

-S/--strict

This option enables additional checks suggested by the RFCs. While these checks urge best practices, there may be legitimate reasons for not adhering to them, or they may not be practical to check. In those circumstances you may not want to use this option.

At this time, the only tests enabled by the use of strict are:

    SOA refresh value
    SOA expire value
    NS record count
    NS lame delegation

-s/--server

    zone-lint -s ns1.foo.com bar.com

This option sets a specific DNS server to perform the zone transfer from, and also makes it the preferred recursive server. This can be useful when the published SOA server doesn't allow zone transfers.  

-v/--verbose

    zone-lint -vvv

This option provides some debugging information which is, perhaps, more useful to me than you. It supports multiple debug levels, up to a maximum of four; the highest level also turns on debugging output from the Net::DNS resolver.  

DNS TESTS

The level of testing is rather rudimentary at this time, consisting primarily of the more important items from RFC 1035 and RFC 1912. The additional RFCs listed below may provide tests that will be implemented in the future.  

SOA

SOA serial format and interval ranges are all checked against RFC best practices.  

NS

NS records are checked to see if they resolve to valid A/AAAA records, that there are at least two NS targets per zone, and that there are no lame delegations.  

MX

MX records are checked to see if they resolve to valid A/AAAA records.  

CNAME

CNAME records are checked to see if they resolve to valid A/AAAA records.  

PTR

PTR records are checked to see if they resolve to valid A/AAAA records. Allowances are made for DNS-based round-robin addresses.  

A/AAAA

A/AAAA records are checked to see if they resolve to valid (and matching) PTR records. Allowances are made for obvious glue and DNS round-robin records.  

Label Size/Format

Label sizes and formats are checked for correctness, but they are currently only tested against A, AAAA, and CNAME records.  
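As an added illustration of the checks described in DNS TESTS and of what -S/--strict adds, here is a small Python linter (not the tool's own Perl code) run over constructed records: the SOA serial convention and the RFC 1912 refresh/expire ranges, the two-nameserver minimum, RFC 1035 label limits, and A-to-PTR consistency. The zone and reverse data, the example.com names and the 192.0.2.0/24 addresses are constructed sample input.

```python
import re
from datetime import date
# Constructed sample data (not real DNS answers): a forward zone and its reverse zone.
ZONE = {
    "SOA": {"serial": 2018042401, "refresh": 7200, "expire": 1209600},
    "NS": ["ns1.example.com."],
    "A": {"www.example.com.": "192.0.2.10", "mail.example.com.": "192.0.2.25"},
}
REVERSE = {"10.2.0.192.in-addr.arpa.": "www.example.com.",
           "25.2.0.192.in-addr.arpa.": "smtp.example.com."}
# Hostname label: letters, digits, hyphen; no leading/trailing hyphen; 1-63 octets.
LABEL = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")

def ptr_name(ipv4):
    """Owner name of the PTR record for a dotted-quad IPv4 address."""
    return ".".join(reversed(ipv4.split("."))) + ".in-addr.arpa."

def check_name(name):
    """RFC 1035 size/format rules: each label 1-63 octets, whole name at most 255."""
    problems = [f"{name}: exceeds 255 octets"] if len(name) > 255 else []
    for label in name.rstrip(".").split("."):
        if not LABEL.match(label):
            problems.append(f"{name}: bad label '{label}'")
    return problems

def lint(zone, reverse, strict=False):
    """Return a list of problems; strict adds the RFC 1912 'suggested' checks."""
    problems, soa = [], zone["SOA"]
    serial = str(soa["serial"])
    try:  # RFC 1912 2.2 recommends the YYYYMMDDnn serial convention
        date(int(serial[:4]), int(serial[4:6]), int(serial[6:8]))
        serial_ok = len(serial) == 10
    except ValueError:
        serial_ok = False
    if not serial_ok:
        problems.append(f"SOA serial {serial} is not YYYYMMDDnn")
    if strict:  # RFC 1912 suggested ranges, plus the two-nameserver minimum
        if not 1200 <= soa["refresh"] <= 43200:
            problems.append(f"SOA refresh {soa['refresh']} outside 1200-43200")
        if not 1209600 <= soa["expire"] <= 2419200:
            problems.append(f"SOA expire {soa['expire']} outside 1209600-2419200")
        if len(zone["NS"]) < 2:
            problems.append(f"only {len(zone['NS'])} NS record(s); need at least 2")
    for owner, ip in zone["A"].items():  # forward/reverse consistency for each A record
        problems += check_name(owner)
        target = reverse.get(ptr_name(ip))
        if target != owner:
            problems.append(f"{owner} A {ip} but PTR is {target}")
    return problems
```

With the sample data, the non-strict run reports only the mail/smtp PTR mismatch; the strict run additionally flags the single NS record.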

SEE ALSO

RFC 1035 Domain names - implementation and specification

RFC 1123 Requirements for Internet Hosts - Application and Support

RFC 1912 Common DNS Operational and Configuration Errors  

DIAGNOSTICS

Diagnostics can be provided by enabling verbose mode. There are four levels of verbosity, all of which write to STDERR:

    zone-lint -vvv foo.com

EXIT STATUS

This tool returns a non-zero exit value if any errors are found or communication issues occur.  

CONFIGURATION

Not applicable.  

BUGS AND LIMITATIONS

Glue records are always allowed as redundant A records whose PTR record does not match. If, however, they exist to provide glue for NS/MX/etc. records that lie outside the zone being validated, there is no way for this tool to recognize that and suppress the warnings. There is no fix for this beyond adhering to better DNS practices, such as keeping glue records only within the zone that needs them.

Report bugs to <corliss@digitalmages.com> with a subject line of "BUG: zone-lint".  

AUTHOR

Arthur Corliss (corliss@digitalmages.com)  

LICENSE AND COPYRIGHT

This software is licensed under the same terms as Perl itself. Please see http://dev.perl.org/licenses/ for more information.

(c) 2018, Arthur Corliss (corliss@digitalmages.com)
