1.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") 2.. 3.. SPDX-License-Identifier: MPL-2.0 4.. 5.. This Source Code Form is subject to the terms of the Mozilla Public 6.. License, v. 2.0. If a copy of the MPL was not distributed with this 7.. file, you can obtain one at https://mozilla.org/MPL/2.0/. 8.. 9.. See the COPYRIGHT file distributed with this work for additional 10.. information regarding copyright ownership. 11 12.. highlight: console 13 14.. BEWARE: Do not forget to edit also named-compilezone.rst! 15 16.. iscman:: named-checkzone 17.. program:: named-checkzone 18.. _man_named-checkzone: 19 20named-checkzone - zone file validation tool 21------------------------------------------- 22 23Synopsis 24~~~~~~~~ 25 26:program:`named-checkzone` [**-d**] [**-h**] [**-j**] [**-q**] [**-v**] [**-c** class] [**-C** mode] [**-f** format] [**-F** format] [**-J** filename] [**-i** mode] [**-k** mode] [**-m** mode] [**-M** mode] [**-n** mode] [**-l** ttl] [**-L** serial] [**-o** filename] [**-r** mode] [**-s** style] [**-S** mode] [**-t** directory] [**-T** mode] [**-w** directory] [**-D**] [**-W** mode] {zonename} {filename} 27 28Description 29~~~~~~~~~~~ 30 31:program:`named-checkzone` checks the syntax and integrity of a zone file. It 32performs the same checks as :iscman:`named` does when loading a zone. This 33makes :program:`named-checkzone` useful for checking zone files before 34configuring them into a name server. 35 36Options 37~~~~~~~ 38 39.. option:: -d 40 41 This option enables debugging. 42 43.. option:: -h 44 45 This option prints the usage summary and exits. 46 47.. option:: -q 48 49 This option sets quiet mode, which only sets an exit code to indicate 50 successful or failed completion. 51 52.. option:: -v 53 54 This option prints the version of the :program:`named-checkzone` program and exits. 55 56.. option:: -j 57 58 When loading a zone file, this option tells :iscman:`named` to read the journal if it exists. The journal 59 file name is assumed to be the zone file name with the 60 string ``.jnl`` appended. 61 62.. option:: -J filename 63 64 When loading the zone file, this option tells :iscman:`named` to read the journal from the given file, if 65 it exists. This implies :option:`-j`. 66 67.. option:: -c class 68 69 This option specifies the class of the zone. If not specified, ``IN`` is assumed. 70 71.. option:: -C mode 72 73 This option controls check mode on zone files when loading. 74 Possible modes are ``check-svcb:fail`` and ``check-svcb:ignore``. 75 76 ``check-svcb:fail`` turns on additional checks on ``_dns`` SVCB 77 records and ``check-svcb:ignore`` disables these checks. The 78 default is ``check-svcb:fail``. 79 80.. option:: -i mode 81 82 This option performs post-load zone integrity checks. Possible modes are 83 ``full`` (the default), ``full-sibling``, ``local``, 84 ``local-sibling``, and ``none``. 85 86 Mode ``full`` checks that MX records refer to A or AAAA records 87 (both in-zone and out-of-zone hostnames). Mode ``local`` only 88 checks MX records which refer to in-zone hostnames. 89 90 Mode ``full`` checks that SRV records refer to A or AAAA records 91 (both in-zone and out-of-zone hostnames). Mode ``local`` only 92 checks SRV records which refer to in-zone hostnames. 93 94 Mode ``full`` checks that delegation NS records refer to A or AAAA 95 records (both in-zone and out-of-zone hostnames). It also checks that 96 glue address records in the zone match those advertised by the child. 97 Mode ``local`` only checks NS records which refer to in-zone 98 hostnames or verifies that some required glue exists, i.e., when the 99 name server is in a child zone. 100 101 Modes ``full-sibling`` and ``local-sibling`` disable sibling glue 102 checks, but are otherwise the same as ``full`` and ``local``, 103 respectively. 104 105 Mode ``none`` disables the checks. 106 107.. option:: -f format 108 109 This option specifies the format of the zone file. Possible formats are 110 ``text`` (the default), and ``raw``. 111 112.. option:: -F format 113 114 This option specifies the format of the output file specified. For 115 :program:`named-checkzone`, this does not have any effect unless it dumps 116 the zone contents. 117 118 Possible formats are ``text`` (the default), which is the standard 119 textual representation of the zone, and ``raw`` and ``raw=N``, which 120 store the zone in a binary format for rapid loading by :iscman:`named`. 121 ``raw=N`` specifies the format version of the raw zone file: if ``N`` is 122 0, the raw file can be read by any version of :iscman:`named`; if N is 1, the 123 file can only be read by release 9.9.0 or higher. The default is 1. 124 125.. option:: -k mode 126 127 This option performs ``check-names`` checks with the specified failure mode. 128 Possible modes are ``fail``, ``warn`` (the default), and ``ignore``. 129 130.. option:: -l ttl 131 132 This option sets a maximum permissible TTL for the input file. Any record with a 133 TTL higher than this value causes the zone to be rejected. This 134 is similar to using the ``max-zone-ttl`` option in :iscman:`named.conf`. 135 136.. option:: -L serial 137 138 When compiling a zone to ``raw`` format, this option sets the "source 139 serial" value in the header to the specified serial number. This is 140 expected to be used primarily for testing purposes. 141 142.. option:: -m mode 143 144 This option specifies whether MX records should be checked to see if they are 145 addresses. Possible modes are ``fail``, ``warn`` (the default), and 146 ``ignore``. 147 148.. option:: -M mode 149 150 This option checks whether a MX record refers to a CNAME. Possible modes are 151 ``fail``, ``warn`` (the default), and ``ignore``. 152 153.. option:: -n mode 154 155 This option specifies whether NS records should be checked to see if they are 156 addresses. Possible modes are ``fail``, ``warn`` (the default), and ``ignore``. 157 158.. option:: -o filename 159 160 This option writes the zone output to ``filename``. If ``filename`` is ``-``, then 161 the zone output is written to standard output. 162 163.. option:: -r mode 164 165 This option checks for records that are treated as different by DNSSEC but are 166 semantically equal in plain DNS. Possible modes are ``fail``, 167 ``warn`` (the default), and ``ignore``. 168 169.. option:: -s style 170 171 This option specifies the style of the dumped zone file. Possible styles are 172 ``full`` (the default) and ``relative``. The ``full`` format is most 173 suitable for processing automatically by a separate script. 174 The relative format is more human-readable and is thus 175 suitable for editing by hand. This does not have any effect unless it dumps 176 the zone contents. It also does not have any meaning if the output format 177 is not text. 178 179.. option:: -S mode 180 181 This option checks whether an SRV record refers to a CNAME. Possible modes are 182 ``fail``, ``warn`` (the default), and ``ignore``. 183 184.. option:: -t directory 185 186 This option tells :iscman:`named` to chroot to ``directory``, so that ``include`` directives in the 187 configuration file are processed as if run by a similarly chrooted 188 :iscman:`named`. 189 190.. option:: -T mode 191 192 This option checks whether Sender Policy Framework (SPF) records exist and issues a 193 warning if an SPF-formatted TXT record is not also present. Possible 194 modes are ``warn`` (the default) and ``ignore``. 195 196.. option:: -w directory 197 198 This option instructs :iscman:`named` to chdir to ``directory``, so that relative filenames in master file 199 ``$INCLUDE`` directives work. This is similar to the directory clause in 200 :iscman:`named.conf`. 201 202.. option:: -D 203 204 This option dumps the zone file in canonical format. 205 206.. option:: -W mode 207 208 This option specifies whether to check for non-terminal wildcards. Non-terminal 209 wildcards are almost always the result of a failure to understand the 210 wildcard matching algorithm (:rfc:`4592`). Possible modes are ``warn`` 211 (the default) and ``ignore``. 212 213.. option:: zonename 214 215 This indicates the domain name of the zone being checked. 216 217.. option:: filename 218 219 This is the name of the zone file. 220 221Return Values 222~~~~~~~~~~~~~ 223 224:program:`named-checkzone` returns an exit status of 1 if errors were detected 225and 0 otherwise. 226 227See Also 228~~~~~~~~ 229 230:iscman:`named(8) <named>`, :iscman:`named-checkconf(8) <named-checkconf>`, :iscman:`named-compilezone(8) <named-compilezone>`, :rfc:`1035`, BIND 9 Administrator Reference 231Manual. 232