ZONECHECK(1)ZONECHECK(1)NAMEzonecheck - DNS zone checking tool
SYNOPSISzonecheck [ -hqV ] [ -voet opt ] [ -46 ] [ -c conf ]
[ -n nslist ] [ -s key ] domainname
DESCRIPTION
The DNS is a critical resource for every network application, quite
important to ensure that a zone or domain name is correctly configured
in the DNS.
ZoneCheck is intended to help solving misconfigurations or inconsisten‐
cies usually revealed by an increase in the latency of the application,
up to the output of unexpected/inconsistant results.
OPTIONS
NOTE: It doesn't necessary make sense to combine some options
together, if that case happens the most recent option will be
taken into account, silently discarding the others.
--lang lang
Select another language (en, fr, ...). The syntax is the same as
for the environment variable LANG.
--debug, -d lvl
Select the debugging messages to print or activate debugging
code. This parameter will override the value of the environment
variable ZC_DEBUG.
The available options are:
0x0001 : Initialisation
0x0002 : Localization / Internationalisation
0x0004 : Configuration
0x0008 : Autoconf
0x0010 : Loading tests
0x0020 : Tests performed
0x0040 : Debugging messages from tests
0x0400 : Information about cached object
0x0800 : Debugger itself
0x1000 : Crazy Debug, don't try this at home!
0x2000 : Dnsruby library debugging messages
0x4000 : Disable caching
0x8000 : Don't try to rescue exceptions
--help, -h
Show a short description of the different options available in
ZoneCheck.
--version, -V
Display the version and exit.
--batch, -B filename
Depreciated option. You can use this script instead :
for domain in `cat list_dom`; do
echo "Testing $domain"
zonecheck $domain
done
--config, -c filename
Specify the location of the configuration file (default is
zc.conf).
--testdir directory
Location of the directory holding the tests definition.
--profile, -P profilename
Force uses of profile profilename.
--category, -C catlist
Limit the test to perform to the categories specified by
catlist. The syntax for the catgory description is as follow:
allow=[+|] disallow=[-|!] subcomponent=: separator=,
ex: dns:soa,!dns,+
don't perform DNS tests that are not SOA related
--test, -T testname
testname is the test to perform. In this case failing to pass
the test is considered as fatal.
--testlist
List all the tests available.
--testdesc desctype
Give a description of the test, the possible values for desctype
are name, success, failure, explanation.
--resolver, -r resolver
Resolver to use (only IP address is accepted) for finding the
information about the tested zone, by default the name servers
used are the one specified in /etc/resolv.conf. Note that for
finding the name servers the zone should already have been dele‐
gated.
--ns, -n nslist
List of nameservers for the domain. Nameservers name are sepa‐
rated by a semicolon, the name can be followed by the equal sign
and its IP addresses separated by a colon.
This can give the following example: ns1;ns2=ip1,ip2;ns3=ip3
--securedelegation, -s [dsordnskey]
Force the execution of the full DNSSEC profile. Arguments are
optional. You can precise the Trust Anchor of your zone by giv‐
ing the DNSKEY or the DS and the algorithm used to hash your
key. Several Trust Anchors can be specified, separated by commas
(in that case, they _all_ have to match.)
This can give the following example:
DNSKEY:af1Bs0F+4rg-g19,DS:eAg7P4J1qfMg:SHA-1
DS:eAg7P4J1qfMg:SHA-1
DS-RDATA:5991 8 2
46DB8A99F9125B1F88AAC74DF7EC3FFCCC13CE7412C3BEBB2CB93BED4A05A960
DNSKEY:af1Bs0F+4rg-g19
--quiet, -q
Don't display extra titles.
--one, -1
Only display the most relevant message in a compact format.
--tagonly, -g
Display only tag. This option should be used for scripting.
--verbose, -v options
Display extra information, they can be prefix by '-' or '!' to
remove the effect, available options are:
intro, i
Print a short summary about the domain name and its name‐
servers.
testname, n
Print the name of the test when reporting a test status.
explain, x
Print an explanation for failed tests (reference to RFC,
...).
details, d
Print a detailed description of the failure (name or
value of the resource involved).
reportok, o
Report test even if they passed.
fatalonly, f
Only print fatal errors.
testdesc, t
Print the test description before performing it.
counter, c
Display a test progression bar (this option is not always
available according to the output media).
NOTE: testdesc and counter are mutually exclusive.
--output, -o options
Output rendering/format selection, avalaible options are:
byseverity, bs [default]
Output is sorted/merged by severity.
byhost, bh
Output is sorted/merged by host.
text, t [default]
Output plain text.
html, h
Output HTML.
xml, x
Output XML. (experimental)
NOTE: The following set are mutually exclusive: [bysever‐
ity|byhost] and [text|html].
--error, -e options
Behaviour in case of error, available options are:
allfatal, af
All error are considered as fatals.
allwarning, aw
All error are considered as warnings.
dfltseverity, ds [default]
Use the severity associated with the test.
stop, s [default]
Stop on the first fatal error.
WARNING: the current implementation stop on the first
error but for each server.
nostop, ns
Never stop (even on fatal error). This generally result
in a lot of errors or unexpected results due to the pre‐
vious fatal error.
NOTE: The following set are mutually exclusive: [allfatal|all‐
warning|dfltseverity] and [stop|nostop].
--transp, -t options
Transport/routing layer selection, available options are:
ipv4, 4 [default]
Use the IPv4 routing protocol.
ipv6, 6 [default]
Use the IPv6 routing protocol.
udp, u Use the UDP transport layer.
tcp, t Use the TCP transport layer.
std, s [default]
Use the UDP with fallback to TCP for truncated messages.
NOTE: udp, tcp and std are mutually exclusive.
--edns [always|never|auto]
Activate/Deactivate the use of EDNS for all queries. Three pos‐
sible values: always, never, auto. Auto : automatically deter‐
mine if the domain and the route to name servers can carry EDNS
queries.
--ipv4, -4
Only check the zone with IPv4 connectivity.
--ipv6, -6
Only check the zone with IPv6 connectivity.
--preset name
Use of a preset configuration defined in the zc.conf configura‐
tion file.
--option options
Set extra options. The syntax is: -,-opt,opt,opt=foo
ihtml Generate HTML pages that are suitable for inclusion (for
HTML output).
nojavascript
Remove generation of javascript (for HTML output).
ENVIRONMENT
LANG Specify the lang and eventually the encoding to use to display
messages. For examples: fr, fr_CA, fr.latin1, fr_CA.utf8, ...
ZC_CONFIG_DIR
Directory where the configuration file and the different pro‐
files are located.
ZC_CONFIG_FILE
Name of the configuration file to use (defaul to zc.conf), it is
override by the --config option.
ZC_LOCALIZATION_DIR
Directory where all the localization files are located.
ZC_TEST_DIR
Directory where all the tests are located, it is override by the
--testdir option.
ZC_HTML_PATH
Path relative to the web server to use when generating HTML
pages.
ZC_DEBUG
The variable as the same effect as the debug parameter, but its
main advantage is that it is taken into account from the begin‐
ning of the program.
ZC_INPUT
The variable as the same effect as the undocumented INPUT param‐
eter, it allows to chose the input interface used by ZoneCheck,
the currently supported values are: cli, cgi and inetd. But
other interfaces doesn't accept the same parameters as the one
described here.
ZC_IP_STACK
Restrict the IP stack available to IPv4 or IPv6, for that set it
respectively to 4 or 6. This is particularly useful if you have
an IPv6 stack on your computer but don't have the connectivity,
in that case define ZC_IP_STACK=4.
ZC_XML_PARSER
If ruby-libxml is installed, this parser will be used instead of
rexml for speed improvement, but you can force the use of rexml
by setting ZC_XML_PARSER to rexml.
NOTE: The following variables are mainly useful when it is not
possible for the user to specify alternative value with
the selected input interface: ZC_CONFIG_DIR, ZC_CON‐
FIG_FILE, ZC_LOCALIZATION_DIR, ZC_TEST_DIR. Such a case
happen when using the cgi interface, and you don't want
the user to read an arbitrary configuration file, but as
the provider of the service you want to use another con‐
figuration.
EXIT STATUS
The following exit status can be reported by ZoneCheck:
0 Everything went fine, no fatal errors were reported, the
domain configuration is correct.
1 The program completed but some tests failed with a fatal
severity, the domain is NOT correctly configured.
2 The program completed but some tests failed due with a
fatal severity due to timeout occuring, the domain has
been considered as NOT correctly configured, but you
could want to check again later. This is currently not
implemented.
3 The user aborted the program before it's completion.
4 An error which is not directly related to the tests per‐
formed has occured (ie: something went wrong).
9 The user (you?) didn't bother reading the man page...
FILES
/usr/local/etc/zonecheck/zc.conf
The default configuration file.
/usr/local/etc/zonecheck/*.profile
The test sequence to use for different domains.
/usr/local/libexec/zc/test
Contains the code of the tests performed by ZoneCheck.
/usr/local/libexec/zc/locale
Contains the different translations.
/usr/local/libexec/zc/www
Contains a website sample for the web interface.
EXAMPLES
Test the domain_name with IPv6 only connectivity, print a sum‐
mary information about the tested domain as well as explanations
and details of failed tests.
zonecheck-6 --verbose=i,x,d domain_name
Ask for the 'error' message associated with the test 'soa'.
zonecheck--testdesc error -T soa
Only print tests which have failed and the result (suc‐
ceed/failed), this would be ideal for giving people, through
email fir example, a short description of why their domains are
not correctly configured.
zonecheck-q -vn,d,x,f domain_name
If you want to test your domain, you will certainly like to use
these parameters (the use of IPv4 only as been forced because
now people have computer with IPv6 stack but very few have the
IPv6 connectivity, so autodetection will failed).
zonecheck-4 -vi,x,d,c domain_name
SEE ALSO
RFC 1033, RFC 1034, RFC 1035, dig(1)AUTHORS
Stephane D'Alu with the help of people working at AFNIC is the
author of this version, but don't forget also to take a look at
the CREDITS file available in the distribution.
HISTORY
ZoneCheck was initiated and developed by engineers working at
NIC France (INRIA's service) to check the correct configuration
of a zone before delegating a domain name under .fr. Its devel‐
opment continued at AFNIC, which took over the activities of NIC
France on January 1 1998.
ZoneCheck-1.* was created in 1995 by Benoit Grange and has been
maintained by him until 1997. The prototype was a script using
the dig command, which evolved into a perl program based on the
DNS resolver Resolv5. Vincent Gillet maintained the programme in
1998. This task has been taken over by Erwan Mas and Philippe
Lubrano from 1998 until now.
ZoneCheck-2.* is a rewrite from scratch done in ruby at the end
of 2002 by Stephane D'Alu, so as to create a modular and exten‐
sible version. And is the current version of ZoneCheck.
BUGS
Please send problems, bugs, questions, desirable enhancements,
source code contributions, by using the interface provided by:
http://savannah.nongnu.org/projects/zonecheck
You can also consult the ZoneCheck homepage for more informa‐
tion:
http://www.zonecheck.fr/
26 January 2003 ZONECHECK(1)
