||FreeBSD General Commands Manual
zonecheck - DNS zone checking tool
] [ -voet opt
] [ -46
[ -n nslist
] [ -s key
The DNS is a critical resource for every network application, quite important to
ensure that a zone or domain name is correctly configured in the DNS.
is intended to help solving misconfigurations or
inconsistencies usually revealed by an increase in the latency of the
application, up to the output of unexpected/inconsistant results.
- It doesn't necessary make sense to combine some options together, if that
case happens the most recent option will be taken into account, silently
discarding the others.
- --lang lang
- Select another language (en, fr, ...). The syntax is the same as for the
environment variable LANG.
- --debug, -d lvl
- Select the debugging messages to print or activate debugging code. This
parameter will override the value of the environment variable
The available options are:
0x0001 : Initialisation
0x0002 : Localization / Internationalisation
0x0004 : Configuration
0x0008 : Autoconf
0x0010 : Loading tests
0x0020 : Tests performed
0x0040 : Debugging messages from tests
0x0400 : Information about cached object
0x0800 : Debugger itself
0x1000 : Crazy Debug, don't try this at home!
0x2000 : Dnsruby library debugging messages
0x4000 : Disable caching
0x8000 : Don't try to rescue exceptions
- --help, -h
- Show a short description of the different options available in
- --version, -V
- Display the version and exit.
- --batch, -B filename
- Depreciated option. You can use this script instead :
for domain in `cat list_dom`; do
echo "Testing $domain"
- --config, -c filename
- Specify the location of the configuration file (default is
- --testdir directory
- Location of the directory holding the tests definition.
- --profile, -P profilename
- Force uses of profile profilename.
- --category, -C catlist
- Limit the test to perform to the categories specified by catlist.
The syntax for the catgory description is as follow:
allow=[+|] disallow=[-|!] subcomponent=: separator=,
don't perform DNS tests that are not SOA related
- --test, -T testname
- testname is the test to perform. In this case failing to pass the
test is considered as fatal.
- List all the tests available.
- --testdesc desctype
- Give a description of the test, the possible values for desctype
are name, success, failure, explanation.
- --resolver, -r resolver
- Resolver to use (only IP address is accepted) for finding the information
about the tested zone, by default the name servers used are the one
specified in /etc/resolv.conf. Note that for finding the name
servers the zone should already have been delegated.
- --ns, -n nslist
- List of nameservers for the domain. Nameservers name are separated by a
semicolon, the name can be followed by the equal sign and its IP addresses
separated by a colon.
This can give the following example: ns1;ns2=ip1,ip2;ns3=ip3
- --securedelegation, -s [dsordnskey]
- Force the execution of the full DNSSEC profile. Arguments are optional.
You can precise the Trust Anchor of your zone by giving the DNSKEY or the
DS and the algorithm used to hash your key. Several Trust Anchors can be
specified, separated by commas (in that case, they _all_ have to match.)
This can give the following example:
DS-RDATA:5991 8 2
- --quiet, -q
- Don't display extra titles.
- --one, -1
- Only display the most relevant message in a compact format.
- --tagonly, -g
- Display only tag. This option should be used for scripting.
- --verbose, -v options
- Display extra information, they can be prefix by '-' or '!' to remove the
effect, available options are:
- intro, i
- Print a short summary about the domain name and its nameservers.
- testname, n
- Print the name of the test when reporting a test status.
- explain, x
- Print an explanation for failed tests (reference to RFC, ...).
- details, d
- Print a detailed description of the failure (name or value of the resource
- reportok, o
- Report test even if they passed.
- fatalonly, f
- Only print fatal errors.
- testdesc, t
- Print the test description before performing it.
- counter, c
- Display a test progression bar (this option is not always available
according to the output media).
- testdesc and counter are mutually exclusive.
- --output, -o options
- Output rendering/format selection, avalaible options are:
- byseverity, bs [default]
- Output is sorted/merged by severity.
- byhost, bh
- Output is sorted/merged by host.
- text, t [default]
- Output plain text.
- html, h
- Output HTML.
- xml, x
Output XML. (experimental)
- The following set are mutually exclusive:
[byseverity|byhost] and [ text|html].
- --error, -e options
- Behaviour in case of error, available options are:
- allfatal, af
- All error are considered as fatals.
- allwarning, aw
- All error are considered as warnings.
- dfltseverity, ds [default]
- Use the severity associated with the test.
- stop, s [default]
- Stop on the first fatal error.
WARNING: the current implementation stop on the first error but for
- nostop, ns
- Never stop (even on fatal error). This generally result in a lot of errors
or unexpected results due to the previous fatal error.
- The following set are mutually exclusive:
[allfatal|allwarning| dfltseverity] and
- --transp, -t options
- Transport/routing layer selection, available options are:
- ipv4, 4 [default]
- Use the IPv4 routing protocol.
- ipv6, 6 [default]
- Use the IPv6 routing protocol.
- udp, u
- Use the UDP transport layer.
- tcp, t
- Use the TCP transport layer.
- std, s [default]
- Use the UDP with fallback to TCP for truncated messages.
- udp, tcp and std are mutually exclusive.
- --edns [always|never|auto]
- Activate/Deactivate the use of EDNS for all queries. Three possible
values: always, never, auto. Auto : automatically determine if the domain
and the route to name servers can carry EDNS queries.
- --ipv4, -4
- Only check the zone with IPv4 connectivity.
- --ipv6, -6
- Only check the zone with IPv6 connectivity.
- --preset name
- Use of a preset configuration defined in the zc.conf configuration
- --option options
- Set extra options. The syntax is: -,-opt,opt,opt=foo
- Generate HTML pages that are suitable for inclusion (for HTML
- Specify the lang and eventually the encoding to use to display messages.
For examples: fr, fr_CA, fr.latin1, fr_CA.utf8, ...
- Directory where the configuration file and the different profiles are
- Name of the configuration file to use (defaul to zc.conf), it is override
by the --config option.
- Directory where all the localization files are located.
- Directory where all the tests are located, it is override by the
- Path relative to the web server to use when generating HTML pages.
- The variable as the same effect as the debug parameter, but its
main advantage is that it is taken into account from the beginning of the
- The variable as the same effect as the undocumented INPUT
parameter, it allows to chose the input interface used by
ZoneCheck, the currently supported values are: cli,
cgi and inetd. But other interfaces doesn't accept the same
parameters as the one described here.
- Restrict the IP stack available to IPv4 or IPv6, for that set it
respectively to 4 or 6. This is particularly useful if you have an IPv6
stack on your computer but don't have the connectivity, in that case
- If ruby-libxml is installed, this parser will be used instead of rexml for
speed improvement, but you can force the use of rexml by setting
ZC_XML_PARSER to rexml.
- The following variables are mainly useful when it is not possible for the
user to specify alternative value with the selected input interface:
ZC_CONFIG_DIR, ZC_CONFIG_FILE, ZC_LOCALIZATION_DIR,
ZC_TEST_DIR. Such a case happen when using the cgi interface, and
you don't want the user to read an arbitrary configuration file, but as
the provider of the service you want to use another configuration.
The following exit status can be reported by ZoneCheck
- Everything went fine, no fatal errors were reported, the domain
configuration is correct.
- The program completed but some tests failed with a fatal severity, the
domain is NOT correctly configured.
- The program completed but some tests failed due with a fatal severity due
to timeout occuring, the domain has been considered as NOT
correctly configured, but you could want to check again later. This is
currently not implemented.
- The user aborted the program before it's completion.
- An error which is not directly related to the tests performed has occured
(ie: something went wrong).
- The user (you?) didn't bother reading the man page...
- The default configuration file.
- The test sequence to use for different domains.
- Contains the code of the tests performed by ZoneCheck.
- Contains the different translations.
- Contains a website sample for the web interface.
Test the domain_name with IPv6 only connectivity, print a summary information
about the tested domain as well as explanations and details of failed tests.
zonecheck -6 --verbose=i,x,d domain_name
Ask for the 'error' message associated with the test 'soa'.
zonecheck --testdesc error -T soa
Only print tests which have failed and the result (succeed/failed), this would
be ideal for giving people, through email fir example, a short description of
why their domains are not correctly configured.
zonecheck -q -vn,d,x,f domain_name
If you want to test your domain, you will certainly like to use these parameters
(the use of IPv4 only as been forced because now people have computer with
IPv6 stack but very few have the IPv6 connectivity, so autodetection will
zonecheck -4 -vi,x,d,c domain_name
, RFC 1034
, RFC 1035
Stephane D'Alu with the help of people working at AFNIC is the author of this
version, but don't forget also to take a look at the CREDITS file available in
ZoneCheck was initiated and developed by engineers working at NIC France
(INRIA's service) to check the correct configuration of a zone before
delegating a domain name under .fr. Its development continued at AFNIC, which
took over the activities of NIC France on January 1 1998.
ZoneCheck-1.* was created in 1995 by Benoit Grange and has been maintained by
him until 1997. The prototype was a script using the dig command, which
evolved into a perl program based on the DNS resolver Resolv5. Vincent Gillet
maintained the programme in 1998. This task has been taken over by Erwan Mas
and Philippe Lubrano from 1998 until now.
ZoneCheck-2.* is a rewrite from scratch done in ruby at the end of 2002 by
Stephane D'Alu, so as to create a modular and extensible version. And is the
current version of ZoneCheck.
Please send problems, bugs, questions, desirable enhancements, source code
contributions, by using the interface provided by:
You can also consult the ZoneCheck
homepage for more information:
Visit the GSP FreeBSD Man Page Interface.
Output converted with ManDoc.