NAME
check_zone - Check a DNS zone for errors
SYNOPSIS
check_zone [ -r ] [ -v ] domain [ class ]
DESCRIPTION
Checks a DNS zone for errors. Current checks are:
Checks the domain's SOA from each of the domain's name servers. The SOA serial numbers should match. This program's output cannot be trusted if they do not.
Tries to perform an AXFR from each of the domain's name servers. This test helps to detect whether the name server is blocking AXFR.
Checks that all A records have corresponding PTR records. For each A record, the name in its PTR record is checked for a match.
Checks that all PTR records match an A record (sometimes they match a CNAME). The PTR's name is checked against the A record.
Checks that hosts listed in NS, MX, and CNAME records have A records. Checks that NS and CNAME records do not point to another CNAME (i.e., they must resolve directly to an A record). That test may be somewhat controversial because, in many cases, an MX to a CNAME or a CNAME to another CNAME will resolve; however, in DNS circles it isn't a recommended practice.
Checks that each record processed is of the class requested. This is an internal integrity check.
OPTIONS
-r
Perform a recursive check on subdomains.
-v
Verbose.
-a alternate_domain
Treat <alternate_domain> as equal to <domain>. This is useful when supporting a change of domain names (e.g., from myolddomain.example.net to mynewdomain.example.net) where the PTR records can point to only one of the two supported domains (which are otherwise identical).
-e exception_file
Ignore exceptions in file <exception_file>. File format can be space-separated domain pairs, one pair per line, or it can be straight output from this program itself (for simple cut-and-paste functionality). This allows for skipping entries that are odd or unusual, but not causing problems. Note: this only works with A - PTR checks.
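The A/PTR consistency checks and the effect of -a and -e can be sketched as follows. This is an added example, not check_zone's own code: it runs over constructed records instead of a live AXFR, and the function names, the record dictionaries and the pair order in the exception text (A name, then PTR name) are assumptions. Only the space-separated pair format is parsed, not the program's own output.

```python
# Constructed sample data (documentation names and addresses), not real records.
DOMAIN = "mynewdomain.example.net"
ALTERNATE = "myolddomain.example.net"           # what -a would be given
A_RECORDS = {                                   # name -> address
    "www.mynewdomain.example.net": "192.0.2.10",
    "mail.mynewdomain.example.net": "192.0.2.25",
    "db.mynewdomain.example.net": "192.0.2.40",
    "old.mynewdomain.example.net": "192.0.2.50",
}
PTR_RECORDS = {                                 # address -> PTR target
    "192.0.2.10": "www.mynewdomain.example.net.",
    "192.0.2.25": "mail.myolddomain.example.net.",      # still the old domain
    "192.0.2.40": "database.mynewdomain.example.net.",  # known, harmless oddity
    "192.0.2.99": "ghost.mynewdomain.example.net.",     # no A record behind it
}
# Assumed exception format: "<A name> <PTR name>", one pair per line.
EXCEPTIONS_TEXT = "db.mynewdomain.example.net database.mynewdomain.example.net\n"

def canon(name):
    """Case-insensitive comparison form without the trailing root dot."""
    return name.lower().rstrip(".")

def fold(name, domain, alternate):
    """Map a name under the alternate domain onto the primary domain."""
    name = canon(name)
    if alternate and (name == alternate or name.endswith("." + alternate)):
        name = name[: len(name) - len(alternate)] + domain
    return name

def parse_exceptions(text):
    """Collect two-field lines as (A name, PTR name) pairs; skip anything else."""
    rows = (line.split() for line in text.splitlines())
    return {(canon(r[0]), canon(r[1])) for r in rows if len(r) == 2}

def check_a_ptr(a_recs, ptr_recs, domain, alternate=None, exceptions=frozenset()):
    findings = []
    for name, addr in sorted(a_recs.items()):
        ptr = ptr_recs.get(addr)
        if ptr is None:
            findings.append(("A without PTR", name, addr))
        elif fold(ptr, domain, alternate) != fold(name, domain, alternate):
            # Exceptions apply to A/PTR name mismatches only.
            if (canon(name), canon(ptr)) not in exceptions:
                findings.append(("PTR name mismatch", name, canon(ptr)))
    known = set(a_recs.values())
    for addr, ptr in sorted(ptr_recs.items()):
        if addr not in known:
            findings.append(("PTR without A", canon(ptr), addr))
    return findings
```

With neither option the sample yields four findings; supplying the alternate domain and the exception pair leaves only the missing PTR and the orphaned PTR.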
AUTHORS
Originally developed by Michael Fuhr (mfuhr@dimensional.com) and hacked--with furor--by Dennis Glatting (dennis.glatting@software-munitions.com).
"-a" and "-e" options added by Paul Archer
SEE ALSO
perl(1), axfr, check_soa, mx, perldig, Net::DNS
BUGS
A query for an A RR against a name that is a CNAME may not follow the CNAME to an A RR.
There isn't a mechanism to ensure records are returned from an authoritative source.
There appears to be a bug in the resolver AXFR routine where, if one server cannot be contacted, the routine doesn't try another in its list.