Validns is a standalone command line RFC 1034/1035 zone file validation tool that, in addition to basic syntactic and semantic zone checks, includes DNSSEC signature verification and NSEC/NSEC3 chain validation, as well a number of optional policy checks on the zone.
The utility was developed with the goal of it being the last verification step in the chain of production and publication of one or more zones containing up to many thousands (or millions) of signed records, making the speed of operation a primary focus, and reflect on validns’ design.
The utility is currently being used by several major DNS operators.
Currently, validns offers the following features:
- parse RFC 1035-compliant zone files (so called “BIND” file format)
- supports most of the standard record types
- informs the user precisely where and what the errors are
- verifies RRSIG signatures
- NSEC/NSEC3 chain validation
- supports signature validation in the future or in the past
- built-in policy checks