diff --git a/bin/check/named-checkzone.8 b/bin/check/named-checkzone.8
index e1c9fa3988..8e870d54eb 100644
--- a/bin/check/named-checkzone.8
+++ b/bin/check/named-checkzone.8
@@ -13,7 +13,7 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: named-checkzone.8,v 1.27 2005/05/13 03:14:03 marka Exp $
+.\" $Id: named-checkzone.8,v 1.28 2005/05/19 12:34:32 marka Exp $
 .\"
 .hy 0
 .ad l
@@ -41,7 +41,7 @@
 named-checkzone \- zone file validity checking tool
 .SH "SYNOPSIS"
 .HP 16
-\fBnamed\-checkzone\fR [\fB\-d\fR] [\fB\-j\fR] [\fB\-q\fR] [\fB\-v\fR] [\fB\-c\ \fIclass\fR\fR] [\fB\-k\ \fImode\fR\fR] [\fB\-n\ \fImode\fR\fR] [\fB\-o\ \fIfilename\fR\fR] [\fB\-t\ \fIdirectory\fR\fR] [\fB\-w\ \fIdirectory\fR\fR] [\fB\-D\fR] [\fB\-W\ \fImode\fR\fR] {zonename} (unknown)
+\fBnamed\-checkzone\fR [\fB\-d\fR] [\fB\-j\fR] [\fB\-q\fR] [\fB\-v\fR] [\fB\-c\ \fIclass\fR\fR] [\fB\-i\ \fImode\fR\fR] [\fB\-k\ \fImode\fR\fR] [\fB\-m\ \fImode\fR\fR] [\fB\-n\ \fImode\fR\fR] [\fB\-o\ \fIfilename\fR\fR] [\fB\-t\ \fIdirectory\fR\fR] [\fB\-w\ \fIdirectory\fR\fR] [\fB\-D\fR] [\fB\-W\ \fImode\fR\fR] {zonename} (unknown)
 .SH "DESCRIPTION"
 .PP
 \fBnamed\-checkzone\fR checks the syntax and integrity of a zone file\&. It performs the same checks as \fBnamed\fR does when loading a zone\&. This makes \fBnamed\-checkzone\fR useful for checking zone files before configuring them into a name server\&.
@@ -62,9 +62,19 @@ When loading the zone file read the journal if it exists\&.
 \-c \fIclass\fR
 Specify the class of the zone\&. If not specified "IN" is assumed\&.
 .TP
+\-i \fImode\fR
+Perform post load zone integrity checks\&. Possible modes are \fB"full"\fR (default), \fB"local"\fR and \fB"none"\fR\&.
+Mode \fB"full"\fR checks that MX records refer to A or AAAA record (both in\-zone and out\-of\-zone hostnames)\&. Mode \fB"local"\fR only checks MX records which refer to in\-zone hostnames\&.
+Mode \fB"full"\fR checks that SRV records refer to A or AAAA record (both in\-zone and out\-of\-zone hostnames)\&. Mode \fB"local"\fR only checks SRV records which refer to in\-zone hostnames\&.
+Mode \fB"full"\fR checks that delegation NS records refer to A or AAAA record (both in\-zone and out\-of\-zone hostnames)\&. It also checks that glue addresses records in the zone match those advertised by the child\&. Mode \fB"local"\fR only checks NS records which refer to in\-zone hostnames or that some required glue exists, that is when the nameserver is in a child zone\&.
+Mode \fB"none"\fR disables the checks\&.
+.TP
 \-k \fImode\fR
 Perform \fB"check\-name"\fR checks with the specified failure mode\&. Possible modes are \fB"fail"\fR, \fB"warn"\fR (default) and \fB"ignore"\fR\&.
 .TP
+\-m \fImode\fR
+Specify whether MX records should be checked to see if they are addresses\&. Possible modes are \fB"fail"\fR, \fB"warn"\fR (default) and \fB"ignore"\fR\&.
+.TP
 \-n \fImode\fR
 Specify whether NS records should be checked to see if they are addresses\&. Possible modes are \fB"fail"\fR, \fB"warn"\fR (default) and \fB"ignore"\fR\&.
 .TP
diff --git a/bin/check/named-checkzone.html b/bin/check/named-checkzone.html
index 6c539791e2..2246b1c628 100644
--- a/bin/check/named-checkzone.html
+++ b/bin/check/named-checkzone.html
@@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - +
@@ -29,10 +29,10 @@named-checkzone [-d] [-j] [-q] [-v] [-c ] [class-k ] [mode-n ] [mode-o ] [filename-t ] [directory-w ] [directory-D] [-W ] {zonename} (unknown)mode
named-checkzone [-d] [-j] [-q] [-v] [-c ] [class-i ] [mode-k ] [mode-m ] [mode-n ] [mode-o ] [filename-t ] [directory-w ] [directory-D] [-W ] {zonename} (unknown)mode
named-checkzone checks the syntax and integrity of a zone file. It performs the same checks as named does when loading a
@@ -41,7 +41,7 @@
@@ -64,6 +64,39 @@
Specify the class of the zone. If not specified "IN" is assumed.
mode+ Perform post load zone integrity checks. Possible modes are + "full" (default), + "local" and + "none". +
++ Mode "full" checks that MX records + refer to A or AAAA record (both in-zone and out-of-zone + hostnames). Mode "local" only + checks MX records which refer to in-zone hostnames. +
++ Mode "full" checks that SRV records + refer to A or AAAA record (both in-zone and out-of-zone + hostnames). Mode "local" only + checks SRV records which refer to in-zone hostnames. +
++ Mode "full" checks that delegation NS + records refer to A or AAAA record (both in-zone and out-of-zone + hostnames). It also checks that glue addresses records + in the zone match those advertised by the child. + Mode "local" only checks NS records which + refer to in-zone hostnames or that some required glue exists, + that is when the nameserver is in a child zone. +
++ Mode "none" disables the checks. +
+modePerform "check-name" checks with
@@ -72,6 +105,13 @@ "warn" (default) and "ignore".
mode+ Specify whether MX records should be checked to see if they + are addresses. Possible modes are "fail", + "warn" (default) and + "ignore". +
modeSpecify whether NS records should be checked to see if they
@@ -122,21 +162,21 @@
named-checkzone returns an exit status of 1 if errors were detected and 0 otherwise.
size_no_default;boolean;quoted_string;boolean; // not yet implementedstring;
view string optional_class {
match-clients { address_match_element; ... };
@@ -342,6 +344,8 @@ view
max-cache-size size_no_default;
check-names ( master | slave | response )
( fail | warn | ignore );
+ check-mx ( fail | warn | ignore );
+ integrity-check boolean;
cache-file quoted_string;
suppress-initial-notify boolean; // not yet implemented
preferred-glue string;
@@ -413,7 +417,7 @@ view
zone string optional_class {
type ( master | slave | stub | hint |
@@ -429,6 +433,8 @@ zone
database string;
delegation-only boolean;
check-names ( fail | warn | ignore );
+ check-mx ( fail | warn | ignore );
+ integrity-check boolean;
dialup dialuptype;
ixfr-from-differences boolean;
journal quoted_string;
@@ -491,12 +497,12 @@ zone
named(8), rndc(8), BIND 9 Administrator Reference Manual.
diff --git a/doc/arm/Bv9ARM.ch06.html b/doc/arm/Bv9ARM.ch06.html
index d2faab1a1c..0ef364eeac 100644
--- a/doc/arm/Bv9ARM.ch06.html
+++ b/doc/arm/Bv9ARM.ch06.html
@@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - +
@@ -77,23 +77,23 @@ip_addr [port ip_port] ; [ ip_addr [port ip_port] ; ... ] }; ]
[ dual-stack-servers [port ip_port] { ( domain_name [port ip_port] | ip_addr [port ip_port] ) ; ... }; ]
[ check-names ( master | slave | response )( warn | fail | ignore ); ]
+ [ check-mx ( warn | fail | ignore ); ]
[ check-wildcard yes_or_no; ]
+ [ integrity-checks yes_or_no; ]
[ allow-notify { address_match_list }; ]
[ allow-query { address_match_list }; ]
[ allow-query-cache { address_match_list }; ]
@@ -2657,6 +2659,13 @@ options {
IN-ADDR.ARPA, IP6.ARPA, IP6.INT).
++ Check whether the MX record appears to refer to a IP address. + The default is to warn. Other possible + values are fail and + ignore. +
This option is used to check for non-terminal wildcards.
@@ -2667,11 +2676,24 @@ options { affects master zones. The default (yes) is to check for non-terminal wildcards and issue a warning.
+ Perform post load zone integrity checks on master + zones. This checks that MX and SRV records refer + to address (A or AAAA) records and that glue + address records exist for delegated zones. For + MX and SRV records only in-zone hostnames are + checked (for out-of-zone hostnames use named-checkzone). + For NS records only names below top of zone are + checked (for out-of-zone names and glue consistancy + checks use named-checkzone). The default is + yes. +
The forwarding facility can be used to create a large site-wide cache on a few servers, reducing traffic over links to external
@@ -2715,7 +2737,7 @@ options {
Dual-stack servers are used as servers of last resort to work around
@@ -2880,7 +2902,7 @@ options {
The interfaces and ports that the server will answer queries from may be specified using the listen-on option. listen-on takes
@@ -2960,7 +2982,7 @@ listen-on-v6 port 1234 { !2001:db8::/32; any; };
If the server doesn't know the answer to a question, it will query other name servers. query-source specifies
@@ -3204,7 +3226,7 @@ query-source-v6 address * port *;
avoid-v4-udp-ports and avoid-v6-udp-ports specify a list of IPv4 and IPv6 UDP ports that will not be used as system
@@ -3218,7 +3240,7 @@ query-source-v6 address * port *;
The server's usage of many system resources can be limited. Scaled values are allowed when specifying resource limits. For
@@ -3278,7 +3300,7 @@ query-source-v6 address * port *;
The following options set limits on the server's resource consumption that are enforced internally by the
@@ -3357,7 +3379,7 @@ query-source-v6 address * port *;
@@ -4181,7 +4203,7 @@ query-source-v6 address * port *;
trusted-keys {
string number number number string ;
[ string number number number string ; [...]]
@@ -4190,7 +4212,7 @@ query-source-v6 address * port *;
The trusted-keys statement defines
@@ -4229,7 +4251,7 @@ query-source-v6 address * port *;
The view statement is a powerful
new feature
@@ -4359,7 +4381,9 @@ view "external" {
[ allow-update-forwarding { address_match_list } ; ]
[ also-notify { ip_addr [port ip_port] ; [ ip_addr [port ip_port] ; ... ] }; ]
[ check-names (warn|fail|ignore) ; ]
+ [ check-mx (warn|fail|ignore) ; ]
[ check-wildcard yes_or_no; ]
+ [ integrity-checks yes_or_no ; ]
[ dialup dialup_option ; ]
[ delegation-only yes_or_no ; ]
[ file string ; ]
@@ -4399,10 +4423,10 @@ view "external" {
@@ -4611,7 +4635,7 @@ view "external" {
The zone's name may optionally be followed by a class. If
a class is not specified, class IN (for Internet),
@@ -4633,7 +4657,7 @@ view "external" {
- journal
@@ -4700,11 +4724,21 @@ view "external" {
network. The default varies according to zone type. For master zones the default is fail. For slave
zones the default is warn.
+- check-mx
+
+ See the description of
+ check-mx in the section called “Boolean Options”.
+
- check-wildcard
See the description of
check-wildcard in the section called “Boolean Options”.
+- integrity-check
+
+ See the description of
+ integrity-check in the section called “Boolean Options”.
+
- database
-
@@ -5057,7 +5091,7 @@ view "external" {
@@ -5070,7 +5104,7 @@ view "external" {
A domain name identifies a node. Each node has a set of
resource information, which may be empty. The set of resource
@@ -5659,7 +5693,7 @@ view "external" {
RRs are represented in binary form in the packets of the DNS
protocol, and are usually represented in highly encoded form
@@ -5866,7 +5900,7 @@ view "external" {
As described above, domain servers store information as a
series of resource records, each of which contains a particular
@@ -6123,7 +6157,7 @@ view "external" {
Reverse name resolution (that is, translation from IP address
to name) is achieved by means of the in-addr.arpa domain
@@ -6184,7 +6218,7 @@ view "external" {
The Master File Format was initially defined in RFC 1035 and
has subsequently been extended. While the Master File Format
@@ -6199,7 +6233,7 @@ view "external" {
Syntax: $ORIGIN
domain-name
@@ -6227,7 +6261,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.
Syntax: $INCLUDE
filename
@@ -6263,7 +6297,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.
Syntax: $TTL
default-ttl
@@ -6282,7 +6316,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.
Syntax: $GENERATE
range
diff --git a/doc/arm/Bv9ARM.ch07.html b/doc/arm/Bv9ARM.ch07.html
index 9feb625b7a..852a6b9c05 100644
--- a/doc/arm/Bv9ARM.ch07.html
+++ b/doc/arm/Bv9ARM.ch07.html
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-
+
@@ -46,11 +46,11 @@
Table of Contents
- Access Control Lists
-- chroot and setuid (for
+
- chroot and setuid (for
UNIX servers)
- Dynamic Update Security
@@ -114,7 +114,7 @@ zone "example.com" {
On UNIX servers, it is possible to run BIND in a chrooted environment
@@ -138,7 +138,7 @@ zone "example.com" {
In order for a chroot() environment
to
@@ -166,7 +166,7 @@ zone "example.com" {
Prior to running the named daemon,
use
diff --git a/doc/arm/Bv9ARM.ch08.html b/doc/arm/Bv9ARM.ch08.html
index 0b4a39d2ff..4a18eb8b3e 100644
--- a/doc/arm/Bv9ARM.ch08.html
+++ b/doc/arm/Bv9ARM.ch08.html
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-
+
@@ -45,18 +45,18 @@
Table of Contents
The best solution to solving installation and
configuration issues is to take preventative measures by setting
@@ -68,7 +68,7 @@
Zone serial numbers are just numbers-they aren't date
related. A lot of people set them to a number that represents a
@@ -95,7 +95,7 @@
The Internet Software Consortium
(ISC) offers a wide range
diff --git a/doc/arm/Bv9ARM.ch09.html b/doc/arm/Bv9ARM.ch09.html
index da5b133759..d9ac4ff086 100644
--- a/doc/arm/Bv9ARM.ch09.html
+++ b/doc/arm/Bv9ARM.ch09.html
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-
+
@@ -43,24 +43,24 @@
Table of Contents
Although the "official" beginning of the Domain Name
System occurred in 1984 with the publication of RFC 920, the
@@ -469,7 +469,7 @@
Standards
[RFC974] Mail Routing and the Domain System. January 1986.
@@ -592,11 +592,11 @@
DNS and BIND. Copyright © 1998 Sebastopol, CA: O'Reilly and Associates.
diff --git a/doc/arm/Bv9ARM.html b/doc/arm/Bv9ARM.html
index 3d12b1f6c3..f1b167fc49 100644
--- a/doc/arm/Bv9ARM.html
+++ b/doc/arm/Bv9ARM.html
@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-
+
@@ -155,54 +155,54 @@
server Statement Grammar
server Statement Definition and
Usage
-trusted-keys Statement Grammar
-trusted-keys Statement Definition
+trusted-keys Statement Grammar
+trusted-keys Statement Definition
and Usage
view Statement Grammar
-view Statement Definition and Usage
+view Statement Definition and Usage
zone
Statement Grammar
-zone Statement Definition and Usage
+zone Statement Definition and Usage
-Zone File
+Zone File
- Types of Resource Records and When to Use Them
-- Discussion of MX Records
+- Discussion of MX Records
- Setting TTLs
-- Inverse Mapping in IPv4
-- Other Zone File Directives
-- BIND Master File Extension: the $GENERATE Directive
+- Inverse Mapping in IPv4
+- Other Zone File Directives
+- BIND Master File Extension: the $GENERATE Directive
7. BIND 9 Security Considerations
8. Troubleshooting
A. Appendices
diff --git a/doc/misc/options b/doc/misc/options
index c2bb164383..16ff3398ac 100644
--- a/doc/misc/options
+++ b/doc/misc/options
@@ -129,6 +129,8 @@ options {
zone-statistics ;
key-directory ;
check-wildcard ;
+ integrity-check ;
+ check-mx ( fail | warn | ignore );
};
controls {
@@ -224,6 +226,8 @@ view {
zone-statistics ;
key-directory ;
check-wildcard ;
+ integrity-check ;
+ check-mx ( fail | warn | ignore );
};
server {
bogus ;
@@ -320,6 +324,8 @@ view {
zone-statistics ;
key-directory ;
check-wildcard ;
+ integrity-check ;
+ check-mx ( fail | warn | ignore );
};
lwres {
@@ -388,6 +394,8 @@ zone {
zone-statistics ;
key-directory ;
check-wildcard ;
+ integrity-check ;
+ check-mx ( fail | warn | ignore );
};
server {