[dns-operations] Announcing the availability of 'validns', a DNS and DNSSEC zone file validator
Anton Berezin
tobez at tobez.org
Mon May 16 14:14:23 UTC 2011
I would like to announce the availability of 'validns'.
It is suitable for validating DNS/DNSSEC zone files. So far it has been
tested with zones in the single-digit millions of records, with DNSSEC.
Major features:
- can parse most RFC 1035-compliant zone files;
- supports most of the standard record types;
- does not stop at the first validation error unless instructed to do so;
- informs the user precisely where and what the errors are;
- if requested, provides validation statistics summary;
- verifies RRSIG signatures;
- does NSEC/NSEC3 validation;
- supports signature validation in the future or in the past;
- supports a small number of optional policy checks
For an idea of the performance, here are the statistics for two
delegation-centric TLD zones, gathered on a Core i7 2.6 GHz
FreeBSD amd64 host (single threaded):
                          TLD1        TLD2
records found:         4166839     4348244
record sets found:     2153600     1974169
unique names found:    1809158     1974131
delegations found:     1121268     1966673
nsec3 records:          343333          17
signatures verified:    515276          37
time taken:            50.009s      7.720s
RAM used:              ~950 MB     ~700 MB
Note that the performance falls with many signatures, but there's work being
done to address this, too.
There is no version release yet, as there are still a number of improvements
to be made:
- (better) user documentation;
- finish implementing support for all standard record types;
- support for non-standard record types;
- multithreaded support;
Possible future directions:
- separate policy validation engine using LUA;
- GPU crypto offload
For now, grab it from github at https://github.com/tobez/validns
Cheers,
\Anton.
--
Our society can survive even a large amount of irrational regulation.
-- John McCarthy