[dns-operations] Alternatives to ldns-verify-zone

Wessels, Duane dwessels at verisign.com
Thu Sep 22 15:22:18 UTC 2016

> On Sep 22, 2016, at 2:18 AM, Abdulkareem H. Ali <kareem.ali at centralnic.com> wrote:
> Hi Everyone,
> We've been using ldns-verify-zone to check and validate our zones
> including DNSSEC validation. It's a great tool and we've been using it
> for years, but the latest stable release is Jan/2014.
> I'm wondering if anyone would recommend any other tool that can
> verify/validate zones and be fully DNSSEC aware that might be good to
> use alongside ldns-verify-zone?

Hi Kareem,

You and others might be interested in YAZVS — Yet Another Zone Validation Script.

yazvs.pl is one of the utilities that Verisign uses daily to validate new versions of the root and arpa zones before they are published to the distribution masters.

It performs the following steps:

	• Read a candidate zone file from disk
	• Validate KSKs using a locally configured trust anchor
	• Validate ZSKs using KSKs
	• Validate RRSIGs using ZSKs
	• Retrieve the current zone data via AXFR
	• Print a summary of the number of KSKs, ZSKs, DS, and RRSIG records that have changed
	• Optionally produce a Unix diff of the two zones, excluding RRSIG/NSEC/NSEC3 records
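
The last two steps in the list above (the change summary and the diff that leaves out RRSIG/NSEC/NSEC3), sketched in Python as an added example; this is not part of the original message and not yazvs.pl's code. It assumes both zones are already fully expanded, one record per line as `owner TTL class type rdata`; the function names and the sample records are made up for illustration, and no signature validation is performed.

```python
import difflib
from collections import Counter

SKIP_IN_DIFF = {"RRSIG", "NSEC", "NSEC3"}  # left out of the diff, per the message

def parse_zone(text):
    """Parse 'owner TTL class type rdata' lines into a set of (owner, type, rdata)."""
    records = set()
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(";"):
            owner, _ttl, _cls, rtype, rdata = line.split(None, 4)
            records.add((owner.lower(), rtype.upper(), rdata))
    return records

def category(rtype, rdata):
    """Summary bucket; DNSKEY flags with the SEP bit (257) count as KSK, else ZSK."""
    if rtype == "DNSKEY":
        return "KSK" if int(rdata.split()[0]) & 1 else "ZSK"
    return rtype if rtype in ("DS", "RRSIG") else None

def summarize(candidate, current):
    """Return {bucket: (added, removed)} going from current to candidate."""
    added = Counter(category(t, r) for _, t, r in candidate - current)
    removed = Counter(category(t, r) for _, t, r in current - candidate)
    return {c: (added[c], removed[c]) for c in ("KSK", "ZSK", "DS", "RRSIG")}

def zone_diff(candidate, current):
    """Unified diff of the two zones without RRSIG/NSEC/NSEC3 records."""
    def lines(zone):
        return sorted(f"{o} {t} {r}" for o, t, r in zone if t not in SKIP_IN_DIFF)
    return list(difflib.unified_diff(lines(current), lines(candidate),
                                     "current", "candidate", lineterm=""))

# Constructed sample zones (placeholder key and signature data, not real records).
CURRENT = """\
example. 3600 IN DNSKEY 257 3 8 KSK1placeholder
example. 3600 IN DNSKEY 256 3 8 ZSK1placeholder
example. 3600 IN RRSIG DNSKEY 8 1 3600 20161001000000 20160921000000 1111 example. SIG1
"""
CANDIDATE = """\
example. 3600 IN DNSKEY 257 3 8 KSK1placeholder
example. 3600 IN DNSKEY 256 3 8 ZSK2placeholder
example. 3600 IN RRSIG DNSKEY 8 1 3600 20161002000000 20160922000000 2222 example. SIG2
child.example. 3600 IN DS 23456 8 2 DIGESTplaceholder
"""

if __name__ == "__main__":
    cur, cand = parse_zone(CURRENT), parse_zone(CANDIDATE)
    print(summarize(cand, cur), *zone_diff(cand, cur), sep="\n")
```

An unexpected KSK or DS change in the summary is the kind of result that should hold a candidate zone back from publication until someone has looked at it.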


