[dns-operations] Alternatives to ldns-verify-zone
Peter van Dijk
peter.van.dijk at powerdns.com
Fri Sep 23 08:25:23 UTC 2016
Hello Kareem,
On 22 Sep 2016, at 11:18, Abdulkareem H. Ali wrote:
> We've been using ldns-verify-zone to check and validate our zones
> including DNSSEC validation. It's a great tool and we've been using it
> for years, but the latest stable release is Jan/2014.
>
> I'm wondering if anyone would recommend any other tool that can
> verify/validate zones and be fully DNSSEC aware that might be good to
> use alongside ldns-verify-zone?
I’ve had useful results from:
- ldns-verify-zone -V2 $TFILE
- validns $TFILE
- jdnssec-verifyzone $TFILE
- named-checkzone -i local $zone $TFILE | grep -v 'addnode: NSEC node already exists'
[this assumes TFILE=$(mktemp tmp.XXXXXXXXXX); drill -p $port axfr $zone @$nameserver | ldns-read-zone -z > $TFILE]
We run these tools after every PowerDNS commit to confirm that our
signed output is correct. (Although currently we skip validns and
jdnssec because they do not support ECDSA yet).
A tip from experience: if you get weird failures (I think
ldns-verify-zone calls them ‘memory error’ or something, not sure
any of the other tools needed help), pre-process your zone with
‘ldns-read-zone -z’, as above. I don’t know why ldns-read-zone can
fix a file that verify-zone cannot parse, but this is my experience.
I have not looked at YAVZS or kzonecheck yet.
Kind regards,
--
Peter van Dijk
PowerDNS.COM BV - https://www.powerdns.com/
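The AXFR-and-normalise step plus the four verifiers from the reply above, as an added example script that is not code from the post or from PowerDNS. It assumes drill, ldns-read-zone and the verifiers are on PATH, and it writes each tool's output to a file before applying the grep filter, so a pipeline like `named-checkzone ... | grep -v ...` cannot mask the verifier's exit status.

```shell
#!/bin/sh
# Added example (not from the post): fetch a zone by AXFR, normalise it with
# ldns-read-zone -z, then run each verifier from the post that is installed.
# Assumes drill, ldns-read-zone and the verifiers are on PATH.
set -u

# Drop the benign named-checkzone warning the post filters out; keep everything else.
filter_checkzone() {
    grep -v 'addnode: NSEC node already exists' || true
}

# AXFR the zone ($1) from nameserver $2 on port $3 and normalise it into file $4.
fetch_zone() {
    drill -p "$3" axfr "$1" "@$2" | ldns-read-zone -z > "$4"
}

# Run one verifier. Returns 0 = pass, 1 = fail, 2 = tool not installed.
# Output goes through a temp file so the grep filter cannot hide the exit status.
run_check() {
    tool=$1; shift
    command -v "$tool" >/dev/null 2>&1 || { echo "SKIP $tool (not installed)"; return 2; }
    log=$(mktemp "${TMPDIR:-/tmp}/zonecheck.XXXXXXXXXX"); rc=0
    "$tool" "$@" > "$log" 2>&1 || rc=$?
    filter_checkzone < "$log"; rm -f "$log"
    if [ "$rc" -eq 0 ]; then echo "PASS $tool"; return 0; fi
    echo "FAIL $tool (exit $rc)"; return 1
}

# Count a real failure (exit 1) in $failures; skipped tools (exit 2) do not count.
tally() {
    rc=0; run_check "$@" || rc=$?
    [ "$rc" -eq 1 ] && failures=$((failures + 1))
    return 0
}

# Run every verifier from the post against zone $1 in file $2; return the failure count.
# Per the post, validns and jdnssec-verifyzone do not understand ECDSA-signed zones.
verify_all() {
    failures=0
    tally ldns-verify-zone -V2 "$2"
    tally validns "$2"
    tally jdnssec-verifyzone "$2"
    tally named-checkzone -i local "$1" "$2"
    return "$failures"
}

# Usage: zonecheck.sh ZONE NAMESERVER PORT  (exit status = number of failing verifiers)
if [ $# -eq 3 ]; then
    TFILE=$(mktemp "${TMPDIR:-/tmp}/zone.XXXXXXXXXX")
    fetch_zone "$1" "$2" "$3" "$TFILE"
    rc=0; verify_all "$1" "$TFILE" || rc=$?
    rm -f "$TFILE"; exit "$rc"
fi
```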