check_zone - Check a DNS zone for errors


check_zone [ -r ][ -v ] domain [ class ]


Checks a DNS zone for errors. Current checks are:

  • Checks the domain's SOA from each of the domain's name servers. The SOA serial numbers should match. This program's output cannot be trusted if they do not.

  • Tries to perform an AXFR from each of the domain's name servers. This test helps to detect whether the name server is blocking AXFR.

  • Checks that all A records have corresponding PTR records. For each A record, the PTR's name is checked for a match.

  • Checks that all PTR records match an A record (sometimes they match a CNAME). Checks the PTR's name against the A record.

  • Checks that hosts listed in NS, MX, and CNAME records have A records. Also checks that NS and CNAME records do not point to another CNAME (i.e., they must resolve directly to an A record). That test may be somewhat controversial because, in many cases, an MX to a CNAME or a CNAME to another CNAME will resolve; however, in DNS circles it isn't a recommended practice.

  • Checks that each record processed is of the requested class. This is an internal integrity check.



-r

Perform a recursive check on subdomains.



-a alternate_domain

Treat <alternate_domain> as equal to <domain>. This is useful when supporting a change of domain names (e.g., from myolddomain.example.net to mynewdomain.example.net) where the PTR records can point to only one of the two supported domains (which are otherwise identical).

-e exception_file

Ignore exceptions in file <exception_file>. File format can be space-separated domain pairs, one pair per line, or it can be straight output from this program itself (for simple cut-and-paste functionality). This allows for skipping entries that are odd or unusual, but not causing problems. Note: this only works with A - PTR checks.
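The A - PTR check and the effect of "-a" and "-e" on it, as an added Python example that is not check_zone's own code. It runs offline over constructed records; the helper names, the finding labels and the order of the two names in an exception pair (A name, then PTR name) are assumptions, and only the space-separated pair format is parsed.

```python
import ipaddress

def norm(name):
    return name.rstrip(".").lower()  # lower-case, no trailing dot

def to_primary(name, domain, alternate):
    """-a idea: map a name under `alternate` onto `domain` before comparing."""
    if alternate and (name == alternate or name.endswith("." + alternate)):
        return name[: len(name) - len(alternate)] + domain
    return name

def parse_exceptions(text):
    """-e idea: 'name name' pairs, one per line (assumed order: A name, PTR name)."""
    rows = (line.split() for line in text.splitlines())
    return {(norm(r[0]), norm(r[1])) for r in rows if len(r) == 2}

def check_a_ptr(a_records, ptr_records, domain, alternate=None, exceptions=()):
    """Return (kind, a_name, detail) findings for the A -> PTR check."""
    domain, alternate = norm(domain), norm(alternate or "")
    ptr = {norm(k): norm(v) for k, v in ptr_records.items()}
    findings = []
    for name, addr in a_records:
        name = norm(name)
        rev = ipaddress.ip_address(addr).reverse_pointer
        target = ptr.get(rev)
        if target is None:
            findings.append(("missing-ptr", name, rev))
        elif (name, target) in exceptions:
            continue  # known oddity listed in the exception file
        elif to_primary(target, domain, alternate) != to_primary(name, domain, alternate):
            findings.append(("ptr-mismatch", name, target))
    return findings

# Constructed sample data (192.0.2.0/24 is a documentation range).
DOMAIN = "mynewdomain.example.net"
A_RECORDS = [
    ("www.mynewdomain.example.net.", "192.0.2.10"),
    ("mail.mynewdomain.example.net.", "192.0.2.25"),
    ("db.mynewdomain.example.net.", "192.0.2.99"),
]
PTR_RECORDS = {
    "10.2.0.192.in-addr.arpa.": "www.myolddomain.example.net.",
    "25.2.0.192.in-addr.arpa.": "mx-out.mynewdomain.example.net.",
}
EXCEPTIONS = "mail.mynewdomain.example.net mx-out.mynewdomain.example.net\n"
if __name__ == "__main__":
    exc = parse_exceptions(EXCEPTIONS)
    for f in check_a_ptr(A_RECORDS, PTR_RECORDS, DOMAIN, "myolddomain.example.net", exc):
        print(*f)
```

Without the alternate domain and exception pairs, the same data yields two PTR mismatches in addition to the missing PTR, which shows how much each option suppresses.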


Originally developed by Michael Fuhr (mfuhr@dimensional.com) and hacked--with furor--by Dennis Glatting (dennis.glatting@software-munitions.com).

"-a" and "-e" options added by Paul Archer



perl(1), axfr, check_soa, mx, perldig, Net::DNS


A query for an A RR against a name that is a CNAME may not follow the CNAME to an A RR.

There isn't a mechanism to ensure records are returned from an authoritative source.

There appears to be a bug in the resolver AXFR routine where, if one server cannot be contacted, the routine doesn't try another in its list.

