nslint(8) nslint(8)
20 March 2001
NAME
nslint - perform consistency checks on dns files
SYNOPSIS
nslint [ -d ] [ -b named.boot ] [ -B nslint.boot ]
nslint [ -d ] [ -c named.conf ] [ -C nslint.conf ]
DESCRIPTION
Nslint reads the nameserver configuration files and performs a number
of consistency checks on the dns records. If any problems are
discovered, error messages are displayed on stderr and nslint exits
with a non-zero status. Here is a short list of errors nslint
detects:
Records that are malformed.
Names that contain dots but are missing a trailing dot.
PTR records with names that are missing a trailing dot.
Names that contain illegal characters (rfc1034).
A records without matching PTR records
PTR records without matching A records
Names with more than one address on the same subnet.
Addresses in use by more than one name.
Names with CNAME and other records (rfc1033).
Unknown service and/or protocol keywords in WKS records.
Missing quotes.
OPTIONS
-b Specify an alternate named.boot file. The default is
/etc/named.boot.
-c Specify an alternate named.conf file. The default is
/etc/named.conf.
-B Specify an alternate nslint.boot file. The default is nslint.boot
in the last directory line processed in named.boot (or the
current working directory). This file is processed like a second
named.boot. The most common use is to tell nslint about A
records that match PTR records that point outside the domains
listed in named.boot.
- 1 - Formatted: May 23, 2012
nslint(8) nslint(8)
20 March 2001
-C Specify an alternate nslint.conf file. The default is nslint.conf
in the last directory line processed in named.conf (or the
current working directory). This file is processed like a second
named.conf.
-d Raise the debugging level. Debugging information is displayed on
stdout. Nslint knows how to read old style named.boot and BIND
8's new named.conf files. If both files exist, nslint will prefer
named.conf (on the theory that you forgot to delete named.boot
when you upgraded to BIND 8).
ADVANCED CONFIGURATION
There are some cases where it is necessary to use the advanced
configuration features of nslint. Advanced configuration is done with
the nslint.boot file. The most common is when a site has a
demilitarized zone (DMZ). The problem here is that the DMZ network
will have PTR records for hosts outside its domain. For example lets
say we have 128.0.rev with:
1.1 604800 in ptr gateway.lbl.gov.
2.1 604800 in ptr gateway.es.net.
Obviously we will define an A record for gateway.lbl.gov pointing to
128.0.1.1 but we will get errors because there is no A record defined
for gateway.es.net. The solution is to create a nslint.boot file (in
the same directory as the other dns files) with:
primary es.net nslint.es.net
And then create the file nslint.es.net with:
gateway 1 in a 128.0.1.2
Another problem occurs when there is a CNAME that points to a host
outside the local domains. Let's say we have info.lbl.gov pointing to
larry.es.net:
info 604800 in cname larry.es.net.
In this case we would need:
primary es.net nslint.es.net
in nslint.boot and:
larry 1 in txt "place holder"
nslint.es.net. One last problem when a pseudo host is setup to allow
two more more actual hosts provide a service. For, let's say that
lbl.gov contains:
server 604800 in a 128.0.6.6
server 604800 in a 128.0.6.94
;
tom 604800 in a 128.0.6.6
tom 604800 in mx 0 lbl.gov.
;
- 2 - Formatted: May 23, 2012
nslint(8) nslint(8)
20 March 2001
jerry 604800 in a 128.0.6.94
jerry 604800 in mx 0 lbl.gov.
In this case nslint would complain about missing PTR records and ip
addresses in use by more than one host. To suppress these warnings,
add you would the lines:
primary lbl.gov nslint.lbl.gov
primary 0.128.in-addr.arpa nslint.128.0.rev
to nslint.boot and create nslint.lbl.gov with:
server 1 in allowdupa 128.0.6.6
server 1 in allowdupa 128.0.6.94
and create nslint.128.0.rev with:
6.6 604800 in ptr server.lbl.gov.
94.6 604800 in ptr server.lbl.gov.
In this example, the allowdupa keyword tells nslint that it's ok for
128.0.6.6 and 128.0.6.94 to be shared by server.lbl.gov, tom.lbl.gov,
and jerry.lbl.gov. One last nslint feature helps detect hosts that
have mistakenly had two ip addresses assigned on the same subnet. This
can happen when two different people request an ip address for the
same hostname or when someone forgets an address has been assigned and
requests a new number. To detect such A records, add a nslint section
to your nslint.conf containing something similar to:
nslint {
network "128.0.6/22";
network "128.0.6 255.255.252.0";
};
The two network lines in this example are equivalent ways of saying
the same thing; that subnet 128.0.6 has a 22 bit wide subnet mask. If
you are using nslint.boot, the syntax would be:
network 128.0.6/22
network 128.0.6 255.255.252.0
Again this shows two ways of saying the same thing. Using information
from the above network statement, nslint would would flag the
following A records as being in error:
server 1 in a 128.0.6.48
server 1 in a 128.0.7.16
Note that if you specify any network lines in your nslint.conf or
nslint.boot files, nslint requires you to include lines for all
networks; otherwise you might forget to add network lines for new
networks.
FILES
/etc/named.boot - default named configuration file
nslint.boot - default nslint configuration file
- 3 - Formatted: May 23, 2012
nslint(8) nslint(8)
20 March 2001
SEE ALSO
named(8), rfc1033, rfc1034
AUTHOR
Craig Leres of the Lawrence Berkeley National Laboratory, University
of California, Berkeley, CA. The current version is available via
anonymous ftp:
ftp://ftp.ee.lbl.gov/nslint.tar.gz
BUGS
Please send bug reports to nslint@ee.lbl.gov. Not everyone is
guaranteed to agree with all the checks done.
- 4 - Formatted: May 23, 2012
|
