nslint(8) nslint(8)
2 May 2002
NAME
nslint - perform consistency checks on dns files
SYNOPSIS
nslint [ -d ] [ -c named.conf ] [ -C nslint.conf ]
nslint [ -d ] [ -b named.boot ] [ -B nslint.boot ]
DESCRIPTION
Nslint reads the nameserver configuration files and performs a number
of consistency checks on the dns records. If any problems are
discovered, error messages are displayed on stderr and nslint exits
with a non-zero status. Here is a partial list of errors nslint
detects:
Records that are malformed.
Names that contain dots but are missing a trailing dot.
PTR records with names that are missing a trailing dot.
Names that contain illegal characters (rfc1034).
A records without matching PTR records
PTR records without matching A records
Names with more than one address on the same subnet.
Addresses in use by more than one name.
Names with CNAME and other records (rfc1033).
Unknown service and/or protocol keywords in WKS records.
Missing semicolons and quotes.
OPTIONS
-b Specify an alternate named.boot file. The default is
/etc/named.boot.
-c Specify an alternate named.conf file. The default is
/etc/named.conf.
-B Specify an alternate nslint.boot file. The default is nslint.boot
in the last directory line processed in named.boot (or the
current working directory). This file is processed like a second
named.boot. The most common use is to tell nslint about A
records that match PTR records that point outside the domains
listed in named.boot.
- 1 - Formatted: April 23, 2024
nslint(8) nslint(8)
2 May 2002
-C Specify an alternate nslint.conf file. The default is nslint.conf
in the last directory line processed in named.conf (or the
current working directory). This file is processed like a second
named.conf.
-d Raise the debugging level. Debugging information is displayed on
stdout. Nslint knows how to read BIND 8 and 9's named.conf
configuration file and also older BIND's named.boot file. If both
files exist, nslint will prefer named.conf (on the theory that
you forgot to delete named.boot when you upgraded BIND).
ADVANCED CONFIGURATION
There are some cases where it is necessary to use the advanced
configuration features of nslint. Advanced configuration is done with
the nslint.conf file. (You can also use nslint.boot which has a syntax
similar to named.boot but is not described here.) The most common is
when a site has a demilitarized zone (DMZ). The problem here is that
the DMZ network will have PTR records for hosts outside its domain.
For example lets say we have 128.0.rev with:
1.1 604800 in ptr gateway.lbl.gov.
2.1 604800 in ptr gateway.es.net.
Obviously we will define an A record for gateway.lbl.gov pointing to
128.0.1.1 but we will get errors because there is no A record defined
for gateway.es.net. The solution is to create a nslint.conf file (in
the same directory as the other dns files) with:
zone "es.net" {
type master;
file "nslint.es.net";
};
And then create the file nslint.es.net with:
gateway 1 in a 128.0.1.2
Another problem occurs when there is a CNAME that points to a host
outside the local domains. Let's say we have info.lbl.gov pointing to
larry.es.net:
info 604800 in cname larry.es.net.
In this case we would need:
zone "es.net" {
type master;
file "nslint.es.net";
};
in nslint.boot and:
larry 1 in txt "place holder"
nslint.es.net. One last problem when a pseudo host is setup to allow
two more more actual hosts provide a service. For, let's say that
lbl.gov contains:
- 2 - Formatted: April 23, 2024
nslint(8) nslint(8)
2 May 2002
server 604800 in a 128.0.6.6
server 604800 in a 128.0.6.94
;
tom 604800 in a 128.0.6.6
tom 604800 in mx 0 lbl.gov.
;
jerry 604800 in a 128.0.6.94
jerry 604800 in mx 0 lbl.gov.
In this case nslint would complain about missing PTR records and ip
addresses in use by more than one host. To suppress these warnings,
add you would the lines:
zone "lbl.gov" {
type master;
file "nslint.lbl.gov";
};
zone "0.128.in-addr.arpa" {
type master;
file "nslint.128.0.rev";
};
to nslint.conf and create nslint.lbl.gov with:
server 1 in allowdupa 128.0.6.6
server 1 in allowdupa 128.0.6.94
and create nslint.128.0.rev with:
6.6 604800 in ptr server.lbl.gov.
94.6 604800 in ptr server.lbl.gov.
In this example, the allowdupa keyword tells nslint that it's ok for
128.0.6.6 and 128.0.6.94 to be shared by server.lbl.gov, tom.lbl.gov,
and jerry.lbl.gov. Another nslint feature helps detect hosts that
have mistakenly had two ip addresses assigned on the same subnet. This
can happen when two different people request an ip address for the
same hostname or when someone forgets an address has been assigned and
requests a new number. To detect such A records, add a nslint section
to your nslint.conf containing something similar to:
nslint {
network "128.0.6/22";
};
or:
nslint {
network "128.0.6 255.255.252.0";
};
These two examples are are equivalent ways of saying the same thing;
that subnet 128.0.6 has a 22 bit wide subnet mask. Using information
from the above network statement, nslint would would flag the
following A records as being in error:
server 1 in a 128.0.6.48
- 3 - Formatted: April 23, 2024
nslint(8) nslint(8)
2 May 2002
server 1 in a 128.0.7.16
Note that if you specify any network lines in your nslint.conf file,
nslint requires you to include lines for all networks; otherwise you
might forget to add network lines for new networks. Sometimes you
have a zone that nslint just can't deal with. A good example is a
dynamic dns zone. To handle this, you can add the following to
nslint.com:
nslint {
ignorezone "dhcp.lbl.gov";
};
This will suppress "name referenced without other records" warnings.
FILES
/etc/named.conf - default named configuration file
/etc/named.boot - old style named configuration file
nslint.conf - default nslint configuration file
nslint.boot - old style nslint configuration file
SEE ALSO
named(8), rfc1033, rfc1034
AUTHOR
Craig Leres of the Lawrence Berkeley National Laboratory, University
of California, Berkeley, CA. The current version is available via
anonymous ftp:
ftp://ftp.ee.lbl.gov/nslint.tar.gz
BUGS
Please send bug reports to nslint@ee.lbl.gov. Not everyone is
guaranteed to agree with all the checks done.
- 4 - Formatted: April 23, 2024
