Group :: Networking/DNS
RPM: dlint
Navigation
Main Changelog Spec Patches Sources Download Gear Bugs and FR Repocop
dlint1.4.1/�����������������������������������������������������������������������������������������0000755�0000000�0000000�00000000000�10774026274�0012561�5����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������dlint1.4.1/BUGS�������������������������������������������������������������������������������������0000644�0000000�0000000�00000003627�10774026274�0013254�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������ Known Bugs in Dlint 1.4.1
* Dlint reports error in some cases for when A rec's IP addr doesn't have a
PTR rec pointing back to the exact same name. This is not an error.
It should be a warning, at the most. Maybe make it optionally a warning.
There's many reasons now why people would want to use A recs with wrong
domain names.
* Dlint checks the reverse records on your local machine's default nameserver.
(Dlint 1.3.1 and earlier asked forward-query zone's nameserver).
Neither solution seems right to me, we should determine the list of
authoritative name servers for the reverse domain name to do the query.
However doing so would slot down Dlint a _lot_.
Example: if dlint is linting zone "bbb.com" and the nameserver is ns.bbb.com
and sees the record "aaa.bbb.com. IN A 1.2.3.4", it wants to check for a
PTR record from the IP back to the domain name - what nameserver should it
query to do that? We should really figure out the zone of 4.3.2.1.in-addr.arpa.
and find the nameservers from that, and query _them_ for the PTR record
rather than asking your local host. But this would be very slow.
* There is some redundancy in checking for the illegal "#" character
(using the wrong comment symbol in zone files): the A and PTR records
occasionally will be checked twice, and can generate errors twice
(all RRs are checked by TEST 2, then some RRs are checked again in TEST 3a
and TEST 3b).
OTHER REASONS DLINT MAY NOT WORK RIGHT
* Dlint doesn't work behind some firewalls - it needs to talk to a root
nameserver to get started.
* Dlint uses the zone transfer mechanism (AXFR), which some nameservers deny to
unauthorized hosts. If dlint is denied, it won't work. Some vendor's DNS servers
have the misconfiguration that when they don't want to answer AXFR queries,
they happily return zero records with no error message or exit code!
That is a bug that should be fixed.
---
���������������������������������������������������������������������������������������������������������dlint1.4.1/CHANGES����������������������������������������������������������������������������������0000644�0000000�0000000�00000010632�10774026274�0013556�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������ DLINT VERSION CHANGE LIST
Version 1.4.1 released June 10, 2007
* Changed arg syntax of "tail" and "sort", for wider platform support.
Previous syntax did not work properly on Fedora and related Linux platforms.
[bugs & fixes reported by Chris Stokes <chrisstokes@comcast.net>]
Version 1.4.0 released November 19, 2000
* Added support for BIND 9 (Dig 9.0.1).
Version 1.3.4 released July 1, 2000
* Fixed exit status on 2 warning messages and 1 error message.
[bug reported by Jens Schweikhardt <schweikh@noc.dfn.de>]
Version 1.3.3 released August 16, 1999
* Bug fix: grep -v changed to grep -iv (compare domains caselessly).
[fix submitted by Aurobindo Sundaram]
* Bug fix: nameservers now sorted in SOA serial number order, largest first.
This way you can dlint the primary server immediately after making changes
to it (previously had to wait for secondaries to do their update).
[suggested by don@mars.dgrc.crc.ca (Donald McLachlan)]
* Optimization: if any nameserver does not return an SOA record in Test 1,
it is removed from the list of nameservers and a warning is reported.
This way dlint won't use broken nameservers during the rest of the run.
* Sanity check domain names of nameservers themselves: any nameserver with
in-addr.arpa. in its name generates a warning and is skipped.
[suggested by don@mars.dgrc.crc.ca (Donald McLachlan)]
* Message about using CNAMEs instead of A RRs except for name servers
now mentions MX hosts (mail servers) too, as hosts not to use CNAMEs.
[thanks to Domain Admin <domain@uni2.dk>]
Version 1.3.2 released September 26, 1998
* Bug fix: when looking up reverse domain name or IP, use default nameserver
instead of specifying the zone nameserver, because there's a good chance
it's served by some other nameserver.
* Bug fix: two WARNING situations didn't set the proper exit code.
* Bug fix: digparse didn't always handle "@" correctly in regular RRs
when using DiG 8.1.
* Bug fix: signal interrupt handler now forces dlint to exit.
* Bug fix: signal interrupt handler now properly removes temp files.
* Bug fix: recursive dlint: parent now handles child interruptions and
usage errors properly.
* Man page now documents all exit statuses (statii?)
Version 1.3.1 released July 18, 1998
* Gnu General Public Licensing
Version 1.3.0 released May 17, 1998
* Compares SOA serial numbers across all nameservers (warning if dissimilar).
* Generate error if any zone has no nameservers.
* Generate warning if any zone has only 1 nameserver (needs 2 or more).
* Fixed localhost/127.0.0.1 processing and added some special conditions.
* Prints number of PTR or A records found, so you can tell if it's 0.
* Proper use of phrase "zone" instead of "domain" where applicable.
* When recommending CNAME RR instead of A RR for duplicate host names for one
IP address, we now mention _not_ to use CNAME if host is a nameserver.
* All zone records now checked for illegal '#' character at begin of record
(previously was only checking A RRs).
Version 1.2.0 released Dec 16, 1997
* DiG 8.1 support (from BIND 8.1.1).
* External utility digparse included in distribution.
* Special error when host name has "#" as first char (wrong comment symbol).
* More platforms tested on (HP/UX).
* Adds to existing PATH now instead of overwriting it.
* Trapping signals to remove temporary files.
* Temporary files now stored in /var/tmp instead of /tmp (they get big).
Version 1.1.3 released never
* Improved error message when domain specified is not a zone.
* New email address for author.
Version 1.1.2 released Feb 20, 1997
* Added missing single quote on line 254 [thanks to Chris Wedgwood, Bernhard Weisshuhn]
* Makefile now includes CHANGES file in distribution.
* Man-page extension character has its own variable in Makefile.
Version 1.1.1 released Jan 21, 1997
* Fixed some echos with vars, needed double quotes, not single.
* Missing end-single-quote on one line causing a syntax error [thanks to
David Osborn, Chris Wedgwood].
* Fixed bug when multiple PTR recs are returned for a given inaddr.arpa.
(we report that as an error, then loop thru each PTR rec for compares).
* Suggests CNAME instead of A record when PTR rec points someplace else.
* Miscellaneous coding improvements.
* Miscellaneous output improvements.
* README: Added Installation, Running, See Also sections, and URL to BIND package.
Version 1.1 released Jan 5, 1995
* First release.
-----
������������������������������������������������������������������������������������������������������dlint1.4.1/COPYING����������������������������������������������������������������������������������0000644�0000000�0000000�00000043076�10774026274�0013626�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������ GNU GENERAL PUBLIC LICENSE
Version 2, June 1991
Copyright (C) 1989, 1991 Free Software Foundation, Inc.
675 Mass Ave, Cambridge, MA 02139, USA
Everyone is permitted to copy and distribute verbatim copies
of this license document, but changing it is not allowed.
Preamble
The licenses for most software are designed to take away your
freedom to share and change it. By contrast, the GNU General Public
License is intended to guarantee your freedom to share and change free
software--to make sure the software is free for all its users. This
General Public License applies to most of the Free Software
Foundation's software and to any other program whose authors commit to
using it. (Some other Free Software Foundation software is covered by
the GNU Library General Public License instead.) You can apply it to
your programs, too.
When we speak of free software, we are referring to freedom, not
price. Our General Public Licenses are designed to make sure that you
have the freedom to distribute copies of free software (and charge for
this service if you wish), that you receive source code or can get it
if you want it, that you can change the software or use pieces of it
in new free programs; and that you know you can do these things.
To protect your rights, we need to make restrictions that forbid
anyone to deny you these rights or to ask you to surrender the rights.
These restrictions translate to certain responsibilities for you if you
distribute copies of the software, or if you modify it.
For example, if you distribute copies of such a program, whether
gratis or for a fee, you must give the recipients all the rights that
you have. You must make sure that they, too, receive or can get the
source code. And you must show them these terms so they know their
rights.
We protect your rights with two steps: (1) copyright the software, and
(2) offer you this license which gives you legal permission to copy,
distribute and/or modify the software.
Also, for each author's protection and ours, we want to make certain
that everyone understands that there is no warranty for this free
software. If the software is modified by someone else and passed on, we
want its recipients to know that what they have is not the original, so
that any problems introduced by others will not reflect on the original
authors' reputations.
Finally, any free program is threatened constantly by software
patents. We wish to avoid the danger that redistributors of a free
program will individually obtain patent licenses, in effect making the
program proprietary. To prevent this, we have made it clear that any
patent must be licensed for everyone's free use or not licensed at all.
The precise terms and conditions for copying, distribution and
modification follow.
GNU GENERAL PUBLIC LICENSE
TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
0. This License applies to any program or other work which contains
a notice placed by the copyright holder saying it may be distributed
under the terms of this General Public License. The "Program", below,
refers to any such program or work, and a "work based on the Program"
means either the Program or any derivative work under copyright law:
that is to say, a work containing the Program or a portion of it,
either verbatim or with modifications and/or translated into another
language. (Hereinafter, translation is included without limitation in
the term "modification".) Each licensee is addressed as "you".
Activities other than copying, distribution and modification are not
covered by this License; they are outside its scope. The act of
running the Program is not restricted, and the output from the Program
is covered only if its contents constitute a work based on the
Program (independent of having been made by running the Program).
Whether that is true depends on what the Program does.
1. You may copy and distribute verbatim copies of the Program's
source code as you receive it, in any medium, provided that you
conspicuously and appropriately publish on each copy an appropriate
copyright notice and disclaimer of warranty; keep intact all the
notices that refer to this License and to the absence of any warranty;
and give any other recipients of the Program a copy of this License
along with the Program.
You may charge a fee for the physical act of transferring a copy, and
you may at your option offer warranty protection in exchange for a fee.
2. You may modify your copy or copies of the Program or any portion
of it, thus forming a work based on the Program, and copy and
distribute such modifications or work under the terms of Section 1
above, provided that you also meet all of these conditions:
a) You must cause the modified files to carry prominent notices
stating that you changed the files and the date of any change.
b) You must cause any work that you distribute or publish, that in
whole or in part contains or is derived from the Program or any
part thereof, to be licensed as a whole at no charge to all third
parties under the terms of this License.
c) If the modified program normally reads commands interactively
when run, you must cause it, when started running for such
interactive use in the most ordinary way, to print or display an
announcement including an appropriate copyright notice and a
notice that there is no warranty (or else, saying that you provide
a warranty) and that users may redistribute the program under
these conditions, and telling the user how to view a copy of this
License. (Exception: if the Program itself is interactive but
does not normally print such an announcement, your work based on
the Program is not required to print an announcement.)
These requirements apply to the modified work as a whole. If
identifiable sections of that work are not derived from the Program,
and can be reasonably considered independent and separate works in
themselves, then this License, and its terms, do not apply to those
sections when you distribute them as separate works. But when you
distribute the same sections as part of a whole which is a work based
on the Program, the distribution of the whole must be on the terms of
this License, whose permissions for other licensees extend to the
entire whole, and thus to each and every part regardless of who wrote it.
Thus, it is not the intent of this section to claim rights or contest
your rights to work written entirely by you; rather, the intent is to
exercise the right to control the distribution of derivative or
collective works based on the Program.
In addition, mere aggregation of another work not based on the Program
with the Program (or with a work based on the Program) on a volume of
a storage or distribution medium does not bring the other work under
the scope of this License.
3. You may copy and distribute the Program (or a work based on it,
under Section 2) in object code or executable form under the terms of
Sections 1 and 2 above provided that you also do one of the following:
a) Accompany it with the complete corresponding machine-readable
source code, which must be distributed under the terms of Sections
1 and 2 above on a medium customarily used for software interchange; or,
b) Accompany it with a written offer, valid for at least three
years, to give any third party, for a charge no more than your
cost of physically performing source distribution, a complete
machine-readable copy of the corresponding source code, to be
distributed under the terms of Sections 1 and 2 above on a medium
customarily used for software interchange; or,
c) Accompany it with the information you received as to the offer
to distribute corresponding source code. (This alternative is
allowed only for noncommercial distribution and only if you
received the program in object code or executable form with such
an offer, in accord with Subsection b above.)
The source code for a work means the preferred form of the work for
making modifications to it. For an executable work, complete source
code means all the source code for all modules it contains, plus any
associated interface definition files, plus the scripts used to
control compilation and installation of the executable. However, as a
special exception, the source code distributed need not include
anything that is normally distributed (in either source or binary
form) with the major components (compiler, kernel, and so on) of the
operating system on which the executable runs, unless that component
itself accompanies the executable.
If distribution of executable or object code is made by offering
access to copy from a designated place, then offering equivalent
access to copy the source code from the same place counts as
distribution of the source code, even though third parties are not
compelled to copy the source along with the object code.
4. You may not copy, modify, sublicense, or distribute the Program
except as expressly provided under this License. Any attempt
otherwise to copy, modify, sublicense or distribute the Program is
void, and will automatically terminate your rights under this License.
However, parties who have received copies, or rights, from you under
this License will not have their licenses terminated so long as such
parties remain in full compliance.
5. You are not required to accept this License, since you have not
signed it. However, nothing else grants you permission to modify or
distribute the Program or its derivative works. These actions are
prohibited by law if you do not accept this License. Therefore, by
modifying or distributing the Program (or any work based on the
Program), you indicate your acceptance of this License to do so, and
all its terms and conditions for copying, distributing or modifying
the Program or works based on it.
6. Each time you redistribute the Program (or any work based on the
Program), the recipient automatically receives a license from the
original licensor to copy, distribute or modify the Program subject to
these terms and conditions. You may not impose any further
restrictions on the recipients' exercise of the rights granted herein.
You are not responsible for enforcing compliance by third parties to
this License.
7. If, as a consequence of a court judgment or allegation of patent
infringement or for any other reason (not limited to patent issues),
conditions are imposed on you (whether by court order, agreement or
otherwise) that contradict the conditions of this License, they do not
excuse you from the conditions of this License. If you cannot
distribute so as to satisfy simultaneously your obligations under this
License and any other pertinent obligations, then as a consequence you
may not distribute the Program at all. For example, if a patent
license would not permit royalty-free redistribution of the Program by
all those who receive copies directly or indirectly through you, then
the only way you could satisfy both it and this License would be to
refrain entirely from distribution of the Program.
If any portion of this section is held invalid or unenforceable under
any particular circumstance, the balance of the section is intended to
apply and the section as a whole is intended to apply in other
circumstances.
It is not the purpose of this section to induce you to infringe any
patents or other property right claims or to contest validity of any
such claims; this section has the sole purpose of protecting the
integrity of the free software distribution system, which is
implemented by public license practices. Many people have made
generous contributions to the wide range of software distributed
through that system in reliance on consistent application of that
system; it is up to the author/donor to decide if he or she is willing
to distribute software through any other system and a licensee cannot
impose that choice.
This section is intended to make thoroughly clear what is believed to
be a consequence of the rest of this License.
8. If the distribution and/or use of the Program is restricted in
certain countries either by patents or by copyrighted interfaces, the
original copyright holder who places the Program under this License
may add an explicit geographical distribution limitation excluding
those countries, so that distribution is permitted only in or among
countries not thus excluded. In such case, this License incorporates
the limitation as if written in the body of this License.
9. The Free Software Foundation may publish revised and/or new versions
of the General Public License from time to time. Such new versions will
be similar in spirit to the present version, but may differ in detail to
address new problems or concerns.
Each version is given a distinguishing version number. If the Program
specifies a version number of this License which applies to it and "any
later version", you have the option of following the terms and conditions
either of that version or of any later version published by the Free
Software Foundation. If the Program does not specify a version number of
this License, you may choose any version ever published by the Free Software
Foundation.
10. If you wish to incorporate parts of the Program into other free
programs whose distribution conditions are different, write to the author
to ask for permission. For software which is copyrighted by the Free
Software Foundation, write to the Free Software Foundation; we sometimes
make exceptions for this. Our decision will be guided by the two goals
of preserving the free status of all derivatives of our free software and
of promoting the sharing and reuse of software generally.
NO WARRANTY
11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN
OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS
TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE
PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
REPAIR OR CORRECTION.
12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES.
END OF TERMS AND CONDITIONS
Appendix: How to Apply These Terms to Your New Programs
If you develop a new program, and you want it to be of the greatest
possible use to the public, the best way to achieve this is to make it
free software which everyone can redistribute and change under these terms.
To do so, attach the following notices to the program. It is safest
to attach them to the start of each source file to most effectively
convey the exclusion of warranty; and each file should have at least
the "copyright" line and a pointer to where the full notice is found.
<one line to give the program's name and a brief idea of what it does.>
Copyright (C) 19yy <name of author>
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
Also add information on how to contact you by electronic and paper mail.
If the program is interactive, make it output a short notice like this
when it starts in an interactive mode:
Gnomovision version 69, Copyright (C) 19yy name of author
Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
This is free software, and you are welcome to redistribute it
under certain conditions; type `show c' for details.
The hypothetical commands `show w' and `show c' should show the appropriate
parts of the General Public License. Of course, the commands you use may
be called something other than `show w' and `show c'; they could even be
mouse-clicks or menu items--whatever suits your program.
You should also get your employer (if you work as a programmer) or your
school, if any, to sign a "copyright disclaimer" for the program, if
necessary. Here is a sample; alter the names:
Yoyodyne, Inc., hereby disclaims all copyright interest in the program
`Gnomovision' (which makes passes at compilers) written by James Hacker.
<signature of Ty Coon>, 1 April 1989
Ty Coon, President of Vice
This General Public License does not permit incorporating your program into
proprietary programs. If your program is a subroutine library, you may
consider it more useful to permit linking proprietary applications with the
library. If this is what you want to do, use the GNU Library General
Public License instead of this License.
������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������dlint1.4.1/COPYRIGHT��������������������������������������������������������������������������������0000644�0000000�0000000�00000001374�10774026274�0014061�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������Copyright (C) 1993-1999 Paul A. Balyoz <pab@domtools.com>
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
��������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������dlint1.4.1/INSTALL����������������������������������������������������������������������������������0000644�0000000�0000000�00000004162�10774026274�0013615�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������
Installing Dlint 1.4.1
Copyright (C) 1993-1999 Paul A. Balyoz <pab@domtools.com>
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
REQUIREMENTS
* DiG 2.1 or newer
* Perl 5 or newer
To see what version of DiG you have, just type "dig". The version line is
near the top of the output and looks like: ; <<>> DiG 8.1 <<>>
If you don't see it, you probably have a very recent version.
Type "dig localhost any" and look again.
The latest version of DiG is always available with the latest BIND nameserver
package: http://www.isc.org/bind.html
Perl 5 is required for the digparse script, though some later versions of
Perl 4 may also work (4.0PL36 does not work). To see what version of Perl
you have, type "perl -v".
INSTALLATION
1. Edit the first line of digparse to be the path to your perl binary.
Likely places: /usr/local/bin/perl, /usr/bin/perl, /bin/perl
2. Edit dlint and change the variable "rrfilt" to the correct path to
where digparse will be installed on your system. /usr/local/bin is
recommended.
3. Edit Makefile to set the paths of where everything will be installed,
/usr/local is recommended.
4. Type "make install" to install dlint. Or, you can simply run dlint
from this directory.
RUNNING DLINT, READING ITS OUTPUT
See README file for details.
--
Paul Balyoz, Unix Sysadmin and Programmer
Domtools Consulting pab@domtools.com
Phoenix Arizona, USA pbalyoz@jammed.com
��������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������dlint1.4.1/Makefile���������������������������������������������������������������������������������0000644�0000000�0000000�00000002144�10774026274�0014222�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������#
# Dlint Makefile
#
VERSION=1.4.1
# Basic area to install things in:
DEST=$(DESTROOT)/usr/local
BIN=$(DEST)/bin
MANEXT=1
MAN=$(DEST)/man/man$(MANEXT)
# How to run BSD-style install prog:
INSTALL=install # Linux, BSD, SunOS 4.x
#INSTALL=ginstall # Gnu Install is good, it might be named this
#INSTALL=/usr/ucb/install # SysV, Solaris 2.x
all:
@echo 'nothing to make; see INSTALL for instructions.'
install:
$(INSTALL) -c -m 755 -o bin -g bin dlint $(BIN)
$(INSTALL) -c -m 755 -o bin -g bin digparse $(BIN)
$(INSTALL) -c -m 644 -o bin -g bin dlint.1 $(MAN)/dlint.$(MANEXT)
clean:
-rm -f *.shar core
#
# Developer's section ---------------------------------
#
PUB=/home/wwwtest/html/pub
dist: clean
d=`pwd`; d=`basename $$d`; cd ..; tar czf /tmp/$$d.tar.gz \
--exclude RCS \
--exclude Old \
$$d; echo "done. distribution file is /tmp/$$d.tar.gz"
dist-install: dist
$(INSTALL) -c -m 664 -o pab -g www /tmp/dlint$(VERSION).tar.gz $(PUB)
$(INSTALL) -c -m 664 -o pab -g www README $(PUB)/dlint$(VERSION)-readme.txt
$(INSTALL) -c -m 664 -o pab -g www CHANGES $(PUB)/dlint$(VERSION)-changes.txt
#---
����������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������dlint1.4.1/README�����������������������������������������������������������������������������������0000644�0000000�0000000�00000015211�10774026274�0013441�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������
Dlint version 1.4.1
A Domain Name Server Zone Verification Utility
Copyright (C) 1993-1999 Paul A. Balyoz <pab@domtools.com>
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
DESCRIPTION
This program analyzes any DNS zone you specify, and reports any problems it
finds by displaying errors and warnings. Then it descends recursively to
examine all zones below the given one (this can be disabled with a command-
line option). Designed for Unix, dlint is written in Bourne Shell and Perl.
Dlint is also available on the Internet from your web browser:
http://www.domtools.com/dlint/
(this server imposes a timeout period; to lint a big zone, you should
install dlint yourself and use it locally - that's what this package is for).
WHAT DLINT REALLY CHECKS
* for each nameserver of the given zone, if its domain name ends in
"in-addr.arpa." then give a warning & ignore it. This can happen
in in-addr.arpa. zones when an NS record contains just a host name
instead of the fully-qualified domain name.
* for each host with an "A" resource record containing an IP address,
there should be an equivalent PTR record pointing from the address
back to the host. Missing records and IP address mismatches are
reported. (exception: when it's really a domain instead of a host,
there may not be a PTR record).
* for each PTR resource record in an in-addr.arpa zone pointing to a host,
there should be an equivalent "A" record for that host listing the same
IP address. Missing records and IP address mismatches are reported.
* special warning if it detects a pound-sign on the front of a record
(a common mistake: using "#" for comment symbol instead of ";").
Dlint will notice if there are subdomains (subzones), and recursively traverse
them, too, looking for problems. This recursion can be disabled with a
command-line option.
You can run dlint on your own domains, or on somebody else's, because it uses
the standard DNS network protocol. Dlint is very useful since most nameservers
do no more than syntax-check your database files. Dlint's messages are very
informative and suggest ways to fix the problems, not just complain about them.
Dlint doesn't catch every kind of problem, just the ones listed here which
can cause strange host-access problems for you and for other sites trying
to reach your computer systems over the Internet.
REQUIREMENTS
* DiG 2.1 or newer
* Perl 5 or newer
INSTALLATION
See file "INSTALL" for details.
RUNNING DLINT, READING ITS OUTPUT
Make sure "dig" is in your path. Type "which dig" to see if it is.
If not, go and get DiG and install it now! (see below)
% dlint your.dom.ain.
or:
% dlint 4.3.2.1.in-addr.arpa.
Dlint is fairly verbose; comment lines are preceded by semicolons (";").
Any line not commented out is something important: a warning or an error.
Not all warnings and errors are really problems - you need to use your best
judgment when considering making changes to your DNS database. One warning you
might see which you can ignore is:
WARNING: "localhost.cse.nau.edu. A 127.0.0.1": the PTR record for 1.0.0.127.in-addr.arpa. says "localhost."
(one of the above two records might be wrong.)
This is not really a problem because Unix systems sometimes use records like
"localhost.cse.nau.edu." in their local domain to speed up "localhost"
address queries. Every zone containing Unix machines should have one of
these fake "localhost" hosts in it with an address of 127.0.0.1.
Another warning that may not be a problem looks like this:
WARNING: csenet.cse.nau.edu. has no A record, but that's OK only if it's a network or other special name instead of a host.
If that domain name is the name of a network or subnet at your site
and _not_ the name of an actual host (no single IP address is associated
with it), then ignore it. If you know it's supposed to be a host, then
an A resource-record should be added to the zone it lives in.
If you see different output at different times for the same zone that you
know is not being modified, then get and run the Doc utility (see below)
over your domain first. Some authoritative nameservers for the zone have
different copies of the zone database (check their SOA records).
FUTURE ENHANCEMENTS
* Rewrite in Perl using Net::DNS
* Lame delegation checking
* CIDR support
* IPv6 support
* Character-set checking on all domain names
* Detect duplicate domain components and report "missing end-period in zone
file". Example: host.cse.nau.edu.cse.nau.edu. should be host.cse.nau.edu.
* Let user specify what server to query (command-line option)
SEE ALSO
* Domain Obscurity Checker (DOC), which comes with BIND. It checks for
lame delegations and other problems with just your primary/secondary
nameservers. Solve those problems first, then run Dlint to get the best
results. If a zone is sufficiently misconfigured, Dlint has trouble
producing useful information. BIND comes from:
http://www.isc.org/bind.html
* FYI 27 - Tools for DNS Debugging. http://www.landfield.com/rfcs/fyi/fyi27.html
* RFC's on DNS, available at http://www.landfield.com/rfcs/
RFC 1032 - Domain Administrators Guide
RFC 1033 - Domain Operations Administrators Guide
RFC 1034 - Domain Names Concepts and Facilities
RFC 1035 - Domain Names Implementation and Specification
RFC 1101 - DNS Encoding of Network Names and Other Types
RFC 1123 - Requirements for Internet Hosts
RFC 1536 - Common DNS Implementation Errors and Fixes
RFC 1713 - Tools for DNS Debugging
RFC 1912 - Common DNS Operational and Configuration Errors
RFC 2181 - Clarifications to the DNS Specification
RFC 2182 - Selection and Operation of Secondary DNS Servers
DISTRIBUTION
The latest version of Dlint can be found at the master site:
http://www.domtools.com/dns/dlint.shtml
--
Paul Balyoz, Unix Sysadmin and Programmer
Domtools Consulting pab@domtools.com
Phoenix Arizona, USA pbalyoz@jammed.com
���������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������dlint1.4.1/TESTCASES��������������������������������������������������������������������������������0000644�0000000�0000000�00000002005�10774026274�0014037�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������ Good Zones for Testing Dlint
Some nameservers are set up to disallow AXFR's by non authorized hosts.
What's worse, some of them return _zero_records_ rather than an error!
All nameservers USWest has set up for DHCP-serving IP addresses to their
customers have this "bug" as of Feb 1998:
csh# dig @ns2.uswest.net. 190.225.207.in-addr.arpa. axfr
; <<>> DiG 2.2 <<>> @ns2.uswest.net. 190.225.207.in-addr.arpa. axfr
; (1 server found)
;; Received 0 answers (0 records).
;; FROM: fire.domtools.com to SERVER: 206.196.128.1
;; WHEN: Sun May 17 01:01:41 1998
csh# echo $status
0
This happens with these servers:
ns1.uswest.net.
ns2.uswest.net.
ns3.uswest.net.
----
earthlink.net. Really huge domain with numerous subdomains.
Took >4 hours run-time to lint on a Pentium 166 using
a direct 256KB (ADSL) connection to the Internet.
vix.com. Really good test zone: weird domains & sub-sub-domains,
nonexistent nameservers, multiple levels in 1 zone, etc.
wormhole.p-c-net.net.
defiant.p-c-net.net.
----
���������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������dlint1.4.1/digparse���������������������������������������������������������������������������������0000755�0000000�0000000�00000014340�10774026274�0014307�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������#!/usr/bin/perl
#
# digparse
#
# Perl code that converts DiG output (version 2.x, 8.x, 9.x) into
# the easily parsable form:
#
# HOST RR RR-ARGS
# i.e.
# fire.domtools.com. A 10.0.0.10
# fire.domtools.com. MX 10 flame.domtools.com.
#
# It understands $ORIGIN and @ and can expand @, blank LHS's, and non-dot-terminated
# LHS and RHSs. No comments or blank lines are printed.
#
# Usage with Dig 2 thru 8: dig @server.dom.ain. AXFR dom.ain. +ret=2 +noauthor +noaddit \
# +noques +noHeader +noheader +cl +noqr +nostats +nocmd | \
# digparse > file
#
# Usage with Dig 9: dig @server.dom.ain. AXFR dom.ain. +ret=2 +noauthority \
# +noadditional +noquestion +nostats +nocmd | digparse > file
#
# There are many differences in output between DiG 2.x, 8.x, and 9.x.
# 2.x doesn't display the class ("IN").
# 8.x abbreviates time fields with letters like "h"=hours, "m"=minutes, "s"=seconds,
# and uses "@" for default origin and sometimes leaves domain off entirely so you
# have to carry forward the current domain name from lines above.
# 9.x output is perfect in every way.
#
# Example inputs that Digparse can parse (using options above) --
#
# Dig 9.x: domtools.com. 86400 IN SOA fire.domtools.com. hostmaster.domtools.com. ( 2000111600 28815 3615 2073600 86400 )
# domtools.com. 86400 IN NS ns0.domtools.com.
#
# Dig 8.x: $ORIGIN domtools.com.
# @ 1D IN SOA fire hostmaster (
# 2000111600 ; serial
# 8h15s ; refresh
# 1h15s ; retry
# 3w3d ; expiry
# 1D ) ; minimum
#
# 1D IN NS ns0
#
# Dig 2.x: domtools.com. 86400 SOA fire.domtools.com. hostmaster.domtools.com. (
# 2000111600 ; serial
# 28815 ; refresh (8 hours 15 secs)
# 3615 ; retry (1 hour 15 secs)
# 2073600 ; expire (24 days)
# 86400 ) ; minimum (1 day)
# domtools.com. 86400 NS ns0.domtools.com.
#
# Output from digparse for all above inputs:
#
# domtools.com. SOA fire.domtools.com. hostmaster.domtools.com. 2000111600 28815 3615 2073600 86400
# domtools.com. NS ns0.domtools.com.
#
# However the seconds are left as-is, so they'll contain h,m,s abbreviations
# when using BIND 8 (but not 2, or 9!) We don't care because Dlint doesn't use them.
#
# Paul Balyoz <pab@domtools.com>
#
# RRs that have a domain name for their rightmost field
# (we tack the default domain onto domains that don't end in ".")
%rhs_is_domain = (
"NS"=>1,
"PTR"=>1,
"MX"=>1,
"CNAME"=>1,
);
# DNS Class Table
%classes = (
"IN"=>1, # Internet
"CH"=>1, # Chaos
);
# Main Loop - input lines from stdin, handle them.
while (<>) {
chop;
next if /^\s*;/; # skip blank & comment lines
next if /^\s*$/;
@f = split;
if ($f[0] eq '$ORIGIN') { # literally the string '$ORIGIN'
$origin = $f[1];
$origin .= "." if $origin !~ /\.$/; # append "." if missing
$origin = "" if $origin eq "."; # use "" for root domain
next;
}
elsif ($f[0] !~ /\.$/) { # record name is missing its ending period!
if ($f[0] eq "@") {
$f[0] = "$origin"; # expand "@" into domain name
} else {
$f[0] .= ".$origin"; # append domain name onto name
}
}
if (/^\s/) { # empty LHS, use curr. domain name
unshift @f, $domain;
}
else {
$domain = $f[0]; # memorize this LHS for future lines
}
splice(@f,2,1) if $classes{uc($f[2])}; # Get rid of Class if exists (DiG 8 & newer)
# By this point the records have been standardized like this --
# $f[0] = LHS (canonical domain name)
# $f[1] = TTL
# $f[2] = RRTYPE
# $f[3]..$f[$#f] = data (1 or more fields)
$rr = uc($f[2]);
if ($rhs_is_domain{$rr} && $f[$#f] !~ /\.$/) { # empty RHS domain name
if ($f[$#f] eq "@") {
$f[$#f] = "$origin"; # "@" is just the origin
} else {
$f[$#f] .= ".$origin"; # otherwise append origin
}
}
# By this point any domain names in the data fields have been canonicalized.
# (we expanded Dig 2.x's "@" symbols and unqualified names to fqdn's)
#
# If we see a RR continuation marker (left-paren)
# then read and parse the rest of the continuation lines.
# The line looked like this:
# @ 4H IN SOA pallas hostmaster.pallas (
#
if (/\(\s*$/) {
undef($f[$#f]); # remove the "(" thing
while (<STDIN>) {
chop;
# Remove comments from the line. DiG 2.1 puts parentheses in the comments!
s/;.*//;
# Next, handle all other data lines in the continuation,
# including the right-paren line. Expect no comments.
# Those lines look like this:
# 712120828 ; serial
# 1H ; refresh
# 5M ; retry
# 1W ; expiry
# 4H ) ; minimum
# if (/\s*([^\);\s]+)\s*\)?\s*;?.*/) {
#} ugh
if (/\s*([^\)\s]+)\s*\)?.*/) {
$f[$#f+1] = $1;
}
last if /\)/; # end continuation line
}
}
if ($rr eq "SOA") {
if ($f[3] !~ /\.$/) { # record name is missing its ending period!
if ($f[3] eq "@") {
$f[3] = "$origin"; # expand "@" into domain name
} else {
$f[3] .= ".$origin"; # append domain name onto name
}
}
if ($f[4] !~ /\.$/) { # record name is missing its ending period!
if ($f[4] eq "@") {
$f[4] = "$origin"; # expand "@" into domain name
} else {
$f[4] .= ".$origin"; # append domain name onto name
}
}
if ($f[5] eq "(") {
splice(@f,5,1); # remove grouping symbols (BIND 9)
}
if ($f[$#f] eq ")") {
splice(@f,$#f,1); # remove grouping symbols (BIND 9)
}
}
# Print resulting data line
$nspaces = 32 - length($f[0]);
$nspaces = 1 if $nspaces < 1;
print $f[0], " " x $nspaces;
#$str = "$f[1] $f[2]";
$str = "$f[2]"; # don't bother printing TTL
$nspaces = 8 - length($str);
$nspaces = 1 if $nspaces < 1;
print "$str", " " x $nspaces;
for ($i=3; $i<=$#f; $i++) {
print " ",$f[$i];
}
print "\n";
}
exit 0;
������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������dlint1.4.1/dlint������������������������������������������������������������������������������������0000755�0000000�0000000�00000046647�10774026274�0013642�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������#!/bin/sh
#
# program: dlint
# usage: dlint [-n] zone
# options: -n no recursion
# purpose: To scan through a DNS zone domain hierarchy and report certain
# possible configuration problems found therein.
# output: A verbose description of what was found in comments,
# with warnings and error messages of any problems.
# Output is intended to be computer-parsable.
# Usage message gets printed on stderr.
# exit value: 0 if everything looks right
# 1 if nothing worse than a warning was found
# 2 if any errors were found
# 3 for usage error (i.e., incorrect command line options)
#
# Copyright (C) 1993-1998 Paul A. Balyoz <pab@domtools.com>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
#
#
# NOTES
#
# * Handling localhost (127.0.0.1) is hard, how should it really be done?
# If you define localhost.<domain> in many domains, you are screwed when you
# look up 1.0.0.127.in-addr.arpa because it can only point to one of them.
# Now maybe you think that 1.0.0.127.in-addr.arpa should point to "localhost."
# But will all software on all computers really query "localhost." (in the root
# domain), or will they actually be querying "localhost" (no dot, so resolver
# considers it in the current domain)?
# Current Solution: special-case "localhost" 127.0.0.1.
# The only localhost-related things we check now are:
# * 1.0.0.127.in-addr.arpa. points to some host that doesn't point back to
# 127.0.0.1 (normal TEST 3a checking),
# * if hostname "localhost" in any domain maps to an IP address other than
# 127.0.0.1 (or host has address 127.0.0.1 but isn't named localhost),
# * 1.0.0.127.in-addr.arpa. doesn't point to hostname "localhost" in any
# domain (or it has host "localhost" but wrong in-addr.arpa address).
#
# Path to standard bin dirs on many platforms.
# Be sure this path includes the directory that holds your dig executable:
if test x"$PATH" = x""; then # for security purposes
PATH="/usr/ucb:/usr/bsd:/bin:/usr/bin:/usr/local/bin:/usr/share/bin:/usr/com/bin"
else
PATH="${PATH}:/usr/ucb:/usr/bsd:/bin:/usr/bin:/usr/local/bin:/usr/share/bin:/usr/com/bin"
fi
export PATH
VERSION=1.4.1
# ----------- BEGIN CONFIGURATIONS -------------------------
# RR filter from DiG output format to all FQDN on every line format.
# Change this path for your site! See Makefile.
rrfilt="/usr/local/bin/digparse"
# ------------- END CONFIGURATIONS -------------------------
TMPNS=/var/tmp/dlintns.$$
TMPZONE=/var/tmp/dlintzone.$$
TMPPTR=/var/tmp/dlintptr.$$
TMPA=/var/tmp/dlinta.$$
TMPSUBDOMS=/var/tmp/dlintsubdoms.$$
TMPERR=/var/tmp/dlinterr.$$
TMPERR2=/var/tmp/dlinterr2.$$
TMPSERIALS=/var/tmp/dlintserials.$$
trap "rm -f $TMPNS $TMPZONE $TMPPTR $TMPA $TMPSUBDOMS $TMPERR $TMPERR2; exit 4" 1 2 3 15
usage() {
echo 'usage: dlint [-n] zone' 2>&1
echo ' example zones: yoursite.com. 3.2.1.in-addr.arpa.' 2>&1
exit 3
}
if test $# -lt 1 -o $# -gt 2; then
usage
fi
#
# Configure for System V echo or BSD echo, whichever we have.
#
if test `echo -n hello|wc -l` -eq 0; then
echoc=''
echon='-n'
else
echoc='\c'
echon=''
fi
#
# Check if dig is installed and get the version number.
# If version < 2.1, fail. If version 9 or greater, set special settings.
#
ver=`dig localhost any | grep DiG | head -1 | sed -e 's/.*DiG \([0-9.]*\).*/\1/'`
ans=`echo $ver | awk '$1 >= 2.1 {print "ok"; exit}'` # floating point math
if test x"$ans" != x"ok"; then
echo ';; This program requires DiG version 2.1 or newer, which I cannot find.'
exit 3
fi
dig9=`echo $ver | awk '$1 >= 9.0 {print "yes"; exit}'` # floating point math
#
# Options - why'd they change so many of these in BIND 9?
# The +nostats option is not documented in BIND 9.0.1 but works.
#
if test x"$dig9" = x"yes"; then
digopts='+ret=2 +noauthority +noadditional +noquestion +nostats +nocmd'
else
digopts='+ret=2 +noauthor +noaddit +noques +noHeader +noheader +cl +noqr +nostats +nocmd'
fi
#
# Other things you might need to change
#
# Filter that converts input to lowercase
tolower='tr A-Z a-z'
#
# Initialize flags (leave these alone)
#
exitcode=0 norecurse=false silent=false domain='' inaddrdomain=false
#
# Determine type of domain (forward or inverse)
# arg 1 = domain name with ending period.
# returns: "inverse" or "forward" on stdout
#
domaintype () {
lcdom=`echo "$1" | $tolower`
case $lcdom in
*in-addr.arpa.)
echo "inverse"
;;
*)
echo "forward"
;;
esac
}
#
# Parse command-line arguments
#
for i do
case "$i" in
-n) norecurse=true
;;
-silent) silent=true
;;
*) if test x"$domain" = x""; then
domain="$i"
else
usage
fi
;;
esac
done
# Reverse-sense flags
if $silent; then
notsilent=false
else
notsilent=true
fi
if $norecurse; then
recurse=false
else
recurse=true
fi
# No domain or empty domain specified
if test x"$domain" = x""; then
usage
fi
# Determine if domain is inverse-address or not
ans=`echo $domain | $tolower | awk '/.in-addr.arpa/ {print "ok"; exit}'`
if test x"$ans" = x"ok"; then
inaddrdomain=true
fi
#
# Print welcome message if not calling self recursively
#
if $notsilent; then
echo ";; dlint version $VERSION, Copyright (C) 1998 Paul A. Balyoz <pab@domtools.com>"
echo ";; Dlint comes with ABSOLUTELY NO WARRANTY."
echo ";; This is free software, and you are welcome to redistribute it"
echo ";; under certain conditions. Type 'man dlint' for details."
echo ";; command line: $0 $*"
echo $echon ";; flags:$echoc"
if $inaddrdomain; then
echo $echon " inaddr-domain$echoc"
else
echo $echon " normal-domain$echoc"
fi
if $norecurse; then
echo $echon " not-recursive$echoc"
else
echo $echon " recursive$echoc"
fi
echo "."
echo ";; using dig version $ver"
echo ";; run starting: `date`"
fi
echo ";; ============================================================"
echo ";; Now linting $domain"
#
# Identify all nameservers for this zone
#
#echo "XX $domain NS"
dig $domain NS $digopts | $rrfilt | awk '$2=="NS" {print $3}' > $TMPNS
if test ! -s $TMPNS; then
echo "ERROR: no name servers found for domain $domain"
echo " That domain is probably not a zone. Remove the leftmost portion of the name and try again."
echo ";; ============================================================"
echo ";; dlint of $domain run ending with errors."
echo ";; run ending: `date`"
rm -f $TMPNS $TMPZONE $TMPPTR $TMPA $TMPSUBDOMS $TMPERR $TMPERR2
exit 2
fi
#
# TEST 1
# Check all zone nameservers' SOA RRs for serial number similarity.
# If they have < 2 nameservers, complain.
#
responding=
if test `wc -l < $TMPNS` -eq 1; then
echo "WARNING: only 1 nameserver found for zone $domain"
echo " Every zone should have 2 or more nameservers at all times."
test $exitcode -lt 1 && exitcode=1
else
echo ";; Checking serial numbers per nameserver"
rm -f $TMPSERIALS
for ns in `cat $TMPNS`; do
# Sanity check nameserver's name
if test x`domaintype $ns` = x"inverse"; then
echo "WARNING: nameserver $ns has in-addr.arpa. in its name which is bad; skipping."
echo " I'll bet you left off its full domain name on the NS record, as in:"
echo " $domain IN NS someserver"
echo " You should append the fully qualified domain name with ending period, as in:"
echo " $domain IN NS someserver.your.domain.com."
test $exitcode -lt 1 && exitcode=1
continue
fi
# Ask this nameserver for domain's SOA record
#echo "XX @$ns $domain SOA"
serial=`dig @$ns $domain SOA $digopts 2> $TMPERR | $rrfilt | \
awk '$2=="SOA" {print $5; exit}'`
# Ignore run-time errors that aren't real errors:
# (BIND 9.0.1 default build in RedHat Linux 7.0)
grep -v setsockopt $TMPERR > $TMPERR2
mv $TMPERR2 $TMPERR
# Eliminate nameservers that couldn't return an SOA for zone $ns
if test ! -s $TMPERR; then
echo ";; $serial $ns";
echo "$serial $ns" >> $TMPSERIALS
else
echo "WARNING: nameserver $ns returned an error when asked for SOA of $domain; skipping."
test $exitcode -lt 1 && exitcode=1
responding=" responding"
fi
done
if test ! -s $TMPSERIALS; then
echo "ERROR: no good name servers found for domain $domain"
echo " Aborting run."
echo ";; ============================================================"
echo ";; dlint of $domain run ending with errors."
echo ";; run ending: `date`"
rm -f $TMPNS $TMPZONE $TMPPTR $TMPA $TMPSUBDOMS $TMPERR $TMPERR2 $TMPSERIALS
exit 2
fi
if test `awk '{print $1}' < $TMPSERIALS | sort -u | wc -l` -gt 1; then
echo "WARNING: nameservers don't seem to agree on the zone's serial number."
echo " Dlint will query nameserver with largest serial number first."
test $exitcode -lt 1 && exitcode=1
else
echo ";; All$responding nameservers agree on the serial number."
fi
# Re-order nameservers from highest SOA serial number to lowest.
# This also removes bogus nameservers from $TMPNS.
#sort +0nr $TMPSERIALS | awk '{print $2}' > $TMPNS
sort -n -r $TMPSERIALS | awk '{print $2}' > $TMPNS
rm -f $TMPSERIALS
fi
#
# SETUP FOR TESTS 2 AND 3
# Transfer this whole zone to a temporary file
#
echo ";; Now caching whole zone (this could take a minute)"
i=1
badns=true
while test $i -le `wc -l < $TMPNS`; do
badns=false
ns=`tail --lines=+$i $TMPNS | head -1`
echo ";; trying nameserver $ns"
#echo "XX @$ns $domain AXFR"
dig @$ns $domain AXFR $digopts 2> $TMPERR | $rrfilt > $TMPZONE
# Ignore run-time errors that aren't real errors:
# (BIND 9.0.1 default build in RedHat Linux 7.0)
grep -v setsockopt $TMPERR > $TMPERR2
mv $TMPERR2 $TMPERR
if test `wc -l < $TMPERR` -eq 0; then
break
fi
echo "WARNING: nameserver $ns is not responding properly to queries; skipping."
badns=true
test $exitcode -lt 1 && exitcode=1
i=`expr $i + 1`
done
if $badns; then
echo "ERROR: could not find any working nameservers for $domain"
echo ";; ============================================================"
echo ";; dlint of $domain run ending with errors."
echo ";; run ending: `date`"
rm -f $TMPNS $TMPZONE $TMPPTR $TMPA $TMPSUBDOMS $TMPERR $TMPERR2
test $exitcode -lt 2 && exitcode=2
exit $exitcode
fi
#
# TEST 2
# Look for all zone records with "#" as first character (illegal) --
# they probably thought they were commenting out a line!
#
grep '^#' $TMPZONE > $TMPA
if test $? -eq 0; then
echo "ERROR: some zone records begin with '#' character which is illegal."
test $exitcode -lt 2 && exitcode=2
len=`wc -l < $TMPA`
if test $len -lt 5; then
echo " Use ';' for comment symbol, not '#'! Offending records:"
sed -e 's/^/ /' < $TMPA
else
echo " Use ';' for comment symbol, not '#'! First 5 offending records:"
head -5 $TMPA | sed -e 's/^/ /'
fi
fi
#
# TEST 3a (for in-addr.arpa domains)
# All PTR records' hosts must have an A record with the same address,
# unless that PTR rec is a network name instead of a host [RFC1101]
# (see later tests). But we don't know if it's really a network or
# just a host with a missing A record, so we report it.
# Any PTR record for 1.0.0.127.in-addr.arpa should point to a host named
# "localhost" (in any domain), and vice-versa.
#
# BUG: We assume all X.X.X.X.in-addr.arpa format names are those of hosts,
# and all others (less than 4 X's) are networks. But if you happen to
# be doing subnetting such that the number of host bits < 8, then your
# subnets will have 4 octets too, which we don't handle properly.
# Before CIDR, this couldn't be done right without strict RFC1101
# adherance, which nobody really cared about except myself.
# With CIDR it may be possible, I need to sit down and think about it.
#
if $inaddrdomain; then
awk '!/^;/ && $2=="PTR"' < $TMPZONE | sort -u > $TMPPTR
i=0
len=`wc -l < $TMPPTR`
if test $len -gt 0; then
echo ";;" $len "PTR records found."
else
echo "ERROR: no PTR records found."
test $exitcode -lt 2 && exitcode=2
fi
while test $i -lt $len; do
i=`expr $i + 1`
set `tail +$i $TMPPTR | head -1`
inaddr=$1 host=$3
# if not 4 numeric octets, assume it's a network address.
num=`echo $inaddr | tr . '\012' | awk '{r++} /^in-addr$/ {print r - 1}'`
if test 0"$num" -ne 4; then
continue
fi
# this may hold more than one address if host is multihomed or a gateway:
#echo "XX $host A"
addr=`dig $host A $digopts | $rrfilt | awk '$2=="A" {print $3}'`
if test x"$addr" = x""; then
case $inaddr in
'#'*)
echo "ERROR: illegal domain name $inaddr has a PTR record."
echo " Use ';' for zone file comments, not '#'!"
test $exitcode -lt 2 && exitcode=2
;;
*)
echo "WARNING: \"$inaddr PTR $host\", but $host has no A record."
echo " But that's OK only if it's a network or other special name instead of a host."
test $exitcode -lt 1 && exitcode=1
;;
esac
continue
fi
ina=`echo $inaddr | awk -F. '{print $4 "." $3 "." $2 "." $1}'`
a=`echo "$addr" | awk "/^$ina\$/ {print}"`
if test x"$a" != x""; then
# echo ";; $inaddr and $addr match."
:
else
echo "ERROR: \"$inaddr PTR $host\", but the address of $host is really $addr"
test $exitcode -lt 2 && exitcode=2
fi
# If record is 1.0.0.127.in-addr.arpa., make sure hostname is localhost.*
if test x"$ina" = x"127.0.0.1"; then
hostname=`echo $host | awk -F. '{print $1}' | $tolower`
if test x"$hostname" != x"localhost"; then
echo "WARNING: \"$inaddr PTR $host\", but it should point to localhost instead."
echo " This could confuse some computers (particularly Unix) in that domain."
test $exitcode -lt 1 && exitcode=1
fi
fi
# If record has host named localhost.*, make sure PTR rec is 1.0.0.127.in-addr.arpa.
hostname=`echo $host | awk -F. '{print $1}' | $tolower`
if test x"$hostname" = x"localhost"; then
if test x"$ina" != x"127.0.0.1"; then
echo "WARNING: \"$inaddr PTR $host\", but only 1.0.0.127.in-addr.arpa. should point to localhost."
echo " This could confuse some computers (particularly Unix) in that domain."
test $exitcode -lt 1 && exitcode=1
fi
fi
done
#
# TEST 3b (for regular domains)
# All hosts with A records must have reverse in-addr.arpa PTR records
# and they should point back to the same host name.
# Any host named "localhost" in any domain should have IP address 127.0.0.1,
# and vice-versa.
#
# BUG: Sometimes there will be a special host in a domain that has an A record
# pointing to some host which has a different name in _another_ zone.
# Example: info.nau.edu is really pumpkin.ucc.nau.edu in disguise.
# This is currently reported as an error, there's no way to tell it is
# intentional. (not sure how to deal with this)
#
else
awk '!/^;/ && $2=="A"' < $TMPZONE | sort -u > $TMPA
i=0
len=`wc -l < $TMPA`
if test $len -gt 0; then
echo ";;" $len "A records found."
else
echo "ERROR: no A records found."
test $exitcode -lt 2 && exitcode=2
fi
while test $i -lt $len; do
i=`expr $i + 1`
set `tail +$i $TMPA | head -1`
host=$1 addr=$3
inaddr=`echo $addr | awk -F. '{print $4 "." $3 "." $2 "." $1 ".in-addr.arpa."}'`
#echo "XX $inaddr PTR"
inhost=`dig $inaddr PTR $digopts | $rrfilt | awk '$2=="PTR" {print $3}'`
if test x"$inhost" = x""; then
case $host in
'#'*)
echo "ERROR: illegal domain name $host has an A record."
echo " Use ';' for zone file comments, not '#'!"
;;
*)
echo "ERROR: $host has an A record of $addr, but no reverse PTR record for $inaddr can be found on nameserver $ns"
echo " The following resource record should be added:"
echo " $inaddr IN PTR $host"
;;
esac
test $exitcode -lt 2 && exitcode=2
continue
fi
numptrs=`echo "$inhost" | wc -l`
# numptrs ends up with lots of spaces in it, so don't put it inside quotes...
if test $numptrs -gt 1; then
echo "ERROR: $inaddr has" $numptrs "PTR records, but there should be only 1."
test $exitcode -lt 2 && exitcode=2
fi
lhost=`echo $host | $tolower`
multipleinhosts="$inhost"
foundit=0
for inhost in $multipleinhosts; do
linhost=`echo $inhost | $tolower`
if test x"$linhost" = x"$lhost"; then
foundit=1
fi
done
if test x"$addr" != x"127.0.0.1"; then
if test $foundit -eq 0; then
#echo "XX @$ns $host SOA"
soa=`dig @$ns $host SOA $digopts | $rrfilt | awk '$2=="SOA" {print "ok";exit}'`
if test x"$soa" = x"ok"; then
echo "WARNING: the zone $host has an A record but no reverse PTR record. This is probably OK."
test $exitcode -lt 1 && exitcode=1
else
if test $numptrs -eq 1; then
echo "ERROR: \"$host A $addr\", but the PTR record for $inaddr is \"$inhost\""
else
# NOTE: don't remove 2nd "echo", it's necessary:
echo "ERROR: \"$host A $addr\", but the PTR records for $inaddr are \"`echo $multipleinhosts`\""
fi
test $exitcode -lt 2 && exitcode=2
echo " One of the above two records are wrong unless the host is a name server or mail server."
echo " To have 2 names for 1 address on any other hosts, replace the A record"
if test $numptrs -eq 1; then
echo " with a CNAME record:"
else
echo " with a CNAME record referring to the proper host, for example:"
fi
echo " $host IN CNAME $inhost"
continue
fi
fi
else
# IP address is 127.0.0.1 -- make sure hostname is localhost.*
hostname=`echo $lhost | awk -F. '{print $1}'`
if test x"$hostname" != x"localhost"; then
echo "WARNING: \"$host A $addr\", but only localhost should be 127.0.0.1."
echo " This could confuse some computers (particularly Unix) in that domain."
test $exitcode -lt 1 && exitcode=1
fi
fi
# if hostname is localhost.*, make sure IP address is 127.0.0.1
hostname=`echo $lhost | awk -F. '{print $1}'`
if test x"$hostname" = x"localhost" -a x"$addr" != x"127.0.0.1"; then
echo "WARNING: \"$host A $addr\", but localhost should always be 127.0.0.1."
echo " This could confuse some computers (particularly Unix) in that domain."
test $exitcode -lt 1 && exitcode=1
fi
done
fi
##############################
# OTHER TESTS GO HERE
##############################
#
# Recursively traverse all sub-domains beneath this domain
#
if $recurse; then
#echo "XX @$ns $domain AXFR"
dig @$ns $domain AXFR $digopts | $rrfilt | awk '$2=="NS" {print $1}' | grep -iv "^$domain\$" | sort -u > $TMPSUBDOMS
if test -s $TMPSUBDOMS; then
i=1
len=`wc -l < $TMPSUBDOMS`
while test $i -le $len; do
line=`sed -e "$i!d" < $TMPSUBDOMS`
# run ourself to analyze the subdomain
$0 -silent $line
status=$?
case $status in
3) exitcode=$status
break ;;
4) exitcode=$status
break ;;
*) if test $status -gt $exitcode; then
exitcode=$status
fi ;;
esac
i=`expr $i + 1`
done
else
echo ";; no subzones found below $domain, so no recursion will take place."
fi
fi
#
# Quit with proper error code
#
echo ";; ============================================================"
echo $echon ";; dlint of $domain run ending $echoc"
case $exitcode in
0) echo "normally." ;;
1) echo "with warnings." ;;
2) echo "with errors." ;;
3) echo "due to usage error." ;;
4) echo "due to signal interruption." ;;
esac
echo ";; run ending: `date`"
rm -f $TMPNS $TMPZONE $TMPPTR $TMPA $TMPSUBDOMS $TMPERR $TMPERR2
exit $exitcode
�����������������������������������������������������������������������������������������dlint1.4.1/dlint.1����������������������������������������������������������������������������������0000644�0000000�0000000�00000006336�10774026274�0013765�0����������������������������������������������������������������������������������������������������ustar�00root����������������������������root����������������������������0000000�0000000������������������������������������������������������������������������������������������������������������������������������������������������������������������������.TH DLINT 1 "18 July 1998"
.SH NAME
dlint \- Internet Domain Name System (DNS) error checking utility
.SH SYNOPSIS
.B dlint
[
.B \-n
]
.I zone
.SH DESCRIPTION
DNS administrators can use
.B dlint
to scan recursively through the domain records of the fully-qualified
zone
.IR zone ,
to get a report on any errors therein.
You can scan a zone you own, or anyone else's zone on the Internet.
.B dlint
talks directly to a primary or secondary nameserver for the zone,
to make sure it's working with up-to-date information.
.LP
.I dlint
also suggests ways of fixing problems instead of just complaining
about them like other debugging tools.
.LP
The argument
.I zone
should always have an ending period to indicate it is a
fully qualified domain name.
.SH OPTIONS
By default,
.B dlint
recursively traverses the entire hierarchy below the zone specified.
The
.B \-n
option may be used to disable recursive traversal, causing it to
only examine the records in the given zone.
Note that a zone may or may not contain any number of sub-domains
(all of which will be checked with or without this option).
.SH EXAMPLES
.IP
.B example% dlint nau.edu.
.LP
recursively scans the DNS records in zone nau.edu for problems.
.IP
.B example% dlint 64.114.134.in-addr.arpa.
.LP
recursively scans the DNS records associated with IP subnet 134.114.64.0 for problems.
You had to already know that 134.114.0.0 was subnetted.
.SH DIAGNOSTICS
The output from
.B dlint
is computer parsable, each line has a special meaning.
Lines beginning with a semicolon (;) are comments only.
Lines beginning with the phrase ``WARNING'' are useful information
that you should consider.
A warning is not necessarily an error,
but may be a problem.
Lines beginning with the phrase ``ERROR'' are definite errors
and should be dealt with accordingly.
.SH "EXIT STATUS"
.IP 0
Successful run, no problems encountered with zone.
.IP 1
Successful run, worst problem with zone was a WARNING.
.IP 2
Successful run, worst problem with zone was an ERROR.
.IP 3
Usage error.
.IP 4
A signal interrupted the program run
(i.e. user typed interrupt key sequence).
.SH BUGS
.B Dlint
doesn't work behind some firewalls because it needs to talk to a
root nameserver to get started.
.LP
.B Dlint
uses the zone transfer mechanism (AXFR) which some nameservers deny to
unauthorized hosts.
.LP
Other nameservers happily return zero records instead of an error,
in response to an unauthorized AXFR!
That is just wrong.
.SH AUTHOR
Paul Balyoz <pab@domtools.com>
.SH DISTRIBUTION
http://www.domtools.com/dns/dlint.shtml
.SH COPYRIGHT
Copyright (C) 1993-1998 Paul A. Balyoz <pab@domtools.com>
.LP
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
.LP
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
.LP
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
����������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������