YAZVS — Yet Another Zone Validation Script

yazvs.pl is one of the utilities that VeriSign uses daily to validate new versions of the root and arpa zones before they are published to the distribution masters.

It performs the following steps:

  1. Read a candidate zone file from disk
  2. Validate KSKs using a locally configured trust anchor
  3. Validate ZSKs using KSKs
  4. Validate RRSIGs using ZSKs
  5. Retrieve the current zone data via AXFR
  6. Print a summary of the number of KSKs, ZSKs, DS, and RRSIG records that have changed
  7. Optionally produce a Unix diff of the two zones, excluding RRSIG/NSEC/NSEC3 records

Sample Output

Crypto Validation of root 2010071501
OK: 2 trusted KSKs found
OK: Apex DNSKEY RRset validated
OK: 0 expiring RRSIGs found
OK: 0 bad RRSIGs found
OK: 299 good RRSIGs found

Comparison to current zone
OK: Received 3655 RRs from
OK: Current serial 2010071500
DIFF: KSK 1 added, 1 removed, 0 unchanged
DIFF: ZSK 1 added, 1 removed, 0 unchanged
DIFF: RRSIG 1 added, 1 removed, 298 unchanged
DIFF: DS 0 added, 0 removed, 10 unchanged

Validation for root 2010071501 PASSED, 0 problems


usage: yazvs.pl -c -d -r -u -a file -e days -t key -n keyname -m master zonefile
	-c		zonefile is already "clean" so use alternate parsing
	-d		enable debugging
	-r		reverse (axfr is current, disk file is old)
	-u		unix diff of zone files at the end
	-a file		file containing trust anchors
	-e days		complain about RRSIGs that expire within days days
	-t key		TSIG filename or hash string
	-n keyname	TSIG name if not otherwise given
	-m master	hidden master nameserver

The default value for the -e option is 3 days.

The trust anchor file (-a option) may contain either DNSKEY or DS records as they would appear in a zone file.

If the -m option is omitted, AXFR will be attempted from the authoritative nameservers given in the zone file.


yazvs.pl uses the Net::DNS, Net::DNS::SEC, Net::DNS::ZoneFile::Fast, and List::Compare perl modules.

Due to a bug in Net-DNS-ZoneFile-Fast-1.12, you'll need to apply this patch so that DS records are correctly parsed.

Zone Diff

zonediff.pl is a similar utility that produces a Unix diff of two zone files after optionally excluding certain record types.

Copyright and License

yazvs.pl and zonediff.pl are Copyright 2014 by VeriSign, Inc and licensed under the terms of the GNU General Public License, version 2.