yazvs.pl is one of the utilities that VeriSign uses daily to validate new versions of the root and arpa zones before they are published to the distribution masters.
It performs the following steps, shown here in a sample run against the root zone:
    Crypto Validation of root 2010071501
    ----------------------------------------------------------------------
    OK: 2 trusted KSKs found
    OK: Apex DNSKEY RRset validated
    OK: 0 expiring RRSIGs found
    OK: 0 bad RRSIGs found
    OK: 299 good RRSIGs found

    Comparison to current zone
    ----------------------------------------------------------------------
    OK: Received 3655 RRs from 10.0.0.1
    OK: Current serial 2010071500
    DIFF: KSK 1 added, 1 removed, 0 unchanged
    DIFF: ZSK 1 added, 1 removed, 0 unchanged
    DIFF: RRSIG 1 added, 1 removed, 298 unchanged
    DIFF: DS 0 added, 0 removed, 10 unchanged

    Validation for root 2010071501 PASSED, 0 problems
    usage: yazvs.pl -c -d -r -u -a file -e days -t key -n keyname -m master zonefile
      -c          zonefile is already "clean" so use alternate parsing
      -d          enable debugging
      -r          reverse (axfr is current, disk file is old)
      -u          unix diff of zone files at the end
      -a file     file containing trust anchors
      -e days     complain about RRSIGs that expire within days days
      -t key      TSIG filename or hash string
      -n keyname  TSIG name if not otherwise given
      -m master   hidden master nameserver
The default value for the -e option is 3 days.
The trust anchor file (-a option) may contain either DNSKEY or DS records as they would appear in a zone file.
If the -m option is omitted, AXFR will be attempted from the authoritative nameservers given in the zone file.
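As an added example (not yazvs.pl's own code), here is how the checks behind the -a and -e options can be expressed in Python with only the standard library: a DS-format trust anchor is matched against an apex DNSKEY by recomputing the key tag and digest (RFC 4034), a DNSKEY-format anchor by direct comparison, and an RRSIG expiration is tested against the days threshold. The key material, owner names and timestamps are constructed values, and the function names are this example's own.

```python
import base64
import hashlib
import struct
from datetime import datetime, timedelta
# Constructed example, not yazvs.pl's own code: trust-anchor matching (DS or
# DNSKEY anchors vs. the apex DNSKEY RRset, RFC 4034) and the -e expiry check.

def wire_name(name):
    """Canonical (lowercase) wire-format owner name; '.' is the root zone."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_for_dnskey(owner, flags, protocol, algorithm, pubkey_b64, digest_type):
    """(key_tag, algorithm, digest_type, digest_hex) as a DS record would carry."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    h = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    return (key_tag(rdata), algorithm, digest_type, h(wire_name(owner) + rdata).hexdigest().upper())

def dnskey_matches_ds(owner, flags, protocol, algorithm, pubkey_b64, ds):
    """ds: (key_tag, algorithm, digest_type, digest_hex) parsed from the anchor file."""
    return ds_for_dnskey(owner, flags, protocol, algorithm, pubkey_b64, ds[2]) == \
        (ds[0], ds[1], ds[2], ds[3].upper())

def trusted_ksks(owner, dnskeys, anchors):
    """Count apex DNSKEYs covered by an anchor ("OK: N trusted KSKs found").
    dnskeys: (flags, proto, alg, key_b64) tuples; anchors: ("DS", ds) or ("DNSKEY", key)."""
    count = 0
    for key in dnskeys:
        if any((kind == "DNSKEY" and rr == key) or
               (kind == "DS" and dnskey_matches_ds(owner, *key, rr))
               for kind, rr in anchors):
            count += 1
    return count

def rrsig_expires_within(expiration, days, now):
    """Both in RRSIG YYYYMMDDHHmmSS form; True if the signature lapses within
    `days` of `now`, which is what -e days complains about (default 3)."""
    fmt = "%Y%m%d%H%M%S"
    return datetime.strptime(expiration, fmt) <= datetime.strptime(now, fmt) + timedelta(days=days)
```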
yazvs.pl uses the Net::DNS, Net::DNS::SEC, Net::DNS::ZoneFile::Fast, and List::Compare perl modules.
Due to a bug in Net-DNS-ZoneFile-Fast-1.12, you'll need to apply this patch so that DS records are correctly parsed.
yazvs.pl and zonediff.pl are Copyright 2010 by VeriSign, Inc and licensed under the terms of the GNU General Public License, version 2.