YAZVS — Yet Another Zone Validation Script

yazvs.pl is one of the utilities that Verisign uses daily to validate new versions of the root and arpa zones before they are published to the distribution masters.

It performs the following steps:

  1. Read a candidate zone file from disk
  2. Validate KSKs using a locally configured trust anchor
  3. Validate ZSKs using KSKs
  4. Validate RRSIGs using ZSKs
  5. Retrieve the current zone data via AXFR
  6. Print a summary of the number of KSKs, ZSKs, DS, and RRSIG records that have changed
  7. Optionally produce a Unix diff of the two zones, excluding RRSIG/NSEC/NSEC3 records

Sample Output

Crypto Validation of root 2010071501
OK: 2 trusted KSKs found
OK: Apex DNSKEY RRset validated
OK: 0 expiring RRSIGs found
OK: 0 bad RRSIGs found
OK: 299 good RRSIGs found

Comparison to current zone
OK: Received 3655 RRs from
OK: Current serial 2010071500
DIFF: KSK 1 added, 1 removed, 0 unchanged
DIFF: ZSK 1 added, 1 removed, 0 unchanged
DIFF: RRSIG 1 added, 1 removed, 298 unchanged
DIFF: DS 0 added, 0 removed, 10 unchanged

Validation for root 2010071501 PASSED, 0 problems


usage: yazvs.pl -c -d -r -u -a file -e days -t key -n keyname -m master zonefile
	-c		zonefile is already "clean" so use alternate parsing
	-d		enable debugging
	-r		reverse (axfr is current, disk file is old)
	-u		unix diff of zone files at the end
	-a file		file containing trust anchors
	-A url          URL containing IANA-style trust anchors
	-e days		complain about RRSIGs that expire within days days
	-t key		TSIG filename or hash string
	-n keyname	TSIG name if not otherwise given
	-m master	hidden master nameserver

The default value for the -e option is 10 days.

The trust anchor file (-a option) may contain either DNSKEY or DS records as they would appear in a zone file.

If the -m option is omitted, AXFR will be attempted from the authoritative nameservers given in the zone file.

If the -A option is given, the script fetches the URL expected to contain XML-formatted trust anchors, such as the one IANA publishes for the root zone. The in-zone KSKs are then further validated against the XML trust anchors.


yazvs.pl uses the Net::DNS, Net::DNS::SEC, Net::DNS::ZoneFile::Fast or Net::DNS::ZoneFile, and List::Compare or Set::Object perl modules.

The following modules are required if the -A option is used: LWP, XML::Simple.

Zone Diff

zonediff.pl is a similar utility that produces a Unix diff of two zone files after optionally excluding certain record types.

Copyright and License

yazvs.pl and zonediff.pl are Copyright 2017 by Verisign, Inc and licensed under the terms of the BSD 3-Clause License.