The semantic-checks statement turns on extra zone file semantic checks. Several checks are enabled by default and cannot be turned off. If an error is found by these mandatory checks, the zone file will not be loaded. When a zone file is loaded, any errors found and the number of their occurrences are logged to stderr.

The mandatory checks are the following:
- An extra record together with a CNAME record (except for RRSIG and DS)
- CNAME link chain length greater than 10 (including infinite cycles)
- DNAME and CNAME records under the same owner (RFC 2672)
- CNAME and DNAME wildcards pointing to themselves
- SOA record missing in the zone (RFC 1034)
- DNAME records having records under them (DNAME children) (RFC 2672)
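As an added illustration (not Knot's own code), the following Python script mirrors four of the mandatory checks above (missing SOA, extra records beside a CNAME, CNAME chain length or cycle, records under a DNAME owner) on a simplified zone-file input. The zone file format it parses and the sample zone are constructed assumptions; a real zone file with `$ORIGIN`, relative names or multi-line records would need a full parser.

```python
from collections import defaultdict

# Record types that may share an owner name with a CNAME (per the list above).
CNAME_COEXIST_OK = {"CNAME", "RRSIG", "DS"}
MAX_CNAME_CHAIN = 10

# Constructed sample zone: deliberately trips two of the mandatory checks.
SAMPLE_ZONE = """\
example.com.        3600 IN SOA   ns1.example.com. hostmaster.example.com. 1 7200 3600 1209600 3600
example.com.        3600 IN NS    ns1.example.com.
ns1.example.com.    3600 IN A     192.0.2.1
www.example.com.     300 IN CNAME web.example.com.
www.example.com.     300 IN A     192.0.2.2     ; A record next to a CNAME -> error
loop-a.example.com.  300 IN CNAME loop-b.example.com.
loop-b.example.com.  300 IN CNAME loop-a.example.com.  ; CNAME cycle -> error
"""

def parse_zone(text):
    # Parses "<owner> [ttl] [IN] <type> <rdata>" lines into {owner: {type: [rdata]}}.
    records = defaultdict(lambda: defaultdict(list))
    for line in text.splitlines():
        fields = line.split(";")[0].split()   # drop trailing comments
        if not fields:
            continue
        owner, rest = fields[0].lower(), fields[1:]
        if rest and rest[0].isdigit():        # optional TTL
            rest = rest[1:]
        if rest and rest[0].upper() == "IN":  # optional class
            rest = rest[1:]
        records[owner][rest[0].upper()].append(" ".join(rest[1:]))
    return records

def mandatory_checks(records):
    # Returns error strings; an empty list means the zone would pass these checks.
    errors = []
    if not any("SOA" in types for types in records.values()):
        errors.append("SOA record missing in the zone")
    for owner, types in records.items():
        if "CNAME" in types:
            extra = set(types) - CNAME_COEXIST_OK   # also catches DNAME + CNAME
            if extra:
                errors.append(f"{owner}: extra record(s) {sorted(extra)} with CNAME")
            hops, name = 0, owner                   # follow the CNAME chain
            while name in records and "CNAME" in records[name] and hops <= MAX_CNAME_CHAIN:
                name, hops = records[name]["CNAME"][0].lower(), hops + 1
            if hops > MAX_CNAME_CHAIN:
                errors.append(f"{owner}: CNAME chain longer than {MAX_CNAME_CHAIN} or cyclic")
        if "DNAME" in types and any(o.endswith("." + owner) for o in records):
            errors.append(f"{owner}: records exist under a DNAME owner")
    return errors
```

Running `mandatory_checks(parse_zone(SAMPLE_ZONE))` reports the A record beside the CNAME at www.example.com. and the CNAME cycle at both loop-a and loop-b, which is the kind of finding that would prevent the zone from loading.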
The following checks have to be turned on using semantic-checks, and a zone containing the following errors will still be loaded even though an error was found:
- Missing NS record at the zone apex
- Missing glue A or AAAA records
- Broken or non-cyclic NSEC(3) chain
- Wrong NSEC(3) type bitmap
- Multiple NSEC records at the same node
- Missing NSEC records at authoritative nodes
- Extra record types under the same name as an NSEC3 record (this is RFC-valid, but Knot will not serve such a zone correctly)
- NSEC3-unsecured delegation that is not part of an Opt-out span
- Wrong original TTL value in NSEC3 records
- Wrong RDATA TTL value in RRSIG record
- Signer name in RRSIG RR not the same as in DNSKEY
- Signed RRSIG
- Not all RRs in node are signed
- Wrong key flags or wrong key in RRSIG record (not the same as ZSK)