DNS Zone File Validator

Zone origin:

Use the authoritative zone name, such as example.com or 2.0.192.in-addr.arpa.

Validation target:

Choose the system that must accept the pasted file.

Review profile:

Public and mail profiles add delegation and policy checks; internal and migration profiles are less strict about private data.

Record type policy:

Use warn for normal imports, fail for strict CI, or allow for RFC3597 and provider-specific records.

Zone file:

Paste the complete zone text or browse for a .zone, .db, or .txt file. Validation updates locally as the text changes.

Finding threshold:

Advisory keeps warnings lightweight; strict treats warnings as release blockers.

Fallback TTL:

This does not rewrite the source; it keeps inherited TTL checks deterministic when $TTL is absent.

seconds

TTL warning ceiling:

Keep this near one day for change windows; raise it for stable static zones.

seconds

Normalized owner format:

Expanded owner names are easier to diff across imports; relative owner names are closer to the pasted file.

DNS zone validation issue ledger
Severity	Line	Check	Finding	Next action	Copy
{{ issue.severityLabel }}	{{ issue.lineLabel }}	{{ issue.check }}	{{ issue.finding }}	{{ issue.fix }}
No blocking findings or warnings were found for the selected profile.

Parsed DNS record ledger
Line	Owner	Type	TTL	RDATA	Notes	Copy
{{ record.line }}	{{ record.owner }}	{{ record.type }}	{{ record.ttlLabel }}	{{ record.rdata }}	{{ record.note }}
Paste a zone file with resource records to populate the ledger.

{{ normalizedZone }}

Embed:

Customize

Include current inputs

Size

Advanced

Width

Height

Aspect ratio

Max height

Collapsible embed

Allow fullscreen

Referrer policy

Sandbox tokens

A DNS zone file turns a domain plan into the records an authoritative nameserver or DNS provider is expected to serve. The same text can decide where a website resolves, which hosts receive mail, how certificate authorities are restricted, which nameservers are authoritative, and how long resolvers may keep old answers. Because those records are copied into caches and sometimes imported into provider systems, a small mistake can last much longer than the edit that created it.

BIND-style master files are compact by design. Operators can use @ for the current origin, leave owner names relative, inherit the previous owner on indented lines, set a default $TTL, and split long records across parentheses. Those shortcuts make real zone files readable, but they also mean the text a person reviews is not always the fully expanded record set a server will load.

Origin: The base zone name used to expand relative owners, such as example.com..
Authority: The SOA and apex NS records that identify the zone's administrative source and authoritative nameservers.
TTL: The cache lifetime attached to an answer. Long values reduce repeat lookups but slow migrations and rollback.
RDATA: The record-specific value after the owner, TTL, class, and type, such as an address, host target, or TXT policy.

The apex deserves special care. A normal zone needs exactly one Start of Authority record at the top of the zone and authoritative nameserver records at the apex. In-bailiwick nameservers usually need address records and parent glue planning. Provider-managed zones may hide or rewrite some of that authority data, which is why import files and raw BIND master files are not always judged by the same rules.

CNAME handling is a common source of false confidence. A name with a CNAME is an alias and should not carry ordinary address, mail, or text records at the same owner name. That makes an apex CNAME invalid in a normal zone, because the apex already needs SOA and NS records. Provider features such as ALIAS, ANAME, or CNAME flattening can solve some apex-alias cases, but those are provider behaviors rather than plain CNAME rows in a master file.

Mail and certificate records add operational checks beyond syntax. MX targets should resolve to hosts with address records, not aliases. SPF is normally a single TXT policy per owner. DMARC lives below _dmarc, and CAA records can constrain certificate issuance. A zone can parse successfully while still being weak for mail delivery, migration, certificate issuance, or DNSSEC handoff.

Zone-file review is a pre-flight step, not proof of live delegation. A text check can catch malformed rows, risky relationships, and mismatched policy, but final confidence still comes from loading the zone with the receiving nameserver or provider, checking parent delegation, and querying the served records after deployment.

How to Use This Tool:

Use the validator before importing, loading, or handing off a complete BIND-style zone file.

Enter Zone origin with the authoritative zone name, such as example.com or 2.0.192.in-addr.arpa. The summary and record ledger should then show owners expanded inside that origin instead of drifting into another zone.
Choose Validation target. BIND master file and Internal BIND view expect SOA and apex NS records, Provider import file tolerates provider-managed authority, and Signed DNSSEC handoff adds DNSKEY and RRSIG expectations.
Select Review profile for the zone purpose. Public and mail-ready profiles add routable-address, delegation, SPF, DMARC, CAA, and mail-host checks; internal and migration profiles reduce public-zone assumptions.
Set Record type policy to warn, fail, or allow unknown types. Use fail for strict CI or provider imports, warn for mixed modern DNS records, and allow only when RFC3597-style or provider-specific rows are intentional.
Paste the Zone file, browse a .zone, .db, or .txt file, or load the sample. If syntax rows appear immediately, fix unclosed quotes, unmatched parentheses, missing owners, or missing RDATA before judging the cross-record findings.
Open Advanced when cache or output policy matters. Finding threshold changes warning weight, Fallback TTL supplies a deterministic inherited TTL when $TTL is absent, TTL warning ceiling flags long cache lifetimes, and Normalized owner format controls expanded or relative output.
Read Issue Ledger first, then use Record Ledger and Normalized Zone to verify the parsed record set. The chart tabs help summarize severity and record-type mix, while JSON is useful when another review system needs the diagnostics.

Interpreting Results:

The issue ledger matters more than the score. A single error can block a zone load or create an invalid record relationship, while several notes may simply document intentional choices. Treat errors as release blockers, warnings as review items, and notes as context that should be acknowledged before handoff.

DNS zone validator result cues
Result cue	What it means	Verification step
Error	The source has invalid syntax, missing required authority, bad RDATA, or a conflict such as CNAME plus other records.	Fix before import, `named-checkzone`, or provider load.
Warning	The row may load, but the selected target sees operational risk, such as one public NS, missing MX address records, high TTL, or unexpanded directives.	Confirm intent, change the profile only if the zone purpose is different, or update the source.
Note	The finding is informational, such as zero TTL, provider-managed SOA context, uncommon CAA tag, or missing CAA under a public profile.	Document the reason when the note survives final review.
Normalized Zone	Parsed records are rewritten with consistent owner, TTL, class, type, and normalized RDATA.	Diff it against the intended handoff record set, not just the pasted formatting.

Do not treat a clean parse as a live DNS result. After source issues are fixed, load the zone with the receiving nameserver or provider checker, confirm parent delegation and glue, and query served A, AAAA, MX, NS, TXT, CAA, DNSKEY, or RRSIG records from the resolvers that matter for the change.

Technical Details:

Zone validation starts by turning raw master-file text into logical DNS statements. Comments are removed while quoted strings are preserved, parenthesized records are joined, quoted strings and parentheses are checked for closure, and indented statements can inherit the previous owner. Directives such as $ORIGIN and $TTL update parsing context for the records that follow.

Rule Core

DNS zone validation rule core
Rule area	Checks performed	Why it matters
Master-file directives	`$ORIGIN`, `$TTL`, `$INCLUDE`, `$GENERATE`, unknown directives, and origin changes outside the base zone.	Directives change inherited context, and unexpanded include or generate statements are risky for provider imports.
Record syntax	Owner name, class, TTL, type, RDATA presence, out-of-zone owners, and record TTL values from 0 to 2147483647 seconds.	Syntax errors can suppress a zone load or publish data under the wrong owner.
Record-specific shape	A and AAAA address format, SOA field count and timers, MX preference 0 to 65535, SRV numeric fields, CAA flags 0 to 255, TXT chunk length, and DNSSEC field counts.	Valid text still has to satisfy the expected RDATA shape for each RR type.
Authority checks	Exactly one SOA when required, apex NS presence, single public nameserver warning, and address readiness for in-zone nameservers.	Authority mistakes affect delegation, secondary service, and whether other servers can find glue data.
Relationship checks	CNAME exclusivity, apex CNAME, duplicate records, MX targets that are CNAMEs, missing MX address records, multiple SPF policies, and mail-profile gaps.	Cross-record errors often survive line-by-line syntax review and fail only after the zone is served.
Target and profile policy	Provider-managed authority notes, DNSSEC handoff records, public-address warnings, mail readiness, and public CAA advisory findings.	The same source can be acceptable for an internal view but risky for a public authoritative or mail-ready zone.

Score Formula

The health score is a compact triage number built from issue counts. It is useful for comparing repeat checks of the same zone, but it should not override a blocking error.

score = \max (0, 100 - 22 E - w W - I)

In the formula, E is the error count, W is the warning count, I is the note count, and w is the selected warning weight. Strict review uses 9, standard review uses 6, and advisory scan uses 3. Errors always subtract 22, notes subtract 1, and the final score is rounded and floored at zero.

Normalization Core

Normalized output is rebuilt from parsed records instead of source formatting. Owners can be expanded to fully qualified names or expressed relative to the origin. Effective TTLs are written from explicit record TTLs, the active $TTL, or the selected fallback TTL. Host-valued RDATA in NS, CNAME, DNAME, PTR, MX, SRV, and SOA records is expanded where applicable, while TXT and CAA values are quoted consistently.

For fair comparisons, keep the same zone origin, validation target, review profile, record type policy, fallback TTL, TTL warning ceiling, and normalized owner format between runs. Changing those settings can change both issue severity and the normalized handoff text.

Limitations and Privacy Notes:

The zone text is analyzed locally in the browser. The validator does not query live DNS, contact registries, expand external include files, verify DNSSEC signatures, run a nameserver's full loader, or prove that a provider will accept every record type.

$INCLUDE and $GENERATE are reported because their final records need to be expanded by another process before production validation.
DNSSEC handoff checks look for record presence and basic field counts, not cryptographic proof or chain-of-trust state.
Provider features such as ALIAS, ANAME, flattening, hidden SOA/NS handling, and proprietary record types can behave differently from a plain master file.

Advanced Tips:

Lower TTL warning ceiling during migration planning so long-lived records stand out before the cutover window starts.
Use Provider import file when the receiving DNS service manages SOA and apex NS records, but keep a stricter BIND pass for zones that will be loaded by named.
Choose Fail on unknown types for conservative import gates. Use a warning or allow policy only when the receiver supports RFC3597-style TYPE#### records or documented provider-specific types.
Compare expanded and relative normalized owner formats when reviewing a migration. Expanded names are easier to diff across providers, while relative names stay closer to traditional zone-file style.
Before sharing ledgers or normalized output, remove internal hostnames, private addresses, customer names, and unpublished DNSSEC material when those details are sensitive.

Worked Examples:

These examples show how common zone-file patterns should be read before the source is sent to a provider or authoritative server.

Public authoritative handoff

A zone contains one apex SOA, two apex NS records, address records for in-zone nameservers, A and AAAA records for service names, an MX host with an address record, one SPF TXT policy, a _dmarc TXT policy, and a CAA record. The issue ledger should be clear or limited to expected notes, and the normalized zone should be ready for a final nameserver-side check.

Apex CNAME during a vendor migration

A migration file sets @ IN CNAME vendor.example.. The issue ledger reports an apex CNAME error because the apex also needs SOA and NS records. The practical fix is to use provider-level aliasing if available, publish address records at the apex, or move the CNAME to a host such as www.

Mail-ready cleanup

A mail-ready profile finds apex MX records but no _dmarc TXT policy and two SPF TXT rows at the same owner. The rows may be syntactically valid, but the review should merge SPF into one policy and add DMARC before treating the zone as ready for mail handoff.

FAQ:

Does this replace named-checkzone?

No. Use it as a browser-side pre-flight review, then validate the final expanded file with the authoritative nameserver or provider checker that will actually load the zone.

Why does the provider import target allow missing SOA and NS records?

Many DNS providers manage SOA and authoritative NS records themselves. The provider target still warns or errors on source patterns that commonly break imports, such as unexpanded directives and record conflicts.

Why are private addresses warned in public profiles?

Private, loopback, link-local, documentation, and unique-local addresses are usually wrong in public authoritative zones. Internal and split-horizon profiles reduce those warnings because private addresses can be intentional there.

Why does a missing $TTL still produce an effective TTL?

Records need a cache lifetime for deterministic review. When the file lacks $TTL and a record has no explicit TTL, the selected fallback TTL is used and the issue ledger warns that inherited behavior should be made explicit.

Can a score of 100 still fail after deployment?

Yes. A perfect local review does not prove parent delegation, provider import policy, DNSSEC signing, secondary transfer, resolver cache state, or the records currently served from public authoritative nameservers.

Glossary:

Zone origin: The base domain used to expand @ and relative owner names in a zone file.
SOA: Start of Authority, the apex record that carries the primary nameserver, responsible mailbox, serial, and zone timer values.
TTL: Time to live, the number of seconds a resolver may cache an answer before asking again.
RDATA: The record-specific data after owner, TTL, class, and type.
In-bailiwick nameserver: A nameserver whose name is inside the zone it serves, often requiring address records and parent glue planning.
DNSSEC handoff: A transfer or review point where signed-zone records such as DNSKEY and RRSIG need to be present for the selected workflow.