Skip to content


Subversion checkout URL

You can clone with
Download ZIP
Look for issues across multiple zone files
Branch: master

Fetching latest commit…

Cannot retrieve the latest commit at this time

Failed to load latest commit information.


Look for records that are in one zone file, but should be in another.


sudo yum install fakeroot
mkdir dnsscopecheck
cd dnsscopecheck
virtualenv venv
source venv/bin/activate
pip install -e git://
pip install -e git://
git clone git://
cd dnsscopecheck
python --help

If you want an rpm use:

python bdist_rpm --requires dnspython,iscpy,argparse


usage: [-h] --named-path NAMED_PATH [--debug] [--use-signed]
                 [--show-corrected SHOW_CORRECTED]
                 [--config-file CONFIG_FILE | --config-files CONFIG_FILES | --view-file VIEW_FILE]

Detect broken records

optional arguments:
  -h, --help            show this help message and exit
  --named-path NAMED_PATH
                        A full path to where named would be running.
  --debug               Print more things than usual
  --use-signed          Check signed zone files for errors (False by default)
  --show-corrected SHOW_CORRECTED
                        Suggest the correct zone file when a violation is
                        found (True by default)
  --config-file CONFIG_FILE
                        A file containing bare zone statements
  --config-files CONFIG_FILES
                        A file containing full paths to other config files
  --view-file VIEW_FILE
                        A full file path to a view file

Example Output

[uberj@leo dnsscopecheck]$ export PYTHONPATH=.:$PYTHONPATH
[uberj@leo dnsscopecheck]$ ./bin/dnsscopecheck --debug --named-path $(pwd)/dnsscopecheck/tests/chroot/var/run/named --view-file $(pwd)/dnsscopecheck/tests/chroot/var/run/named/config/view.conf
--Processing is a child zone of is a child zone of
--Processing is a child zone of
--Processing is a child zone of
--Processing is a child zone of
### shouldn't be in:
# should be in 0 IN A 0 IN A
# should be in 0 IN A 0 IN A
### shouldn't be in:
# should be in 0 IN A 0 IN A


A lot of dirty hacks happen because named runs in a chroot and this script does not. There is a file called '' that contains tuples of paths that are swapped whenever a file is loaded. This swapping is an attempt to replicate the chroot environment.

Some zone statements reference files that are signed (files that end in a '.signed' suffix), by default this script attempts to not use signed zone files and will strip a '.signed' suffix from a file path when a zone's data is being loaded. You can control this behavior with the --use-signed flag.

Something went wrong with that request. Please try again.