moritzmyrz/zonecheck

zonecheck

Fast CLI for auditing a domain's DNS delegation and authoritative behavior.

Overview

zonecheck is a focused DNS validation tool for developers and infrastructure teams.
It checks whether a domain's delegation and authoritative DNS responses look healthy, and reports clear findings for both humans and automation.

The goal is practical DNS hygiene checks, not a full DNS platform.

Features (MVP)

  • Validates NS presence from both parent delegation and child zone lookup
  • Queries authoritative nameservers directly for SOA, NS, A, AAAA, and MX
  • Detects common failure patterns:
    • missing NS or SOA
    • delegation mismatch (parent vs child)
    • lame delegation behavior
    • missing in-bailiwick glue
    • authoritative inconsistency for core answers
  • Outputs:
    • concise human-readable report
    • stable JSON for machine processing
  • Exit codes:
    • 0: no failing checks
    • 1: one or more failing checks
    • 2: invalid input or runtime error
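
To make two of the failure patterns above concrete, delegation mismatch and missing in-bailiwick glue, here is an added Go example; it is not zonecheck's own code. The function names (`canon`, `onlyIn`, `missingGlue`) and the sample data are assumptions constructed for illustration. A mismatch exists when `onlyIn` is non-empty in either direction.

```go
package main

import (
	"fmt"
	"strings"
)

// canon lowercases a DNS name and drops the trailing root dot.
func canon(name string) string {
	return strings.TrimSuffix(strings.ToLower(strings.TrimSpace(name)), ".")
}

// onlyIn returns names in a that b lacks (canonical form, input order).
func onlyIn(a, b []string) []string {
	inB := map[string]bool{}
	for _, n := range b {
		inB[canon(n)] = true
	}
	out := []string{}
	for _, n := range a {
		if c := canon(n); !inB[c] {
			out = append(out, c)
		}
	}
	return out
}

// missingGlue lists in-bailiwick nameservers (at or below zone) for which the
// parent referral carried no address record. glue maps hostname to addresses.
func missingGlue(zone string, parentNS []string, glue map[string][]string) []string {
	z, have := canon(zone), map[string]bool{}
	for host, addrs := range glue {
		have[canon(host)] = len(addrs) > 0
	}
	out := []string{}
	for _, n := range parentNS {
		if h := canon(n); (h == z || strings.HasSuffix(h, "."+z)) && !have[h] {
			out = append(out, h)
		}
	}
	return out
}

func main() { // constructed sample data, not real DNS answers
	parent := []string{"NS1.example.com.", "ns2.example.com.", "ns.dns-host.example."}
	child := []string{"ns1.example.com.", "ns3.example.com."}
	glue := map[string][]string{"ns1.example.com.": {"192.0.2.53"}}
	fmt.Println(onlyIn(parent, child), onlyIn(child, parent), missingGlue("example.com", parent, glue))
}
```

The out-of-bailiwick server `ns.dns-host.example` is reported as a set difference but never as missing glue, because its address is resolved through its own zone rather than through the parent referral.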

CLI Usage

zonecheck example.com
zonecheck example.com --short
zonecheck example.com --json
zonecheck example.com --timeout 5s

Example Human Output

zonecheck example.com
Checks: 7  Pass: 5  Warn: 2  Fail: 0

[PASS] NS records present: NS records found in parent delegation and child lookup.
[WARN] Delegation consistency: Parent delegation NS set differs from child NS set.
[PASS] Lame delegation: All authoritative nameservers responded authoritatively.
...

Example JSON Output

{
  "domain": "example.com",
  "generated_at": "2026-03-11T12:00:00Z",
  "duration": 123456789,
  "summary": {
    "pass": 5,
    "warn": 2,
    "fail": 0,
    "total": 7
  },
  "checks": [
    {
      "id": "ns_presence",
      "name": "NS records present",
      "status": "pass",
      "message": "NS records found in parent delegation and child lookup."
    }
  ]
}

Architecture

  • cmd/zonecheck: CLI entrypoint and flag handling
  • internal/app: orchestration and evidence collection
  • internal/dnsclient: DNS wire queries and resolver helpers
  • internal/checks: isolated DNS audit checks
  • internal/runner: deterministic check execution
  • internal/report: report models and renderers
  • testdata/fixtures: fixture directory for test inputs

Installation

Build from source

go build -o zonecheck ./cmd/zonecheck
./zonecheck example.com

Development

go test ./...
go run ./cmd/zonecheck example.com --short

Scope and Limitations

  • zonecheck is a validator, not a DNS server or zone management platform.
  • It favors clear signals over exhaustive handling of protocol edge cases.
  • Current checks focus on delegation, authoritative responses, and basic record hygiene.
  • Live DNS behavior can vary with anycast and propagation timing.

Roadmap

  • DNSSEC presence/status
  • DMARC/SPF/DKIM discovery
  • apex CNAME warning
  • TTL sanity observations
  • optional informational AXFR attempt reporting

License

MIT, see LICENSE.
