
Language: en

Version: 2008-01-14 (mandriva - 01/05/08)

Section: 1 (User commands)


donuts - analyze DNS zone files for errors and warnings


   donuts [-h] [-H] [-v] [-l LEVEL] [-r RULEFILES] [-i IGNORELIST]
          [-C] [-c configfile] ZONEFILE DOMAINNAME...


donuts is a DNS Lint application that examines DNS zone files looking for particular problems. This is especially important for zones making use of DNSSEC security records, since many subtle problems can occur.

If the Text::Wrap Perl module is installed, donuts will give better output formatting.


Displays a help message.
Turns on more verbose output.
Turns on more quiet output.
Sets the level of errors to be displayed. The default is level 5. The maximum value is level 9, which displays many debugging results. You probably want to run no higher than level 8.
A comma-separated list of rule files to load. The strings will be passed to glob() so * wildcards can be used to specify multiple files.
A comma-separated list of regex patterns which are checked against rule names to determine if some should be ignored. Run with -v to figure out rule names if you're not sure which rule is generating errors you don't wish to see.
Include rules that require live queries of data. Generally, these rules concentrate on pulling remote DNS data to test; for example, parent/child zone relationships.
Parse a configuration file to change constraints specified by rules. This defaults to $HOME/.donuts.conf.
Don't read user configuration files at all, such as those specified by the -c option or the $HOME/.donuts.conf file.
Specifies that tcpdump should be started on INTERFACE (e.g., "eth0") just before donuts begins its run of rules for each domain, and stopped just after the rules have been processed. This is useful when you wish to capture the traffic generated by the live feature, described above.
When tcpdump is run, this FILTER is passed to it to filter the captured traffic. By default, this is set to port 53 || ip[6:2] & 0x1fff != 0, which limits the capture to traffic destined to port 53 (DNS) or fragmented packets.
Saves the tcpdump captured packets to FILE. The following special fields can be used to help generate unique file names:
This is replaced with the current domain name being analyzed (e.g., ``'').
This is replaced with the current epoch time (i.e., the number of seconds since Jan 1, 1970).

This field defaults to %d.%t.pcap.
Displays the personal configuration file rules and tokens that are acceptable in a configuration file. The output will consist of a rule name, a token, and a description of its meaning.

Your configuration file (e.g., $HOME/.donuts.conf) may have lines in it that look like this:

   # change the default minimum number of legal NS records from 2 to 1
   minnsrecords: 1
   # change the level of the following rule from 8 to 5
   level: 5

This allows you to override certain aspects of how rules are executed.

Displays a list of all known rules along with their description (if available).
The --features option specifies additional rule features that should be executed. Some rules are turned off by default, for instance because they are more intensive or require a live network connection. Use the --features flag to turn them on. The LIST argument should be a comma-separated list. Example usage:
   --features live,data_check

Features available in the default rule set:

The live feature allows rules that need to perform live DNS queries to run. Most of these live rules query the parent and children of the current zone, when appropriate, to see that the parent/child relationships have been built properly. For example, if you have a DS record which authenticates the key used in a child zone, the live feature will let a rule run which checks whether the child is actually publishing the DNSKEY that corresponds to the test zone's DS record.
[alpha code]
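
The parent/child check described for the live feature comes down to the DS computation in RFC 4034: key tag and algorithm must match, and the digest over the child's owner name plus DNSKEY RDATA must equal the DS digest. The following is an added example in Python, not code from donuts or DNSSEC-Tools; the function names and sample keys are constructed, and the child's DNSKEY set is passed in rather than fetched by a live query.

```python
import hashlib
import struct

# DS digest type number -> hash constructor (RFC 4034 and RFC 4509)
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}

def name_to_wire(name):
    """Canonical wire form of a domain name: lower-cased, length-prefixed labels."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, public_key):
    """DNSKEY RDATA: 16-bit flags, protocol, algorithm, then the raw key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (not valid for the obsolete algorithm 1)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_matches(owner, ds, rdata):
    """True if the DS (tag, algorithm, digest_type, hex digest) commits to this DNSKEY."""
    tag, algorithm, digest_type, digest_hex = ds
    if digest_type not in DIGESTS:
        raise ValueError("unsupported DS digest type %d" % digest_type)
    if tag != key_tag(rdata) or algorithm != rdata[3]:
        return False
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest()
    return digest == digest_hex.replace(" ", "").lower()

def find_published_key(owner, ds, dnskeys):
    """Return the first child DNSKEY RDATA matching the DS, or None if there is none."""
    return next((k for k in dnskeys if ds_matches(owner, ds, k)), None)

# Constructed sample data (not real keys): a child zone publishing two DNSKEYs.
CHILD = "child.example.com."
KSK = dnskey_rdata(257, 3, 8, bytes.fromhex("03010001aabbccdd"))
ZSK = dnskey_rdata(256, 3, 8, bytes.fromhex("0301000111223344"))
GOOD_DS = (key_tag(KSK), 8, 2, hashlib.sha256(name_to_wire(CHILD) + KSK).hexdigest())
STALE_DS = (12345, 8, 2, "00" * 32)  # parent still points at a key no longer published

if __name__ == "__main__":
    for label, ds in (("good", GOOD_DS), ("stale", STALE_DS)):
        hit = find_published_key(CHILD, ds, [ZSK, KSK])
        print(label, "DS:", "matching DNSKEY published" if hit else "NO matching DNSKEY")
```

A DS for which no DNSKEY matches is the broken-delegation case: validating resolvers will treat the child zone as bogus until the parent's DS or the child's key set is corrected.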

Displays a browsable GUI screen showing the results of the donuts tests.

The QWizard and Gtk2 Perl modules must be installed for this to work.

Obsolete command line option. Please use --features live instead.
Copyright 2004-2007 SPARTA, Inc. All rights reserved. See the COPYING file included with the DNSSEC-Tools package for details.


Wes Hardaker <>


For writing rules that can be loaded by donuts:

General DNS and DNSSEC usage:

   Net::DNS, Net::DNS::SEC,