kzonecheck – Knot DNS zone file checking tool


kzonecheck [options] filename


The utility checks zone file syntax and runs semantic checks on the zone content. The executed checks are the same as the checks run by the Knot DNS server.

Please, refer to the semantic-checks configuration option in knot.conf(5) for the full list of available semantic checks.



Path to the zone file to be checked. For reading from stdin use /dev/stdin or just -.


-o, --origin origin

Zone origin. If not specified, the origin is determined from the file name (possibly removing the .zone suffix).

-d, --dnssec on|off

Also check DNSSEC-related records. The default is to decide based on the existence of a RRSIG for SOA.

-z, --zonemd

Also check the zone hash against a ZONEMD record, which is required to exist.

-t, --time time

Current time specification. Use UNIX timestamp, YYYYMMDDHHmmSS format, or [+/-]time[unit] format, where unit can be Y, M, D, h, m, or s. Default is current UNIX timestamp.

-p, --print

Print the zone on stdout.

-v, --verbose

Enable debug output.

-h, --help

Print the program help.

-V, --version

Print the program version.

Exit values

Exit status of 0 means successful operation. Any other exit status indicates an error.

See Also

knotd(8), knot.conf(5).