named-rrchecker(1) BIND 9 named-rrchecker(1)
NAME
named-rrchecker - syntax checker for individual DNS resource records
SYNOPSIS
named-rrchecker [-h] [-o origin] [-p] [-u] [-C] [-T] [-P]
DESCRIPTION
named-rrchecker reads a single DNS resource record (RR) from standard
input and checks whether it is syntactically correct.
The input format is a minimal subset of the DNS zone file format. The
entire input must be:
CLASS TYPE RDATA
o Input must not start with an owner (domain) name
o The CLASS field is mandatory (typically IN).
o The TTL field must not be present.
o RDATA format is specific to each RRTYPE.
o Leading and trailing whitespace in each field is ignored.
Format details can be found in RFC 1035 Section 5.1 <https://
datatracker.ietf.org/doc/html/rfc1035.html#section-5.1> under <rr>
specification. RFC 3597 <https://datatracker.ietf.org/doc/html/rfc3597
.html> format is also accepted in any of the input fields. See
Examples.
OPTIONS
-o origin
This option specifies the origin to be used when interpreting
names in the record: it defaults to root (.). The specified
origin is always taken as an absolute name.
-p This option prints out the resulting record in canonical form.
If there is no canonical form defined, the record is printed in
RFC 3597 <https://datatracker.ietf.org/doc/html/rfc3597.html>
unknown record format.
-u This option prints out the resulting record in RFC 3597
<https://datatracker.ietf.org/doc/html/rfc3597.html> unknown
record format.
-C, -T, -P
These options do not read input. They print out known classes,
standard types, and private type mnemonics. Each item is printed
on a separate line. The resulting list of private types may be
empty
-h This option prints out the help menu.
EXAMPLES
Pay close attention to the echo command line options -e and -n, as they
affect whitespace in the input to named-rrchecker.
echo -n 'IN A 192.0.2.1' | named-rrchecker
o Valid input is in RFC 1035 <https://datatracker.ietf.org/doc/
html/rfc1035.html> format with no newline at the end of the
input.
o Return code 0.
echo -e '\n \n IN\tA 192.0.2.1 \t \n\n ' | named-rrchecker -p
o Valid input with leading and trailing whitespace.
o Output: IN A 192.0.2.1
o Leading and trailing whitespace is not part of the output.
Relative names and origin
echo 'IN CNAME target' | named-rrchecker -p
o Valid input with a relative name as the CNAME target.
o Output: IN CNAME target.
o Relative name target from the input is converted to an
absolute name using the default origin . (root).
echo 'IN CNAME target' | named-rrchecker -p -o origin.test
o Valid input with a relative name as the CNAME target.
o Output: IN CNAME target.origin.test.
o Relative name target from the input is converted to an
absolute name using the specified origin origin.test
echo 'IN CNAME target.' | named-rrchecker -p -o origin.test
o Valid input with an absolute name as the CNAME target.
o Output: IN CNAME target.
o The specified origin has no influence if target from the input
is already absolute.
Special characters
Special characters allowed in zone files by RFC 1035 Section 5.1
<https://datatracker.ietf.org/doc/html/rfc1035.html#section-5.1> are
accepted.
echo 'IN CNAME t\097r\get\.' | named-rrchecker -p -o origin.test
o Valid input with backslash escapes.
o Output: IN CNAME target\..origin.test.
o \097 denotes an ASCII value in decimal, which, in this
example, is the character a.
o \g is converted to a plain g because the g character does not
have a special meaning and so the \ prefix does nothing in
this case.
o \. denotes a literal ASCII dot (here as a part of the CNAME
target name). Special meaning of . as the DNS label separator
was disabled by the preceding \ prefix.
echo 'IN CNAME @' | named-rrchecker -p -o origin.test
o Valid input with @ used as a reference to the specified
origin.
o Output: IN CNAME origin.test.
echo 'IN CNAME \@' | named-rrchecker -p -o origin.test
o Valid input with a literal @ character (escaped).
o Output: IN CNAME \@.origin.test.
echo 'IN CNAME prefix.@' | named-rrchecker -p -o origin.test
o Valid input with @ used as a reference to the specifed origin.
o Output: IN CNAME prefix.\@.origin.test.
o @ has special meaning only if it is free-standing.
echo 'IN A 192.0.2.1; comment' | named-rrchecker -p
o Valid input with a trailing comment. Note the lack of
whitespace before the start of the comment.
o Output: IN A 192.0.2.1
For multi-line examples see the next section.
Multi-token records
echo -e 'IN TXT two words \n' | named-rrchecker -p
o Valid TXT RR with two unquoted words and trailing whitespace.
o Output: IN TXT "two" "words"
o Two unquoted words in the input are treated as two
<character-string>s per RFC 1035 Section 3.3.14 <https://
datatracker.ietf.org/doc/html/rfc1035.html#section-3.3.14>.
o Trailing whitespace is omitted from the last
<character-string>.
echo -e 'IN TXT "two words" \n' | named-rrchecker -p
o Valid TXT RR with one character-string and trailing
whitespace.
o Output: IN TXT "two words"
echo -e 'IN TXT "problematic newline\n"' | named-rrchecker -p
o Invalid input - the closing " is not detected before the end
of the line.
echo 'IN TXT "with newline\010"' | named-rrchecker -p
o Valid input with an escaped newline character inside
character-string.
o Output: IN TXT "with newline\010"
echo -e 'IN TXT ( two\nwords )' | named-rrchecker -p
o Valid multi-line input with line continuation allowed inside
optional parentheses in the RDATA field.
o Output: IN TXT "two" "words"
echo -e 'IN TXT ( two\nwords ; misplaced comment )' | named-rrchecker
-p
o Invalid input - comments, starting with ";", are ignored by
the parser, so the closing parenthesis should be before the
semicolon.
echo -e 'IN TXT ( two\nwords ; a working comment\n )' | named-rrchecker
-p
o Valid input - the comment is terminated with a newline.
o Output: IN TXT "two" "words"
echo 'IN HTTPS 1 . alpn="h2,h3"' | named-rrchecker -p
o Valid HTTPS record
o Output: IN HTTPS 1 . alpn="h2,h3"
echo -e 'IN HTTPS ( 1 \n . \n alpn="dot")port=853' | named-rrchecker -p
o Valid HTTPS record with individual sub-fields split across
multiple lines using RFC 1035 Section 5.1 <https://datatracker
.ietf.org/doc/html/rfc1035.html#section-5.1> parentheses
syntax to group data that crosses a line boundary.
o Note the missing whitespace between the closing parenthesis
and adjacent tokens.
o Output: IN HTTPS 1 . alpn="dot" port=853
Unknown type handling
echo 'IN A 192.0.2.1' | named-rrchecker -u
o Valid input in RFC 1035 <https://datatracker.ietf.org/doc/
html/rfc1035.html> format.
o Output in RFC 3957 <https://datatracker.ietf.org/doc/html/
rfc3957.html> format: CLASS1 TYPE1 \# 4 C0000201
echo 'CLASS1 TYPE1 \# 4 C0000201' | named-rrchecker -p
o Valid input in RFC 3597 <https://datatracker.ietf.org/doc/
html/rfc3597.html> format.
o Output in RFC 1035 <https://datatracker.ietf.org/doc/html/
rfc1035.html> format: IN A 192.0.2.1
echo 'IN A \# 4 C0000201' | named-rrchecker -p
o Valid input with class and type in RFC 1035 <https://
datatracker.ietf.org/doc/html/rfc1035.html> format and rdata
in RFC 3597 <https://datatracker.ietf.org/doc/html/rfc3597
.html> format.
o Output in RFC 1035 <https://datatracker.ietf.org/doc/html/
rfc1035.html> format: IN A 192.0.2.1
echo 'IN HTTPS 1 . key3=\001\000' | named-rrchecker -p
o Valid input with RFC 9460 <https://datatracker.ietf.org/doc/
html/rfc9460.html> syntax for an unknown key3 field. Syntax
\001\000 produces two octets with values 1 and 0,
respectively.
o Output: IN HTTPS 1 . port=256
o key3 matches the standardized key name port.
o Octets 1 and 0 were decoded as integer values in big-endian
encoding.
echo 'IN HTTPS 1 . key3=\001' | named-rrchecker -p
o Invalid input - the length of the value for key3 (i.e. port)
does not match the known standard format for that parameter in
the SVCB RRTYPE.
echo 'IN HTTPS 1 . port=\001\000' | named-rrchecker -p
o Invalid input - the key port, when specified using its
standard mnemonic name, must use standard key-specific syntax.
Meta values
echo 'IN AXFR' | named-rrchecker
o Invalid input - AXFR is a meta type, not a genuine RRTYPE.
echo 'ANY A 192.0.2.1' | named-rrchecker
o Invalid input - ANY is meta class, not a true class.
echo 'A 192.0.2.1' | named-rrchecker
o Invalid input - the class field is missing, so the parser
would try and fail to interpret the RRTYPE A as the class.
RETURN CODES
0 The whole input was parsed as one syntactically valid resource
record.
1 The input is not a syntactically valid resource record, or the
given type is not supported, or either/both class and type are
meta-values, which should not appear in zone files.
SEE ALSO
RFC 1034 <https://datatracker.ietf.org/doc/html/rfc1034.html>, RFC 1035
<https://datatracker.ietf.org/doc/html/rfc1035.html>, RFC 3957
<https://datatracker.ietf.org/doc/html/rfc3957.html>, named(8) <#std-
iscman-named>.
Author
Internet Systems Consortium
Copyright
2026, Internet Systems Consortium
9.20.21 2026-03-13 named-rrchecker(1)
bind 9.20.21 - Generated Fri Apr 3 14:23:40 CDT 2026