named-checkzone Explained
What BIND validates before it accepts a zone file
named-checkzone is the BIND utility used to validate DNS master files. It parses a zone file the way BIND would parse it, checks record syntax, and reports whether the zone can be loaded. checkzone.dev uses this style of validation so the browser result matches the checks a BIND operator would normally run on a server.
Basic Command
When running locally, the command takes the zone origin first and the zone file path second:
named-checkzone example.test /etc/bind/db.example.test
The origin must match the zone file. If the file is for example.test, validate it as example.test, not as a subdomain or a different domain.
Successful Output
A clean zone usually reports the loaded serial followed by OK:
zone example.test/IN: loaded serial 2026051501
OK
The serial shown is the value from the SOA record. If the command exits successfully, BIND considers the file syntactically loadable for that origin.
Error Output
When validation fails, BIND usually prints the file name, line number, and a short reason. For example, a CNAME conflict may appear as:
example.test:12: www.example.test: CNAME and other data
zone example.test/IN: loading from master file example.test failed: CNAME and other data
zone example.test/IN: not loaded due to errors.
Start with the first reported line, then continue through later messages. Later errors are sometimes side effects of an earlier syntax problem.
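An added example, not part of the original page or of BIND: a Python wrapper that runs the command shown above with an argument list (no shell involved) and parses the two output shapes on this page, so a CI job can report the first file:line diagnostic. The function names and the result dictionary layout are assumptions made for this example.

```python
import re
import subprocess

# "file:line: message", e.g. "example.test:12: www.example.test: CNAME and other data"
DIAG = re.compile(r"^(?P<file>[^:\s]+):(?P<line>\d+): (?P<msg>.+)$")
# "zone example.test/IN: <status text>"
ZONE = re.compile(r"^zone (?P<zone>\S+)/\w+: (?P<msg>.+)$")
SERIAL = re.compile(r"^loaded serial (\d+)$")

# Sample output copied from the examples on this page.
SAMPLE_OK = "zone example.test/IN: loaded serial 2026051501\nOK\n"
SAMPLE_FAIL = (
    "example.test:12: www.example.test: CNAME and other data\n"
    "zone example.test/IN: loading from master file example.test failed: CNAME and other data\n"
    "zone example.test/IN: not loaded due to errors.\n"
)

def parse_checkzone(output):
    """Parse named-checkzone text into zone, serial, ok flag and ordered diagnostics."""
    res = {"ok": False, "zone": None, "serial": None, "diagnostics": []}
    saw_ok = False
    for line in (raw.strip() for raw in output.splitlines()):
        if (m := DIAG.match(line)):
            res["diagnostics"].append(
                {"file": m["file"], "line": int(m["line"]), "reason": m["msg"]})
        elif (m := ZONE.match(line)):
            res["zone"] = m["zone"]
            if (s := SERIAL.match(m["msg"])):
                res["serial"] = int(s.group(1))
        elif line == "OK":
            saw_ok = True
    # Loadable only if a serial was reported and the final OK line was printed.
    res["ok"] = saw_ok and res["serial"] is not None
    return res

def first_diagnostic(res):
    """Return the first file:line diagnostic (the place to start fixing), or None."""
    return res["diagnostics"][0] if res["diagnostics"] else None

def check_zone(origin, path):
    """Run named-checkzone (must be installed locally) and parse its output."""
    proc = subprocess.run(["named-checkzone", origin, path],
                          capture_output=True, text=True, check=False)
    res = parse_checkzone(proc.stdout + proc.stderr)
    # The exit status is authoritative; the parsed text only adds detail.
    res["ok"] = res["ok"] and proc.returncode == 0
    return res
```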
What It Checks
- Master file syntax, comments, parentheses, and field order
- SOA and NS record requirements
- Record-specific data such as IPv4, IPv6, MX priority, and SRV fields
- CNAME conflicts with other records at the same owner name
- Owner names that are outside the zone origin
- Some integrity checks around in-zone nameserver and mail exchanger targets
What It Cannot Prove
named-checkzone does not test live delegation, registrar glue, DNSSEC signing chains, firewall access to nameservers, or whether HTTP, SMTP, SIP, or other services are actually running. Passing validation means the file can be loaded by BIND; it does not mean the public DNS path is fully configured.
Installing It Locally
If your zone contains internal hostnames or private addresses, run the check locally rather than pasting the file into a web tool. Package names vary by operating system:
# Debian or Ubuntu
sudo apt install bind9-utils
# RHEL, Fedora, or compatible distributions
sudo dnf install bind-utils
# macOS with Homebrew
brew install bind
Need a quick browser check? Paste the same zone into checkzone.dev and compare the result with local BIND output.