<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
 - Copyright (C) 2014-2019 Internet Systems Consortium, Inc. ("ISC")
 - 
 - This Source Code Form is subject to the terms of the Mozilla Public
 - License, v. 2.0. If a copy of the MPL was not distributed with this
 - file, You can obtain one at http://mozilla.org/MPL/2.0/.
-->
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>delv</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
<a name="man.delv"></a><div class="titlepage"></div>
  
  

  

  <div class="refnamediv">
<h2>Name</h2>
<p>
    delv
     &#8212; DNS lookup and validation utility
  </p>
</div>

  

  <div class="refsynopsisdiv">
<h2>Synopsis</h2>
    <div class="cmdsynopsis"><p>
      <code class="command">delv</code> 
       [@server]
       [
	[<code class="option">-4</code>]
	 |  [<code class="option">-6</code>]
      ]
       [<code class="option">-a <em class="replaceable"><code>anchor-file</code></em></code>]
       [<code class="option">-b <em class="replaceable"><code>address</code></em></code>]
       [<code class="option">-c <em class="replaceable"><code>class</code></em></code>]
       [<code class="option">-d <em class="replaceable"><code>level</code></em></code>]
       [<code class="option">-i</code>]
       [<code class="option">-m</code>]
       [<code class="option">-p <em class="replaceable"><code>port#</code></em></code>]
       [<code class="option">-q <em class="replaceable"><code>name</code></em></code>]
       [<code class="option">-t <em class="replaceable"><code>type</code></em></code>]
       [<code class="option">-x <em class="replaceable"><code>addr</code></em></code>]
       [name]
       [type]
       [class]
       [queryopt...]
    </p></div>

    <div class="cmdsynopsis"><p>
      <code class="command">delv</code> 
       [<code class="option">-h</code>]
    </p></div>

    <div class="cmdsynopsis"><p>
      <code class="command">delv</code> 
       [<code class="option">-v</code>]
    </p></div>

    <div class="cmdsynopsis"><p>
      <code class="command">delv</code> 
       [queryopt...]
       [query...]
    </p></div>
  </div>

  <div class="refsection">
<a name="id-1.7"></a><h2>DESCRIPTION</h2>

    <p><span class="command"><strong>delv</strong></span>
      is a tool for sending
      DNS queries and validating the results, using the same internal
      resolver and validator logic as <span class="command"><strong>named</strong></span>.
    </p>
    <p>
      <span class="command"><strong>delv</strong></span> will send to a specified name server all
      queries needed to fetch and validate the requested data; this
      includes the original requested query, subsequent queries to follow
      CNAME or DNAME chains, and queries for DNSKEY and DS records
      to establish a chain of trust for DNSSEC validation.
      It does not perform iterative resolution, but simulates the
      behavior of a name server configured for DNSSEC validating and
      forwarding.
    </p>
    <p>
      By default, responses are validated using a built-in DNSSEC trust
      anchor for the root zone (".").  Records returned by
      <span class="command"><strong>delv</strong></span> are either fully validated or
      were not signed.  If validation fails, an explanation of
      the failure is included in the output; the validation process
      can be traced in detail.  Because <span class="command"><strong>delv</strong></span> does
      not rely on an external server to carry out validation, it can
      be used to check the validity of DNS responses in environments
      where local name servers may not be trustworthy.
    </p>
    <p>
      Unless it is told to query a specific name server,
      <span class="command"><strong>delv</strong></span> will try each of the servers listed in
      <code class="filename">/etc/resolv.conf</code>. If no usable server
      addresses are found, <span class="command"><strong>delv</strong></span> will send
      queries to the localhost addresses (127.0.0.1 for IPv4, ::1
      for IPv6).
    </p>
    <p>
      When no command line arguments or options are given,
      <span class="command"><strong>delv</strong></span> will perform an NS query for "."
      (the root zone).
    </p>
  </div>

  <div class="refsection">
<a name="id-1.8"></a><h2>SIMPLE USAGE</h2>


    <p>
      A typical invocation of <span class="command"><strong>delv</strong></span> looks like:
      </p>
<pre class="programlisting"> delv @server name type </pre>
<p>
      where:

      </p>
<div class="variablelist"><dl class="variablelist">
<dt><span class="term"><code class="constant">server</code></span></dt>
<dd>
	    <p>
	      is the name or IP address of the name server to query.  This
	      can be an IPv4 address in dotted-decimal notation or an IPv6
	      address in colon-delimited notation.  When the supplied
	      <em class="parameter"><code>server</code></em> argument is a hostname,
	      <span class="command"><strong>delv</strong></span> resolves that name before
	      querying that name server (note, however, that this
	      initial lookup is <span class="emphasis"><em>not</em></span> validated
	      by DNSSEC).
	    </p>
	    <p>
	      If no <em class="parameter"><code>server</code></em> argument is
	      provided, <span class="command"><strong>delv</strong></span> consults
	      <code class="filename">/etc/resolv.conf</code>; if an
	      address is found there, it queries the name server at
	      that address. If either of the <code class="option">-4</code> or
	      <code class="option">-6</code> options is in use, then
	      only addresses for the corresponding transport
	      will be tried.  If no usable addresses are found,
	      <span class="command"><strong>delv</strong></span> will send queries to
	      the localhost addresses (127.0.0.1 for IPv4,
	      ::1 for IPv6).
	    </p>
	  </dd>
<dt><span class="term"><code class="constant">name</code></span></dt>
<dd>
	    <p>
	      is the domain name to be looked up.
	    </p>
	  </dd>
<dt><span class="term"><code class="constant">type</code></span></dt>
<dd>
	    <p>
	      indicates what type of query is required &#8212;
	      ANY, A, MX, etc.
	      <em class="parameter"><code>type</code></em> can be any valid query
	      type.  If no
	      <em class="parameter"><code>type</code></em> argument is supplied,
	      <span class="command"><strong>delv</strong></span> will perform a lookup for an
	      A record.
	    </p>
	  </dd>
</dl></div>
<p>
    </p>

  </div>

  <div class="refsection">
<a name="id-1.9"></a><h2>OPTIONS</h2>

    <div class="variablelist"><dl class="variablelist">
<dt><span class="term">-a <em class="replaceable"><code>anchor-file</code></em></span></dt>
<dd>
	  <p>
	    Specifies a file from which to read DNSSEC trust anchors.
	    The default is <code class="filename">/etc/bind.keys</code>, which
	    is included with <acronym class="acronym">BIND</acronym> 9 and contains
	    one or more trust anchors for the root zone (".").
	  </p>
	  <p>
	    Keys that do not match the root zone name are ignored.
            An alternate key name can be specified using the
	    <code class="option">+root=NAME</code> option.
	  </p>
	  <p>
	    Note: When reading the trust anchor file,
	    <span class="command"><strong>delv</strong></span> treats <code class="option">dnssec-keys</code>
	    <code class="option">initial-key</code> and <code class="option">static-key</code>
	    entries identically.  That is, even if a key is configured
	    with <span class="command"><strong>initial-key</strong></span>, indicating that it is
	    meant to be used only as an initializing key for RFC 5011
	    key maintenance, it is still treated by <span class="command"><strong>delv</strong></span>
	    as if it had been configured as a <span class="command"><strong>static-key</strong></span>.
	    <span class="command"><strong>delv</strong></span> does not consult the managed keys
	    database maintained by <span class="command"><strong>named</strong></span>. This means
	    that if either of the keys in
	    <code class="filename">/etc/bind.keys</code> is revoked
	    and rolled over, it will be necessary to update
	    <code class="filename">/etc/bind.keys</code> to use DNSSEC
	    validation in <span class="command"><strong>delv</strong></span>.
	  </p>
	</dd>
<dt><span class="term">-b  <em class="replaceable"><code>address</code></em></span></dt>
<dd>
	  <p>
	    Sets the source IP address of the query to
	    <em class="parameter"><code>address</code></em>.  This must be a valid address
	    on one of the host's network interfaces or "0.0.0.0" or "::".
	    An optional source port may be specified by appending
	    "#&lt;port&gt;".
	  </p>
	</dd>
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
<dd>
	  <p>
	    Sets the query class for the requested data. Currently,
	    only class "IN" is supported in <span class="command"><strong>delv</strong></span>
	    and any other value is ignored.
	  </p>
	</dd>
<dt><span class="term">-d <em class="replaceable"><code>level</code></em></span></dt>
<dd>
	  <p>
	    Set the systemwide debug level to <code class="option">level</code>.
	    The allowed range is from 0 to 99.
	    The default is 0 (no debugging).
	    Debugging traces from <span class="command"><strong>delv</strong></span> become
	    more verbose as the debug level increases.
	    See the <code class="option">+mtrace</code>, <code class="option">+rtrace</code>,
	    and <code class="option">+vtrace</code> options below for additional
	    debugging details.
	  </p>
	</dd>
<dt><span class="term">-h</span></dt>
<dd>
	  <p>
	    Display the <span class="command"><strong>delv</strong></span> help usage output and exit.
	  </p>
	</dd>
<dt><span class="term">-i</span></dt>
<dd>
	  <p>
	    Insecure mode. This disables internal DNSSEC validation.
	    (Note, however, this does not set the CD bit on upstream
	    queries. If the server being queried is performing DNSSEC
	    validation, then it will not return invalid data; this
	    can cause <span class="command"><strong>delv</strong></span> to time out. When it
	    is necessary to examine invalid data to debug a DNSSEC
	    problem, use <span class="command"><strong>dig +cd</strong></span>.)
	  </p>
	</dd>
<dt><span class="term">-m</span></dt>
<dd>
	  <p>
	    Enables memory usage debugging.
	  </p>
	</dd>
<dt><span class="term">-p <em class="replaceable"><code>port#</code></em></span></dt>
<dd>
	  <p>
	    Specifies a destination port to use for queries instead of
	    the standard DNS port number 53.  This option would be used
	    with a name server that has been configured to listen
	    for queries on a non-standard port number.
	  </p>
	</dd>
<dt><span class="term">-q <em class="replaceable"><code>name</code></em></span></dt>
<dd>
	  <p>
	    Sets the query name to <em class="parameter"><code>name</code></em>.
	    While the query name can be specified without using the
	    <code class="option">-q</code>, it is sometimes necessary to disambiguate
	    names from types or classes (for example, when looking up the
	    name "ns", which could be misinterpreted as the type NS,
	    or "ch", which could be misinterpreted as class CH).
	  </p>
	</dd>
<dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
<dd>
	  <p>
	    Sets the query type to <em class="parameter"><code>type</code></em>, which
	    can be any valid query type supported in BIND 9 except
	    for zone transfer types AXFR and IXFR. As with
	    <code class="option">-q</code>, this is useful to distinguish
	    the query name, type, or class when they are ambiguous.
	    It is sometimes necessary to disambiguate names from types.
	  </p>
	  <p>
	    The default query type is "A", unless the <code class="option">-x</code>
	    option is supplied to indicate a reverse lookup, in which case
	    it is "PTR".
	  </p>
	</dd>
<dt><span class="term">-v</span></dt>
<dd>
	  <p>
	    Print the <span class="command"><strong>delv</strong></span> version and exit.
	  </p>
	</dd>
<dt><span class="term">-x <em class="replaceable"><code>addr</code></em></span></dt>
<dd>
	  <p>
	    Performs a reverse lookup, mapping an address to
	    a name.  <em class="parameter"><code>addr</code></em> is an IPv4 address in
	    dotted-decimal notation, or a colon-delimited IPv6 address.
	    When <code class="option">-x</code> is used, there is no need to provide
	    the <em class="parameter"><code>name</code></em> or <em class="parameter"><code>type</code></em>
	    arguments.  <span class="command"><strong>delv</strong></span> automatically performs a
	    lookup for a name like <code class="literal">11.12.13.10.in-addr.arpa</code>
	    and sets the query type to PTR.  IPv6 addresses are looked up
	    using nibble format under the IP6.ARPA domain.
	  </p>
	</dd>
<dt><span class="term">-4</span></dt>
<dd>
	  <p>
	    Forces <span class="command"><strong>delv</strong></span> to only use IPv4.
	  </p>
	</dd>
<dt><span class="term">-6</span></dt>
<dd>
	  <p>
	    Forces <span class="command"><strong>delv</strong></span> to only use IPv6.
	  </p>
	</dd>
</dl></div>
  </div>
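  <p>
    Added example, not part of the BIND distribution: a shell wrapper that
    turns <span class="command"><strong>delv</strong></span> output into a single verdict
    and compares it with what the operator expects for a name, so that a zone
    that should be signed but comes back unsigned is flagged. The function
    names, the sample names under <code class="literal">.example</code> and the
    sample records are constructed; the status strings it matches
    ("; fully validated", "; unsigned answer", ";; resolution failed:") are
    assumed from <span class="command"><strong>delv</strong></span>'s default output.
  </p>

```shell
#!/bin/sh
# Added example (not from the BIND distribution).
# Assumption: with default +comments output, delv marks each answer RRset with
# "; fully validated" or "; unsigned answer" and reports errors as
# ";; resolution failed: <reason>".

# classify_delv: read delv output on stdin, print one verdict.
# A CNAME chain produces one status comment per RRset, so the weakest
# result wins: failed > unsigned > validated.
classify_delv() {
    awk '
        /^; fully validated/ { validated = 1 }
        /^; unsigned answer/ { unsigned = 1 }
        /^;; resolution failed:/ {
            sub(/^;; resolution failed: */, "")
            reason = $0
            failed = 1
        }
        END {
            if (failed)         print "failed: " reason
            else if (unsigned)  print "unsigned"
            else if (validated) print "validated"
            else                print "unknown"
        }'
}

# judge EXPECTED ACTUAL: succeed only when the verdict matches the expectation.
judge() {
    if [ "$1" = "$2" ]; then
        echo "OK     $2"
    else
        echo "ALERT  expected=$1 got=$2"
        return 1
    fi
}

# audit_name SERVER_IP NAME TYPE EXPECTED
# Pass the server as an IP address: the lookup of a server hostname is not
# validated. -q/-t keep names such as "ns" from being read as a type, and +cd
# lets delv see (and explain) data a validating resolver would withhold.
audit_name() {
    verdict=$(delv "@$1" -q "$2" -t "$3" +cd 2>&1 | classify_delv)
    judge "$4" "$verdict"
}

# --- constructed sample output, modelled on delv +nocrypto formatting ---
sample_signed() {
cat <<'EOF'
; fully validated
signed.example.     300 IN A     192.0.2.10
signed.example.     300 IN RRSIG A 13 2 300 20300101000000 20291201000000 12345 signed.example. [omitted]
EOF
}

sample_chain() {
cat <<'EOF'
; fully validated
www.signed.example. 300 IN CNAME host.plain.example.
www.signed.example. 300 IN RRSIG CNAME 13 3 300 20300101000000 20291201000000 12345 signed.example. [omitted]

; unsigned answer
host.plain.example. 300 IN A     192.0.2.20
EOF
}

sample_bogus() {
cat <<'EOF'
;; validating broken.example/A: no valid signature found
;; resolution failed: no valid RRSIG
EOF
}

demo() {
    judge validated "$(sample_signed | classify_delv)"
    judge validated "$(sample_chain  | classify_delv)"   # ALERT: chain leaves the signed zone
    judge validated "$(sample_bogus  | classify_delv)"   # ALERT: validation failed
}

if [ "${1:-}" = "--demo" ]; then
    demo || true
fi
```
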

  <div class="refsection">
<a name="id-1.10"></a><h2>QUERY OPTIONS</h2>


    <p><span class="command"><strong>delv</strong></span>
      provides a number of query options which affect the way results are
      displayed, and in some cases the way lookups are performed.
    </p>

    <p>
      Each query option is identified by a keyword preceded by a plus sign
      (<code class="literal">+</code>).  Some keywords set or reset an
      option.  These may be preceded by the string
      <code class="literal">no</code> to negate the meaning of that keyword.
      Other keywords assign values to options like the timeout interval.
      They have the form <code class="option">+keyword=value</code>.
      The query options are:

      </p>
<div class="variablelist"><dl class="variablelist">
<dt><span class="term"><code class="option">+[no]cdflag</code></span></dt>
<dd>
	    <p>
	      Controls whether to set the CD (checking disabled) bit in
	      queries sent by <span class="command"><strong>delv</strong></span>. This may be useful
	      when troubleshooting DNSSEC problems from behind a validating
	      resolver. A validating resolver will block invalid responses,
	      making it difficult to retrieve them for analysis. Setting
	      the CD flag on queries will cause the resolver to return
	      invalid responses, which <span class="command"><strong>delv</strong></span> can then
	      validate internally and report the errors in detail.
	    </p>
	  </dd>
<dt><span class="term"><code class="option">+[no]class</code></span></dt>
<dd>
	    <p>
	      Controls whether to display the CLASS when printing
	      a record. The default is to display the CLASS.
	    </p>
	  </dd>
<dt><span class="term"><code class="option">+[no]ttl</code></span></dt>
<dd>
	    <p>
	      Controls whether to display the TTL when printing
	      a record. The default is to display the TTL.
	    </p>
	  </dd>
<dt><span class="term"><code class="option">+[no]rtrace</code></span></dt>
<dd>
	    <p>
	      Toggle resolver fetch logging. This reports the
	      name and type of each query sent by <span class="command"><strong>delv</strong></span>
	      in the process of carrying out the resolution and validation
	      process: this includes the original query and
	      all subsequent queries to follow CNAMEs and to establish a
	      chain of trust for DNSSEC validation.
	    </p>
	    <p>
	      This is equivalent to setting the debug level to 1 in
	      the "resolver" logging category. Setting the systemwide
	      debug level to 1 using the <code class="option">-d</code> option will
	      produce the same output (but will affect other logging
	      categories as well).
	    </p>
	  </dd>
<dt><span class="term"><code class="option">+[no]mtrace</code></span></dt>
<dd>
	    <p>
	      Toggle message logging. This produces a detailed dump of
	      the responses received by <span class="command"><strong>delv</strong></span> in the
	      process of carrying out the resolution and validation process.
	    </p>
	    <p>
	      This is equivalent to setting the debug level to 10
	      for the "packets" module of the "resolver" logging
	      category. Setting the systemwide debug level to 10 using
	      the <code class="option">-d</code> option will produce the same output
	      (but will affect other logging categories as well).
	    </p>
	  </dd>
<dt><span class="term"><code class="option">+[no]vtrace</code></span></dt>
<dd>
	    <p>
	      Toggle validation logging. This shows the internal
	      process of the validator as it determines whether an
	      answer is validly signed, unsigned, or invalid.
	    </p>
	    <p>
	      This is equivalent to setting the debug level to 3
	      for the "validator" module of the "dnssec" logging
	      category. Setting the systemwide debug level to 3 using
	      the <code class="option">-d</code> option will produce the same output
	      (but will affect other logging categories as well).
	    </p>
	  </dd>
<dt><span class="term"><code class="option">+[no]short</code></span></dt>
<dd>
	    <p>
	      Provide a terse answer.  The default is to print the answer in a
	      verbose form.
	    </p>
	  </dd>
<dt><span class="term"><code class="option">+[no]comments</code></span></dt>
<dd>
	    <p>
	      Toggle the display of comment lines in the output.  The default
	      is to print comments.
	    </p>
	  </dd>
<dt><span class="term"><code class="option">+[no]rrcomments</code></span></dt>
<dd>
	    <p>
	      Toggle the display of per-record comments in the output (for
	      example, human-readable key information about DNSKEY records).
	      The default is to print per-record comments.
	    </p>
	  </dd>
<dt><span class="term"><code class="option">+[no]crypto</code></span></dt>
<dd>
	    <p>
	      Toggle the display of cryptographic fields in DNSSEC records.
	      The contents of these fields are unnecessary to debug most DNSSEC
	      validation failures and removing them makes it easier to see
	      the common failures.  The default is to display the fields.
	      When omitted they are replaced by the string "[omitted]" or
	      in the DNSKEY case the key id is displayed as the replacement,
	      e.g. "[ key id = value ]".
	    </p>
	  </dd>
<dt><span class="term"><code class="option">+[no]trust</code></span></dt>
<dd>
	    <p>
	      Controls whether to display the trust level when printing
	      a record. The default is to display the trust level.
	    </p>
	  </dd>
<dt><span class="term"><code class="option">+[no]split[=W]</code></span></dt>
<dd>
	    <p>
	      Split long hex- or base64-formatted fields in resource
	      records into chunks of <em class="parameter"><code>W</code></em> characters
	      (where <em class="parameter"><code>W</code></em> is rounded up to the nearest
	      multiple of 4).
	      <em class="parameter"><code>+nosplit</code></em> or
	      <em class="parameter"><code>+split=0</code></em> causes fields not to be
	      split at all.  The default is 56 characters, or 44 characters
	      when multiline mode is active.
	    </p>
	  </dd>
<dt><span class="term"><code class="option">+[no]all</code></span></dt>
<dd>
	    <p>
	      Set or clear the display options
	      <code class="option">+[no]comments</code>,
	      <code class="option">+[no]rrcomments</code>, and
	      <code class="option">+[no]trust</code> as a group.
	    </p>
	  </dd>
<dt><span class="term"><code class="option">+[no]multiline</code></span></dt>
<dd>
	    <p>
	      Print long records (such as RRSIG, DNSKEY, and SOA records)
	      in a verbose multi-line format with human-readable comments.
	      The default is to print each record on a single line, to
	      facilitate machine parsing of the <span class="command"><strong>delv</strong></span>
	      output.
	    </p>
	  </dd>
<dt><span class="term"><code class="option">+[no]dnssec</code></span></dt>
<dd>
	    <p>
	      Indicates whether to display RRSIG records in the
	      <span class="command"><strong>delv</strong></span> output.  The default is to
	      do so.  Note that (unlike in <span class="command"><strong>dig</strong></span>)
	      this does <span class="emphasis"><em>not</em></span> control whether to
	      request DNSSEC records or whether to validate them.
	      DNSSEC records are always requested, and validation
	      will always occur unless suppressed by the use of
	      <code class="option">-i</code> or <code class="option">+noroot</code>.
	    </p>
	  </dd>
<dt><span class="term"><code class="option">+[no]root[=ROOT]</code></span></dt>
<dd>
	    <p>
	      Indicates whether to perform conventional
	      DNSSEC validation, and if so, specifies the
	      name of a trust anchor.  The default is to validate using
	      a trust anchor of "." (the root zone), for which there is
	      a built-in key.  If specifying a different trust anchor,
	      then <code class="option">-a</code> must be used to specify a file
	      containing the key.
	    </p>
	  </dd>
<dt><span class="term"><code class="option">+[no]tcp</code></span></dt>
<dd>
	    <p>
	      Controls whether to use TCP when sending queries.
	      The default is to use UDP unless a truncated
	      response has been received.
	    </p>
	  </dd>
<dt><span class="term"><code class="option">+[no]unknownformat</code></span></dt>
<dd>
	    <p>
	      Print all RDATA in unknown RR type presentation format
	      (RFC 3597). The default is to print RDATA for known types
	      in the type's presentation format.
	    </p>
	  </dd>
</dl></div>
<p>

    </p>
  </div>
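<p>The <code class="option">+[no]dnssec</code> and <code class="option">+[no]root</code> entries above are easy to misread when reviewing scripts that call <span class="command"><strong>delv</strong></span>. The following added example (not part of the BIND distribution) classifies a command line using only those rules. The function name <code>audit_delv</code>, the sample commands, and the last-option-wins handling of repeated <code class="option">+root</code>/<code class="option">+noroot</code> are assumptions; all other options are ignored.</p>

```python
import shlex


def audit_delv(cmdline):
    """Report whether a delv command line still validates, per the rules above."""
    args = shlex.split(cmdline)[1:]  # drop the program name
    insecure, root_on, anchor, keyfile = False, True, ".", None
    findings = []
    i = 0
    while i < len(args):
        arg = args[i]
        if arg == "-i":
            insecure = True
        elif arg == "-a" and i + 1 < len(args):
            i += 1
            keyfile = args[i]  # file containing the trust anchor key
        elif arg == "+noroot":
            root_on = False
        elif arg == "+root" or arg.startswith("+root="):
            root_on = True  # assumption: the last +root/+noroot wins
            anchor = arg.partition("=")[2] or "."
        elif arg == "+nodnssec":
            # Display-only toggle: RRSIGs are hidden, validation is unchanged.
            findings.append("+nodnssec only hides RRSIG records")
        i += 1
    if insecure:
        findings.append("-i suppresses validation")
    if not root_on:
        findings.append("+noroot suppresses validation")
    validates = not insecure and root_on
    # Any anchor other than "." has no built-in key and needs -a.
    if validates and anchor.rstrip(".") != "" and keyfile is None:
        findings.append(f"trust anchor {anchor!r} requires -a <keyfile>")
    return {"validates": validates,
            "anchor": anchor if validates else None,
            "findings": findings}


# Constructed sample command lines, not taken from the man page.
SAMPLES = [
    "delv +nodnssec example.com A",
    "delv +noroot example.com A",
    "delv -i example.com A",
    "delv +root=example.com example.com DNSKEY",
    "delv -a /tmp/anchor.key +root=example.com example.com DNSKEY",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", audit_delv(sample))
```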

  <div class="refsection">
<a name="id-1.11"></a><h2>FILES</h2>

    <p><code class="filename">/etc/bind.keys</code></p>
    <p><code class="filename">/etc/resolv.conf</code></p>
  </div>

  <div class="refsection">
<a name="id-1.12"></a><h2>SEE ALSO</h2>

    <p><span class="citerefentry">
	<span class="refentrytitle">dig</span>(1)
      </span>,
      <span class="citerefentry">
	<span class="refentrytitle">named</span>(8)
      </span>,
      <em class="citetitle">RFC4034</em>,
      <em class="citetitle">RFC4035</em>,
      <em class="citetitle">RFC4431</em>,
      <em class="citetitle">RFC5074</em>,
      <em class="citetitle">RFC5155</em>.
    </p>
  </div>

</div></body>
</html>