<!DOCTYPE book [
<!ENTITY mdash "&#8212;">]>
<!--
 - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 -
 - This Source Code Form is subject to the terms of the Mozilla Public
 - License, v. 2.0. If a copy of the MPL was not distributed with this
 - file, You can obtain one at http://mozilla.org/MPL/2.0/.
 -
 - See the COPYRIGHT file distributed with this work for additional
 - information regarding copyright ownership.
-->

<!-- Converted by db4-upgrade version 1.0 -->
<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.delv">
  <info>
    <date>2014-04-23</date>
  </info>
  <refentryinfo>
    <corpname>ISC</corpname>
    <corpauthor>Internet Systems Consortium, Inc.</corpauthor>
  </refentryinfo>

  <refmeta>
    <refentrytitle>delv</refentrytitle>
    <manvolnum>1</manvolnum>
    <refmiscinfo>BIND9</refmiscinfo>
  </refmeta>

  <refnamediv>
    <refname>delv</refname>
    <refpurpose>DNS lookup and validation utility</refpurpose>
  </refnamediv>

  <docinfo>
    <copyright>
      <year>2014</year>
      <year>2015</year>
      <year>2016</year>
      <year>2017</year>
      <year>2018</year>
      <year>2019</year>
      <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
    </copyright>
  </docinfo>

  <refsynopsisdiv>
    <cmdsynopsis sepchar=" ">
      <command>delv</command>
      <arg choice="opt" rep="norepeat">@server</arg>
      <group choice="opt" rep="norepeat">
	<arg choice="opt" rep="norepeat"><option>-4</option></arg>
	<arg choice="opt" rep="norepeat"><option>-6</option></arg>
      </group>
      <arg choice="opt" rep="norepeat"><option>-a <replaceable class="parameter">anchor-file</replaceable></option></arg>
      <arg choice="opt" rep="norepeat"><option>-b <replaceable class="parameter">address</replaceable></option></arg>
      <arg choice="opt" rep="norepeat"><option>-c <replaceable class="parameter">class</replaceable></option></arg>
      <arg choice="opt" rep="norepeat"><option>-d <replaceable class="parameter">level</replaceable></option></arg>
      <arg choice="opt" rep="norepeat"><option>-i</option></arg>
      <arg choice="opt" rep="norepeat"><option>-m</option></arg>
      <arg choice="opt" rep="norepeat"><option>-p <replaceable class="parameter">port#</replaceable></option></arg>
      <arg choice="opt" rep="norepeat"><option>-q <replaceable class="parameter">name</replaceable></option></arg>
      <arg choice="opt" rep="norepeat"><option>-t <replaceable class="parameter">type</replaceable></option></arg>
      <arg choice="opt" rep="norepeat"><option>-x <replaceable class="parameter">addr</replaceable></option></arg>
      <arg choice="opt" rep="norepeat">name</arg>
      <arg choice="opt" rep="norepeat">type</arg>
      <arg choice="opt" rep="norepeat">class</arg>
      <arg choice="opt" rep="repeat">queryopt</arg>
    </cmdsynopsis>

    <cmdsynopsis sepchar=" ">
      <command>delv</command>
      <arg choice="opt" rep="norepeat"><option>-h</option></arg>
    </cmdsynopsis>

    <cmdsynopsis sepchar=" ">
      <command>delv</command>
      <arg choice="opt" rep="norepeat"><option>-v</option></arg>
    </cmdsynopsis>

    <cmdsynopsis sepchar=" ">
      <command>delv</command>
      <arg choice="opt" rep="repeat">queryopt</arg>
      <arg choice="opt" rep="repeat">query</arg>
    </cmdsynopsis>
  </refsynopsisdiv>

  <refsection><info><title>DESCRIPTION</title></info>
    <para><command>delv</command>
      is a tool for sending
      DNS queries and validating the results, using the same internal
      resolver and validator logic as <command>named</command>.
    </para>
    <para>
      <command>delv</command> will send to a specified name server all
      queries needed to fetch and validate the requested data; this
      includes the original requested query, subsequent queries to follow
      CNAME or DNAME chains, and queries for DNSKEY, DS and DLV records
      to establish a chain of trust for DNSSEC validation.
      It does not perform iterative resolution, but simulates the
      behavior of a name server configured for DNSSEC validating and
      forwarding.
    </para>
    <para>
      By default, responses are validated using a built-in DNSSEC trust
      anchor for the root zone (".").  Records returned by
      <command>delv</command> are either fully validated or
      were not signed.  If validation fails, an explanation of
      the failure is included in the output; the validation process
      can be traced in detail.  Because <command>delv</command> does
      not rely on an external server to carry out validation, it can
      be used to check the validity of DNS responses in environments
      where local name servers may not be trustworthy.
    </para>
    <para>
      Unless it is told to query a specific name server,
      <command>delv</command> will try each of the servers listed in
      <filename>/etc/resolv.conf</filename>. If no usable server
      addresses are found, <command>delv</command> will send
      queries to the localhost addresses (127.0.0.1 for IPv4, ::1
      for IPv6).
    </para>
    <para>
      When no command line arguments or options are given,
      <command>delv</command> will perform an NS query for "."
      (the root zone).
    </para>
  </refsection>

  <refsection><info><title>SIMPLE USAGE</title></info>

    <para>
      A typical invocation of <command>delv</command> looks like:
      <programlisting> delv @server name type </programlisting>
      where:

      <variablelist>
	<varlistentry>
	  <term><constant>server</constant></term>
	  <listitem>
	    <para>
	      is the name or IP address of the name server to query.  This
	      can be an IPv4 address in dotted-decimal notation or an IPv6
	      address in colon-delimited notation.  When the supplied
	      <parameter>server</parameter> argument is a hostname,
	      <command>delv</command> resolves that name before
	      querying that name server (note, however, that this
	      initial lookup is <emphasis>not</emphasis> validated
	      by DNSSEC).
	    </para>
	    <para>
	      If no <parameter>server</parameter> argument is
	      provided, <command>delv</command> consults
	      <filename>/etc/resolv.conf</filename>; if an
	      address is found there, it queries the name server at
	      that address. If either the <option>-4</option> or
	      <option>-6</option> option is in use, then
	      only addresses for the corresponding transport
	      will be tried.  If no usable addresses are found,
	      <command>delv</command> will send queries to
	      the localhost addresses (127.0.0.1 for IPv4,
	      ::1 for IPv6).
	    </para>
	  </listitem>
	</varlistentry>

	<varlistentry>
	  <term><constant>name</constant></term>
	  <listitem>
	    <para>
	      is the domain name to be looked up.
	    </para>
	  </listitem>
	</varlistentry>

	<varlistentry>
	  <term><constant>type</constant></term>
	  <listitem>
	    <para>
	      indicates what type of query is required &mdash;
	      ANY, A, MX, etc.
	      <parameter>type</parameter> can be any valid query
	      type.  If no
	      <parameter>type</parameter> argument is supplied,
	      <command>delv</command> will perform a lookup for an
	      A record.
	    </para>
	  </listitem>
	</varlistentry>

      </variablelist>
    </para>

  </refsection>

  <refsection><info><title>OPTIONS</title></info>
    <variablelist>
      <varlistentry>
	<term>-a <replaceable class="parameter">anchor-file</replaceable></term>
	<listitem>
	  <para>
	    Specifies a file from which to read DNSSEC trust anchors.
	    The default is <filename>/etc/bind.keys</filename>, which
	    is included with <acronym>BIND</acronym> 9 and contains
	    one or more trust anchors for the root zone (".").
	  </para>
	  <para>
            Keys that do not match the root zone name are ignored.
            An alternate key name can be specified using the
            <option>+root=NAME</option> option. DNSSEC Lookaside
            Validation can also be turned on by using the
            <option>+dlv=NAME</option> option to specify the name of a
            zone containing DLV records.
	  </para>
	  <para>
	    Note: When reading the trust anchor file,
	    <command>delv</command> treats <option>dnssec-keys</option>
	    <option>initial-key</option> and <option>static-key</option>
	    entries identically.  That is, even if a key is configured
	    with <command>initial-key</command>, indicating that it is
	    meant to be used only as an initializing key for RFC 5011
	    key maintenance, it is still treated by <command>delv</command>
	    as if it had been configured as a <command>static-key</command>.
	    <command>delv</command> does not consult the managed keys
	    database maintained by <command>named</command>. This means
	    that if either of the keys in
	    <filename>/etc/bind.keys</filename> is revoked
	    and rolled over, it will be necessary to update
	    <filename>/etc/bind.keys</filename> to use DNSSEC
	    validation in <command>delv</command>.
	  </para>
	</listitem>
      </varlistentry>

      <varlistentry>
	<term>-b  <replaceable class="parameter">address</replaceable></term>
	<listitem>
	  <para>
	    Sets the source IP address of the query to
	    <parameter>address</parameter>.  This must be a valid address
	    on one of the host's network interfaces or "0.0.0.0" or "::".
	    An optional source port may be specified by appending
	    "#&lt;port&gt;".
	  </para>
	</listitem>
      </varlistentry>

      <varlistentry>
	<term>-c <replaceable class="parameter">class</replaceable></term>
	<listitem>
	  <para>
	    Sets the query class for the requested data. Currently,
	    only class "IN" is supported in <command>delv</command>
	    and any other value is ignored.
	  </para>
	</listitem>
      </varlistentry>

      <varlistentry>
	<term>-d <replaceable class="parameter">level</replaceable></term>
	<listitem>
	  <para>
	    Set the systemwide debug level to <option>level</option>.
	    The allowed range is from 0 to 99.
	    The default is 0 (no debugging).
	    Debugging traces from <command>delv</command> become
	    more verbose as the debug level increases.
	    See the <option>+mtrace</option>, <option>+rtrace</option>,
	    and <option>+vtrace</option> options below for additional
	    debugging details.
	  </para>
	</listitem>
      </varlistentry>

      <varlistentry>
	<term>-h</term>
	<listitem>
	  <para>
	    Display the <command>delv</command> help usage output and exit.
	  </para>
	</listitem>
      </varlistentry>

      <varlistentry>
	<term>-i</term>
	<listitem>
	  <para>
	    Insecure mode. This disables internal DNSSEC validation.
	    (Note, however, this does not set the CD bit on upstream
	    queries. If the server being queried is performing DNSSEC
	    validation, then it will not return invalid data; this
	    can cause <command>delv</command> to time out. When it
	    is necessary to examine invalid data to debug a DNSSEC
	    problem, use <command>dig +cd</command>.)
	  </para>
	</listitem>
      </varlistentry>

      <varlistentry>
	<term>-m</term>
	<listitem>
	  <para>
	    Enables memory usage debugging.
	  </para>
	</listitem>
      </varlistentry>

      <varlistentry>
	<term>-p <replaceable class="parameter">port#</replaceable></term>
	<listitem>
	  <para>
	    Specifies a destination port to use for queries instead of
	    the standard DNS port number 53.  This option would be used
	    with a name server that has been configured to listen
	    for queries on a non-standard port number.
	  </para>
	</listitem>
      </varlistentry>

      <varlistentry>
	<term>-q <replaceable class="parameter">name</replaceable></term>
	<listitem>
	  <para>
	    Sets the query name to <parameter>name</parameter>.
	    While the query name can be specified without using the
	    <option>-q</option>, it is sometimes necessary to disambiguate
	    names from types or classes (for example, when looking up the
	    name "ns", which could be misinterpreted as the type NS,
	    or "ch", which could be misinterpreted as class CH).
	  </para>
	</listitem>
      </varlistentry>

      <varlistentry>
	<term>-t <replaceable class="parameter">type</replaceable></term>
	<listitem>
	  <para>
	    Sets the query type to <parameter>type</parameter>, which
	    can be any valid query type supported in BIND 9 except
	    for zone transfer types AXFR and IXFR. As with
	    <option>-q</option>, this is useful to distinguish
	    the query name, type, or class when they are ambiguous;
	    it is sometimes necessary to disambiguate names from types.
	  </para>
	  <para>
	    The default query type is "A", unless the <option>-x</option>
	    option is supplied to indicate a reverse lookup, in which case
	    it is "PTR".
	  </para>
	</listitem>
      </varlistentry>

      <varlistentry>
	<term>-v</term>
	<listitem>
	  <para>
	    Print the <command>delv</command> version and exit.
	  </para>
	</listitem>
      </varlistentry>

      <varlistentry>
	<term>-x <replaceable class="parameter">addr</replaceable></term>
	<listitem>
	  <para>
	    Performs a reverse lookup, mapping an address to
	    a name.  <parameter>addr</parameter> is an IPv4 address in
	    dotted-decimal notation, or a colon-delimited IPv6 address.
	    When <option>-x</option> is used, there is no need to provide
	    the <parameter>name</parameter> or <parameter>type</parameter>
	    arguments.  <command>delv</command> automatically performs a
	    lookup for a name like <literal>11.12.13.10.in-addr.arpa</literal>
	    and sets the query type to PTR.  IPv6 addresses are looked up
	    using nibble format under the IP6.ARPA domain.
	  </para>
	</listitem>
      </varlistentry>

      <varlistentry>
	<term>-4</term>
	<listitem>
	  <para>
	    Forces <command>delv</command> to only use IPv4.
	  </para>
	</listitem>
      </varlistentry>

      <varlistentry>
	<term>-6</term>
	<listitem>
	  <para>
	    Forces <command>delv</command> to only use IPv6.
	  </para>
	</listitem>
      </varlistentry>

    </variablelist>
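    <para>
      The note under <option>-a</option> above means that the contents of
      the anchor file alone decide which keys <command>delv</command>
      trusts.  The following added example (not part of the BIND 9
      sources, and not <command>delv</command>'s own parser) lists the
      anchors in a file written in the <option>dnssec-keys</option> syntax,
      marks which ones match the root name, and computes each key's
      RFC 4034 Appendix B key tag so that it can be compared with the key
      id of the DNSKEY records currently published.  The sample file
      contents, the key material and the function names are constructed
      for illustration.
    </para>

```python
"""List trust anchors in a bind.keys-style file and compute their key tags.

Added illustration only; this is not delv's own parser.
"""
import base64
import re

# Constructed sample in the dnssec-keys syntax; the key material is made up.
SAMPLE_ANCHOR_FILE = '''
dnssec-keys {
        # constructed entries, not real keys
        . initial-key 257 3 8 "AQID BAUG
                Bwg=";
        example.org. static-key 257 3 8 "AQIDBAUGBwg=";
};
'''

# name, keyword, flags, protocol, algorithm, quoted key (may span lines)
ENTRY_RE = re.compile(
    r'(\S+)\s+(initial-key|static-key)\s+(\d+)\s+(\d+)\s+(\d+)\s+"([^"]*)"\s*;'
)


def key_tag(flags, protocol, algorithm, key_bytes):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (not algorithm 1)."""
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + key_bytes
    total = 0
    for index, octet in enumerate(rdata):
        # Even offsets are the high octet of a 16-bit word, odd offsets the low.
        total += octet if index % 2 else octet * 256
    total += total // 65536  # fold the carry back in
    return total % 65536


def normalise(name):
    """Lower-case a domain name and make it absolute (trailing dot)."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


def read_anchors(text, root_name="."):
    """Return one dict per anchor entry found in text.

    'used' models the documented -a rule: keys whose name does not match
    the root name (".", or the name given with +root=NAME) are ignored.
    'keyword' is informational only, because initial-key and static-key
    entries are treated identically.
    """
    text = re.sub(r"(?m)^\s*#.*$", "", text)  # drop whole-line # comments
    anchors = []
    for name, keyword, flags, proto, alg, b64 in ENTRY_RE.findall(text):
        key = base64.b64decode("".join(b64.split()))
        anchors.append({
            "name": normalise(name),
            "keyword": keyword,
            "key_tag": key_tag(int(flags), int(proto), int(alg), key),
            "used": normalise(name) == normalise(root_name),
        })
    return anchors


def main():
    for anchor in read_anchors(SAMPLE_ANCHOR_FILE):
        state = "used" if anchor["used"] else "ignored (not the root name)"
        print(f'{anchor["name"]:14} {anchor["keyword"]:12} '
              f'key tag {anchor["key_tag"]:5}  {state}')


if __name__ == "__main__":
    main()
```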
  </refsection>

  <refsection><info><title>QUERY OPTIONS</title></info>

    <para><command>delv</command>
      provides a number of query options which affect the way results are
      displayed, and in some cases the way lookups are performed.
    </para>

    <para>
      Each query option is identified by a keyword preceded by a plus sign
      (<literal>+</literal>).  Some keywords set or reset an
      option.  These may be preceded by the string
      <literal>no</literal> to negate the meaning of that keyword.
      Other keywords assign values to options like the timeout interval.
      They have the form <option>+keyword=value</option>.
      The query options are:

      <variablelist>
	<varlistentry>
	  <term><option>+[no]cdflag</option></term>
	  <listitem>
	    <para>
	      Controls whether to set the CD (checking disabled) bit in
	      queries sent by <command>delv</command>. This may be useful
	      when troubleshooting DNSSEC problems from behind a validating
	      resolver. A validating resolver will block invalid responses,
	      making it difficult to retrieve them for analysis. Setting
	      the CD flag on queries will cause the resolver to return
	      invalid responses, which <command>delv</command> can then
	      validate internally and report the errors in detail.
	    </para>
	  </listitem>
	</varlistentry>

	<varlistentry>
	  <term><option>+[no]class</option></term>
	  <listitem>
	    <para>
	      Controls whether to display the CLASS when printing
	      a record. The default is to display the CLASS.
	    </para>
	  </listitem>
	</varlistentry>

	<varlistentry>
	  <term><option>+[no]ttl</option></term>
	  <listitem>
	    <para>
	      Controls whether to display the TTL when printing
	      a record. The default is to display the TTL.
	    </para>
	  </listitem>
	</varlistentry>

	<varlistentry>
	  <term><option>+[no]rtrace</option></term>
	  <listitem>
	    <para>
	      Toggle resolver fetch logging. This reports the
	      name and type of each query sent by <command>delv</command>
	      in the process of carrying out the resolution and validation
	      process: this includes the original query and
	      all subsequent queries to follow CNAMEs and to establish a
	      chain of trust for DNSSEC validation.
	    </para>
	    <para>
	      This is equivalent to setting the debug level to 1 in
	      the "resolver" logging category. Setting the systemwide
	      debug level to 1 using the <option>-d</option> option will
	      produce the same output (but will affect other logging
	      categories as well).
	    </para>
	  </listitem>
	</varlistentry>

	<varlistentry>
	  <term><option>+[no]mtrace</option></term>
	  <listitem>
	    <para>
	      Toggle message logging. This produces a detailed dump of
	      the responses received by <command>delv</command> in the
	      process of carrying out the resolution and validation process.
	    </para>
	    <para>
	      This is equivalent to setting the debug level to 10
	      for the "packets" module of the "resolver" logging
	      category. Setting the systemwide debug level to 10 using
	      the <option>-d</option> option will produce the same output
	      (but will affect other logging categories as well).
	    </para>
	  </listitem>
	</varlistentry>

	<varlistentry>
	  <term><option>+[no]vtrace</option></term>
	  <listitem>
	    <para>
	      Toggle validation logging. This shows the internal
	      process of the validator as it determines whether an
	      answer is validly signed, unsigned, or invalid.
	    </para>
	    <para>
	      This is equivalent to setting the debug level to 3
	      for the "validator" module of the "dnssec" logging
	      category. Setting the systemwide debug level to 3 using
	      the <option>-d</option> option will produce the same output
	      (but will affect other logging categories as well).
	    </para>
	  </listitem>
	</varlistentry>

	<varlistentry>
	  <term><option>+[no]short</option></term>
	  <listitem>
	    <para>
	      Provide a terse answer.  The default is to print the answer in a
	      verbose form.
	    </para>
	  </listitem>
	</varlistentry>

	<varlistentry>
	  <term><option>+[no]comments</option></term>
	  <listitem>
	    <para>
	      Toggle the display of comment lines in the output.  The default
	      is to print comments.
	    </para>
	  </listitem>
	</varlistentry>

	<varlistentry>
	  <term><option>+[no]rrcomments</option></term>
	  <listitem>
	    <para>
	      Toggle the display of per-record comments in the output (for
	      example, human-readable key information about DNSKEY records).
	      The default is to print per-record comments.
	    </para>
	  </listitem>
	</varlistentry>

	<varlistentry>
	  <term><option>+[no]crypto</option></term>
	  <listitem>
	    <para>
	      Toggle the display of cryptographic fields in DNSSEC records.
	      The contents of these fields are unnecessary to debug most DNSSEC
	      validation failures and removing them makes it easier to see
	      the common failures.  The default is to display the fields.
	      When omitted they are replaced by the string "[omitted]" or
	      in the DNSKEY case the key id is displayed as the replacement,
	      e.g. "[ key id = value ]".
	    </para>
	  </listitem>
	</varlistentry>

	<varlistentry>
	  <term><option>+[no]trust</option></term>
	  <listitem>
	    <para>
	      Controls whether to display the trust level when printing
	      a record. The default is to display the trust level.
	    </para>
	  </listitem>
	</varlistentry>

	<varlistentry>
	  <term><option>+[no]split[=W]</option></term>
	  <listitem>
	    <para>
	      Split long hex- or base64-formatted fields in resource
	      records into chunks of <parameter>W</parameter> characters
	      (where <parameter>W</parameter> is rounded up to the nearest
	      multiple of 4).
	      <parameter>+nosplit</parameter> or
	      <parameter>+split=0</parameter> causes fields not to be
	      split at all.  The default is 56 characters, or 44 characters
	      when multiline mode is active.
	    </para>
	  </listitem>
	</varlistentry>

	<varlistentry>
	  <term><option>+[no]all</option></term>
	  <listitem>
	    <para>
	      Set or clear the display options
	      <option>+[no]comments</option>,
	      <option>+[no]rrcomments</option>, and
	      <option>+[no]trust</option> as a group.
	    </para>
	  </listitem>
	</varlistentry>

	<varlistentry>
	  <term><option>+[no]multiline</option></term>
	  <listitem>
	    <para>
	      Print long records (such as RRSIG, DNSKEY, and SOA records)
	      in a verbose multi-line format with human-readable comments.
	      The default is to print each record on a single line, to
	      facilitate machine parsing of the <command>delv</command>
	      output.
	    </para>
	  </listitem>
	</varlistentry>

	<varlistentry>
	  <term><option>+[no]dnssec</option></term>
	  <listitem>
	    <para>
	      Indicates whether to display RRSIG records in the
	      <command>delv</command> output.  The default is to
	      do so.  Note that (unlike in <command>dig</command>)
	      this does <emphasis>not</emphasis> control whether to
	      request DNSSEC records or whether to validate them.
	      DNSSEC records are always requested, and validation
	      will always occur unless suppressed by the use of
	      <option>-i</option> or <option>+noroot</option> and
	      <option>+nodlv</option>.
	    </para>
	  </listitem>
	</varlistentry>

	<varlistentry>
	  <term><option>+[no]root[=ROOT]</option></term>
	  <listitem>
	    <para>
	      Indicates whether to perform conventional (non-lookaside)
	      DNSSEC validation, and if so, specifies the
	      name of a trust anchor.  The default is to validate using
	      a trust anchor of "." (the root zone), for which there is
	      a built-in key.  If specifying a different trust anchor,
	      then <option>-a</option> must be used to specify a file
	      containing the key.
	    </para>
	  </listitem>
	</varlistentry>

	<varlistentry>
	  <term><option>+[no]dlv[=DLV]</option></term>
	  <listitem>
	    <para>
	      Indicates whether to perform DNSSEC lookaside validation,
	      and if so, specifies the name of the DLV trust anchor.
	      The <option>-a</option> option must also be used to specify
              a file containing the DLV key.
	    </para>
	  </listitem>
	</varlistentry>

	<varlistentry>
	  <term><option>+[no]tcp</option></term>
	  <listitem>
	    <para>
	      Controls whether to use TCP when sending queries.
	      The default is to use UDP unless a truncated
	      response has been received.
	    </para>
	  </listitem>
	</varlistentry>

	<varlistentry>
	  <term><option>+[no]unknownformat</option></term>
	  <listitem>
	    <para>
	      Print all RDATA in unknown RR type presentation format
	      (RFC 3597). The default is to print RDATA for known types
	      in the type's presentation format.
	    </para>
	  </listitem>
	</varlistentry>
      </variablelist>

    </para>
  </refsection>

  <refsection><info><title>FILES</title></info>
    <para><filename>/etc/bind.keys</filename></para>
    <para><filename>/etc/resolv.conf</filename></para>
  </refsection>

  <refsection><info><title>SEE ALSO</title></info>
    <para><citerefentry>
	<refentrytitle>dig</refentrytitle><manvolnum>1</manvolnum>
      </citerefentry>,
      <citerefentry>
	<refentrytitle>named</refentrytitle><manvolnum>8</manvolnum>
      </citerefentry>,
      <citetitle>RFC4034</citetitle>,
      <citetitle>RFC4035</citetitle>,
      <citetitle>RFC4431</citetitle>,
      <citetitle>RFC5074</citetitle>,
      <citetitle>RFC5155</citetitle>.
    </para>
  </refsection>

</refentry>