.\" Copyright (C) 2014, 2015  Internet Systems Consortium, Inc. ("ISC")
.\"
.\" Permission to use, copy, modify, and/or distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies.
.\"
.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
.\" AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\"
.hy 0
.ad l
'\" t
.\"     Title: delv
.\"    Author: 
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
.\"      Date: 2014-04-23
.\"    Manual: BIND9
.\"    Source: ISC
.\"  Language: English
.\"
.TH "DELV" "1" "2014\-04\-23" "ISC" "BIND9"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" http://bugs.debian.org/507673
.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.ie \n(.g .ds Aq \(aq
.el       .ds Aq '
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
delv \- DNS lookup and validation utility
.SH "SYNOPSIS"
.HP \w'\fBdelv\fR\ 'u
\fBdelv\fR [@server] [\fB\-4\fR] [\fB\-6\fR] [\fB\-a\ \fR\fB\fIanchor\-file\fR\fR] [\fB\-b\ \fR\fB\fIaddress\fR\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-d\ \fR\fB\fIlevel\fR\fR] [\fB\-i\fR] [\fB\-m\fR] [\fB\-p\ \fR\fB\fIport#\fR\fR] [\fB\-q\ \fR\fB\fIname\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-x\ \fR\fB\fIaddr\fR\fR] [name] [type] [class] [queryopt...]
.HP \w'\fBdelv\fR\ 'u
\fBdelv\fR [\fB\-h\fR]
.HP \w'\fBdelv\fR\ 'u
\fBdelv\fR [\fB\-v\fR]
.HP \w'\fBdelv\fR\ 'u
\fBdelv\fR [queryopt...] [query...]
.SH "DESCRIPTION"
.PP
\fBdelv\fR
(Domain Entity Lookup & Validation) is a tool for sending DNS queries and validating the results, using the same internal resolver and validator logic as
\fBnamed\fR\&.
.PP
\fBdelv\fR
will send to a specified name server all queries needed to fetch and validate the requested data; this includes the original requested query, subsequent queries to follow CNAME or DNAME chains, and queries for DNSKEY, DS and DLV records to establish a chain of trust for DNSSEC validation\&. It does not perform iterative resolution, but simulates the behavior of a name server configured for DNSSEC validating and forwarding\&.
.PP
By default, responses are validated using built\-in DNSSEC trust anchors for the root zone ("\&.") and for the ISC DNSSEC lookaside validation zone ("dlv\&.isc\&.org")\&. Records returned by
\fBdelv\fR
are either fully validated or were not signed\&. If validation fails, an explanation of the failure is included in the output; the validation process can be traced in detail\&. Because
\fBdelv\fR
does not rely on an external server to carry out validation, it can be used to check the validity of DNS responses in environments where local name servers may not be trustworthy\&.
.PP
Unless it is told to query a specific name server,
\fBdelv\fR
will try each of the servers listed in
/etc/resolv\&.conf\&. If no usable server addresses are found,
\fBdelv\fR
will send queries to the localhost addresses (127\&.0\&.0\&.1 for IPv4, ::1 for IPv6)\&.
.PP
When no command line arguments or options are given,
\fBdelv\fR
will perform an NS query for "\&." (the root zone)\&.
.SH "SIMPLE USAGE"
.PP
A typical invocation of
\fBdelv\fR
looks like:
.sp
.if n \{\
.RS 4
.\}
.nf
 delv @server name type 
.fi
.if n \{\
.RE
.\}
.sp
where:
.PP
\fBserver\fR
.RS 4
is the name or IP address of the name server to query\&. This can be an IPv4 address in dotted\-decimal notation or an IPv6 address in colon\-delimited notation\&. When the supplied
\fIserver\fR
argument is a hostname,
\fBdelv\fR
resolves that name before querying that name server (note, however, that this initial lookup is
\fInot\fR
validated by DNSSEC)\&.
.sp
If no
\fIserver\fR
argument is provided,
\fBdelv\fR
consults
/etc/resolv\&.conf; if an address is found there, it queries the name server at that address\&. If either of the
\fB\-4\fR
or
\fB\-6\fR
options is in use, then only addresses for the corresponding transport will be tried\&. If no usable addresses are found,
\fBdelv\fR
will send queries to the localhost addresses (127\&.0\&.0\&.1 for IPv4, ::1 for IPv6)\&.
.RE
.PP
\fBname\fR
.RS 4
is the domain name to be looked up\&.
.RE
.PP
\fBtype\fR
.RS 4
indicates what type of query is required \(em ANY, A, MX, etc\&.
\fItype\fR
can be any valid query type\&. If no
\fItype\fR
argument is supplied,
\fBdelv\fR
will perform a lookup for an A record\&.
.RE
.SH "OPTIONS"
.PP
\-a \fIanchor\-file\fR
.RS 4
Specifies a file from which to read DNSSEC trust anchors\&. The default is
/etc/bind\&.keys, which is included with
BIND
9 and contains trust anchors for the root zone ("\&.") and for the ISC DNSSEC lookaside validation zone ("dlv\&.isc\&.org")\&.
.sp
Keys that do not match the root or DLV trust\-anchor names are ignored; these key names can be overridden using the
\fB+dlv=NAME\fR
or
\fB+root=NAME\fR
options\&.
.sp
Note: When reading the trust anchor file,
\fBdelv\fR
treats
\fBmanaged\-keys\fR
statements and
\fBtrusted\-keys\fR
statements identically\&. That is, for a managed key, it is the
\fIinitial\fR
key that is trusted; RFC 5011 key management is not supported\&.
\fBdelv\fR
will not consult the managed\-keys database maintained by
\fBnamed\fR\&. This means that if either of the keys in
/etc/bind\&.keys
is revoked and rolled over, it will be necessary to update
/etc/bind\&.keys
to use DNSSEC validation in
\fBdelv\fR\&.
.RE
.PP
\-b \fIaddress\fR
.RS 4
Sets the source IP address of the query to
\fIaddress\fR\&. This must be a valid address on one of the host\*(Aqs network interfaces or "0\&.0\&.0\&.0" or "::"\&. An optional source port may be specified by appending "#<port>"\&.
.RE
.PP
\-c \fIclass\fR
.RS 4
Sets the query class for the requested data\&. Currently, only class "IN" is supported in
\fBdelv\fR
and any other value is ignored\&.
.RE
.PP
\-d \fIlevel\fR
.RS 4
Set the systemwide debug level to
\fBlevel\fR\&. The allowed range is from 0 to 99\&. The default is 0 (no debugging)\&. Debugging traces from
\fBdelv\fR
become more verbose as the debug level increases\&. See the
\fB+mtrace\fR,
\fB+rtrace\fR, and
\fB+vtrace\fR
options below for additional debugging details\&.
.RE
.PP
\-h
.RS 4
Display the
\fBdelv\fR
help usage output and exit\&.
.RE
.PP
\-i
.RS 4
Insecure mode\&. This disables internal DNSSEC validation\&. (Note, however, this does not set the CD bit on upstream queries\&. If the server being queried is performing DNSSEC validation, then it will not return invalid data; this can cause
\fBdelv\fR
to time out\&. When it is necessary to examine invalid data to debug a DNSSEC problem, use
\fBdig +cd\fR\&.)
.RE
.PP
\-m
.RS 4
Enables memory usage debugging\&.
.RE
.PP
\-p \fIport#\fR
.RS 4
Specifies a destination port to use for queries instead of the standard DNS port number 53\&. This option would be used with a name server that has been configured to listen for queries on a non\-standard port number\&.
.RE
.PP
\-q \fIname\fR
.RS 4
Sets the query name to
\fIname\fR\&. While the query name can be specified without using the
\fB\-q\fR option, it is sometimes necessary to disambiguate names from types or classes (for example, when looking up the name "ns", which could be misinterpreted as the type NS, or "ch", which could be misinterpreted as class CH)\&.
.RE
.PP
\-t \fItype\fR
.RS 4
Sets the query type to
\fItype\fR, which can be any valid query type supported in BIND 9 except for zone transfer types AXFR and IXFR\&. As with
\fB\-q\fR, this is useful to distinguish query name, type, or class when they are ambiguous; it is sometimes necessary to disambiguate names from types\&.
.sp
The default query type is "A", unless the
\fB\-x\fR
option is supplied to indicate a reverse lookup, in which case it is "PTR"\&.
.RE
.PP
\-v
.RS 4
Print the
\fBdelv\fR
version and exit\&.
.RE
.PP
\-x \fIaddr\fR
.RS 4
Performs a reverse lookup, mapping an address to a name\&.
\fIaddr\fR
is an IPv4 address in dotted\-decimal notation, or a colon\-delimited IPv6 address\&. When
\fB\-x\fR
is used, there is no need to provide the
\fIname\fR
or
\fItype\fR
arguments\&.
\fBdelv\fR
automatically performs a lookup for a name like
11\&.12\&.13\&.10\&.in\-addr\&.arpa
and sets the query type to PTR\&. IPv6 addresses are looked up using nibble format under the IP6\&.ARPA domain\&.
.RE
.PP
\-4
.RS 4
Forces
\fBdelv\fR
to only use IPv4\&.
.RE
.PP
\-6
.RS 4
Forces
\fBdelv\fR
to only use IPv6\&.
.RE
.SH "QUERY OPTIONS"
.PP
\fBdelv\fR
provides a number of query options which affect the way results are displayed, and in some cases the way lookups are performed\&.
.PP
Each query option is identified by a keyword preceded by a plus sign (+)\&. Some keywords set or reset an option\&. These may be preceded by the string
no
to negate the meaning of that keyword\&. Other keywords assign values to options like the timeout interval\&. They have the form
\fB+keyword=value\fR\&. The query options are:
.PP
\fB+[no]cdflag\fR
.RS 4
Controls whether to set the CD (checking disabled) bit in queries sent by
\fBdelv\fR\&. This may be useful when troubleshooting DNSSEC problems from behind a validating resolver\&. A validating resolver will block invalid responses, making it difficult to retrieve them for analysis\&. Setting the CD flag on queries will cause the resolver to return invalid responses, which
\fBdelv\fR
can then validate internally and report the errors in detail\&.
.RE
.PP
\fB+[no]class\fR
.RS 4
Controls whether to display the CLASS when printing a record\&. The default is to display the CLASS\&.
.RE
.PP
\fB+[no]ttl\fR
.RS 4
Controls whether to display the TTL when printing a record\&. The default is to display the TTL\&.
.RE
.PP
\fB+[no]rtrace\fR
.RS 4
Toggle resolver fetch logging\&. This reports the name and type of each query sent by
\fBdelv\fR
in the process of carrying out the resolution and validation process: this includes the original query and all subsequent queries to follow CNAMEs and to establish a chain of trust for DNSSEC validation\&.
.sp
This is equivalent to setting the debug level to 1 in the "resolver" logging category\&. Setting the systemwide debug level to 1 using the
\fB\-d\fR
option will produce the same output (but will affect other logging categories as well)\&.
.RE
.PP
\fB+[no]mtrace\fR
.RS 4
Toggle message logging\&. This produces a detailed dump of the responses received by
\fBdelv\fR
in the process of carrying out the resolution and validation process\&.
.sp
This is equivalent to setting the debug level to 10 for the "packets" module of the "resolver" logging category\&. Setting the systemwide debug level to 10 using the
\fB\-d\fR
option will produce the same output (but will affect other logging categories as well)\&.
.RE
.PP
\fB+[no]vtrace\fR
.RS 4
Toggle validation logging\&. This shows the internal process of the validator as it determines whether an answer is validly signed, unsigned, or invalid\&.
.sp
This is equivalent to setting the debug level to 3 for the "validator" module of the "dnssec" logging category\&. Setting the systemwide debug level to 3 using the
\fB\-d\fR
option will produce the same output (but will affect other logging categories as well)\&.
.RE
.PP
\fB+[no]short\fR
.RS 4
Provide a terse answer\&. The default is to print the answer in a verbose form\&.
.RE
.PP
\fB+[no]comments\fR
.RS 4
Toggle the display of comment lines in the output\&. The default is to print comments\&.
.RE
.PP
\fB+[no]rrcomments\fR
.RS 4
Toggle the display of per\-record comments in the output (for example, human\-readable key information about DNSKEY records)\&. The default is to print per\-record comments\&.
.RE
.PP
\fB+[no]crypto\fR
.RS 4
Toggle the display of cryptographic fields in DNSSEC records\&. The contents of these fields are unnecessary to debug most DNSSEC validation failures and removing them makes it easier to see the common failures\&. The default is to display the fields\&. When omitted, they are replaced by the string "[omitted]" or, in the DNSKEY case, the key id is displayed as the replacement, e\&.g\&. "[ key id = value ]"\&.
.RE
.PP
\fB+[no]trust\fR
.RS 4
Controls whether to display the trust level when printing a record\&. The default is to display the trust level\&.
.RE
.PP
\fB+[no]split[=W]\fR
.RS 4
Split long hex\- or base64\-formatted fields in resource records into chunks of
\fIW\fR
characters (where
\fIW\fR
is rounded up to the nearest multiple of 4)\&.
\fI+nosplit\fR
or
\fI+split=0\fR
causes fields not to be split at all\&. The default is 56 characters, or 44 characters when multiline mode is active\&.
.RE
.PP
\fB+[no]all\fR
.RS 4
Set or clear the display options
\fB+[no]comments\fR,
\fB+[no]rrcomments\fR, and
\fB+[no]trust\fR
as a group\&.
.RE
.PP
\fB+[no]multiline\fR
.RS 4
Print long records (such as RRSIG, DNSKEY, and SOA records) in a verbose multi\-line format with human\-readable comments\&. The default is to print each record on a single line, to facilitate machine parsing of the
\fBdelv\fR
output\&.
.RE
.PP
\fB+[no]dnssec\fR
.RS 4
Indicates whether to display RRSIG records in the
\fBdelv\fR
output\&. The default is to do so\&. Note that (unlike in
\fBdig\fR) this does
\fInot\fR
control whether to request DNSSEC records or whether to validate them\&. DNSSEC records are always requested, and validation will always occur unless suppressed by the use of
\fB\-i\fR
or
\fB+noroot\fR
and
\fB+nodlv\fR\&.
.RE
.PP
\fB+[no]root[=ROOT]\fR
.RS 4
Indicates whether to perform conventional (non\-lookaside) DNSSEC validation, and if so, specifies the name of a trust anchor\&. The default is to validate using a trust anchor of "\&." (the root zone), for which there is a built\-in key\&. If specifying a different trust anchor, then
\fB\-a\fR
must be used to specify a file containing the key\&.
.RE
.PP
\fB+[no]dlv[=DLV]\fR
.RS 4
Indicates whether to perform DNSSEC lookaside validation, and if so, specifies the name of the DLV trust anchor\&. The default is to perform lookaside validation using a trust anchor of "dlv\&.isc\&.org", for which there is a built\-in key\&. If specifying a different name, then
\fB\-a\fR
must be used to specify a file containing the DLV key\&.
.RE
.PP
\fB+[no]tcp\fR
.RS 4
Controls whether to use TCP when sending queries\&. The default is to use UDP unless a truncated response has been received\&.
.RE
.PP
\fB+[no]unknownformat\fR
.RS 4
Print all RDATA in unknown RR type presentation format (RFC 3597)\&. The default is to print RDATA for known types in the type\*(Aqs presentation format\&.
.RE
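
Because delv displays a trust level with each record set by default (see +[no]trust above), a script can tell validated answers from unsigned or failed ones. The shell functions below are an added example, not part of BIND or of this man page; the status strings they match, the sample output, and the check_name helper are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: classify the text delv prints for one query.
# ASSUMPTION: the status comments matched here ("; fully validated",
# "; unsigned answer", ";; resolution failed") are not listed on this
# man page; adjust the patterns to what your delv build prints.

# Reads delv output on stdin and prints exactly one word:
#   failed    - delv reported that resolution or validation failed
#   unsigned  - at least one returned record set was not signed
#   validated - every status comment seen was "fully validated"
#   unknown   - no status comment at all (e.g. trust display turned off)
classify_delv_output() {
    awk '
        /^;; resolution failed/                     { failed = 1 }
        /^; (negative response, )?fully validated/  { validated = 1 }
        /^; (negative response, )?unsigned answer/  { unsigned = 1 }
        END {
            if (failed)         print "failed"
            else if (unsigned)  print "unsigned"
            else if (validated) print "validated"
            else                print "unknown"
        }'
}

# Hypothetical helper: query SERVER for NAME [TYPE] and classify the result.
# -q and -t keep names such as "ns" or "ch" from being read as a type or
# class; stderr is merged so that failure messages are classified too.
check_name() {
    delv "@$1" -q "$2" -t "${3:-A}" 2>&1 | classify_delv_output
}

# --- Constructed sample outputs (not captured from a real server) ---
SAMPLE_VALIDATED='; fully validated
signed.example.test.  3600  IN  A      192.0.2.10
signed.example.test.  3600  IN  RRSIG  A 8 3 3600 [omitted]'

# A signed CNAME that points into an unsigned zone: the final address
# record is not protected, so the overall result must not be "validated".
SAMPLE_MIXED='; fully validated
www.example.test.     300   IN  CNAME  host.plain.test.
www.example.test.     300   IN  RRSIG  CNAME 8 3 300 [omitted]

; unsigned answer
host.plain.test.      300   IN  A      192.0.2.30'

SAMPLE_FAILED=';; resolution failed: SERVFAIL'

# Records printed without any trust comment.
SAMPLE_NOTRUST='signed.example.test.  3600  IN  A  192.0.2.10'

# Print the classification of every constructed sample.
demo() {
    for s in "$SAMPLE_VALIDATED" "$SAMPLE_MIXED" "$SAMPLE_FAILED" "$SAMPLE_NOTRUST"; do
        printf '%s\n' "$s" | classify_delv_output
    done
}
demo
```

Treat "unknown" the same as a failure in monitoring: it means the output carried no trust information to act on.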
.SH "FILES"
.PP
/etc/bind\&.keys
.PP
/etc/resolv\&.conf
.SH "SEE ALSO"
.PP
\fBdig\fR(1),
\fBnamed\fR(8),
RFC4034,
RFC4035,
RFC4431,
RFC5074,
RFC5155\&.
.SH "AUTHOR"
.PP
\fBInternet Systems Consortium, Inc\&.\fR
.SH "COPYRIGHT"
.br
Copyright \(co 2014-2016 Internet Systems Consortium, Inc. ("ISC")
.br