<!--
 - Copyright (C) 2014-2016 Internet Systems Consortium, Inc. ("ISC")
 - 
 - This Source Code Form is subject to the terms of the Mozilla Public
 - License, v. 2.0. If a copy of the MPL was not distributed with this
 - file, You can obtain one at http://mozilla.org/MPL/2.0/.
-->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>delv</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
<a name="man.delv"></a><div class="titlepage"></div>
<div class="refnamediv">
<h2>Name</h2>
<p>delv &#8212; DNS lookup and validation utility</p>
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p><code class="command">delv</code>  [@server] [<code class="option">-4</code>] [<code class="option">-6</code>] [<code class="option">-a <em class="replaceable"><code>anchor-file</code></em></code>] [<code class="option">-b <em class="replaceable"><code>address</code></em></code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-d <em class="replaceable"><code>level</code></em></code>] [<code class="option">-i</code>] [<code class="option">-m</code>] [<code class="option">-p <em class="replaceable"><code>port#</code></em></code>] [<code class="option">-q <em class="replaceable"><code>name</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-x <em class="replaceable"><code>addr</code></em></code>] [name] [type] [class] [queryopt...]</p></div>
<div class="cmdsynopsis"><p><code class="command">delv</code>  [<code class="option">-h</code>]</p></div>
<div class="cmdsynopsis"><p><code class="command">delv</code>  [<code class="option">-v</code>]</p></div>
<div class="cmdsynopsis"><p><code class="command">delv</code>  [queryopt...] [query...]</p></div>
</div>
<div class="refsection">
<a name="id-1.7"></a><h2>DESCRIPTION</h2>
<p><span class="command"><strong>delv</strong></span>
      (Domain Entity Lookup &amp; Validation) is a tool for sending
      DNS queries and validating the results, using the same internal
      resolver and validator logic as <span class="command"><strong>named</strong></span>.
    </p>
<p>
      <span class="command"><strong>delv</strong></span> will send to a specified name server all
      queries needed to fetch and validate the requested data; this
      includes the original requested query, subsequent queries to follow
      CNAME or DNAME chains, and queries for DNSKEY, DS and DLV records
      to establish a chain of trust for DNSSEC validation.
      It does not perform iterative resolution, but simulates the
      behavior of a name server configured for DNSSEC validating and
      forwarding.
    </p>
<p>
      By default, responses are validated using built-in DNSSEC trust
      anchors for the root zone (".") and for the ISC DNSSEC lookaside
      validation zone ("dlv.isc.org").  Records returned by
      <span class="command"><strong>delv</strong></span> are either fully validated or
      were not signed.  If validation fails, an explanation of
      the failure is included in the output; the validation process
      can be traced in detail.  Because <span class="command"><strong>delv</strong></span> does
      not rely on an external server to carry out validation, it can
      be used to check the validity of DNS responses in environments
      where local name servers may not be trustworthy.
    </p>
<p>
      Unless it is told to query a specific name server,
      <span class="command"><strong>delv</strong></span> will try each of the servers listed in
      <code class="filename">/etc/resolv.conf</code>. If no usable server
      addresses are found, <span class="command"><strong>delv</strong></span> will send
      queries to the localhost addresses (127.0.0.1 for IPv4, ::1
      for IPv6).
    </p>
<p>
      When no command line arguments or options are given,
      <span class="command"><strong>delv</strong></span> will perform an NS query for "."
      (the root zone).
    </p>
</div>
<div class="refsection">
<a name="id-1.8"></a><h2>SIMPLE USAGE</h2>
<p>
      A typical invocation of <span class="command"><strong>delv</strong></span> looks like:
      </p>
<pre class="programlisting"> delv @server name type </pre>
<p>
      where:

      </p>
<div class="variablelist"><dl class="variablelist">
<dt><span class="term"><code class="constant">server</code></span></dt>
<dd>
<p>
	      is the name or IP address of the name server to query.  This
	      can be an IPv4 address in dotted-decimal notation or an IPv6
	      address in colon-delimited notation.  When the supplied
	      <em class="parameter"><code>server</code></em> argument is a hostname,
	      <span class="command"><strong>delv</strong></span> resolves that name before
	      querying that name server (note, however, that this
	      initial lookup is <span class="emphasis"><em>not</em></span> validated
	      by DNSSEC).
	    </p>
<p>
	      If no <em class="parameter"><code>server</code></em> argument is
	      provided, <span class="command"><strong>delv</strong></span> consults
	      <code class="filename">/etc/resolv.conf</code>; if an
	      address is found there, it queries the name server at
	      that address. If either of the <code class="option">-4</code> or
	      <code class="option">-6</code> options is in use, then
	      only addresses for the corresponding transport
	      will be tried.  If no usable addresses are found,
	      <span class="command"><strong>delv</strong></span> will send queries to
	      the localhost addresses (127.0.0.1 for IPv4,
	      ::1 for IPv6).
	    </p>
</dd>
<dt><span class="term"><code class="constant">name</code></span></dt>
<dd><p>
	      is the domain name to be looked up.
	    </p></dd>
<dt><span class="term"><code class="constant">type</code></span></dt>
<dd><p>
	      indicates what type of query is required &#8212;
	      ANY, A, MX, etc.
	      <em class="parameter"><code>type</code></em> can be any valid query
	      type.  If no
	      <em class="parameter"><code>type</code></em> argument is supplied,
	      <span class="command"><strong>delv</strong></span> will perform a lookup for an
	      A record.
	    </p></dd>
</dl></div>
<p>
    </p>
</div>
<div class="refsection">
<a name="id-1.9"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl class="variablelist">
<dt><span class="term">-a <em class="replaceable"><code>anchor-file</code></em></span></dt>
<dd>
<p>
	    Specifies a file from which to read DNSSEC trust anchors.
	    The default is <code class="filename">/etc/bind.keys</code>, which
	    is included with <acronym class="acronym">BIND</acronym> 9 and contains
	    trust anchors for the root zone (".") and for the ISC
	    DNSSEC lookaside validation zone ("dlv.isc.org").
	  </p>
<p>
	    Keys that do not match the root or DLV trust-anchor
	    names are ignored; these key names can be overridden
	    using the <code class="option">+dlv=NAME</code> or
	    <code class="option">+root=NAME</code> options.
	  </p>
<p>
	    Note: When reading the trust anchor file,
	    <span class="command"><strong>delv</strong></span> treats <code class="option">managed-keys</code>
	    statements and <code class="option">trusted-keys</code> statements
	    identically.  That is, for a managed key, it is the
	    <span class="emphasis"><em>initial</em></span> key that is trusted; RFC 5011
	    key management is not supported. <span class="command"><strong>delv</strong></span>
	    will not consult the managed-keys database maintained by
	    <span class="command"><strong>named</strong></span>. This means that if either of the
	    keys in <code class="filename">/etc/bind.keys</code> is revoked
	    and rolled over, it will be necessary to update
	    <code class="filename">/etc/bind.keys</code> to use DNSSEC
	    validation in <span class="command"><strong>delv</strong></span>.
	  </p>
</dd>
<dt><span class="term">-b  <em class="replaceable"><code>address</code></em></span></dt>
<dd><p>
	    Sets the source IP address of the query to
	    <em class="parameter"><code>address</code></em>.  This must be a valid address
	    on one of the host's network interfaces or "0.0.0.0" or "::".
	    An optional source port may be specified by appending
	    "#&lt;port&gt;".
	  </p></dd>
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
<dd><p>
	    Sets the query class for the requested data. Currently,
	    only class "IN" is supported in <span class="command"><strong>delv</strong></span>
	    and any other value is ignored.
	  </p></dd>
<dt><span class="term">-d <em class="replaceable"><code>level</code></em></span></dt>
<dd><p>
	    Set the systemwide debug level to <code class="option">level</code>.
	    The allowed range is from 0 to 99.
	    The default is 0 (no debugging).
	    Debugging traces from <span class="command"><strong>delv</strong></span> become
	    more verbose as the debug level increases.
	    See the <code class="option">+mtrace</code>, <code class="option">+rtrace</code>,
	    and <code class="option">+vtrace</code> options below for additional
	    debugging details.
	  </p></dd>
<dt><span class="term">-h</span></dt>
<dd><p>
	    Display the <span class="command"><strong>delv</strong></span> help usage output and exit.
	  </p></dd>
<dt><span class="term">-i</span></dt>
<dd><p>
	    Insecure mode. This disables internal DNSSEC validation.
	    (Note, however, this does not set the CD bit on upstream
	    queries. If the server being queried is performing DNSSEC
	    validation, then it will not return invalid data; this
	    can cause <span class="command"><strong>delv</strong></span> to time out. When it
	    is necessary to examine invalid data to debug a DNSSEC
	    problem, use <span class="command"><strong>dig +cd</strong></span>.)
	  </p></dd>
<dt><span class="term">-m</span></dt>
<dd><p>
	    Enables memory usage debugging.
	  </p></dd>
<dt><span class="term">-p <em class="replaceable"><code>port#</code></em></span></dt>
<dd><p>
	    Specifies a destination port to use for queries instead of
	    the standard DNS port number 53.  This option would be used
	    with a name server that has been configured to listen
	    for queries on a non-standard port number.
	  </p></dd>
<dt><span class="term">-q <em class="replaceable"><code>name</code></em></span></dt>
<dd><p>
	    Sets the query name to <em class="parameter"><code>name</code></em>.
	    While the query name can be specified without using
	    <code class="option">-q</code>, it is sometimes necessary to disambiguate
	    names from types or classes (for example, when looking up the
	    name "ns", which could be misinterpreted as the type NS,
	    or "ch", which could be misinterpreted as class CH).
	  </p></dd>
<dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
<dd>
<p>
	    Sets the query type to <em class="parameter"><code>type</code></em>, which
	    can be any valid query type supported in BIND 9 except
	    for zone transfer types AXFR and IXFR. As with
	    <code class="option">-q</code>, this is useful to distinguish
	    the query name, type or class when they are ambiguous.
	  </p>
<p>
	    The default query type is "A", unless the <code class="option">-x</code>
	    option is supplied to indicate a reverse lookup, in which case
	    it is "PTR".
	  </p>
</dd>
<dt><span class="term">-v</span></dt>
<dd><p>
	    Print the <span class="command"><strong>delv</strong></span> version and exit.
	  </p></dd>
<dt><span class="term">-x <em class="replaceable"><code>addr</code></em></span></dt>
<dd><p>
	    Performs a reverse lookup, mapping an address to
	    a name.  <em class="parameter"><code>addr</code></em> is an IPv4 address in
	    dotted-decimal notation, or a colon-delimited IPv6 address.
	    When <code class="option">-x</code> is used, there is no need to provide
	    the <em class="parameter"><code>name</code></em> or <em class="parameter"><code>type</code></em>
	    arguments.  <span class="command"><strong>delv</strong></span> automatically performs a
	    lookup for a name like <code class="literal">11.12.13.10.in-addr.arpa</code>
	    and sets the query type to PTR.  IPv6 addresses are looked up
	    using nibble format under the IP6.ARPA domain.
	  </p></dd>
<dt><span class="term">-4</span></dt>
<dd><p>
	    Forces <span class="command"><strong>delv</strong></span> to only use IPv4.
	  </p></dd>
<dt><span class="term">-6</span></dt>
<dd><p>
	    Forces <span class="command"><strong>delv</strong></span> to only use IPv6.
	  </p></dd>
</dl></div>
</div>
<div class="refsection">
<a name="id-1.10"></a><h2>QUERY OPTIONS</h2>
<p><span class="command"><strong>delv</strong></span>
      provides a number of query options which affect the way results are
      displayed, and in some cases the way lookups are performed.
    </p>
<p>
      Each query option is identified by a keyword preceded by a plus sign
      (<code class="literal">+</code>).  Some keywords set or reset an
      option.  These may be preceded by the string
      <code class="literal">no</code> to negate the meaning of that keyword.
      Other keywords assign values to options like the timeout interval.
      They have the form <code class="option">+keyword=value</code>.
      The query options are:

      </p>
<div class="variablelist"><dl class="variablelist">
<dt><span class="term"><code class="option">+[no]cdflag</code></span></dt>
<dd><p>
	      Controls whether to set the CD (checking disabled) bit in
	      queries sent by <span class="command"><strong>delv</strong></span>. This may be useful
	      when troubleshooting DNSSEC problems from behind a validating
	      resolver. A validating resolver will block invalid responses,
	      making it difficult to retrieve them for analysis. Setting
	      the CD flag on queries will cause the resolver to return
Tinderbox User's avatar
Tinderbox User committed
284
	      invalid responses, which <span class="command"><strong>delv</strong></span> can then
Evan Hunt's avatar
Evan Hunt committed
285
	      validate internally and report the errors in detail.
Tinderbox User's avatar
Tinderbox User committed
286
	    </p></dd>
Evan Hunt's avatar
Evan Hunt committed
287
<dt><span class="term"><code class="option">+[no]class</code></span></dt>
Tinderbox User's avatar
Tinderbox User committed
288
<dd><p>
Evan Hunt's avatar
Evan Hunt committed
289 290
	      Controls whether to display the CLASS when printing
	      a record. The default is to display the CLASS.
	    </p></dd>
<dt><span class="term"><code class="option">+[no]ttl</code></span></dt>
<dd><p>
	      Controls whether to display the TTL when printing
	      a record. The default is to display the TTL.
	    </p></dd>
<dt><span class="term"><code class="option">+[no]rtrace</code></span></dt>
<dd>
<p>
	      Toggle resolver fetch logging. This reports the
	      name and type of each query sent by <span class="command"><strong>delv</strong></span>
	      in the process of carrying out the resolution and validation
	      process: this includes the original query and
	      all subsequent queries to follow CNAMEs and to establish a
	      chain of trust for DNSSEC validation.
	    </p>
<p>
	      This is equivalent to setting the debug level to 1 in
	      the "resolver" logging category. Setting the systemwide
	      debug level to 1 using the <code class="option">-d</code> option will
	      produce the same output (but will affect other logging
	      categories as well).
	    </p>
</dd>
<dt><span class="term"><code class="option">+[no]mtrace</code></span></dt>
<dd>
<p>
	      Toggle message logging. This produces a detailed dump of
	      the responses received by <span class="command"><strong>delv</strong></span> in the
	      process of carrying out the resolution and validation process.
	    </p>
<p>
	      This is equivalent to setting the debug level to 10
	      for the "packets" module of the "resolver" logging
	      category. Setting the systemwide debug level to 10 using
	      the <code class="option">-d</code> option will produce the same output
	      (but will affect other logging categories as well).
	    </p>
</dd>
<dt><span class="term"><code class="option">+[no]vtrace</code></span></dt>
<dd>
<p>
	      Toggle validation logging. This shows the internal
	      process of the validator as it determines whether an
	      answer is validly signed, unsigned, or invalid.
	    </p>
<p>
	      This is equivalent to setting the debug level to 3
	      for the "validator" module of the "dnssec" logging
	      category. Setting the systemwide debug level to 3 using
	      the <code class="option">-d</code> option will produce the same output
	      (but will affect other logging categories as well).
	    </p>
</dd>
<dt><span class="term"><code class="option">+[no]short</code></span></dt>
<dd><p>
	      Provide a terse answer.  The default is to print the answer in a
	      verbose form.
	    </p></dd>
<dt><span class="term"><code class="option">+[no]comments</code></span></dt>
<dd><p>
	      Toggle the display of comment lines in the output.  The default
	      is to print comments.
	    </p></dd>
<dt><span class="term"><code class="option">+[no]rrcomments</code></span></dt>
<dd><p>
	      Toggle the display of per-record comments in the output (for
	      example, human-readable key information about DNSKEY records).
	      The default is to print per-record comments.
	    </p></dd>
<dt><span class="term"><code class="option">+[no]crypto</code></span></dt>
<dd><p>
	      Toggle the display of cryptographic fields in DNSSEC records.
	      The contents of these fields are unnecessary to debug most DNSSEC
	      validation failures and removing them makes it easier to see
	      the common failures.  The default is to display the fields.
	      When omitted, they are replaced by the string "[omitted]" or,
	      in the DNSKEY case, the key id is displayed as the replacement,
	      e.g. "[ key id = value ]".
	    </p></dd>
<dt><span class="term"><code class="option">+[no]trust</code></span></dt>
<dd><p>
	      Controls whether to display the trust level when printing
	      a record. The default is to display the trust level.
	    </p></dd>
<dt><span class="term"><code class="option">+[no]split[=W]</code></span></dt>
<dd><p>
	      Split long hex- or base64-formatted fields in resource
	      records into chunks of <em class="parameter"><code>W</code></em> characters
	      (where <em class="parameter"><code>W</code></em> is rounded up to the nearest
	      multiple of 4).
	      <em class="parameter"><code>+nosplit</code></em> or
	      <em class="parameter"><code>+split=0</code></em> causes fields not to be
	      split at all.  The default is 56 characters, or 44 characters
	      when multiline mode is active.
	    </p></dd>
<dt><span class="term"><code class="option">+[no]all</code></span></dt>
<dd><p>
	      Set or clear the display options
	      <code class="option">+[no]comments</code>,
	      <code class="option">+[no]rrcomments</code>, and
	      <code class="option">+[no]trust</code> as a group.
	    </p></dd>
<dt><span class="term"><code class="option">+[no]multiline</code></span></dt>
<dd><p>
	      Print long records (such as RRSIG, DNSKEY, and SOA records)
	      in a verbose multi-line format with human-readable comments.
	      The default is to print each record on a single line, to
	      facilitate machine parsing of the <span class="command"><strong>delv</strong></span>
	      output.
	    </p></dd>
<dt><span class="term"><code class="option">+[no]dnssec</code></span></dt>
<dd><p>
	      Indicates whether to display RRSIG records in the
	      <span class="command"><strong>delv</strong></span> output.  The default is to
	      do so.  Note that (unlike in <span class="command"><strong>dig</strong></span>)
	      this does <span class="emphasis"><em>not</em></span> control whether to
	      request DNSSEC records or whether to validate them.
	      DNSSEC records are always requested, and validation
	      will always occur unless suppressed by the use of
	      <code class="option">-i</code> or <code class="option">+noroot</code> and
	      <code class="option">+nodlv</code>.
	    </p></dd>
<dt><span class="term"><code class="option">+[no]root[=ROOT]</code></span></dt>
<dd><p>
	      Indicates whether to perform conventional (non-lookaside)
	      DNSSEC validation, and if so, specifies the
	      name of a trust anchor.  The default is to validate using
	      a trust anchor of "." (the root zone), for which there is
	      a built-in key.  If specifying a different trust anchor,
	      then <code class="option">-a</code> must be used to specify a file
	      containing the key.
	    </p></dd>
<dt><span class="term"><code class="option">+[no]dlv[=DLV]</code></span></dt>
<dd><p>
	      Indicates whether to perform DNSSEC lookaside validation,
	      and if so, specifies the name of the DLV trust anchor.
	      The default is to perform lookaside validation using
	      a trust anchor of "dlv.isc.org", for which there is a
	      built-in key.  If specifying a different name, then
	      <code class="option">-a</code> must be used to specify a file
	      containing the DLV key.
	    </p></dd>
<dt><span class="term"><code class="option">+[no]tcp</code></span></dt>
<dd><p>
	      Controls whether to use TCP when sending queries.
	      The default is to use UDP unless a truncated
	      response has been received.
	    </p></dd>
<dt><span class="term"><code class="option">+[no]unknownformat</code></span></dt>
<dd><p>
	      Print all RDATA in unknown RR type presentation format
	      (RFC 3597). The default is to print RDATA for known types
	      in the type's presentation format.
	    </p></dd>
</dl></div>
<p>

    </p>
</div>
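<p>
      Added example, not part of the ISC manual page: a POSIX shell wrapper
      that gates on the verdict <span class="command"><strong>delv</strong></span> prints,
      refuses a hostname as <em class="parameter"><code>server</code></em> (that lookup is
      not validated), and on failure reruns the query with
      <code class="option">+cdflag</code> and <code class="option">+vtrace</code>.
      The function names are hypothetical, the sample output is constructed,
      and the matched status strings ("; fully validated", "; unsigned answer",
      ";; resolution failed") are assumptions about delv's default output.
    </p>

```shell
#!/bin/sh
# Added example (not ISC code). Assumption: with +trust and +comments at
# their defaults, delv prints "; fully validated" or "; unsigned answer"
# above each RRset and logs ";; resolution failed: ..." on failure.

# is_ip_literal ADDR: syntax check for an IPv4 or IPv6 literal. A hostname
# given as @server is resolved WITHOUT DNSSEC validation, so refuse it.
is_ip_literal() {
    case $1 in
        ''|*[!0-9A-Fa-f:.]*|.*|*.) return 1 ;;  # empty, foreign char, stray dot
        *:*:*) return 0 ;;                      # colon-delimited IPv6
    esac
    # IPv4: exactly four decimal octets, each 0-255.
    saved_ifs=$IFS; IFS=.; set -- $1; IFS=$saved_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in ''|*[!0-9]*|????*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
}

# classify_delv_output: read delv output on stdin and print one verdict.
# A failure or an unsigned RRset anywhere in the answer (for example one
# link of a CNAME chain) outranks "fully validated": the weakest link wins.
classify_delv_output() {
    awk '
        /^;; resolution failed/   { failed = 1 }
        /^; .*unsigned answer/    { insecure = 1 }
        /^; .*fully validated/    { secure = 1 }
        END {
            if (failed)        print "failed"
            else if (insecure) print "insecure"
            else if (secure)   print "secure"
            else               print "unknown"
        }'
}

# delv_check SERVER NAME [TYPE]: print the verdict; exit status is 0 only
# for "secure". -q and -t keep names such as "ns" or "ch" from being parsed
# as a type or class.
delv_check() {
    dc_server=$1 dc_name=$2 dc_type=${3:-A}
    if ! is_ip_literal "$dc_server"; then
        echo "refusing @$dc_server: not an IP literal" >&2
        return 2
    fi
    dc_out=$(delv "@$dc_server" -q "$dc_name" -t "$dc_type" 2>&1) || true
    dc_verdict=$(printf '%s\n' "$dc_out" | classify_delv_output)
    if [ "$dc_verdict" = failed ]; then
        # A validating upstream withholds the bad data; set CD so it is
        # returned, and trace delv's own validator to see why it is rejected.
        delv "@$dc_server" -q "$dc_name" -t "$dc_type" +cdflag +vtrace >&2 || true
    fi
    printf '%s\n' "$dc_verdict"
    [ "$dc_verdict" = secure ]
}

# Constructed sample of a failed lookup (not captured from a real run).
sample_failed_output() {
    cat <<'EOF'
;; validating bogus.example/A: no valid signature found
;; resolution failed: broken trust chain
EOF
}

# Classify the constructed sample.
sample_failed_output | classify_delv_output
```

<p>
      Call it as <code class="literal">delv_check 192.0.2.53 www.example.com A</code>;
      only the verdict goes to standard output, the trace of a failed lookup
      goes to standard error.
    </p>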
<div class="refsection">
<a name="id-1.11"></a><h2>FILES</h2>
<p><code class="filename">/etc/bind.keys</code></p>
<p><code class="filename">/etc/resolv.conf</code></p>
</div>
<div class="refsection">
<a name="id-1.12"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">dig</span>(1)</span>,
      <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
      <em class="citetitle">RFC4034</em>,
      <em class="citetitle">RFC4035</em>,
      <em class="citetitle">RFC4431</em>,
      <em class="citetitle">RFC5074</em>,
      <em class="citetitle">RFC5155</em>.
    </p>
</div>
</div></body>
</html>