xref: /minix/external/bsd/bind/dist/doc/arm/man.delv.html (revision fb9c64b2)
1<!--
2 - Copyright (C) 2004-2015 Internet Systems Consortium, Inc. ("ISC")
3 - Copyright (C) 2000-2003 Internet Software Consortium.
4 -
5 - Permission to use, copy, modify, and/or distribute this software for any
6 - purpose with or without fee is hereby granted, provided that the above
7 - copyright notice and this permission notice appear in all copies.
8 -
9 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
10 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
11 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
12 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
13 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
14 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
15 - PERFORMANCE OF THIS SOFTWARE.
16-->
17<!-- $Id: man.delv.html,v 1.5 2015/09/03 07:33:34 christos Exp $ -->
18<html>
19<head>
20<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
21<title>delv</title>
22<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
23<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
24<link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
25<link rel="prev" href="man.host.html" title="host">
26<link rel="next" href="man.dnssec-checkds.html" title="dnssec-checkds">
27</head>
28<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
42<div class="refentry" lang="en">
43<a name="man.delv"></a><div class="titlepage"></div>
44<div class="refnamediv">
45<h2>Name</h2>
46<p>delv &#8212; DNS lookup and validation utility</p>
47</div>
48<div class="refsynopsisdiv">
49<h2>Synopsis</h2>
50<div class="cmdsynopsis"><p><code class="command">delv</code>  [@server] [<code class="option">-4</code>] [<code class="option">-6</code>] [<code class="option">-a <em class="replaceable"><code>anchor-file</code></em></code>] [<code class="option">-b <em class="replaceable"><code>address</code></em></code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-d <em class="replaceable"><code>level</code></em></code>] [<code class="option">-i</code>] [<code class="option">-m</code>] [<code class="option">-p <em class="replaceable"><code>port#</code></em></code>] [<code class="option">-q <em class="replaceable"><code>name</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-x <em class="replaceable"><code>addr</code></em></code>] [name] [type] [class] [queryopt...]</p></div>
51<div class="cmdsynopsis"><p><code class="command">delv</code>  [<code class="option">-h</code>]</p></div>
52<div class="cmdsynopsis"><p><code class="command">delv</code>  [<code class="option">-v</code>]</p></div>
53<div class="cmdsynopsis"><p><code class="command">delv</code>  [queryopt...] [query...]</p></div>
54</div>
55<div class="refsect1" lang="en">
56<a name="id2615191"></a><h2>DESCRIPTION</h2>
57<p><span><strong class="command">delv</strong></span>
58      (Domain Entity Lookup &amp; Validation) is a tool for sending
59      DNS queries and validating the results, using the same internal
60      resolver and validator logic as <span><strong class="command">named</strong></span>.
61    </p>
62<p>
63      <span><strong class="command">delv</strong></span> will send to a specified name server all
64      queries needed to fetch and validate the requested data; this
65      includes the original requested query, subsequent queries to follow
66      CNAME or DNAME chains, and queries for DNSKEY, DS and DLV records
67      to establish a chain of trust for DNSSEC validation.
68      It does not perform iterative resolution, but simulates the
69      behavior of a name server configured for DNSSEC validating and
70      forwarding.
71    </p>
72<p>
73      By default, responses are validated using built-in DNSSEC trust
74      anchors for the root zone (".") and for the ISC DNSSEC lookaside
75      validation zone ("dlv.isc.org").  Records returned by
76      <span><strong class="command">delv</strong></span> are either fully validated or
77      were not signed.  If validation fails, an explanation of
78      the failure is included in the output; the validation process
79      can be traced in detail.  Because <span><strong class="command">delv</strong></span> does
80      not rely on an external server to carry out validation, it can
81      be used to check the validity of DNS responses in environments
82      where local name servers may not be trustworthy.
83    </p>
84<p>
85      Unless it is told to query a specific name server,
86      <span><strong class="command">delv</strong></span> will try each of the servers listed in
87      <code class="filename">/etc/resolv.conf</code>. If no usable server
88      addresses are found, <span><strong class="command">delv</strong></span> will send
89      queries to the localhost addresses (127.0.0.1 for IPv4, ::1
90      for IPv6).
91    </p>
92<p>
93      When no command line arguments or options are given,
94      <span><strong class="command">delv</strong></span> will perform an NS query for "."
95      (the root zone).
96    </p>
97</div>
98<div class="refsect1" lang="en">
99<a name="id2615264"></a><h2>SIMPLE USAGE</h2>
100<p>
101      A typical invocation of <span><strong class="command">delv</strong></span> looks like:
102      </p>
103<pre class="programlisting"> delv @server name type </pre>
104<p>
105      where:
106
107      </p>
108<div class="variablelist"><dl>
109<dt><span class="term"><code class="constant">server</code></span></dt>
110<dd>
111<p>
112	      is the name or IP address of the name server to query.  This
113	      can be an IPv4 address in dotted-decimal notation or an IPv6
114	      address in colon-delimited notation.  When the supplied
115	      <em class="parameter"><code>server</code></em> argument is a hostname,
116	      <span><strong class="command">delv</strong></span> resolves that name before
117	      querying that name server (note, however, that this
118	      initial lookup is <span class="emphasis"><em>not</em></span> validated
119	      by DNSSEC).
120	    </p>
121<p>
122	      If no <em class="parameter"><code>server</code></em> argument is
123	      provided, <span><strong class="command">delv</strong></span> consults
124	      <code class="filename">/etc/resolv.conf</code>; if an
125	      address is found there, it queries the name server at
126	      that address. If either of the <code class="option">-4</code> or
127	      <code class="option">-6</code> options is in use, then
128	      only addresses for the corresponding transport
129	      will be tried.  If no usable addresses are found,
130	      <span><strong class="command">delv</strong></span> will send queries to
131	      the localhost addresses (127.0.0.1 for IPv4,
132	      ::1 for IPv6).
133	    </p>
134</dd>
135<dt><span class="term"><code class="constant">name</code></span></dt>
136<dd><p>
137	      is the domain name to be looked up.
138	    </p></dd>
139<dt><span class="term"><code class="constant">type</code></span></dt>
140<dd><p>
141	      indicates what type of query is required &#8212;
142	      ANY, A, MX, etc.
143	      <em class="parameter"><code>type</code></em> can be any valid query
144	      type.  If no
145	      <em class="parameter"><code>type</code></em> argument is supplied,
146	      <span><strong class="command">delv</strong></span> will perform a lookup for an
147	      A record.
148	    </p></dd>
149</dl></div>
150<p>
151    </p>
152</div>
153<div class="refsect1" lang="en">
154<a name="id2616487"></a><h2>OPTIONS</h2>
155<div class="variablelist"><dl>
156<dt><span class="term">-a <em class="replaceable"><code>anchor-file</code></em></span></dt>
157<dd>
158<p>
159	    Specifies a file from which to read DNSSEC trust anchors.
160	    The default is <code class="filename">/etc/bind.keys</code>, which
161	    is included with <acronym class="acronym">BIND</acronym> 9 and contains
162	    trust anchors for the root zone (".") and for the ISC
163	    DNSSEC lookaside validation zone ("dlv.isc.org").
164	  </p>
165<p>
166	    Keys that do not match the root or DLV trust-anchor
167	    names are ignored; these key names can be overridden
168	    using the <code class="option">+dlv=NAME</code> or
169	    <code class="option">+root=NAME</code> options.
170	  </p>
171<p>
172	    Note: When reading the trust anchor file,
173	    <span><strong class="command">delv</strong></span> treats <code class="option">managed-keys</code>
174	    statements and <code class="option">trusted-keys</code> statements
175	    identically.  That is, for a managed key, it is the
176	    <span class="emphasis"><em>initial</em></span> key that is trusted; RFC 5011
177	    key management is not supported. <span><strong class="command">delv</strong></span>
178	    will not consult the managed-keys database maintained by
179	    <span><strong class="command">named</strong></span>. This means that if either of the
180	    keys in <code class="filename">/etc/bind.keys</code> is revoked
181	    and rolled over, it will be necessary to update
182	    <code class="filename">/etc/bind.keys</code> to use DNSSEC
183	    validation in <span><strong class="command">delv</strong></span>.
184	  </p>
185</dd>
186<dt><span class="term">-b  <em class="replaceable"><code>address</code></em></span></dt>
187<dd><p>
188	    Sets the source IP address of the query to
189	    <em class="parameter"><code>address</code></em>.  This must be a valid address
190	    on one of the host's network interfaces or "0.0.0.0" or "::".
191	    An optional source port may be specified by appending
192	    "#&lt;port&gt;".
193	  </p></dd>
194<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
195<dd><p>
196	    Sets the query class for the requested data. Currently,
197	    only class "IN" is supported in <span><strong class="command">delv</strong></span>
198	    and any other value is ignored.
199	  </p></dd>
200<dt><span class="term">-d <em class="replaceable"><code>level</code></em></span></dt>
201<dd><p>
202	    Set the systemwide debug level to <code class="option">level</code>.
203	    The allowed range is from 0 to 99.
204	    The default is 0 (no debugging).
205	    Debugging traces from <span><strong class="command">delv</strong></span> become
206	    more verbose as the debug level increases.
207	    See the <code class="option">+mtrace</code>, <code class="option">+rtrace</code>,
208	    and <code class="option">+vtrace</code> options below for additional
209	    debugging details.
210	  </p></dd>
211<dt><span class="term">-h</span></dt>
212<dd><p>
213	    Display the <span><strong class="command">delv</strong></span> help usage output and exit.
214	  </p></dd>
215<dt><span class="term">-i</span></dt>
216<dd><p>
217	    Insecure mode. This disables internal DNSSEC validation.
218	    (Note, however, this does not set the CD bit on upstream
219	    queries. If the server being queried is performing DNSSEC
220	    validation, then it will not return invalid data; this
221	    can cause <span><strong class="command">delv</strong></span> to time out. When it
222	    is necessary to examine invalid data to debug a DNSSEC
223	    problem, use <span><strong class="command">dig +cd</strong></span>.)
224	  </p></dd>
225<dt><span class="term">-m</span></dt>
226<dd><p>
227	    Enables memory usage debugging.
228	  </p></dd>
229<dt><span class="term">-p <em class="replaceable"><code>port#</code></em></span></dt>
230<dd><p>
231	    Specifies a destination port to use for queries instead of
232	    the standard DNS port number 53.  This option would be used
233	    with a name server that has been configured to listen
234	    for queries on a non-standard port number.
235	  </p></dd>
236<dt><span class="term">-q <em class="replaceable"><code>name</code></em></span></dt>
237<dd><p>
238	    Sets the query name to <em class="parameter"><code>name</code></em>.
239	    While the query name can be specified without using the
240	    <code class="option">-q</code>, it is sometimes necessary to disambiguate
241	    names from types or classes (for example, when looking up the
242	    name "ns", which could be misinterpreted as the type NS,
243	    or "ch", which could be misinterpreted as class CH).
244	  </p></dd>
245<dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
246<dd>
247<p>
248	    Sets the query type to <em class="parameter"><code>type</code></em>, which
249	    can be any valid query type supported in BIND 9 except
250	    for zone transfer types AXFR and IXFR. As with
251	    <code class="option">-q</code>, this is useful to distinguish
252	    the query name, type, or class when they are
253	    ambiguous.
254	  </p>
255<p>
256	    The default query type is "A", unless the <code class="option">-x</code>
257	    option is supplied to indicate a reverse lookup, in which case
258	    it is "PTR".
259	  </p>
260</dd>
261<dt><span class="term">-v</span></dt>
262<dd><p>
263	    Print the <span><strong class="command">delv</strong></span> version and exit.
264	  </p></dd>
265<dt><span class="term">-x <em class="replaceable"><code>addr</code></em></span></dt>
266<dd><p>
267	    Performs a reverse lookup, mapping an address to
268	    a name.  <em class="parameter"><code>addr</code></em> is an IPv4 address in
269	    dotted-decimal notation, or a colon-delimited IPv6 address.
270	    When <code class="option">-x</code> is used, there is no need to provide
271	    the <em class="parameter"><code>name</code></em> or <em class="parameter"><code>type</code></em>
272	    arguments.  <span><strong class="command">delv</strong></span> automatically performs a
273	    lookup for a name like <code class="literal">11.12.13.10.in-addr.arpa</code>
274	    and sets the query type to PTR.  IPv6 addresses are looked up
275	    using nibble format under the IP6.ARPA domain.
276	  </p></dd>
277<dt><span class="term">-4</span></dt>
278<dd><p>
279	    Forces <span><strong class="command">delv</strong></span> to only use IPv4.
280	  </p></dd>
281<dt><span class="term">-6</span></dt>
282<dd><p>
283	    Forces <span><strong class="command">delv</strong></span> to only use IPv6.
284	  </p></dd>
285</dl></div>
286</div>
287<div class="refsect1" lang="en">
288<a name="id2671445"></a><h2>QUERY OPTIONS</h2>
289<p><span><strong class="command">delv</strong></span>
290      provides a number of query options which affect the way results are
291      displayed, and in some cases the way lookups are performed.
292    </p>
293<p>
294      Each query option is identified by a keyword preceded by a plus sign
295      (<code class="literal">+</code>).  Some keywords set or reset an
296      option.  These may be preceded by the string
297      <code class="literal">no</code> to negate the meaning of that keyword.
298      Other keywords assign values to options like the timeout interval.
299      They have the form <code class="option">+keyword=value</code>.
300      The query options are:
301
302      </p>
303<div class="variablelist"><dl>
304<dt><span class="term"><code class="option">+[no]cdflag</code></span></dt>
305<dd><p>
306	      Controls whether to set the CD (checking disabled) bit in
307	      queries sent by <span><strong class="command">delv</strong></span>. This may be useful
308	      when troubleshooting DNSSEC problems from behind a validating
309	      resolver. A validating resolver will block invalid responses,
310	      making it difficult to retrieve them for analysis. Setting
311	      the CD flag on queries will cause the resolver to return
312	      invalid responses, which <span><strong class="command">delv</strong></span> can then
313	      validate internally and report the errors in detail.
314	    </p></dd>
315<dt><span class="term"><code class="option">+[no]class</code></span></dt>
316<dd><p>
317	      Controls whether to display the CLASS when printing
318	      a record. The default is to display the CLASS.
319	    </p></dd>
320<dt><span class="term"><code class="option">+[no]ttl</code></span></dt>
321<dd><p>
322	      Controls whether to display the TTL when printing
323	      a record. The default is to display the TTL.
324	    </p></dd>
325<dt><span class="term"><code class="option">+[no]rtrace</code></span></dt>
326<dd>
327<p>
328	      Toggle resolver fetch logging. This reports the
329	      name and type of each query sent by <span><strong class="command">delv</strong></span>
330	      in the process of carrying out the resolution and validation
331	      process: this includes the original query and
332	      all subsequent queries to follow CNAMEs and to establish a
333	      chain of trust for DNSSEC validation.
334	    </p>
335<p>
336	      This is equivalent to setting the debug level to 1 in
337	      the "resolver" logging category. Setting the systemwide
338	      debug level to 1 using the <code class="option">-d</code> option will
339	      produce the same output (but will affect other logging
340	      categories as well).
341	    </p>
342</dd>
343<dt><span class="term"><code class="option">+[no]mtrace</code></span></dt>
344<dd>
345<p>
346	      Toggle message logging. This produces a detailed dump of
347	      the responses received by <span><strong class="command">delv</strong></span> in the
348	      process of carrying out the resolution and validation process.
349	    </p>
350<p>
351	      This is equivalent to setting the debug level to 10
352	      for the "packets" module of the "resolver" logging
353	      category. Setting the systemwide debug level to 10 using
354	      the <code class="option">-d</code> option will produce the same output
355	      (but will affect other logging categories as well).
356	    </p>
357</dd>
358<dt><span class="term"><code class="option">+[no]vtrace</code></span></dt>
359<dd>
360<p>
361	      Toggle validation logging. This shows the internal
362	      process of the validator as it determines whether an
363	      answer is validly signed, unsigned, or invalid.
364	    </p>
365<p>
366	      This is equivalent to setting the debug level to 3
367	      for the "validator" module of the "dnssec" logging
368	      category. Setting the systemwide debug level to 3 using
369	      the <code class="option">-d</code> option will produce the same output
370	      (but will affect other logging categories as well).
371	    </p>
372</dd>
373<dt><span class="term"><code class="option">+[no]short</code></span></dt>
374<dd><p>
375	      Provide a terse answer.  The default is to print the answer in a
376	      verbose form.
377	    </p></dd>
378<dt><span class="term"><code class="option">+[no]comments</code></span></dt>
379<dd><p>
380	      Toggle the display of comment lines in the output.  The default
381	      is to print comments.
382	    </p></dd>
383<dt><span class="term"><code class="option">+[no]rrcomments</code></span></dt>
384<dd><p>
385	      Toggle the display of per-record comments in the output (for
386	      example, human-readable key information about DNSKEY records).
387	      The default is to print per-record comments.
388	    </p></dd>
389<dt><span class="term"><code class="option">+[no]crypto</code></span></dt>
390<dd><p>
391	      Toggle the display of cryptographic fields in DNSSEC records.
392	      The contents of these fields are unnecessary to debug most DNSSEC
393	      validation failures and removing them makes it easier to see
394	      the common failures.  The default is to display the fields.
395	      When omitted they are replaced by the string "[omitted]" or
396	      in the DNSKEY case the key id is displayed as the replacement,
397	      e.g. "[ key id = value ]".
398	    </p></dd>
399<dt><span class="term"><code class="option">+[no]trust</code></span></dt>
400<dd><p>
401	      Controls whether to display the trust level when printing
402	      a record. The default is to display the trust level.
403	    </p></dd>
404<dt><span class="term"><code class="option">+[no]split[=W]</code></span></dt>
405<dd><p>
406	      Split long hex- or base64-formatted fields in resource
407	      records into chunks of <em class="parameter"><code>W</code></em> characters
408	      (where <em class="parameter"><code>W</code></em> is rounded up to the nearest
409	      multiple of 4).
410	      <em class="parameter"><code>+nosplit</code></em> or
411	      <em class="parameter"><code>+split=0</code></em> causes fields not to be
412	      split at all.  The default is 56 characters, or 44 characters
413	      when multiline mode is active.
414	    </p></dd>
415<dt><span class="term"><code class="option">+[no]all</code></span></dt>
416<dd><p>
417	      Set or clear the display options
418	      <code class="option">+[no]comments</code>,
419	      <code class="option">+[no]rrcomments</code>, and
420	      <code class="option">+[no]trust</code> as a group.
421	    </p></dd>
422<dt><span class="term"><code class="option">+[no]multiline</code></span></dt>
423<dd><p>
424	      Print long records (such as RRSIG, DNSKEY, and SOA records)
425	      in a verbose multi-line format with human-readable comments.
426	      The default is to print each record on a single line, to
427	      facilitate machine parsing of the <span><strong class="command">delv</strong></span>
428	      output.
429	    </p></dd>
430<dt><span class="term"><code class="option">+[no]dnssec</code></span></dt>
431<dd><p>
432	      Indicates whether to display RRSIG records in the
433	      <span><strong class="command">delv</strong></span> output.  The default is to
434	      do so.  Note that (unlike in <span><strong class="command">dig</strong></span>)
435	      this does <span class="emphasis"><em>not</em></span> control whether to
436	      request DNSSEC records or whether to validate them.
437	      DNSSEC records are always requested, and validation
438	      will always occur unless suppressed by the use of
439	      <code class="option">-i</code> or <code class="option">+noroot</code> and
440	      <code class="option">+nodlv</code>.
441	    </p></dd>
442<dt><span class="term"><code class="option">+[no]root[=ROOT]</code></span></dt>
443<dd><p>
444	      Indicates whether to perform conventional (non-lookaside)
445	      DNSSEC validation, and if so, specifies the
446	      name of a trust anchor.  The default is to validate using
447	      a trust anchor of "." (the root zone), for which there is
448	      a built-in key.  If specifying a different trust anchor,
449	      then <code class="option">-a</code> must be used to specify a file
450	      containing the key.
451	    </p></dd>
452<dt><span class="term"><code class="option">+[no]dlv[=DLV]</code></span></dt>
453<dd><p>
454	      Indicates whether to perform DNSSEC lookaside validation,
455	      and if so, specifies the name of the DLV trust anchor.
456	      The default is to perform lookaside validation using
457	      a trust anchor of "dlv.isc.org", for which there is a
458	      built-in key.  If specifying a different name, then
459	      <code class="option">-a</code> must be used to specify a file
460	      containing the DLV key.
461	    </p></dd>
462</dl></div>
463<p>
464
465    </p>
466</div>
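<p>
      The following is an added example, not part of the BIND distribution
      or of the original manual page: a shell wrapper that turns
      <span><strong class="command">delv</strong></span> output into a single verdict and, on
      failure, reruns the query with <code class="option">+cdflag</code> and
      <code class="option">+vtrace</code> as described above. The comment strings
      it matches and the sample outputs are assumptions and constructed data,
      not text taken from this page.
    </p>

```shell
#!/bin/sh
# Added example, not ISC code. Classifies delv output so a script can act on
# "validated" vs "unsigned" vs "failed" instead of trusting any answer returned.
# Assumption: with +comments (the default) delv marks each answer with
# "; fully validated" or "; unsigned answer" (optionally prefixed by
# "negative response, ") and reports errors as ";; resolution failed: REASON".

# Constructed sample outputs (not captured from a real server).
SAMPLE_OK='; fully validated
signed.example.test. 300 IN A 192.0.2.10
signed.example.test. 300 IN RRSIG A [omitted]'
SAMPLE_UNSIGNED='; unsigned answer
plain.example.test. 300 IN A 192.0.2.20'
SAMPLE_MIXED='; fully validated
www.example.test. 300 IN CNAME host.plain.test.
; unsigned answer
host.plain.test. 300 IN A 192.0.2.30'
SAMPLE_FAIL=';; validating bad.example.test/A: no valid signature found
;; resolution failed: RRSIG failed to verify'

# classify_delv: read delv output on stdin, print one verdict word.
classify_delv() {
    awk '
        /^;; resolution failed/                     { failed = 1 }
        /^; (negative response, )?fully validated/  { validated = 1 }
        /^; (negative response, )?unsigned answer/  { unsigned = 1 }
        END {
            if (failed)         print "failed"
            else if (unsigned)  print "unsigned"   # any unsigned part downgrades
            else if (validated) print "validated"
            else                print "unknown"    # e.g. comments disabled
        }'
}

# failure_reason: print the text after ";; resolution failed: ", if any.
failure_reason() {
    sed -n 's/^;; resolution failed: //p'
}

# check_name NAME [TYPE] [SERVER]: run delv, print "verdict name type",
# and succeed only when the answer was fully validated.
check_name() (
    name=$1; type=${2:-A}; server=$3
    command -v delv >/dev/null 2>&1 || { echo "delv not found" >&2; exit 127; }
    # -q/-t keep names such as "ns" or "ch" from being read as a type or class.
    set -- -q "$name" -t "$type" +nocrypto
    if [ -n "$server" ]; then set -- "@$server" "$@"; fi
    out=$(delv "$@" 2>&1) || true
    verdict=$(printf '%s\n' "$out" | classify_delv)
    printf '%s %s %s\n' "$verdict" "$name" "$type"
    if [ "$verdict" = failed ]; then
        printf '%s\n' "$out" | failure_reason >&2
        # Behind a validating resolver: set CD so the bad data is returned,
        # then let delv validate it locally and trace the validator.
        delv "$@" +cdflag +vtrace >&2 || true
    fi
    [ "$verdict" = validated ]
)
```

<p>
      Because the verdict depends on comment lines, keep the default
      <code class="option">+comments</code> when feeding output to
      <code class="literal">classify_delv</code>.
    </p>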
467<div class="refsect1" lang="en">
468<a name="id2671961"></a><h2>FILES</h2>
469<p><code class="filename">/etc/bind.keys</code></p>
470<p><code class="filename">/etc/resolv.conf</code></p>
471</div>
472<div class="refsect1" lang="en">
473<a name="id2671980"></a><h2>SEE ALSO</h2>
474<p><span class="citerefentry"><span class="refentrytitle">dig</span>(1)</span>,
475      <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
476      <em class="citetitle">RFC4034</em>,
477      <em class="citetitle">RFC4035</em>,
478      <em class="citetitle">RFC4431</em>,
479      <em class="citetitle">RFC5074</em>,
480      <em class="citetitle">RFC5155</em>.
481    </p>
482</div>
483</div>
502<p style="text-align: center;">BIND 9.10.2-P4</p>
503</body>
504</html>
505