<!--
 - Copyright (C) 2004-2015 Internet Systems Consortium, Inc. ("ISC")
 - Copyright (C) 2000-2003 Internet Software Consortium.
 -
 - Permission to use, copy, modify, and/or distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 -
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: man.delv.html,v 1.5 2015/09/03 07:33:34 christos Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>delv</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
<link rel="prev" href="man.host.html" title="host">
<link rel="next" href="man.dnssec-checkds.html" title="dnssec-checkds">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<div class="refentry" lang="en">
<a name="man.delv"></a><div class="titlepage"></div>
<div class="refnamediv">
<h2>Name</h2>
<p>delv — DNS lookup and validation utility</p>
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p><code class="command">delv</code> [@server] [<code class="option">-4</code>] [<code class="option">-6</code>] [<code class="option">-a <em class="replaceable"><code>anchor-file</code></em></code>] [<code class="option">-b <em class="replaceable"><code>address</code></em></code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-d <em class="replaceable"><code>level</code></em></code>] [<code class="option">-i</code>] [<code class="option">-m</code>] [<code class="option">-p <em class="replaceable"><code>port#</code></em></code>] [<code class="option">-q <em class="replaceable"><code>name</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-x <em class="replaceable"><code>addr</code></em></code>] [name] [type] [class] [queryopt...]</p></div>
<div class="cmdsynopsis"><p><code class="command">delv</code> [<code class="option">-h</code>]</p></div>
<div class="cmdsynopsis"><p><code class="command">delv</code> [<code class="option">-v</code>]</p></div>
<div class="cmdsynopsis"><p><code class="command">delv</code> [queryopt...] [query...]</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2615191"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">delv</strong></span>
      (Domain Entity Lookup &amp; Validation) is a tool for sending
      DNS queries and validating the results, using the same internal
      resolver and validator logic as <span><strong class="command">named</strong></span>.
    </p>
<p>
      <span><strong class="command">delv</strong></span> will send to a specified name server all
      queries needed to fetch and validate the requested data; this
      includes the original requested query, subsequent queries to follow
      CNAME or DNAME chains, and queries for DNSKEY, DS and DLV records
      to establish a chain of trust for DNSSEC validation.
      It does not perform iterative resolution, but simulates the
      behavior of a name server configured for DNSSEC validating and
      forwarding.
    </p>
<p>
      By default, responses are validated using built-in DNSSEC trust
      anchors for the root zone (".") and for the ISC DNSSEC lookaside
      validation zone ("dlv.isc.org"). Records returned by
      <span><strong class="command">delv</strong></span> are either fully validated or
      were not signed. If validation fails, an explanation of
      the failure is included in the output; the validation process
      can be traced in detail. Because <span><strong class="command">delv</strong></span> does
      not rely on an external server to carry out validation, it can
      be used to check the validity of DNS responses in environments
      where local name servers may not be trustworthy.
    </p>
<p>
      Unless it is told to query a specific name server,
      <span><strong class="command">delv</strong></span> will try each of the servers listed in
      <code class="filename">/etc/resolv.conf</code>. If no usable server
      addresses are found, <span><strong class="command">delv</strong></span> will send
      queries to the localhost addresses (127.0.0.1 for IPv4, ::1
      for IPv6).
    </p>
<p>
      When no command line arguments or options are given,
      <span><strong class="command">delv</strong></span> will perform an NS query for "."
      (the root zone).
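    </p>
<p>
      The outcomes described above (fully validated, unsigned, or failed) can be
      told apart in a script. The following is an added example, not part of the
      ISC manual page or of BIND: a hypothetical shell helper,
      delv_verdict, that reads delv output and fails closed. The status-comment
      strings it matches are assumptions about the output format, and the sample
      outputs are constructed.
    </p>

```shell
#!/bin/sh
# Added example, not ISC code. The status-comment strings matched below are
# assumptions about delv's output format; the manual page does not list them.

# delv_verdict (hypothetical helper): read delv output on stdin and print
# one verdict, choosing the worst status seen:
#   failed       delv reported that resolution or validation failed
#   insecure     at least one RRset came back as an unsigned answer
#   unvalidated  validation was switched off (for example with -i)
#   secure       every reported RRset was fully validated
#   unknown      no status comment seen (for example with +notrust)
delv_verdict() {
    failed=0; unsigned=0; skipped=0; secure=0
    while IFS= read -r line; do
        case $line in
            ';; resolution failed:'*)     failed=1 ;;
            '; '*'fully validated')       secure=1 ;;
            '; '*'unsigned answer')       unsigned=1 ;;
            '; '*'answer not validated')  skipped=1 ;;
        esac
    done
    # Fail closed: a signed CNAME that leads into an unsigned zone prints
    # both "fully validated" and "unsigned answer" and must not pass.
    if   [ "$failed" -eq 1 ];   then echo failed
    elif [ "$unsigned" -eq 1 ]; then echo insecure
    elif [ "$skipped" -eq 1 ];  then echo unvalidated
    elif [ "$secure" -eq 1 ];   then echo secure
    else echo unknown
    fi
}

# Constructed sample outputs (example names, documentation addresses).
SAMPLE_SECURE='; fully validated
www.example.com. 300 IN A 192.0.2.10
www.example.com. 300 IN RRSIG A 8 3 300 20300101000000 20291201000000 12345 example.com. [omitted]'

SAMPLE_MIXED='; fully validated
www.example.com. 300 IN CNAME host.example.net.
www.example.com. 300 IN RRSIG CNAME 8 3 300 20300101000000 20291201000000 12345 example.com. [omitted]

; unsigned answer
host.example.net. 300 IN A 192.0.2.20'

SAMPLE_FAILED=';; validating www.example.org/A: no valid signature found
;; resolution failed: no valid RRSIG'

# Prints: secure, insecure, failed (one per line).
for sample in "$SAMPLE_SECURE" "$SAMPLE_MIXED" "$SAMPLE_FAILED"; do
    printf '%s\n' "$sample" | delv_verdict
done
```

<p>
      Pipe the standard output of delv and its diagnostics into delv_verdict
      together, and treat every verdict other than secure as a failed check.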
    </p>
</div>
<div class="refsect1" lang="en">
<a name="id2615264"></a><h2>SIMPLE USAGE</h2>
<p>
      A typical invocation of <span><strong class="command">delv</strong></span> looks like:
    </p>
<pre class="programlisting"> delv @server name type </pre>
<p>
      where:

      </p>
<div class="variablelist"><dl>
<dt><span class="term"><code class="constant">server</code></span></dt>
<dd>
<p>
              is the name or IP address of the name server to query. This
              can be an IPv4 address in dotted-decimal notation or an IPv6
              address in colon-delimited notation. When the supplied
              <em class="parameter"><code>server</code></em> argument is a hostname,
              <span><strong class="command">delv</strong></span> resolves that name before
              querying that name server (note, however, that this
              initial lookup is <span class="emphasis"><em>not</em></span> validated
              by DNSSEC).
            </p>
<p>
              If no <em class="parameter"><code>server</code></em> argument is
              provided, <span><strong class="command">delv</strong></span> consults
              <code class="filename">/etc/resolv.conf</code>; if an
              address is found there, it queries the name server at
              that address. If either of the <code class="option">-4</code> or
              <code class="option">-6</code> options is in use, then
              only addresses for the corresponding transport
              will be tried. If no usable addresses are found,
              <span><strong class="command">delv</strong></span> will send queries to
              the localhost addresses (127.0.0.1 for IPv4,
              ::1 for IPv6).
            </p>
</dd>
<dt><span class="term"><code class="constant">name</code></span></dt>
<dd><p>
              is the domain name to be looked up.
            </p></dd>
<dt><span class="term"><code class="constant">type</code></span></dt>
<dd><p>
              indicates what type of query is required —
              ANY, A, MX, etc.
              <em class="parameter"><code>type</code></em> can be any valid query
              type.
              If no
              <em class="parameter"><code>type</code></em> argument is supplied,
              <span><strong class="command">delv</strong></span> will perform a lookup for an
              A record.
            </p></dd>
</dl></div>
<p>
    </p>
</div>
<div class="refsect1" lang="en">
<a name="id2616487"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-a <em class="replaceable"><code>anchor-file</code></em></span></dt>
<dd>
<p>
            Specifies a file from which to read DNSSEC trust anchors.
            The default is <code class="filename">/etc/bind.keys</code>, which
            is included with <acronym class="acronym">BIND</acronym> 9 and contains
            trust anchors for the root zone (".") and for the ISC
            DNSSEC lookaside validation zone ("dlv.isc.org").
          </p>
<p>
            Keys that do not match the root or DLV trust-anchor
            names are ignored; these key names can be overridden
            using the <code class="option">+dlv=NAME</code> or
            <code class="option">+root=NAME</code> options.
          </p>
<p>
            Note: When reading the trust anchor file,
            <span><strong class="command">delv</strong></span> treats <code class="option">managed-keys</code>
            statements and <code class="option">trusted-keys</code> statements
            identically. That is, for a managed key, it is the
            <span class="emphasis"><em>initial</em></span> key that is trusted; RFC 5011
            key management is not supported. <span><strong class="command">delv</strong></span>
            will not consult the managed-keys database maintained by
            <span><strong class="command">named</strong></span>. This means that if either of the
            keys in <code class="filename">/etc/bind.keys</code> is revoked
            and rolled over, it will be necessary to update
            <code class="filename">/etc/bind.keys</code> to use DNSSEC
            validation in <span><strong class="command">delv</strong></span>.
          </p>
</dd>
<dt><span class="term">-b <em class="replaceable"><code>address</code></em></span></dt>
<dd><p>
            Sets the source IP address of the query to
            <em class="parameter"><code>address</code></em>. This must be a valid address
            on one of the host's network interfaces or "0.0.0.0" or "::".
            An optional source port may be specified by appending
            "#&lt;port&gt;".
          </p></dd>
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
<dd><p>
            Sets the query class for the requested data. Currently,
            only class "IN" is supported in <span><strong class="command">delv</strong></span>
            and any other value is ignored.
          </p></dd>
<dt><span class="term">-d <em class="replaceable"><code>level</code></em></span></dt>
<dd><p>
            Set the systemwide debug level to <code class="option">level</code>.
            The allowed range is from 0 to 99.
            The default is 0 (no debugging).
            Debugging traces from <span><strong class="command">delv</strong></span> become
            more verbose as the debug level increases.
            See the <code class="option">+mtrace</code>, <code class="option">+rtrace</code>,
            and <code class="option">+vtrace</code> options below for additional
            debugging details.
          </p></dd>
<dt><span class="term">-h</span></dt>
<dd><p>
            Display the <span><strong class="command">delv</strong></span> help usage output and exit.
          </p></dd>
<dt><span class="term">-i</span></dt>
<dd><p>
            Insecure mode. This disables internal DNSSEC validation.
            (Note, however, this does not set the CD bit on upstream
            queries. If the server being queried is performing DNSSEC
            validation, then it will not return invalid data; this
            can cause <span><strong class="command">delv</strong></span> to time out. When it
            is necessary to examine invalid data to debug a DNSSEC
            problem, use <span><strong class="command">dig +cd</strong></span>.)
          </p></dd>
<dt><span class="term">-m</span></dt>
<dd><p>
            Enables memory usage debugging.
          </p></dd>
<dt><span class="term">-p <em class="replaceable"><code>port#</code></em></span></dt>
<dd><p>
            Specifies a destination port to use for queries instead of
            the standard DNS port number 53. This option would be used
            with a name server that has been configured to listen
            for queries on a non-standard port number.
          </p></dd>
<dt><span class="term">-q <em class="replaceable"><code>name</code></em></span></dt>
<dd><p>
            Sets the query name to <em class="parameter"><code>name</code></em>.
            While the query name can be specified without using the
            <code class="option">-q</code>, it is sometimes necessary to disambiguate
            names from types or classes (for example, when looking up the
            name "ns", which could be misinterpreted as the type NS,
            or "ch", which could be misinterpreted as class CH).
          </p></dd>
<dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
<dd>
<p>
            Sets the query type to <em class="parameter"><code>type</code></em>, which
            can be any valid query type supported in BIND 9 except
            for zone transfer types AXFR and IXFR. As with
            <code class="option">-q</code>, this is useful to distinguish
            a query name from a type or class when they are ambiguous.
          </p>
<p>
            The default query type is "A", unless the <code class="option">-x</code>
            option is supplied to indicate a reverse lookup, in which case
            it is "PTR".
          </p>
</dd>
<dt><span class="term">-v</span></dt>
<dd><p>
            Print the <span><strong class="command">delv</strong></span> version and exit.
          </p></dd>
<dt><span class="term">-x <em class="replaceable"><code>addr</code></em></span></dt>
<dd><p>
            Performs a reverse lookup, mapping an address to
            a name.
            <em class="parameter"><code>addr</code></em> is an IPv4 address in
            dotted-decimal notation, or a colon-delimited IPv6 address.
            When <code class="option">-x</code> is used, there is no need to provide
            the <em class="parameter"><code>name</code></em> or <em class="parameter"><code>type</code></em>
            arguments. <span><strong class="command">delv</strong></span> automatically performs a
            lookup for a name like <code class="literal">11.12.13.10.in-addr.arpa</code>
            and sets the query type to PTR. IPv6 addresses are looked up
            using nibble format under the IP6.ARPA domain.
          </p></dd>
<dt><span class="term">-4</span></dt>
<dd><p>
            Forces <span><strong class="command">delv</strong></span> to only use IPv4.
          </p></dd>
<dt><span class="term">-6</span></dt>
<dd><p>
            Forces <span><strong class="command">delv</strong></span> to only use IPv6.
          </p></dd>
</dl></div>
</div>
<div class="refsect1" lang="en">
<a name="id2671445"></a><h2>QUERY OPTIONS</h2>
<p><span><strong class="command">delv</strong></span>
      provides a number of query options which affect the way results are
      displayed, and in some cases the way lookups are performed.
    </p>
<p>
      Each query option is identified by a keyword preceded by a plus sign
      (<code class="literal">+</code>). Some keywords set or reset an
      option. These may be preceded by the string
      <code class="literal">no</code> to negate the meaning of that keyword.
      Other keywords assign values to options like the timeout interval.
      They have the form <code class="option">+keyword=value</code>.
      The query options are:

      </p>
<div class="variablelist"><dl>
<dt><span class="term"><code class="option">+[no]cdflag</code></span></dt>
<dd><p>
              Controls whether to set the CD (checking disabled) bit in
              queries sent by <span><strong class="command">delv</strong></span>.
              This may be useful
              when troubleshooting DNSSEC problems from behind a validating
              resolver. A validating resolver will block invalid responses,
              making it difficult to retrieve them for analysis. Setting
              the CD flag on queries will cause the resolver to return
              invalid responses, which <span><strong class="command">delv</strong></span> can then
              validate internally and report the errors in detail.
            </p></dd>
<dt><span class="term"><code class="option">+[no]class</code></span></dt>
<dd><p>
              Controls whether to display the CLASS when printing
              a record. The default is to display the CLASS.
            </p></dd>
<dt><span class="term"><code class="option">+[no]ttl</code></span></dt>
<dd><p>
              Controls whether to display the TTL when printing
              a record. The default is to display the TTL.
            </p></dd>
<dt><span class="term"><code class="option">+[no]rtrace</code></span></dt>
<dd>
<p>
              Toggle resolver fetch logging. This reports the
              name and type of each query sent by <span><strong class="command">delv</strong></span>
              in the process of carrying out the resolution and validation
              process: this includes the original query and
              all subsequent queries to follow CNAMEs and to establish a
              chain of trust for DNSSEC validation.
            </p>
<p>
              This is equivalent to setting the debug level to 1 in
              the "resolver" logging category. Setting the systemwide
              debug level to 1 using the <code class="option">-d</code> option will
              produce the same output (but will affect other logging
              categories as well).
            </p>
</dd>
<dt><span class="term"><code class="option">+[no]mtrace</code></span></dt>
<dd>
<p>
              Toggle message logging. This produces a detailed dump of
              the responses received by <span><strong class="command">delv</strong></span> in the
              process of carrying out the resolution and validation process.
            </p>
<p>
              This is equivalent to setting the debug level to 10
              for the "packets" module of the "resolver" logging
              category. Setting the systemwide debug level to 10 using
              the <code class="option">-d</code> option will produce the same output
              (but will affect other logging categories as well).
            </p>
</dd>
<dt><span class="term"><code class="option">+[no]vtrace</code></span></dt>
<dd>
<p>
              Toggle validation logging. This shows the internal
              process of the validator as it determines whether an
              answer is validly signed, unsigned, or invalid.
            </p>
<p>
              This is equivalent to setting the debug level to 3
              for the "validator" module of the "dnssec" logging
              category. Setting the systemwide debug level to 3 using
              the <code class="option">-d</code> option will produce the same output
              (but will affect other logging categories as well).
            </p>
</dd>
<dt><span class="term"><code class="option">+[no]short</code></span></dt>
<dd><p>
              Provide a terse answer. The default is to print the answer in a
              verbose form.
            </p></dd>
<dt><span class="term"><code class="option">+[no]comments</code></span></dt>
<dd><p>
              Toggle the display of comment lines in the output. The default
              is to print comments.
            </p></dd>
<dt><span class="term"><code class="option">+[no]rrcomments</code></span></dt>
<dd><p>
              Toggle the display of per-record comments in the output (for
              example, human-readable key information about DNSKEY records).
              The default is to print per-record comments.
            </p></dd>
<dt><span class="term"><code class="option">+[no]crypto</code></span></dt>
<dd><p>
              Toggle the display of cryptographic fields in DNSSEC records.
              The contents of these fields are unnecessary to debug most DNSSEC
              validation failures and removing them makes it easier to see
              the common failures. The default is to display the fields.
              When omitted they are replaced by the string "[omitted]" or
              in the DNSKEY case the key id is displayed as the replacement,
              e.g. "[ key id = value ]".
            </p></dd>
<dt><span class="term"><code class="option">+[no]trust</code></span></dt>
<dd><p>
              Controls whether to display the trust level when printing
              a record. The default is to display the trust level.
            </p></dd>
<dt><span class="term"><code class="option">+[no]split[=W]</code></span></dt>
<dd><p>
              Split long hex- or base64-formatted fields in resource
              records into chunks of <em class="parameter"><code>W</code></em> characters
              (where <em class="parameter"><code>W</code></em> is rounded up to the nearest
              multiple of 4).
              <em class="parameter"><code>+nosplit</code></em> or
              <em class="parameter"><code>+split=0</code></em> causes fields not to be
              split at all. The default is 56 characters, or 44 characters
              when multiline mode is active.
            </p></dd>
<dt><span class="term"><code class="option">+[no]all</code></span></dt>
<dd><p>
              Set or clear the display options
              <code class="option">+[no]comments</code>,
              <code class="option">+[no]rrcomments</code>, and
              <code class="option">+[no]trust</code> as a group.
            </p></dd>
<dt><span class="term"><code class="option">+[no]multiline</code></span></dt>
<dd><p>
              Print long records (such as RRSIG, DNSKEY, and SOA records)
              in a verbose multi-line format with human-readable comments.
              The default is to print each record on a single line, to
              facilitate machine parsing of the <span><strong class="command">delv</strong></span>
              output.
            </p></dd>
<dt><span class="term"><code class="option">+[no]dnssec</code></span></dt>
<dd><p>
              Indicates whether to display RRSIG records in the
              <span><strong class="command">delv</strong></span> output. The default is to
              do so.
              Note that (unlike in <span><strong class="command">dig</strong></span>)
              this does <span class="emphasis"><em>not</em></span> control whether to
              request DNSSEC records or whether to validate them.
              DNSSEC records are always requested, and validation
              will always occur unless suppressed by the use of
              <code class="option">-i</code> or <code class="option">+noroot</code> and
              <code class="option">+nodlv</code>.
            </p></dd>
<dt><span class="term"><code class="option">+[no]root[=ROOT]</code></span></dt>
<dd><p>
              Indicates whether to perform conventional (non-lookaside)
              DNSSEC validation, and if so, specifies the
              name of a trust anchor. The default is to validate using
              a trust anchor of "." (the root zone), for which there is
              a built-in key. If specifying a different trust anchor,
              then <code class="option">-a</code> must be used to specify a file
              containing the key.
            </p></dd>
<dt><span class="term"><code class="option">+[no]dlv[=DLV]</code></span></dt>
<dd><p>
              Indicates whether to perform DNSSEC lookaside validation,
              and if so, specifies the name of the DLV trust anchor.
              The default is to perform lookaside validation using
              a trust anchor of "dlv.isc.org", for which there is a
              built-in key. If specifying a different name, then
              <code class="option">-a</code> must be used to specify a file
              containing the DLV key.
            </p></dd>
</dl></div>
<p>

    </p>
</div>
<div class="refsect1" lang="en">
<a name="id2671961"></a><h2>FILES</h2>
<p><code class="filename">/etc/bind.keys</code></p>
<p><code class="filename">/etc/resolv.conf</code></p>
</div>
<div class="refsect1" lang="en">
<a name="id2671980"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">dig</span>(1)</span>,
      <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
      <em class="citetitle">RFC4034</em>,
      <em class="citetitle">RFC4035</em>,
      <em class="citetitle">RFC4431</em>,
      <em class="citetitle">RFC5074</em>,
      <em class="citetitle">RFC5155</em>.
    </p>
</div>
</div>
<p style="text-align: center;">BIND 9.10.2-P4</p>
</body>
</html>