1*00b67f09SDavid van Moolenbroek<!-- 2*00b67f09SDavid van Moolenbroek - Copyright (C) 2004-2015 Internet Systems Consortium, Inc. ("ISC") 3*00b67f09SDavid van Moolenbroek - Copyright (C) 2000-2003 Internet Software Consortium. 4*00b67f09SDavid van Moolenbroek - 5*00b67f09SDavid van Moolenbroek - Permission to use, copy, modify, and/or distribute this software for any 6*00b67f09SDavid van Moolenbroek - purpose with or without fee is hereby granted, provided that the above 7*00b67f09SDavid van Moolenbroek - copyright notice and this permission notice appear in all copies. 8*00b67f09SDavid van Moolenbroek - 9*00b67f09SDavid van Moolenbroek - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH 10*00b67f09SDavid van Moolenbroek - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY 11*00b67f09SDavid van Moolenbroek - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, 12*00b67f09SDavid van Moolenbroek - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM 13*00b67f09SDavid van Moolenbroek - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE 14*00b67f09SDavid van Moolenbroek - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR 15*00b67f09SDavid van Moolenbroek - PERFORMANCE OF THIS SOFTWARE. 16*00b67f09SDavid van Moolenbroek--> 17*00b67f09SDavid van Moolenbroek<!-- $Id: man.delv.html,v 1.5 2015/09/03 07:33:34 christos Exp $ --> 18*00b67f09SDavid van Moolenbroek<html> 19*00b67f09SDavid van Moolenbroek<head> 20*00b67f09SDavid van Moolenbroek<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> 21*00b67f09SDavid van Moolenbroek<title>delv</title> 22*00b67f09SDavid van Moolenbroek<meta name="generator" content="DocBook XSL Stylesheets V1.71.1"> 23*00b67f09SDavid van Moolenbroek<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual"> 24*00b67f09SDavid van Moolenbroek<link rel="up" href="Bv9ARM.ch13.html" title="Manual pages"> 25*00b67f09SDavid van Moolenbroek<link rel="prev" href="man.host.html" title="host"> 26*00b67f09SDavid van Moolenbroek<link rel="next" href="man.dnssec-checkds.html" title="dnssec-checkds"> 27*00b67f09SDavid van Moolenbroek</head> 28*00b67f09SDavid van Moolenbroek<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"> 29*00b67f09SDavid van Moolenbroek<div class="navheader"> 30*00b67f09SDavid van Moolenbroek<table width="100%" summary="Navigation header"> 31*00b67f09SDavid van Moolenbroek<tr><th colspan="3" align="center">delv</th></tr> 32*00b67f09SDavid van Moolenbroek<tr> 33*00b67f09SDavid van Moolenbroek<td width="20%" align="left"> 34*00b67f09SDavid van Moolenbroek<a accesskey="p" href="man.host.html">Prev</a>�</td> 35*00b67f09SDavid van Moolenbroek<th width="60%" align="center">Manual pages</th> 36*00b67f09SDavid van Moolenbroek<td width="20%" align="right">�<a accesskey="n" href="man.dnssec-checkds.html">Next</a> 37*00b67f09SDavid van Moolenbroek</td> 38*00b67f09SDavid van Moolenbroek</tr> 39*00b67f09SDavid van Moolenbroek</table> 40*00b67f09SDavid van Moolenbroek<hr> 41*00b67f09SDavid van Moolenbroek</div> 42*00b67f09SDavid van Moolenbroek<div class="refentry" lang="en"> 43*00b67f09SDavid van Moolenbroek<a name="man.delv"></a><div class="titlepage"></div> 44*00b67f09SDavid van Moolenbroek<div class="refnamediv"> 45*00b67f09SDavid van Moolenbroek<h2>Name</h2> 46*00b67f09SDavid van Moolenbroek<p>delv — DNS lookup and validation utility</p> 47*00b67f09SDavid van Moolenbroek</div> 48*00b67f09SDavid van Moolenbroek<div class="refsynopsisdiv"> 49*00b67f09SDavid van Moolenbroek<h2>Synopsis</h2> 50*00b67f09SDavid van Moolenbroek<div class="cmdsynopsis"><p><code class="command">delv</code> [@server] [<code class="option">-4</code>] [<code class="option">-6</code>] [<code class="option">-a <em class="replaceable"><code>anchor-file</code></em></code>] [<code class="option">-b <em class="replaceable"><code>address</code></em></code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-d <em class="replaceable"><code>level</code></em></code>] [<code class="option">-i</code>] [<code class="option">-m</code>] [<code class="option">-p <em class="replaceable"><code>port#</code></em></code>] [<code class="option">-q <em class="replaceable"><code>name</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-x <em class="replaceable"><code>addr</code></em></code>] [name] [type] [class] [queryopt...]</p></div> 51*00b67f09SDavid van Moolenbroek<div class="cmdsynopsis"><p><code class="command">delv</code> [<code class="option">-h</code>]</p></div> 52*00b67f09SDavid van Moolenbroek<div class="cmdsynopsis"><p><code class="command">delv</code> [<code class="option">-v</code>]</p></div> 53*00b67f09SDavid van Moolenbroek<div class="cmdsynopsis"><p><code class="command">delv</code> [queryopt...] [query...]</p></div> 54*00b67f09SDavid van Moolenbroek</div> 55*00b67f09SDavid van Moolenbroek<div class="refsect1" lang="en"> 56*00b67f09SDavid van Moolenbroek<a name="id2615191"></a><h2>DESCRIPTION</h2> 57*00b67f09SDavid van Moolenbroek<p><span><strong class="command">delv</strong></span> 58*00b67f09SDavid van Moolenbroek (Domain Entity Lookup & Validation) is a tool for sending 59*00b67f09SDavid van Moolenbroek DNS queries and validating the results, using the the same internal 60*00b67f09SDavid van Moolenbroek resolver and validator logic as <span><strong class="command">named</strong></span>. 61*00b67f09SDavid van Moolenbroek </p> 62*00b67f09SDavid van Moolenbroek<p> 63*00b67f09SDavid van Moolenbroek <span><strong class="command">delv</strong></span> will send to a specified name server all 64*00b67f09SDavid van Moolenbroek queries needed to fetch and validate the requested data; this 65*00b67f09SDavid van Moolenbroek includes the original requested query, subsequent queries to follow 66*00b67f09SDavid van Moolenbroek CNAME or DNAME chains, and queries for DNSKEY, DS and DLV records 67*00b67f09SDavid van Moolenbroek to establish a chain of trust for DNSSEC validation. 68*00b67f09SDavid van Moolenbroek It does not perform iterative resolution, but simulates the 69*00b67f09SDavid van Moolenbroek behavior of a name server configured for DNSSEC validating and 70*00b67f09SDavid van Moolenbroek forwarding. 71*00b67f09SDavid van Moolenbroek </p> 72*00b67f09SDavid van Moolenbroek<p> 73*00b67f09SDavid van Moolenbroek By default, responses are validated using built-in DNSSEC trust 74*00b67f09SDavid van Moolenbroek anchors for the root zone (".") and for the ISC DNSSEC lookaside 75*00b67f09SDavid van Moolenbroek validation zone ("dlv.isc.org"). Records returned by 76*00b67f09SDavid van Moolenbroek <span><strong class="command">delv</strong></span> are either fully validated or 77*00b67f09SDavid van Moolenbroek were not signed. If validation fails, an explanation of 78*00b67f09SDavid van Moolenbroek the failure is included in the output; the validation process 79*00b67f09SDavid van Moolenbroek can be traced in detail. Because <span><strong class="command">delv</strong></span> does 80*00b67f09SDavid van Moolenbroek not rely on an external server to carry out validation, it can 81*00b67f09SDavid van Moolenbroek be used to check the validity of DNS responses in environments 82*00b67f09SDavid van Moolenbroek where local name servers may not be trustworthy. 83*00b67f09SDavid van Moolenbroek </p> 84*00b67f09SDavid van Moolenbroek<p> 85*00b67f09SDavid van Moolenbroek Unless it is told to query a specific name server, 86*00b67f09SDavid van Moolenbroek <span><strong class="command">delv</strong></span> will try each of the servers listed in 87*00b67f09SDavid van Moolenbroek <code class="filename">/etc/resolv.conf</code>. If no usable server 88*00b67f09SDavid van Moolenbroek addresses are found, <span><strong class="command">delv</strong></span> will send 89*00b67f09SDavid van Moolenbroek queries to the localhost addresses (127.0.0.1 for IPv4, ::1 90*00b67f09SDavid van Moolenbroek for IPv6). 91*00b67f09SDavid van Moolenbroek </p> 92*00b67f09SDavid van Moolenbroek<p> 93*00b67f09SDavid van Moolenbroek When no command line arguments or options are given, 94*00b67f09SDavid van Moolenbroek <span><strong class="command">delv</strong></span> will perform an NS query for "." 95*00b67f09SDavid van Moolenbroek (the root zone). 96*00b67f09SDavid van Moolenbroek </p> 97*00b67f09SDavid van Moolenbroek</div> 98*00b67f09SDavid van Moolenbroek<div class="refsect1" lang="en"> 99*00b67f09SDavid van Moolenbroek<a name="id2615264"></a><h2>SIMPLE USAGE</h2> 100*00b67f09SDavid van Moolenbroek<p> 101*00b67f09SDavid van Moolenbroek A typical invocation of <span><strong class="command">delv</strong></span> looks like: 102*00b67f09SDavid van Moolenbroek </p> 103*00b67f09SDavid van Moolenbroek<pre class="programlisting"> delv @server name type </pre> 104*00b67f09SDavid van Moolenbroek<p> 105*00b67f09SDavid van Moolenbroek where: 106*00b67f09SDavid van Moolenbroek 107*00b67f09SDavid van Moolenbroek </p> 108*00b67f09SDavid van Moolenbroek<div class="variablelist"><dl> 109*00b67f09SDavid van Moolenbroek<dt><span class="term"><code class="constant">server</code></span></dt> 110*00b67f09SDavid van Moolenbroek<dd> 111*00b67f09SDavid van Moolenbroek<p> 112*00b67f09SDavid van Moolenbroek is the name or IP address of the name server to query. This 113*00b67f09SDavid van Moolenbroek can be an IPv4 address in dotted-decimal notation or an IPv6 114*00b67f09SDavid van Moolenbroek address in colon-delimited notation. When the supplied 115*00b67f09SDavid van Moolenbroek <em class="parameter"><code>server</code></em> argument is a hostname, 116*00b67f09SDavid van Moolenbroek <span><strong class="command">delv</strong></span> resolves that name before 117*00b67f09SDavid van Moolenbroek querying that name server (note, however, that this 118*00b67f09SDavid van Moolenbroek initial lookup is <span class="emphasis"><em>not</em></span> validated 119*00b67f09SDavid van Moolenbroek by DNSSEC). 120*00b67f09SDavid van Moolenbroek </p> 121*00b67f09SDavid van Moolenbroek<p> 122*00b67f09SDavid van Moolenbroek If no <em class="parameter"><code>server</code></em> argument is 123*00b67f09SDavid van Moolenbroek provided, <span><strong class="command">delv</strong></span> consults 124*00b67f09SDavid van Moolenbroek <code class="filename">/etc/resolv.conf</code>; if an 125*00b67f09SDavid van Moolenbroek address is found there, it queries the name server at 126*00b67f09SDavid van Moolenbroek that address. If either of the <code class="option">-4</code> or 127*00b67f09SDavid van Moolenbroek <code class="option">-6</code> options are in use, then 128*00b67f09SDavid van Moolenbroek only addresses for the corresponding transport 129*00b67f09SDavid van Moolenbroek will be tried. If no usable addresses are found, 130*00b67f09SDavid van Moolenbroek <span><strong class="command">delv</strong></span> will send queries to 131*00b67f09SDavid van Moolenbroek the localhost addresses (127.0.0.1 for IPv4, 132*00b67f09SDavid van Moolenbroek ::1 for IPv6). 133*00b67f09SDavid van Moolenbroek </p> 134*00b67f09SDavid van Moolenbroek</dd> 135*00b67f09SDavid van Moolenbroek<dt><span class="term"><code class="constant">name</code></span></dt> 136*00b67f09SDavid van Moolenbroek<dd><p> 137*00b67f09SDavid van Moolenbroek is the domain name to be looked up. 138*00b67f09SDavid van Moolenbroek </p></dd> 139*00b67f09SDavid van Moolenbroek<dt><span class="term"><code class="constant">type</code></span></dt> 140*00b67f09SDavid van Moolenbroek<dd><p> 141*00b67f09SDavid van Moolenbroek indicates what type of query is required — 142*00b67f09SDavid van Moolenbroek ANY, A, MX, etc. 143*00b67f09SDavid van Moolenbroek <em class="parameter"><code>type</code></em> can be any valid query 144*00b67f09SDavid van Moolenbroek type. If no 145*00b67f09SDavid van Moolenbroek <em class="parameter"><code>type</code></em> argument is supplied, 146*00b67f09SDavid van Moolenbroek <span><strong class="command">delv</strong></span> will perform a lookup for an 147*00b67f09SDavid van Moolenbroek A record. 148*00b67f09SDavid van Moolenbroek </p></dd> 149*00b67f09SDavid van Moolenbroek</dl></div> 150*00b67f09SDavid van Moolenbroek<p> 151*00b67f09SDavid van Moolenbroek </p> 152*00b67f09SDavid van Moolenbroek</div> 153*00b67f09SDavid van Moolenbroek<div class="refsect1" lang="en"> 154*00b67f09SDavid van Moolenbroek<a name="id2616487"></a><h2>OPTIONS</h2> 155*00b67f09SDavid van Moolenbroek<div class="variablelist"><dl> 156*00b67f09SDavid van Moolenbroek<dt><span class="term">-a <em class="replaceable"><code>anchor-file</code></em></span></dt> 157*00b67f09SDavid van Moolenbroek<dd> 158*00b67f09SDavid van Moolenbroek<p> 159*00b67f09SDavid van Moolenbroek Specifies a file from which to read DNSSEC trust anchors. 160*00b67f09SDavid van Moolenbroek The default is <code class="filename">/etc/bind.keys</code>, which 161*00b67f09SDavid van Moolenbroek is included with <acronym class="acronym">BIND</acronym> 9 and contains 162*00b67f09SDavid van Moolenbroek trust anchors for the root zone (".") and for the ISC 163*00b67f09SDavid van Moolenbroek DNSSEC lookaside validation zone ("dlv.isc.org"). 164*00b67f09SDavid van Moolenbroek </p> 165*00b67f09SDavid van Moolenbroek<p> 166*00b67f09SDavid van Moolenbroek Keys that do not match the root or DLV trust-anchor 167*00b67f09SDavid van Moolenbroek names are ignored; these key names can be overridden 168*00b67f09SDavid van Moolenbroek using the <code class="option">+dlv=NAME</code> or 169*00b67f09SDavid van Moolenbroek <code class="option">+root=NAME</code> options. 170*00b67f09SDavid van Moolenbroek </p> 171*00b67f09SDavid van Moolenbroek<p> 172*00b67f09SDavid van Moolenbroek Note: When reading the trust anchor file, 173*00b67f09SDavid van Moolenbroek <span><strong class="command">delv</strong></span> treats <code class="option">managed-keys</code> 174*00b67f09SDavid van Moolenbroek statements and <code class="option">trusted-keys</code> statements 175*00b67f09SDavid van Moolenbroek identically. That is, for a managed key, it is the 176*00b67f09SDavid van Moolenbroek <span class="emphasis"><em>initial</em></span> key that is trusted; RFC 5011 177*00b67f09SDavid van Moolenbroek key management is not supported. <span><strong class="command">delv</strong></span> 178*00b67f09SDavid van Moolenbroek will not consult the managed-keys database maintained by 179*00b67f09SDavid van Moolenbroek <span><strong class="command">named</strong></span>. This means that if either of the 180*00b67f09SDavid van Moolenbroek keys in <code class="filename">/etc/bind.keys</code> is revoked 181*00b67f09SDavid van Moolenbroek and rolled over, it will be necessary to update 182*00b67f09SDavid van Moolenbroek <code class="filename">/etc/bind.keys</code> to use DNSSEC 183*00b67f09SDavid van Moolenbroek validation in <span><strong class="command">delv</strong></span>. 184*00b67f09SDavid van Moolenbroek </p> 185*00b67f09SDavid van Moolenbroek</dd> 186*00b67f09SDavid van Moolenbroek<dt><span class="term">-b <em class="replaceable"><code>address</code></em></span></dt> 187*00b67f09SDavid van Moolenbroek<dd><p> 188*00b67f09SDavid van Moolenbroek Sets the source IP address of the query to 189*00b67f09SDavid van Moolenbroek <em class="parameter"><code>address</code></em>. This must be a valid address 190*00b67f09SDavid van Moolenbroek on one of the host's network interfaces or "0.0.0.0" or "::". 191*00b67f09SDavid van Moolenbroek An optional source port may be specified by appending 192*00b67f09SDavid van Moolenbroek "#<port>" 193*00b67f09SDavid van Moolenbroek </p></dd> 194*00b67f09SDavid van Moolenbroek<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt> 195*00b67f09SDavid van Moolenbroek<dd><p> 196*00b67f09SDavid van Moolenbroek Sets the query class for the requested data. Currently, 197*00b67f09SDavid van Moolenbroek only class "IN" is supported in <span><strong class="command">delv</strong></span> 198*00b67f09SDavid van Moolenbroek and any other value is ignored. 199*00b67f09SDavid van Moolenbroek </p></dd> 200*00b67f09SDavid van Moolenbroek<dt><span class="term">-d <em class="replaceable"><code>level</code></em></span></dt> 201*00b67f09SDavid van Moolenbroek<dd><p> 202*00b67f09SDavid van Moolenbroek Set the systemwide debug level to <code class="option">level</code>. 203*00b67f09SDavid van Moolenbroek The allowed range is from 0 to 99. 204*00b67f09SDavid van Moolenbroek The default is 0 (no debugging). 205*00b67f09SDavid van Moolenbroek Debugging traces from <span><strong class="command">delv</strong></span> become 206*00b67f09SDavid van Moolenbroek more verbose as the debug level increases. 207*00b67f09SDavid van Moolenbroek See the <code class="option">+mtrace</code>, <code class="option">+rtrace</code>, 208*00b67f09SDavid van Moolenbroek and <code class="option">+vtrace</code> options below for additional 209*00b67f09SDavid van Moolenbroek debugging details. 210*00b67f09SDavid van Moolenbroek </p></dd> 211*00b67f09SDavid van Moolenbroek<dt><span class="term">-h</span></dt> 212*00b67f09SDavid van Moolenbroek<dd><p> 213*00b67f09SDavid van Moolenbroek Display the <span><strong class="command">delv</strong></span> help usage output and exit. 214*00b67f09SDavid van Moolenbroek </p></dd> 215*00b67f09SDavid van Moolenbroek<dt><span class="term">-i</span></dt> 216*00b67f09SDavid van Moolenbroek<dd><p> 217*00b67f09SDavid van Moolenbroek Insecure mode. This disables internal DNSSEC validation. 218*00b67f09SDavid van Moolenbroek (Note, however, this does not set the CD bit on upstream 219*00b67f09SDavid van Moolenbroek queries. If the server being queried is performing DNSSEC 220*00b67f09SDavid van Moolenbroek validation, then it will not return invalid data; this 221*00b67f09SDavid van Moolenbroek can cause <span><strong class="command">delv</strong></span> to time out. When it 222*00b67f09SDavid van Moolenbroek is necessary to examine invalid data to debug a DNSSEC 223*00b67f09SDavid van Moolenbroek problem, use <span><strong class="command">dig +cd</strong></span>.) 224*00b67f09SDavid van Moolenbroek </p></dd> 225*00b67f09SDavid van Moolenbroek<dt><span class="term">-m</span></dt> 226*00b67f09SDavid van Moolenbroek<dd><p> 227*00b67f09SDavid van Moolenbroek Enables memory usage debugging. 228*00b67f09SDavid van Moolenbroek </p></dd> 229*00b67f09SDavid van Moolenbroek<dt><span class="term">-p <em class="replaceable"><code>port#</code></em></span></dt> 230*00b67f09SDavid van Moolenbroek<dd><p> 231*00b67f09SDavid van Moolenbroek Specifies a destination port to use for queries instead of 232*00b67f09SDavid van Moolenbroek the standard DNS port number 53. This option would be used 233*00b67f09SDavid van Moolenbroek with a name server that has been configured to listen 234*00b67f09SDavid van Moolenbroek for queries on a non-standard port number. 235*00b67f09SDavid van Moolenbroek </p></dd> 236*00b67f09SDavid van Moolenbroek<dt><span class="term">-q <em class="replaceable"><code>name</code></em></span></dt> 237*00b67f09SDavid van Moolenbroek<dd><p> 238*00b67f09SDavid van Moolenbroek Sets the query name to <em class="parameter"><code>name</code></em>. 239*00b67f09SDavid van Moolenbroek While the query name can be specified without using the 240*00b67f09SDavid van Moolenbroek <code class="option">-q</code>, it is sometimes necessary to disambiguate 241*00b67f09SDavid van Moolenbroek names from types or classes (for example, when looking up the 242*00b67f09SDavid van Moolenbroek name "ns", which could be misinterpreted as the type NS, 243*00b67f09SDavid van Moolenbroek or "ch", which could be misinterpreted as class CH). 244*00b67f09SDavid van Moolenbroek </p></dd> 245*00b67f09SDavid van Moolenbroek<dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt> 246*00b67f09SDavid van Moolenbroek<dd> 247*00b67f09SDavid van Moolenbroek<p> 248*00b67f09SDavid van Moolenbroek Sets the query type to <em class="parameter"><code>type</code></em>, which 249*00b67f09SDavid van Moolenbroek can be any valid query type supported in BIND 9 except 250*00b67f09SDavid van Moolenbroek for zone transfer types AXFR and IXFR. As with 251*00b67f09SDavid van Moolenbroek <code class="option">-q</code>, this is useful to distinguish 252*00b67f09SDavid van Moolenbroek query name type or class when they are ambiguous. 253*00b67f09SDavid van Moolenbroek it is sometimes necessary to disambiguate names from types. 254*00b67f09SDavid van Moolenbroek </p> 255*00b67f09SDavid van Moolenbroek<p> 256*00b67f09SDavid van Moolenbroek The default query type is "A", unless the <code class="option">-x</code> 257*00b67f09SDavid van Moolenbroek option is supplied to indicate a reverse lookup, in which case 258*00b67f09SDavid van Moolenbroek it is "PTR". 259*00b67f09SDavid van Moolenbroek </p> 260*00b67f09SDavid van Moolenbroek</dd> 261*00b67f09SDavid van Moolenbroek<dt><span class="term">-v</span></dt> 262*00b67f09SDavid van Moolenbroek<dd><p> 263*00b67f09SDavid van Moolenbroek Print the <span><strong class="command">delv</strong></span> version and exit. 264*00b67f09SDavid van Moolenbroek </p></dd> 265*00b67f09SDavid van Moolenbroek<dt><span class="term">-x <em class="replaceable"><code>addr</code></em></span></dt> 266*00b67f09SDavid van Moolenbroek<dd><p> 267*00b67f09SDavid van Moolenbroek Performs a reverse lookup, mapping an addresses to 268*00b67f09SDavid van Moolenbroek a name. <em class="parameter"><code>addr</code></em> is an IPv4 address in 269*00b67f09SDavid van Moolenbroek dotted-decimal notation, or a colon-delimited IPv6 address. 270*00b67f09SDavid van Moolenbroek When <code class="option">-x</code> is used, there is no need to provide 271*00b67f09SDavid van Moolenbroek the <em class="parameter"><code>name</code></em> or <em class="parameter"><code>type</code></em> 272*00b67f09SDavid van Moolenbroek arguments. <span><strong class="command">delv</strong></span> automatically performs a 273*00b67f09SDavid van Moolenbroek lookup for a name like <code class="literal">11.12.13.10.in-addr.arpa</code> 274*00b67f09SDavid van Moolenbroek and sets the query type to PTR. IPv6 addresses are looked up 275*00b67f09SDavid van Moolenbroek using nibble format under the IP6.ARPA domain. 276*00b67f09SDavid van Moolenbroek </p></dd> 277*00b67f09SDavid van Moolenbroek<dt><span class="term">-4</span></dt> 278*00b67f09SDavid van Moolenbroek<dd><p> 279*00b67f09SDavid van Moolenbroek Forces <span><strong class="command">delv</strong></span> to only use IPv4. 280*00b67f09SDavid van Moolenbroek </p></dd> 281*00b67f09SDavid van Moolenbroek<dt><span class="term">-6</span></dt> 282*00b67f09SDavid van Moolenbroek<dd><p> 283*00b67f09SDavid van Moolenbroek Forces <span><strong class="command">delv</strong></span> to only use IPv6. 284*00b67f09SDavid van Moolenbroek </p></dd> 285*00b67f09SDavid van Moolenbroek</dl></div> 286*00b67f09SDavid van Moolenbroek</div> 287*00b67f09SDavid van Moolenbroek<div class="refsect1" lang="en"> 288*00b67f09SDavid van Moolenbroek<a name="id2671445"></a><h2>QUERY OPTIONS</h2> 289*00b67f09SDavid van Moolenbroek<p><span><strong class="command">delv</strong></span> 290*00b67f09SDavid van Moolenbroek provides a number of query options which affect the way results are 291*00b67f09SDavid van Moolenbroek displayed, and in some cases the way lookups are performed. 292*00b67f09SDavid van Moolenbroek </p> 293*00b67f09SDavid van Moolenbroek<p> 294*00b67f09SDavid van Moolenbroek Each query option is identified by a keyword preceded by a plus sign 295*00b67f09SDavid van Moolenbroek (<code class="literal">+</code>). Some keywords set or reset an 296*00b67f09SDavid van Moolenbroek option. These may be preceded by the string 297*00b67f09SDavid van Moolenbroek <code class="literal">no</code> to negate the meaning of that keyword. 298*00b67f09SDavid van Moolenbroek Other keywords assign values to options like the timeout interval. 299*00b67f09SDavid van Moolenbroek They have the form <code class="option">+keyword=value</code>. 300*00b67f09SDavid van Moolenbroek The query options are: 301*00b67f09SDavid van Moolenbroek 302*00b67f09SDavid van Moolenbroek </p> 303*00b67f09SDavid van Moolenbroek<div class="variablelist"><dl> 304*00b67f09SDavid van Moolenbroek<dt><span class="term"><code class="option">+[no]cdflag</code></span></dt> 305*00b67f09SDavid van Moolenbroek<dd><p> 306*00b67f09SDavid van Moolenbroek Controls whether to set the CD (checking disabled) bit in 307*00b67f09SDavid van Moolenbroek queries sent by <span><strong class="command">delv</strong></span>. This may be useful 308*00b67f09SDavid van Moolenbroek when troubleshooting DNSSEC problems from behind a validating 309*00b67f09SDavid van Moolenbroek resolver. A validating resolver will block invalid responses, 310*00b67f09SDavid van Moolenbroek making it difficult to retrieve them for analysis. Setting 311*00b67f09SDavid van Moolenbroek the CD flag on queries will cause the resolver to return 312*00b67f09SDavid van Moolenbroek invalid responses, which <span><strong class="command">delv</strong></span> can then 313*00b67f09SDavid van Moolenbroek validate internally and report the errors in detail. 314*00b67f09SDavid van Moolenbroek </p></dd> 315*00b67f09SDavid van Moolenbroek<dt><span class="term"><code class="option">+[no]class</code></span></dt> 316*00b67f09SDavid van Moolenbroek<dd><p> 317*00b67f09SDavid van Moolenbroek Controls whether to display the CLASS when printing 318*00b67f09SDavid van Moolenbroek a record. The default is to display the CLASS. 319*00b67f09SDavid van Moolenbroek </p></dd> 320*00b67f09SDavid van Moolenbroek<dt><span class="term"><code class="option">+[no]ttl</code></span></dt> 321*00b67f09SDavid van Moolenbroek<dd><p> 322*00b67f09SDavid van Moolenbroek Controls whether to display the TTL when printing 323*00b67f09SDavid van Moolenbroek a record. The default is to display the TTL. 324*00b67f09SDavid van Moolenbroek </p></dd> 325*00b67f09SDavid van Moolenbroek<dt><span class="term"><code class="option">+[no]rtrace</code></span></dt> 326*00b67f09SDavid van Moolenbroek<dd> 327*00b67f09SDavid van Moolenbroek<p> 328*00b67f09SDavid van Moolenbroek Toggle resolver fetch logging. This reports the 329*00b67f09SDavid van Moolenbroek name and type of each query sent by <span><strong class="command">delv</strong></span> 330*00b67f09SDavid van Moolenbroek in the process of carrying out the resolution and validation 331*00b67f09SDavid van Moolenbroek process: this includes including the original query and 332*00b67f09SDavid van Moolenbroek all subsequent queries to follow CNAMEs and to establish a 333*00b67f09SDavid van Moolenbroek chain of trust for DNSSEC validation. 334*00b67f09SDavid van Moolenbroek </p> 335*00b67f09SDavid van Moolenbroek<p> 336*00b67f09SDavid van Moolenbroek This is equivalent to setting the debug level to 1 in 337*00b67f09SDavid van Moolenbroek the "resolver" logging category. Setting the systemwide 338*00b67f09SDavid van Moolenbroek debug level to 1 using the <code class="option">-d</code> option will 339*00b67f09SDavid van Moolenbroek product the same output (but will affect other logging 340*00b67f09SDavid van Moolenbroek categories as well). 341*00b67f09SDavid van Moolenbroek </p> 342*00b67f09SDavid van Moolenbroek</dd> 343*00b67f09SDavid van Moolenbroek<dt><span class="term"><code class="option">+[no]mtrace</code></span></dt> 344*00b67f09SDavid van Moolenbroek<dd> 345*00b67f09SDavid van Moolenbroek<p> 346*00b67f09SDavid van Moolenbroek Toggle message logging. This produces a detailed dump of 347*00b67f09SDavid van Moolenbroek the responses received by <span><strong class="command">delv</strong></span> in the 348*00b67f09SDavid van Moolenbroek process of carrying out the resolution and validation process. 349*00b67f09SDavid van Moolenbroek </p> 350*00b67f09SDavid van Moolenbroek<p> 351*00b67f09SDavid van Moolenbroek This is equivalent to setting the debug level to 10 352*00b67f09SDavid van Moolenbroek for the the "packets" module of the "resolver" logging 353*00b67f09SDavid van Moolenbroek category. Setting the systemwide debug level to 10 using 354*00b67f09SDavid van Moolenbroek the <code class="option">-d</code> option will produce the same output 355*00b67f09SDavid van Moolenbroek (but will affect other logging categories as well). 356*00b67f09SDavid van Moolenbroek </p> 357*00b67f09SDavid van Moolenbroek</dd> 358*00b67f09SDavid van Moolenbroek<dt><span class="term"><code class="option">+[no]vtrace</code></span></dt> 359*00b67f09SDavid van Moolenbroek<dd> 360*00b67f09SDavid van Moolenbroek<p> 361*00b67f09SDavid van Moolenbroek Toggle validation logging. This shows the internal 362*00b67f09SDavid van Moolenbroek process of the validator as it determines whether an 363*00b67f09SDavid van Moolenbroek answer is validly signed, unsigned, or invalid. 364*00b67f09SDavid van Moolenbroek </p> 365*00b67f09SDavid van Moolenbroek<p> 366*00b67f09SDavid van Moolenbroek This is equivalent to setting the debug level to 3 367*00b67f09SDavid van Moolenbroek for the the "validator" module of the "dnssec" logging 368*00b67f09SDavid van Moolenbroek category. Setting the systemwide debug level to 3 using 369*00b67f09SDavid van Moolenbroek the <code class="option">-d</code> option will produce the same output 370*00b67f09SDavid van Moolenbroek (but will affect other logging categories as well). 371*00b67f09SDavid van Moolenbroek </p> 372*00b67f09SDavid van Moolenbroek</dd> 373*00b67f09SDavid van Moolenbroek<dt><span class="term"><code class="option">+[no]short</code></span></dt> 374*00b67f09SDavid van Moolenbroek<dd><p> 375*00b67f09SDavid van Moolenbroek Provide a terse answer. The default is to print the answer in a 376*00b67f09SDavid van Moolenbroek verbose form. 377*00b67f09SDavid van Moolenbroek </p></dd> 378*00b67f09SDavid van Moolenbroek<dt><span class="term"><code class="option">+[no]comments</code></span></dt> 379*00b67f09SDavid van Moolenbroek<dd><p> 380*00b67f09SDavid van Moolenbroek Toggle the display of comment lines in the output. The default 381*00b67f09SDavid van Moolenbroek is to print comments. 382*00b67f09SDavid van Moolenbroek </p></dd> 383*00b67f09SDavid van Moolenbroek<dt><span class="term"><code class="option">+[no]rrcomments</code></span></dt> 384*00b67f09SDavid van Moolenbroek<dd><p> 385*00b67f09SDavid van Moolenbroek Toggle the display of per-record comments in the output (for 386*00b67f09SDavid van Moolenbroek example, human-readable key information about DNSKEY records). 387*00b67f09SDavid van Moolenbroek The default is to print per-record comments. 388*00b67f09SDavid van Moolenbroek </p></dd> 389*00b67f09SDavid van Moolenbroek<dt><span class="term"><code class="option">+[no]crypto</code></span></dt> 390*00b67f09SDavid van Moolenbroek<dd><p> 391*00b67f09SDavid van Moolenbroek Toggle the display of cryptographic fields in DNSSEC records. 392*00b67f09SDavid van Moolenbroek The contents of these field are unnecessary to debug most DNSSEC 393*00b67f09SDavid van Moolenbroek validation failures and removing them makes it easier to see 394*00b67f09SDavid van Moolenbroek the common failures. The default is to display the fields. 395*00b67f09SDavid van Moolenbroek When omitted they are replaced by the string "[omitted]" or 396*00b67f09SDavid van Moolenbroek in the DNSKEY case the key id is displayed as the replacement, 397*00b67f09SDavid van Moolenbroek e.g. "[ key id = value ]". 398*00b67f09SDavid van Moolenbroek </p></dd> 399*00b67f09SDavid van Moolenbroek<dt><span class="term"><code class="option">+[no]trust</code></span></dt> 400*00b67f09SDavid van Moolenbroek<dd><p> 401*00b67f09SDavid van Moolenbroek Controls whether to display the trust level when printing 402*00b67f09SDavid van Moolenbroek a record. The default is to display the trust level. 403*00b67f09SDavid van Moolenbroek </p></dd> 404*00b67f09SDavid van Moolenbroek<dt><span class="term"><code class="option">+[no]split[=W]</code></span></dt> 405*00b67f09SDavid van Moolenbroek<dd><p> 406*00b67f09SDavid van Moolenbroek Split long hex- or base64-formatted fields in resource 407*00b67f09SDavid van Moolenbroek records into chunks of <em class="parameter"><code>W</code></em> characters 408*00b67f09SDavid van Moolenbroek (where <em class="parameter"><code>W</code></em> is rounded up to the nearest 409*00b67f09SDavid van Moolenbroek multiple of 4). 410*00b67f09SDavid van Moolenbroek <em class="parameter"><code>+nosplit</code></em> or 411*00b67f09SDavid van Moolenbroek <em class="parameter"><code>+split=0</code></em> causes fields not to be 412*00b67f09SDavid van Moolenbroek split at all. The default is 56 characters, or 44 characters 413*00b67f09SDavid van Moolenbroek when multiline mode is active. 414*00b67f09SDavid van Moolenbroek </p></dd> 415*00b67f09SDavid van Moolenbroek<dt><span class="term"><code class="option">+[no]all</code></span></dt> 416*00b67f09SDavid van Moolenbroek<dd><p> 417*00b67f09SDavid van Moolenbroek Set or clear the display options 418*00b67f09SDavid van Moolenbroek <code class="option">+[no]comments</code>, 419*00b67f09SDavid van Moolenbroek <code class="option">+[no]rrcomments</code>, and 420*00b67f09SDavid van Moolenbroek <code class="option">+[no]trust</code> as a group. 421*00b67f09SDavid van Moolenbroek </p></dd> 422*00b67f09SDavid van Moolenbroek<dt><span class="term"><code class="option">+[no]multiline</code></span></dt> 423*00b67f09SDavid van Moolenbroek<dd><p> 424*00b67f09SDavid van Moolenbroek Print long records (such as RRSIG, DNSKEY, and SOA records) 425*00b67f09SDavid van Moolenbroek in a verbose multi-line format with human-readable comments. 426*00b67f09SDavid van Moolenbroek The default is to print each record on a single line, to 427*00b67f09SDavid van Moolenbroek facilitate machine parsing of the <span><strong class="command">delv</strong></span> 428*00b67f09SDavid van Moolenbroek output. 429*00b67f09SDavid van Moolenbroek </p></dd> 430*00b67f09SDavid van Moolenbroek<dt><span class="term"><code class="option">+[no]dnssec</code></span></dt> 431*00b67f09SDavid van Moolenbroek<dd><p> 432*00b67f09SDavid van Moolenbroek Indicates whether to display RRSIG records in the 433*00b67f09SDavid van Moolenbroek <span><strong class="command">delv</strong></span> output. The default is to 434*00b67f09SDavid van Moolenbroek do so. Note that (unlike in <span><strong class="command">dig</strong></span>) 435*00b67f09SDavid van Moolenbroek this does <span class="emphasis"><em>not</em></span> control whether to 436*00b67f09SDavid van Moolenbroek request DNSSEC records or whether to validate them. 437*00b67f09SDavid van Moolenbroek DNSSEC records are always requested, and validation 438*00b67f09SDavid van Moolenbroek will always occur unless suppressed by the use of 439*00b67f09SDavid van Moolenbroek <code class="option">-i</code> or <code class="option">+noroot</code> and 440*00b67f09SDavid van Moolenbroek <code class="option">+nodlv</code>. 441*00b67f09SDavid van Moolenbroek </p></dd> 442*00b67f09SDavid van Moolenbroek<dt><span class="term"><code class="option">+[no]root[=ROOT]</code></span></dt> 443*00b67f09SDavid van Moolenbroek<dd><p> 444*00b67f09SDavid van Moolenbroek Indicates whether to perform conventional (non-lookaside) 445*00b67f09SDavid van Moolenbroek DNSSEC validation, and if so, specifies the 446*00b67f09SDavid van Moolenbroek name of a trust anchor. The default is to validate using 447*00b67f09SDavid van Moolenbroek a trust anchor of "." (the root zone), for which there is 448*00b67f09SDavid van Moolenbroek a built-in key. If specifying a different trust anchor, 449*00b67f09SDavid van Moolenbroek then <code class="option">-a</code> must be used to specify a file 450*00b67f09SDavid van Moolenbroek containing the key. 451*00b67f09SDavid van Moolenbroek </p></dd> 452*00b67f09SDavid van Moolenbroek<dt><span class="term"><code class="option">+[no]dlv[=DLV]</code></span></dt> 453*00b67f09SDavid van Moolenbroek<dd><p> 454*00b67f09SDavid van Moolenbroek Indicates whether to perform DNSSEC lookaside validation, 455*00b67f09SDavid van Moolenbroek and if so, specifies the name of the DLV trust anchor. 456*00b67f09SDavid van Moolenbroek The default is to perform lookaside validation using 457*00b67f09SDavid van Moolenbroek a trust anchor of "dlv.isc.org", for which there is a 458*00b67f09SDavid van Moolenbroek built-in key. If specifying a different name, then 459*00b67f09SDavid van Moolenbroek <code class="option">-a</code> must be used to specify a file 460*00b67f09SDavid van Moolenbroek containing the DLV key. 461*00b67f09SDavid van Moolenbroek </p></dd> 462*00b67f09SDavid van Moolenbroek</dl></div> 463*00b67f09SDavid van Moolenbroek<p> 464*00b67f09SDavid van Moolenbroek 465*00b67f09SDavid van Moolenbroek </p> 466*00b67f09SDavid van Moolenbroek</div> 467*00b67f09SDavid van Moolenbroek<div class="refsect1" lang="en"> 468*00b67f09SDavid van Moolenbroek<a name="id2671961"></a><h2>FILES</h2> 469*00b67f09SDavid van Moolenbroek<p><code class="filename">/etc/bind.keys</code></p> 470*00b67f09SDavid van Moolenbroek<p><code class="filename">/etc/resolv.conf</code></p> 471*00b67f09SDavid van Moolenbroek</div> 472*00b67f09SDavid van Moolenbroek<div class="refsect1" lang="en"> 473*00b67f09SDavid van Moolenbroek<a name="id2671980"></a><h2>SEE ALSO</h2> 474*00b67f09SDavid van Moolenbroek<p><span class="citerefentry"><span class="refentrytitle">dig</span>(1)</span>, 475*00b67f09SDavid van Moolenbroek <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>, 476*00b67f09SDavid van Moolenbroek <em class="citetitle">RFC4034</em>, 477*00b67f09SDavid van Moolenbroek <em class="citetitle">RFC4035</em>, 478*00b67f09SDavid van Moolenbroek <em class="citetitle">RFC4431</em>, 479*00b67f09SDavid van Moolenbroek <em class="citetitle">RFC5074</em>, 480*00b67f09SDavid van Moolenbroek <em class="citetitle">RFC5155</em>. 481*00b67f09SDavid van Moolenbroek </p> 482*00b67f09SDavid van Moolenbroek</div> 483*00b67f09SDavid van Moolenbroek</div> 484*00b67f09SDavid van Moolenbroek<div class="navfooter"> 485*00b67f09SDavid van Moolenbroek<hr> 486*00b67f09SDavid van Moolenbroek<table width="100%" summary="Navigation footer"> 487*00b67f09SDavid van Moolenbroek<tr> 488*00b67f09SDavid van Moolenbroek<td width="40%" align="left"> 489*00b67f09SDavid van Moolenbroek<a accesskey="p" href="man.host.html">Prev</a>�</td> 490*00b67f09SDavid van Moolenbroek<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch13.html">Up</a></td> 491*00b67f09SDavid van Moolenbroek<td width="40%" align="right">�<a accesskey="n" href="man.dnssec-checkds.html">Next</a> 492*00b67f09SDavid van Moolenbroek</td> 493*00b67f09SDavid van Moolenbroek</tr> 494*00b67f09SDavid van Moolenbroek<tr> 495*00b67f09SDavid van Moolenbroek<td width="40%" align="left" valign="top">host�</td> 496*00b67f09SDavid van Moolenbroek<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td> 497*00b67f09SDavid van Moolenbroek<td width="40%" align="right" valign="top">�<span class="application">dnssec-checkds</span> 498*00b67f09SDavid van Moolenbroek</td> 499*00b67f09SDavid van Moolenbroek</tr> 500*00b67f09SDavid van Moolenbroek</table> 501*00b67f09SDavid van Moolenbroek</div> 502*00b67f09SDavid van Moolenbroek<p style="text-align: center;">BIND 9.10.2-P4</p> 503*00b67f09SDavid van Moolenbroek</body> 504*00b67f09SDavid van Moolenbroek</html> 505