1.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") 2.. 3.. SPDX-License-Identifier: MPL-2.0 4.. 5.. This Source Code Form is subject to the terms of the Mozilla Public 6.. License, v. 2.0. If a copy of the MPL was not distributed with this 7.. file, you can obtain one at https://mozilla.org/MPL/2.0/. 8.. 9.. See the COPYRIGHT file distributed with this work for additional 10.. information regarding copyright ownership. 11 12.. highlight: console 13 14.. iscman:: delv 15.. program:: delv 16.. _man_delv: 17 18delv - DNS lookup and validation utility 19---------------------------------------- 20 21Synopsis 22~~~~~~~~ 23 24:program:`delv` [@server] [ [**-4**] | [**-6**] ] [**-a** anchor-file] [**-b** address] [**-c** class] [**-d** level] [**-i**] [**-m**] [**-p** port#] [**-q** name] [**-t** type] [**-x** addr] [name] [type] [class] [queryopt...] 25 26:program:`delv` [**-h**] 27 28:program:`delv` [**-v**] 29 30:program:`delv` [queryopt...] [query...] 31 32Description 33~~~~~~~~~~~ 34 35:program:`delv` is a tool for sending DNS queries and validating the results, 36using the same internal resolver and validator logic as :iscman:`named`. 37 38:program:`delv` sends to a specified name server all queries needed to 39fetch and validate the requested data; this includes the original 40requested query, subsequent queries to follow CNAME or DNAME chains, 41queries for DNSKEY, and DS records to establish a chain of trust for 42DNSSEC validation. It does not perform iterative resolution, but 43simulates the behavior of a name server configured for DNSSEC validating 44and forwarding. 45 46By default, responses are validated using the built-in DNSSEC trust anchor 47for the root zone ("."). Records returned by :program:`delv` are either fully 48validated or were not signed. If validation fails, an explanation of the 49failure is included in the output; the validation process can be traced 50in detail. Because :program:`delv` does not rely on an external server to carry 51out validation, it can be used to check the validity of DNS responses in 52environments where local name servers may not be trustworthy. 53 54Unless it is told to query a specific name server, :program:`delv` tries 55each of the servers listed in ``/etc/resolv.conf``. If no usable server 56addresses are found, :program:`delv` sends queries to the localhost 57addresses (127.0.0.1 for IPv4, ::1 for IPv6). 58 59When no command-line arguments or options are given, :program:`delv` 60performs an NS query for "." (the root zone). 61 62Simple Usage 63~~~~~~~~~~~~ 64 65A typical invocation of :program:`delv` looks like: 66 67:: 68 69 delv @server name type 70 71where: 72 73.. option:: server 74 75 is the name or IP address of the name server to query. This can be an 76 IPv4 address in dotted-decimal notation or an IPv6 address in 77 colon-delimited notation. When the supplied ``server`` argument is a 78 hostname, :program:`delv` resolves that name before querying that name 79 server (note, however, that this initial lookup is *not* validated by 80 DNSSEC). 81 82 If no ``server`` argument is provided, :program:`delv` consults 83 ``/etc/resolv.conf``; if an address is found there, it queries the 84 name server at that address. If either of the :option:`-4` or :option:`-6` 85 options is in use, then only addresses for the corresponding 86 transport are tried. If no usable addresses are found, :program:`delv` 87 sends queries to the localhost addresses (127.0.0.1 for IPv4, ::1 88 for IPv6). 89 90.. option:: name 91 92 is the domain name to be looked up. 93 94.. option:: type 95 96 indicates what type of query is required - ANY, A, MX, etc. 97 ``type`` can be any valid query type. If no ``type`` argument is 98 supplied, :program:`delv` performs a lookup for an A record. 99 100Options 101~~~~~~~ 102 103.. option:: -a anchor-file 104 105 This option specifies a file from which to read DNSSEC trust anchors. The default 106 is |bind_keys|, which is included with BIND 9 and contains one 107 or more trust anchors for the root zone ("."). 108 109 Keys that do not match the root zone name are ignored. An alternate 110 key name can be specified using the :option:`+root` option. 111 112 Note: When reading the trust anchor file, :program:`delv` treats ``trust-anchors``, 113 ``initial-key``, and ``static-key`` identically. That is, for a managed key, 114 it is the *initial* key that is trusted; :rfc:`5011` key management is not 115 supported. :program:`delv` does not consult the managed-keys database maintained by 116 :iscman:`named`, which means that if either of the keys in |bind_keys| is 117 revoked and rolled over, |bind_keys| must be updated to 118 use DNSSEC validation in :program:`delv`. 119 120.. option:: -b address 121 122 This option sets the source IP address of the query to ``address``. This must be 123 a valid address on one of the host's network interfaces, or ``0.0.0.0``, 124 or ``::``. An optional source port may be specified by appending 125 ``#<port>`` 126 127.. option:: -c class 128 129 This option sets the query class for the requested data. Currently, only class 130 "IN" is supported in :program:`delv` and any other value is ignored. 131 132.. option:: -d level 133 134 This option sets the systemwide debug level to ``level``. The allowed range is 135 from 0 to 99. The default is 0 (no debugging). Debugging traces from 136 :program:`delv` become more verbose as the debug level increases. See the 137 :option:`+mtrace`, :option:`+rtrace`, and :option:`+vtrace` options below for 138 additional debugging details. 139 140.. option:: -h 141 142 This option displays the :program:`delv` help usage output and exits. 143 144.. option:: -i 145 146 This option sets insecure mode, which disables internal DNSSEC validation. (Note, 147 however, that this does not set the CD bit on upstream queries. If the 148 server being queried is performing DNSSEC validation, then it does 149 not return invalid data; this can cause :program:`delv` to time out. When it 150 is necessary to examine invalid data to debug a DNSSEC problem, use 151 :option:`dig +cd`.) 152 153.. option:: -m 154 155 This option enables memory usage debugging. 156 157.. option:: -p port# 158 159 This option specifies a destination port to use for queries, instead of the 160 standard DNS port number 53. This option is used with a name 161 server that has been configured to listen for queries on a 162 non-standard port number. 163 164.. option:: -q name 165 166 This option sets the query name to ``name``. While the query name can be 167 specified without using the :option:`-q` option, it is sometimes necessary to 168 disambiguate names from types or classes (for example, when looking 169 up the name "ns", which could be misinterpreted as the type NS, or 170 "ch", which could be misinterpreted as class CH). 171 172.. option:: -t type 173 174 This option sets the query type to ``type``, which can be any valid query type 175 supported in BIND 9 except for zone transfer types AXFR and IXFR. As 176 with :option:`-q`, this is useful to distinguish query-name types or classes 177 when they are ambiguous. It is sometimes necessary to disambiguate 178 names from types. 179 180 The default query type is "A", unless the :option:`-x` option is supplied 181 to indicate a reverse lookup, in which case it is "PTR". 182 183.. option:: -v 184 185 This option prints the :program:`delv` version and exits. 186 187.. option:: -x addr 188 189 This option performs a reverse lookup, mapping an address to a name. ``addr`` 190 is an IPv4 address in dotted-decimal notation, or a colon-delimited 191 IPv6 address. When :option:`-x` is used, there is no need to provide the 192 ``name`` or ``type`` arguments; :program:`delv` automatically performs a 193 lookup for a name like ``11.12.13.10.in-addr.arpa`` and sets the 194 query type to PTR. IPv6 addresses are looked up using nibble format 195 under the IP6.ARPA domain. 196 197.. option:: -4 198 199 This option forces :program:`delv` to only use IPv4. 200 201.. option:: -6 202 203 This option forces :program:`delv` to only use IPv6. 204 205Query Options 206~~~~~~~~~~~~~ 207 208:program:`delv` provides a number of query options which affect the way results 209are displayed, and in some cases the way lookups are performed. 210 211Each query option is identified by a keyword preceded by a plus sign 212(``+``). Some keywords set or reset an option. These may be preceded by 213the string ``no`` to negate the meaning of that keyword. Other keywords 214assign values to options like the timeout interval. They have the form 215``+keyword=value``. The query options are: 216 217.. option:: +cdflag, +nocdflag 218 219 This option controls whether to set the CD (checking disabled) bit in queries 220 sent by :program:`delv`. This may be useful when troubleshooting DNSSEC 221 problems from behind a validating resolver. A validating resolver 222 blocks invalid responses, making it difficult to retrieve them 223 for analysis. Setting the CD flag on queries causes the resolver 224 to return invalid responses, which :program:`delv` can then validate 225 internally and report the errors in detail. 226 227.. option:: +class, +noclass 228 229 This option controls whether to display the CLASS when printing a record. The 230 default is to display the CLASS. 231 232.. option:: +ttl, +nottl 233 234 This option controls whether to display the TTL when printing a record. The 235 default is to display the TTL. 236 237.. option:: +rtrace, +nortrace 238 239 This option toggles resolver fetch logging. This reports the name and type of each 240 query sent by :program:`delv` in the process of carrying out the resolution 241 and validation process, including the original query 242 and all subsequent queries to follow CNAMEs and to establish a chain 243 of trust for DNSSEC validation. 244 245 This is equivalent to setting the debug level to 1 in the "resolver" 246 logging category. Setting the systemwide debug level to 1 using the 247 :option:`-d` option produces the same output, but affects other 248 logging categories as well. 249 250.. option:: +mtrace, +nomtrace 251 252 This option toggles message logging. This produces a detailed dump of the 253 responses received by :program:`delv` in the process of carrying out the 254 resolution and validation process. 255 256 This is equivalent to setting the debug level to 10 for the "packets" 257 module of the "resolver" logging category. Setting the systemwide 258 debug level to 10 using the :option:`-d` option produces the same 259 output, but affects other logging categories as well. 260 261.. option:: +vtrace, +novtrace 262 263 This option toggles validation logging. This shows the internal process of the 264 validator as it determines whether an answer is validly signed, 265 unsigned, or invalid. 266 267 This is equivalent to setting the debug level to 3 for the 268 "validator" module of the "dnssec" logging category. Setting the 269 systemwide debug level to 3 using the :option:`-d` option produces the 270 same output, but affects other logging categories as well. 271 272.. option:: +short, +noshort 273 274 This option toggles between verbose and terse answers. The default is to print the answer in a 275 verbose form. 276 277.. option:: +comments, +nocomments 278 279 This option toggles the display of comment lines in the output. The default is to 280 print comments. 281 282.. option:: +rrcomments, +norrcomments 283 284 This option toggles the display of per-record comments in the output (for example, 285 human-readable key information about DNSKEY records). The default is 286 to print per-record comments. 287 288.. option:: +crypto, +nocrypto 289 290 This option toggles the display of cryptographic fields in DNSSEC records. The 291 contents of these fields are unnecessary to debug most DNSSEC 292 validation failures and removing them makes it easier to see the 293 common failures. The default is to display the fields. When omitted, 294 they are replaced by the string ``[omitted]`` or, in the DNSKEY case, the 295 key ID is displayed as the replacement, e.g. ``[ key id = value ]``. 296 297.. option:: +trust, +notrust 298 299 This option controls whether to display the trust level when printing a record. 300 The default is to display the trust level. 301 302.. option:: +split[=W], +nosplit 303 304 This option splits long hex- or base64-formatted fields in resource records into 305 chunks of ``W`` characters (where ``W`` is rounded up to the nearest 306 multiple of 4). ``+nosplit`` or ``+split=0`` causes fields not to be 307 split at all. The default is 56 characters, or 44 characters when 308 multiline mode is active. 309 310.. option:: +all, +noall 311 312 This option sets or clears the display options :option:`+comments`, 313 :option:`+rrcomments`, and :option:`+trust` as a group. 314 315.. option:: +multiline, +nomultiline 316 317 This option prints long records (such as RRSIG, DNSKEY, and SOA records) in a 318 verbose multi-line format with human-readable comments. The default 319 is to print each record on a single line, to facilitate machine 320 parsing of the :program:`delv` output. 321 322.. option:: +dnssec, +nodnssec 323 324 This option indicates whether to display RRSIG records in the :program:`delv` output. 325 The default is to do so. Note that (unlike in :iscman:`dig`) this does 326 *not* control whether to request DNSSEC records or to 327 validate them. DNSSEC records are always requested, and validation 328 always occurs unless suppressed by the use of :option:`-i` or 329 :option:`+noroot`. 330 331.. option:: +root[=ROOT], +noroot 332 333 This option indicates whether to perform conventional DNSSEC validation, and if so, 334 specifies the name of a trust anchor. The default is to validate using a 335 trust anchor of "." (the root zone), for which there is a built-in key. If 336 specifying a different trust anchor, then :option:`-a` must be used to specify a 337 file containing the key. 338 339.. option:: +tcp, +notcp 340 341 This option controls whether to use TCP when sending queries. The default is to 342 use UDP unless a truncated response has been received. 343 344.. option:: +unknownformat, +nounknownformat 345 346 This option prints all RDATA in unknown RR-type presentation format (:rfc:`3597`). 347 The default is to print RDATA for known types in the type's 348 presentation format. 349 350.. option:: +yaml, +noyaml 351 352 This option prints response data in YAML format. 353 354Files 355~~~~~ 356 357|bind_keys| 358 359``/etc/resolv.conf`` 360 361See Also 362~~~~~~~~ 363 364:iscman:`dig(1) <dig>`, :iscman:`named(8) <named>`, :rfc:`4034`, :rfc:`4035`, :rfc:`4431`, :rfc:`5074`, :rfc:`5155`. 365