..
   Copyright (C) Internet Systems Consortium, Inc. ("ISC")

   This Source Code Form is subject to the terms of the Mozilla Public
   License, v. 2.0. If a copy of the MPL was not distributed with this
   file, you can obtain one at https://mozilla.org/MPL/2.0/.

   See the COPYRIGHT file distributed with this work for additional
   information regarding copyright ownership.

.. highlight: console

.. _man_delv:

delv - DNS lookup and validation utility
----------------------------------------

Synopsis
~~~~~~~~

:program:`delv` [@server] [ [**-4**] | [**-6**] ] [**-a** anchor-file] [**-b** address] [**-c** class] [**-d** level] [**-i**] [**-m**] [**-p** port#] [**-q** name] [**-t** type] [**-x** addr] [name] [type] [class] [queryopt...]

:program:`delv` [**-h**]

:program:`delv` [**-v**]

:program:`delv` [queryopt...] [query...]

Description
~~~~~~~~~~~

``delv`` is a tool for sending DNS queries and validating the results,
using the same internal resolver and validator logic as ``named``.

``delv`` sends to a specified name server all queries needed to
fetch and validate the requested data; this includes the original
requested query, subsequent queries to follow CNAME or DNAME chains,
and queries for DNSKEY and DS records to establish a chain of trust for
DNSSEC validation. It does not perform iterative resolution, but
simulates the behavior of a name server configured for DNSSEC validating
and forwarding.

By default, responses are validated using the built-in DNSSEC trust anchor
for the root zone (".").
Records returned by ``delv`` are either fully
validated or were not signed. If validation fails, an explanation of the
failure is included in the output; the validation process can be traced
in detail. Because ``delv`` does not rely on an external server to carry
out validation, it can be used to check the validity of DNS responses in
environments where local name servers may not be trustworthy.

Unless it is told to query a specific name server, ``delv`` tries
each of the servers listed in ``/etc/resolv.conf``. If no usable server
addresses are found, ``delv`` sends queries to the localhost
addresses (127.0.0.1 for IPv4, ::1 for IPv6).

When no command-line arguments or options are given, ``delv``
performs an NS query for "." (the root zone).

Simple Usage
~~~~~~~~~~~~

A typical invocation of ``delv`` looks like:

::

   delv @server name type

where:

``server``
   is the name or IP address of the name server to query. This can be an
   IPv4 address in dotted-decimal notation or an IPv6 address in
   colon-delimited notation. When the supplied ``server`` argument is a
   hostname, ``delv`` resolves that name before querying that name
   server (note, however, that this initial lookup is *not* validated by
   DNSSEC).

   If no ``server`` argument is provided, ``delv`` consults
   ``/etc/resolv.conf``; if an address is found there, it queries the
   name server at that address. If either of the ``-4`` or ``-6``
   options is in use, then only addresses for the corresponding
   transport are tried. If no usable addresses are found, ``delv``
   sends queries to the localhost addresses (127.0.0.1 for IPv4, ::1
   for IPv6).

``name``
   is the domain name to be looked up.

``type``
   indicates what type of query is required - ANY, A, MX, etc.
   ``type`` can be any valid query type. If no ``type`` argument is
   supplied, ``delv`` performs a lookup for an A record.

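
The ``delv @server name type`` invocation above, wrapped in a POSIX shell helper that runs the query with ``+nocrypto`` and classifies the answer from the trust-level comment lines ``delv`` prints. This is an added example and is not part of the BIND 9 manual or source. The comment strings it matches (``; fully validated``, ``; unsigned answer``, ``; negative response, ...``, ``;; resolution failed:``), the helper names, and the sample outputs it is exercised against are assumptions constructed for the example; check them against the output of your own ``delv`` build before relying on the classification.

```shell
#!/bin/sh
# Added example, not BIND 9 code: classify a delv answer by the trust-level
# comment lines delv prints when +trust (the default) is in effect.
#
# Assumed comment strings (verify against your delv version):
#   "; fully validated"                    RRset was DNSSEC-validated
#   "; negative response, fully validated" validated denial of existence
#   "; unsigned answer"                    RRset returned without DNSSEC proof
#   "; negative response, unsigned"
#   ";; resolution failed: ..."            lookup or validation failed

# Read delv output on stdin; print exactly one of:
#   validated - every RRset in the answer was DNSSEC-validated
#   unsigned  - at least one RRset came back without a signature
#   failed    - delv reported a resolution/validation failure
#   unknown   - no trust-level comments seen (e.g. +notrust, empty input)
classify_delv_output() {
    saw_validated=0
    saw_unsigned=0
    while IFS= read -r line; do
        case "$line" in
            ";; resolution failed:"*)
                printf 'failed\n'
                return 0 ;;
            "; fully validated"*|"; negative response, fully validated"*)
                saw_validated=1 ;;
            "; unsigned answer"*|"; negative response, unsigned"*)
                saw_unsigned=1 ;;
        esac
    done
    # An answer is only as trustworthy as its weakest RRset.
    if [ "$saw_unsigned" -eq 1 ]; then
        printf 'unsigned\n'
    elif [ "$saw_validated" -eq 1 ]; then
        printf 'validated\n'
    else
        printf 'unknown\n'
    fi
}

# Query server $1 for name $2 and type ${3:-A}, then classify the answer.
# +nocrypto drops signature/key material so the output stays readable.
# Set DELV_OPTS='+cdflag' when querying through a validating resolver, so
# that delv receives (and validates itself) the responses the resolver
# would otherwise withhold.
check_name() {
    delv "@$1" "$2" "${3:-A}" +nocrypto ${DELV_OPTS:-} 2>&1 | classify_delv_output
}

# Constructed sample outputs (RFC 5737 documentation addresses; RRSIG
# fields and key tag are made up) used to exercise the classifier offline.
SAMPLE_VALIDATED='; fully validated
example.com.   3600 IN A     192.0.2.10
example.com.   3600 IN RRSIG A 13 2 3600 20240101000000 20231201000000 12345 example.com. [omitted]'

SAMPLE_UNSIGNED='; unsigned answer
example.net.   300  IN A     198.51.100.5'

SAMPLE_FAILED=';; validating example.org/A: no valid signature found
;; resolution failed: no valid RRSIG'

# Usage: sh this_script.sh SERVER NAME [TYPE]
if [ "$#" -ge 2 ]; then
    check_name "$@"
fi
```

The classifier deliberately reports ``unsigned`` if any RRset in the answer lacks a signature, even when others validated; for a monitoring check that is the safer reading, because a CNAME chain that crosses into an unsigned zone gives no DNSSEC assurance for the final answer.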

Options
~~~~~~~

``-a anchor-file``
   This option specifies a file from which to read DNSSEC trust anchors. The default
   is ``/etc/bind.keys``, which is included with BIND 9 and contains one
   or more trust anchors for the root zone (".").

   Keys that do not match the root zone name are ignored. An alternate
   key name can be specified using the ``+root=NAME`` option.

   Note: When reading the trust anchor file, ``delv`` treats ``trust-anchors``,
   ``initial-key``, and ``static-key`` identically. That is, for a managed key,
   it is the *initial* key that is trusted; :rfc:`5011` key management is not
   supported. ``delv`` does not consult the managed-keys database maintained by
   ``named``, which means that if either of the keys in ``/etc/bind.keys`` is
   revoked and rolled over, ``/etc/bind.keys`` must be updated to
   use DNSSEC validation in ``delv``.

``-b address``
   This option sets the source IP address of the query to ``address``. This must be
   a valid address on one of the host's network interfaces, or ``0.0.0.0``,
   or ``::``. An optional source port may be specified by appending
   ``#<port>``.

``-c class``
   This option sets the query class for the requested data. Currently, only class
   "IN" is supported in ``delv`` and any other value is ignored.

``-d level``
   This option sets the systemwide debug level to ``level``. The allowed range is
   from 0 to 99. The default is 0 (no debugging). Debugging traces from
   ``delv`` become more verbose as the debug level increases. See the
   ``+mtrace``, ``+rtrace``, and ``+vtrace`` options below for
   additional debugging details.

``-h``
   This option displays the ``delv`` help usage output and exits.

``-i``
   This option sets insecure mode, which disables internal DNSSEC validation. (Note,
   however, that this does not set the CD bit on upstream queries.
   If the
   server being queried is performing DNSSEC validation, then it does
   not return invalid data; this can cause ``delv`` to time out. When it
   is necessary to examine invalid data to debug a DNSSEC problem, use
   ``dig +cd``.)

``-m``
   This option enables memory usage debugging.

``-p port#``
   This option specifies a destination port to use for queries, instead of the
   standard DNS port number 53. This option is used with a name
   server that has been configured to listen for queries on a
   non-standard port number.

``-q name``
   This option sets the query name to ``name``. While the query name can be
   specified without using the ``-q`` option, it is sometimes necessary to
   disambiguate names from types or classes (for example, when looking
   up the name "ns", which could be misinterpreted as the type NS, or
   "ch", which could be misinterpreted as class CH).

``-t type``
   This option sets the query type to ``type``, which can be any valid query type
   supported in BIND 9 except for zone transfer types AXFR and IXFR. As
   with ``-q``, this is useful to distinguish query-name types or classes
   when they are ambiguous. It is sometimes necessary to disambiguate
   names from types.

   The default query type is "A", unless the ``-x`` option is supplied
   to indicate a reverse lookup, in which case it is "PTR".

``-v``
   This option prints the ``delv`` version and exits.

``-x addr``
   This option performs a reverse lookup, mapping an address to a name. ``addr``
   is an IPv4 address in dotted-decimal notation, or a colon-delimited
   IPv6 address. When ``-x`` is used, there is no need to provide the
   ``name`` or ``type`` arguments; ``delv`` automatically performs a
   lookup for a name like ``11.12.13.10.in-addr.arpa`` and sets the
   query type to PTR. IPv6 addresses are looked up using nibble format
   under the IP6.ARPA domain.

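
As an added example (not BIND 9 code or part of this manual), a POSIX shell helper that builds the owner name ``delv -x`` queries for PTR: reversed octets under ``in-addr.arpa`` for IPv4, and the 32 hex nibbles of the fully expanded address, reversed, under ``ip6.arpa`` for IPv6, including expansion of ``::`` compression. The awk-based expansion, the helper names ``ptr_name_v4``, ``ptr_name_v6`` and ``ptr_name``, and the sample addresses are assumptions made for this example. ``delv`` does this internally; the helper is useful when you want to issue the PTR query explicitly, for instance to compare the reverse mapping across several servers.

```shell
#!/bin/sh
# Added example, not BIND 9 code: build the owner name that "delv -x ADDR"
# looks up for PTR. IPv4 octets are reversed under in-addr.arpa; IPv6
# addresses are expanded to 32 hex nibbles and reversed under ip6.arpa.
# Names are printed in lower case (DNS owner names are case-insensitive).

# IPv4 dotted-decimal -> in-addr.arpa name, e.g. 10.13.12.11 ->
# 11.12.13.10.in-addr.arpa. Prints nothing and returns 1 on malformed
# input (not four octets, or an octet outside 0-255).
ptr_name_v4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        {
            for (i = 1; i <= 4; i++)
                if ($i !~ /^[0-9]+$/ || $i + 0 > 255) exit 1
            print $4 "." $3 "." $2 "." $1 ".in-addr.arpa"
        }'
}

# IPv6 colon-delimited (optionally "::"-compressed) -> ip6.arpa name in
# nibble format. Returns 1 if the text does not expand to exactly 8 groups.
ptr_name_v6() {
    printf '%s\n' "$1" | awk -F: '
        {
            # "::" may appear at most once; it shows up as empty fields.
            if (split($0, parts, "::") > 2) exit 1
            if (NF >= 2 && $1 == "" && $2 != "") exit 1        # lone leading ":"
            if (NF >= 2 && $NF == "" && $(NF-1) != "") exit 1  # lone trailing ":"
            present = 0
            for (i = 1; i <= NF; i++) if ($i != "") present++
            if (present > 8) exit 1
            hex = ""; expanded = 0
            for (i = 1; i <= NF; i++) {
                if ($i == "") {
                    # The first empty field stands for the missing zero groups.
                    if (!expanded) {
                        for (j = present; j < 8; j++) hex = hex "0000"
                        expanded = 1
                    }
                    continue
                }
                if ($i !~ /^[0-9A-Fa-f]+$/ || length($i) > 4) exit 1
                g = $i
                while (length(g) < 4) g = "0" g   # left-pad group to 4 nibbles
                hex = hex g
            }
            if (length(hex) != 32) exit 1
            hex = tolower(hex)
            # Least-significant nibble first, one label per nibble.
            for (k = 32; k >= 1; k--) printf "%s.", substr(hex, k, 1)
            print "ip6.arpa"
        }'
}

# Choose the family from the address syntax, as delv -x does.
ptr_name() {
    case "$1" in
        *:*) ptr_name_v6 "$1" ;;
        *)   ptr_name_v4 "$1" ;;
    esac
}

# Usage: sh this_script.sh ADDR   (then, e.g.: delv "$(ptr_name ADDR)" PTR)
if [ "$#" -eq 1 ]; then
    ptr_name "$1"
fi
```

Malformed input is rejected rather than mapped to some name, so a typo in the address fails the script instead of producing a PTR query for the wrong owner.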

``-4``
   This option forces ``delv`` to only use IPv4.

``-6``
   This option forces ``delv`` to only use IPv6.

Query Options
~~~~~~~~~~~~~

``delv`` provides a number of query options which affect the way results
are displayed, and in some cases the way lookups are performed.

Each query option is identified by a keyword preceded by a plus sign
(``+``). Some keywords set or reset an option. These may be preceded by
the string ``no`` to negate the meaning of that keyword. Other keywords
assign values to options like the timeout interval. They have the form
``+keyword=value``. The query options are:

``+[no]cdflag``
   This option controls whether to set the CD (checking disabled) bit in queries
   sent by ``delv``. This may be useful when troubleshooting DNSSEC
   problems from behind a validating resolver. A validating resolver
   blocks invalid responses, making it difficult to retrieve them
   for analysis. Setting the CD flag on queries causes the resolver
   to return invalid responses, which ``delv`` can then validate
   internally and report the errors in detail.

``+[no]class``
   This option controls whether to display the CLASS when printing a record. The
   default is to display the CLASS.

``+[no]ttl``
   This option controls whether to display the TTL when printing a record. The
   default is to display the TTL.

``+[no]rtrace``
   This option toggles resolver fetch logging. This reports the name and type of each
   query sent by ``delv`` in the process of carrying out the resolution
   and validation process, including the original query
   and all subsequent queries to follow CNAMEs and to establish a chain
   of trust for DNSSEC validation.

   This is equivalent to setting the debug level to 1 in the "resolver"
   logging category.
   Setting the systemwide debug level to 1 using the
   ``-d`` option produces the same output, but affects other
   logging categories as well.

``+[no]mtrace``
   This option toggles message logging. This produces a detailed dump of the
   responses received by ``delv`` in the process of carrying out the
   resolution and validation process.

   This is equivalent to setting the debug level to 10 for the "packets"
   module of the "resolver" logging category. Setting the systemwide
   debug level to 10 using the ``-d`` option produces the same
   output, but affects other logging categories as well.

``+[no]vtrace``
   This option toggles validation logging. This shows the internal process of the
   validator as it determines whether an answer is validly signed,
   unsigned, or invalid.

   This is equivalent to setting the debug level to 3 for the
   "validator" module of the "dnssec" logging category. Setting the
   systemwide debug level to 3 using the ``-d`` option produces the
   same output, but affects other logging categories as well.

``+[no]short``
   This option toggles between verbose and terse answers. The default is to print the answer in a
   verbose form.

``+[no]comments``
   This option toggles the display of comment lines in the output. The default is to
   print comments.

``+[no]rrcomments``
   This option toggles the display of per-record comments in the output (for example,
   human-readable key information about DNSKEY records). The default is
   to print per-record comments.

``+[no]crypto``
   This option toggles the display of cryptographic fields in DNSSEC records. The
   contents of these fields are unnecessary to debug most DNSSEC
   validation failures and removing them makes it easier to see the
   common failures. The default is to display the fields.
   When omitted,
   they are replaced by the string ``[omitted]`` or, in the DNSKEY case, the
   key ID is displayed as the replacement, e.g. ``[ key id = value ]``.

``+[no]trust``
   This option controls whether to display the trust level when printing a record.
   The default is to display the trust level.

``+[no]split[=W]``
   This option splits long hex- or base64-formatted fields in resource records into
   chunks of ``W`` characters (where ``W`` is rounded up to the nearest
   multiple of 4). ``+nosplit`` or ``+split=0`` causes fields not to be
   split at all. The default is 56 characters, or 44 characters when
   multiline mode is active.

``+[no]all``
   This option sets or clears the display options ``+[no]comments``,
   ``+[no]rrcomments``, and ``+[no]trust`` as a group.

``+[no]multiline``
   This option prints long records (such as RRSIG, DNSKEY, and SOA records) in a
   verbose multi-line format with human-readable comments. The default
   is to print each record on a single line, to facilitate machine
   parsing of the ``delv`` output.

``+[no]dnssec``
   This option indicates whether to display RRSIG records in the ``delv`` output.
   The default is to do so. Note that (unlike in ``dig``) this does
   *not* control whether to request DNSSEC records or to
   validate them. DNSSEC records are always requested, and validation
   always occurs unless suppressed by the use of ``-i`` or
   ``+noroot``.

``+[no]root[=ROOT]``
   This option indicates whether to perform conventional DNSSEC validation, and if so,
   specifies the name of a trust anchor. The default is to validate using a
   trust anchor of "." (the root zone), for which there is a built-in key. If
   specifying a different trust anchor, then ``-a`` must be used to specify a
   file containing the key.

``+[no]tcp``
   This option controls whether to use TCP when sending queries.
   The default is to
   use UDP unless a truncated response has been received.

``+[no]unknownformat``
   This option prints all RDATA in unknown RR-type presentation format (:rfc:`3597`).
   The default is to print RDATA for known types in the type's
   presentation format.

``+[no]yaml``
   This option prints response data in YAML format.

Files
~~~~~

``/etc/bind.keys``

``/etc/resolv.conf``

See Also
~~~~~~~~

:manpage:`dig(1)`, :manpage:`named(8)`, :rfc:`4034`, :rfc:`4035`, :rfc:`4431`, :rfc:`5074`, :rfc:`5155`.