2 - Copyright (C) 2004-2015 Internet Systems Consortium, Inc. ("ISC")
3 - Copyright (C) 2000-2003 Internet Software Consortium.
5 - Permission to use, copy, modify, and/or distribute this software for any
6 - purpose with or without fee is hereby granted, provided that the above
7 - copyright notice and this permission notice appear in all copies.
9 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
10 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
11 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
12 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
13 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
14 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
15 - PERFORMANCE OF THIS SOFTWARE.
17 <!-- $Id: man.delv.html,v 1.5 2015/09/03 07:33:34 christos Exp $ -->
20 <meta http-equiv=
"Content-Type" content=
"text/html; charset=ISO-8859-1">
22 <meta name=
"generator" content=
"DocBook XSL Stylesheets V1.71.1">
23 <link rel=
"start" href=
"Bv9ARM.html" title=
"BIND 9 Administrator Reference Manual">
24 <link rel=
"up" href=
"Bv9ARM.ch13.html" title=
"Manual pages">
25 <link rel=
"prev" href=
"man.host.html" title=
"host">
26 <link rel=
"next" href=
"man.dnssec-checkds.html" title=
"dnssec-checkds">
28 <body bgcolor=
"white" text=
"black" link=
"#0000FF" vlink=
"#840084" alink=
"#0000FF">
42 <div class=
"refentry" lang=
"en">
43 <a name=
"man.delv"></a><div class=
"titlepage"></div>
44 <div class=
"refnamediv">
46 <p>delv
— DNS lookup and validation utility
</p>
48 <div class=
"refsynopsisdiv">
50 <div class=
"cmdsynopsis"><p><code class=
"command">delv
</code> [@server] [
<code class=
"option">-
4</code>] [
<code class=
"option">-
6</code>] [
<code class=
"option">-a
<em class=
"replaceable"><code>anchor-file
</code></em></code>] [
<code class=
"option">-b
<em class=
"replaceable"><code>address
</code></em></code>] [
<code class=
"option">-c
<em class=
"replaceable"><code>class
</code></em></code>] [
<code class=
"option">-d
<em class=
"replaceable"><code>level
</code></em></code>] [
<code class=
"option">-i
</code>] [
<code class=
"option">-m
</code>] [
<code class=
"option">-p
<em class=
"replaceable"><code>port#
</code></em></code>] [
<code class=
"option">-q
<em class=
"replaceable"><code>name
</code></em></code>] [
<code class=
"option">-t
<em class=
"replaceable"><code>type
</code></em></code>] [
<code class=
"option">-x
<em class=
"replaceable"><code>addr
</code></em></code>] [name] [type] [class] [queryopt...]
</p></div>
51 <div class=
"cmdsynopsis"><p><code class=
"command">delv
</code> [
<code class=
"option">-h
</code>]
</p></div>
52 <div class=
"cmdsynopsis"><p><code class=
"command">delv
</code> [
<code class=
"option">-v
</code>]
</p></div>
53 <div class=
"cmdsynopsis"><p><code class=
"command">delv
</code> [queryopt...] [query...]
</p></div>
55 <div class=
"refsect1" lang=
"en">
56 <a name=
"id2615191"></a><h2>DESCRIPTION
</h2>
57 <p><span><strong class=
"command">delv
</strong></span>
58 (Domain Entity Lookup
& Validation) is a tool for sending
59 DNS queries and validating the results, using the same internal
60 resolver and validator logic as
<span><strong class=
"command">named
</strong></span>.
63 <span><strong class=
"command">delv
</strong></span> will send to a specified name server all
64 queries needed to fetch and validate the requested data; this
65 includes the original requested query, subsequent queries to follow
66 CNAME or DNAME chains, and queries for DNSKEY, DS and DLV records
67 to establish a chain of trust for DNSSEC validation.
68 It does not perform iterative resolution, but simulates the
69 behavior of a name server configured for DNSSEC validating and
73 By default, responses are validated using built-in DNSSEC trust
74 anchors for the root zone (
".") and for the ISC DNSSEC lookaside
75 validation zone (
"dlv.isc.org"). Records returned by
76 <span><strong class=
"command">delv
</strong></span> are either fully validated or
77 were not signed. If validation fails, an explanation of
78 the failure is included in the output; the validation process
79 can be traced in detail. Because
<span><strong class=
"command">delv
</strong></span> does
80 not rely on an external server to carry out validation, it can
81 be used to check the validity of DNS responses in environments
82 where local name servers may not be trustworthy.
85 Unless it is told to query a specific name server,
86 <span><strong class=
"command">delv
</strong></span> will try each of the servers listed in
87 <code class=
"filename">/etc/resolv.conf
</code>. If no usable server
88 addresses are found,
<span><strong class=
"command">delv
</strong></span> will send
89 queries to the localhost addresses (
127.0.0.1 for IPv4, ::
1
93 When no command line arguments or options are given,
94 <span><strong class=
"command">delv
</strong></span> will perform an NS query for
"."
98 <div class=
"refsect1" lang=
"en">
99 <a name=
"id2615264"></a><h2>SIMPLE USAGE
</h2>
101 A typical invocation of
<span><strong class=
"command">delv
</strong></span> looks like:
103 <pre class=
"programlisting"> delv @server name type
</pre>
108 <div class=
"variablelist"><dl>
109 <dt><span class=
"term"><code class=
"constant">server
</code></span></dt>
112 is the name or IP address of the name server to query. This
113 can be an IPv4 address in dotted-decimal notation or an IPv6
114 address in colon-delimited notation. When the supplied
115 <em class=
"parameter"><code>server
</code></em> argument is a hostname,
116 <span><strong class=
"command">delv
</strong></span> resolves that name before
117 querying that name server (note, however, that this
118 initial lookup is
<span class=
"emphasis"><em>not
</em></span> validated
122 If no
<em class=
"parameter"><code>server
</code></em> argument is
123 provided,
<span><strong class=
"command">delv
</strong></span> consults
124 <code class=
"filename">/etc/resolv.conf
</code>; if an
125 address is found there, it queries the name server at
126 that address. If either of the
<code class=
"option">-
4</code> or
127 <code class=
"option">-
6</code> options is in use, then
128 only addresses for the corresponding transport
129 will be tried. If no usable addresses are found,
130 <span><strong class=
"command">delv
</strong></span> will send queries to
131 the localhost addresses (
127.0.0.1 for IPv4,
135 <dt><span class=
"term"><code class=
"constant">name
</code></span></dt>
137 is the domain name to be looked up.
139 <dt><span class=
"term"><code class=
"constant">type
</code></span></dt>
141 indicates what type of query is required
—
143 <em class=
"parameter"><code>type
</code></em> can be any valid query
145 <em class=
"parameter"><code>type
</code></em> argument is supplied,
146 <span><strong class=
"command">delv
</strong></span> will perform a lookup for an
153 <div class=
"refsect1" lang=
"en">
154 <a name=
"id2616487"></a><h2>OPTIONS
</h2>
155 <div class=
"variablelist"><dl>
156 <dt><span class=
"term">-a
<em class=
"replaceable"><code>anchor-file
</code></em></span></dt>
159 Specifies a file from which to read DNSSEC trust anchors.
160 The default is
<code class=
"filename">/etc/bind.keys
</code>, which
161 is included with
<acronym class=
"acronym">BIND
</acronym> 9 and contains
162 trust anchors for the root zone (
".") and for the ISC
163 DNSSEC lookaside validation zone (
"dlv.isc.org").
166 Keys that do not match the root or DLV trust-anchor
167 names are ignored; these key names can be overridden
168 using the
<code class=
"option">+dlv=NAME
</code> or
169 <code class=
"option">+root=NAME
</code> options.
172 Note: When reading the trust anchor file,
173 <span><strong class=
"command">delv
</strong></span> treats
<code class=
"option">managed-keys
</code>
174 statements and
<code class=
"option">trusted-keys
</code> statements
175 identically. That is, for a managed key, it is the
176 <span class=
"emphasis"><em>initial
</em></span> key that is trusted; RFC
5011
177 key management is not supported.
<span><strong class=
"command">delv
</strong></span>
178 will not consult the managed-keys database maintained by
179 <span><strong class=
"command">named
</strong></span>. This means that if either of the
180 keys in
<code class=
"filename">/etc/bind.keys
</code> is revoked
181 and rolled over, it will be necessary to update
182 <code class=
"filename">/etc/bind.keys
</code> to use DNSSEC
183 validation in
<span><strong class=
"command">delv
</strong></span>.
186 <dt><span class=
"term">-b
<em class=
"replaceable"><code>address
</code></em></span></dt>
188 Sets the source IP address of the query to
189 <em class=
"parameter"><code>address
</code></em>. This must be a valid address
190 on one of the host's network interfaces or
"0.0.0.0" or
"::".
191 An optional source port may be specified by appending
194 <dt><span class=
"term">-c
<em class=
"replaceable"><code>class
</code></em></span></dt>
196 Sets the query class for the requested data. Currently,
197 only class
"IN" is supported in
<span><strong class=
"command">delv
</strong></span>
198 and any other value is ignored.
200 <dt><span class=
"term">-d
<em class=
"replaceable"><code>level
</code></em></span></dt>
202 Set the systemwide debug level to
<code class=
"option">level
</code>.
203 The allowed range is from
0 to
99.
204 The default is
0 (no debugging).
205 Debugging traces from
<span><strong class=
"command">delv
</strong></span> become
206 more verbose as the debug level increases.
207 See the
<code class=
"option">+mtrace
</code>,
<code class=
"option">+rtrace
</code>,
208 and
<code class=
"option">+vtrace
</code> options below for additional
211 <dt><span class=
"term">-h
</span></dt>
213 Display the
<span><strong class=
"command">delv
</strong></span> help usage output and exit.
215 <dt><span class=
"term">-i
</span></dt>
217 Insecure mode. This disables internal DNSSEC validation.
218 (Note, however, this does not set the CD bit on upstream
219 queries. If the server being queried is performing DNSSEC
220 validation, then it will not return invalid data; this
221 can cause
<span><strong class=
"command">delv
</strong></span> to time out. When it
222 is necessary to examine invalid data to debug a DNSSEC
223 problem, use
<span><strong class=
"command">dig +cd
</strong></span>.)
225 <dt><span class=
"term">-m
</span></dt>
227 Enables memory usage debugging.
229 <dt><span class=
"term">-p
<em class=
"replaceable"><code>port#
</code></em></span></dt>
231 Specifies a destination port to use for queries instead of
232 the standard DNS port number
53. This option would be used
233 with a name server that has been configured to listen
234 for queries on a non-standard port number.
236 <dt><span class=
"term">-q
<em class=
"replaceable"><code>name
</code></em></span></dt>
238 Sets the query name to
<em class=
"parameter"><code>name
</code></em>.
239 While the query name can be specified without using the
240 <code class=
"option">-q
</code>, it is sometimes necessary to disambiguate
241 names from types or classes (for example, when looking up the
242 name
"ns", which could be misinterpreted as the type NS,
243 or
"ch", which could be misinterpreted as class CH).
245 <dt><span class=
"term">-t
<em class=
"replaceable"><code>type
</code></em></span></dt>
248 Sets the query type to
<em class=
"parameter"><code>type
</code></em>, which
249 can be any valid query type supported in BIND
9 except
250 for zone transfer types AXFR and IXFR. As with
251 <code class=
"option">-q
</code>, this is useful to distinguish
252 query names from types or classes when they are ambiguous.
256 The default query type is
"A", unless the
<code class=
"option">-x
</code>
257 option is supplied to indicate a reverse lookup, in which case
261 <dt><span class=
"term">-v
</span></dt>
263 Print the
<span><strong class=
"command">delv
</strong></span> version and exit.
265 <dt><span class=
"term">-x
<em class=
"replaceable"><code>addr
</code></em></span></dt>
267 Performs a reverse lookup, mapping an address to
268 a name.
<em class=
"parameter"><code>addr
</code></em> is an IPv4 address in
269 dotted-decimal notation, or a colon-delimited IPv6 address.
270 When
<code class=
"option">-x
</code> is used, there is no need to provide
271 the
<em class=
"parameter"><code>name
</code></em> or
<em class=
"parameter"><code>type
</code></em>
272 arguments.
<span><strong class=
"command">delv
</strong></span> automatically performs a
273 lookup for a name like
<code class=
"literal">11.12.13.10.in-addr.arpa
</code>
274 and sets the query type to PTR. IPv6 addresses are looked up
275 using nibble format under the IP6.ARPA domain.
277 <dt><span class=
"term">-
4</span></dt>
279 Forces
<span><strong class=
"command">delv
</strong></span> to only use IPv4.
281 <dt><span class=
"term">-
6</span></dt>
283 Forces
<span><strong class=
"command">delv
</strong></span> to only use IPv6.
287 <div class=
"refsect1" lang=
"en">
288 <a name=
"id2671445"></a><h2>QUERY OPTIONS
</h2>
289 <p><span><strong class=
"command">delv
</strong></span>
290 provides a number of query options which affect the way results are
291 displayed, and in some cases the way lookups are performed.
294 Each query option is identified by a keyword preceded by a plus sign
295 (
<code class=
"literal">+
</code>). Some keywords set or reset an
296 option. These may be preceded by the string
297 <code class=
"literal">no
</code> to negate the meaning of that keyword.
298 Other keywords assign values to options like the timeout interval.
299 They have the form
<code class=
"option">+keyword=value
</code>.
300 The query options are:
303 <div class=
"variablelist"><dl>
304 <dt><span class=
"term"><code class=
"option">+[no]cdflag
</code></span></dt>
306 Controls whether to set the CD (checking disabled) bit in
307 queries sent by
<span><strong class=
"command">delv
</strong></span>. This may be useful
308 when troubleshooting DNSSEC problems from behind a validating
309 resolver. A validating resolver will block invalid responses,
310 making it difficult to retrieve them for analysis. Setting
311 the CD flag on queries will cause the resolver to return
312 invalid responses, which
<span><strong class=
"command">delv
</strong></span> can then
313 validate internally and report the errors in detail.
315 <dt><span class=
"term"><code class=
"option">+[no]class
</code></span></dt>
317 Controls whether to display the CLASS when printing
318 a record. The default is to display the CLASS.
320 <dt><span class=
"term"><code class=
"option">+[no]ttl
</code></span></dt>
322 Controls whether to display the TTL when printing
323 a record. The default is to display the TTL.
325 <dt><span class=
"term"><code class=
"option">+[no]rtrace
</code></span></dt>
328 Toggle resolver fetch logging. This reports the
329 name and type of each query sent by
<span><strong class=
"command">delv
</strong></span>
330 in the process of carrying out the resolution and validation
331 process: this includes the original query and
332 all subsequent queries to follow CNAMEs and to establish a
333 chain of trust for DNSSEC validation.
336 This is equivalent to setting the debug level to
1 in
337 the
"resolver" logging category. Setting the systemwide
338 debug level to
1 using the
<code class=
"option">-d
</code> option will
339 produce the same output (but will affect other logging
343 <dt><span class=
"term"><code class=
"option">+[no]mtrace
</code></span></dt>
346 Toggle message logging. This produces a detailed dump of
347 the responses received by
<span><strong class=
"command">delv
</strong></span> in the
348 process of carrying out the resolution and validation process.
351 This is equivalent to setting the debug level to
10
352 for the
"packets" module of the
"resolver" logging
353 category. Setting the systemwide debug level to
10 using
354 the
<code class=
"option">-d
</code> option will produce the same output
355 (but will affect other logging categories as well).
358 <dt><span class=
"term"><code class=
"option">+[no]vtrace
</code></span></dt>
361 Toggle validation logging. This shows the internal
362 process of the validator as it determines whether an
363 answer is validly signed, unsigned, or invalid.
366 This is equivalent to setting the debug level to
3
367 for the
"validator" module of the
"dnssec" logging
368 category. Setting the systemwide debug level to
3 using
369 the
<code class=
"option">-d
</code> option will produce the same output
370 (but will affect other logging categories as well).
373 <dt><span class=
"term"><code class=
"option">+[no]short
</code></span></dt>
375 Provide a terse answer. The default is to print the answer in a
378 <dt><span class=
"term"><code class=
"option">+[no]comments
</code></span></dt>
380 Toggle the display of comment lines in the output. The default
381 is to print comments.
383 <dt><span class=
"term"><code class=
"option">+[no]rrcomments
</code></span></dt>
385 Toggle the display of per-record comments in the output (for
386 example, human-readable key information about DNSKEY records).
387 The default is to print per-record comments.
389 <dt><span class=
"term"><code class=
"option">+[no]crypto
</code></span></dt>
391 Toggle the display of cryptographic fields in DNSSEC records.
392 The contents of these fields are unnecessary to debug most DNSSEC
393 validation failures and removing them makes it easier to see
394 the common failures. The default is to display the fields.
395 When omitted they are replaced by the string
"[omitted]" or
396 in the DNSKEY case the key id is displayed as the replacement,
397 e.g.
"[ key id = value ]".
399 <dt><span class=
"term"><code class=
"option">+[no]trust
</code></span></dt>
401 Controls whether to display the trust level when printing
402 a record. The default is to display the trust level.
404 <dt><span class=
"term"><code class=
"option">+[no]split[=W]
</code></span></dt>
406 Split long hex- or base64-formatted fields in resource
407 records into chunks of
<em class=
"parameter"><code>W
</code></em> characters
408 (where
<em class=
"parameter"><code>W
</code></em> is rounded up to the nearest
410 <em class=
"parameter"><code>+nosplit
</code></em> or
411 <em class=
"parameter"><code>+split=
0</code></em> causes fields not to be
412 split at all. The default is
56 characters, or
44 characters
413 when multiline mode is active.
415 <dt><span class=
"term"><code class=
"option">+[no]all
</code></span></dt>
417 Set or clear the display options
418 <code class=
"option">+[no]comments
</code>,
419 <code class=
"option">+[no]rrcomments
</code>, and
420 <code class=
"option">+[no]trust
</code> as a group.
422 <dt><span class=
"term"><code class=
"option">+[no]multiline
</code></span></dt>
424 Print long records (such as RRSIG, DNSKEY, and SOA records)
425 in a verbose multi-line format with human-readable comments.
426 The default is to print each record on a single line, to
427 facilitate machine parsing of the
<span><strong class=
"command">delv
</strong></span>
430 <dt><span class=
"term"><code class=
"option">+[no]dnssec
</code></span></dt>
432 Indicates whether to display RRSIG records in the
433 <span><strong class=
"command">delv
</strong></span> output. The default is to
434 do so. Note that (unlike in
<span><strong class=
"command">dig
</strong></span>)
435 this does
<span class=
"emphasis"><em>not
</em></span> control whether to
436 request DNSSEC records or whether to validate them.
437 DNSSEC records are always requested, and validation
438 will always occur unless suppressed by the use of
439 <code class=
"option">-i
</code> or
<code class=
"option">+noroot
</code> and
440 <code class=
"option">+nodlv
</code>.
442 <dt><span class=
"term"><code class=
"option">+[no]root[=ROOT]
</code></span></dt>
444 Indicates whether to perform conventional (non-lookaside)
445 DNSSEC validation, and if so, specifies the
446 name of a trust anchor. The default is to validate using
447 a trust anchor of
"." (the root zone), for which there is
448 a built-in key. If specifying a different trust anchor,
449 then
<code class=
"option">-a
</code> must be used to specify a file
452 <dt><span class=
"term"><code class=
"option">+[no]dlv[=DLV]
</code></span></dt>
454 Indicates whether to perform DNSSEC lookaside validation,
455 and if so, specifies the name of the DLV trust anchor.
456 The default is to perform lookaside validation using
457 a trust anchor of
"dlv.isc.org", for which there is a
458 built-in key. If specifying a different name, then
459 <code class=
"option">-a
</code> must be used to specify a file
460 containing the DLV key.
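<p>Added example (not part of the BIND documentation or distribution): a shell wrapper that runs a lookup against a server given by IP address, since the lookup of a hostname passed as <code>@server</code> is not validated, and reduces the output to a single verdict. The function names and sample outputs are constructed for illustration, and the status-line strings it matches are not listed on this page; they are assumed from the default <code>+trust</code> output.</p>

```shell
#!/bin/sh
# Added example, not part of BIND: classify the result of a delv lookup.

# Loose syntactic test for an IP literal. delv does not validate the lookup of
# a hostname given as @server, so the wrapper below accepts addresses only.
is_ip_literal() {
    case $1 in
        ''|*[!0-9a-fA-F:.]*) return 1 ;;  # empty, or a character no address has
        *:*)                 return 0 ;;  # hex digits with a colon: IPv6
        *[!0-9.]*)           return 1 ;;  # hex letters but no colon: a hostname
        *.*)                 return 0 ;;  # digits and dots: IPv4
        *)                   return 1 ;;
    esac
}

# Read delv output on stdin and print one verdict:
#   failed   - delv reported that resolution or validation failed
#   insecure - at least one status line is not "fully validated" (fail closed)
#   secure   - every status line says "fully validated"
#   unknown  - no status line seen (for example +notrust or +short output)
# Assumption: status lines start with "; " (such as "; fully validated" or
# "; unsigned answer") and error lines start with ";; resolution failed".
classify_delv() {
    awk '
        /^;; resolution failed/ { failed = 1 }
        /^; / {
            if ($0 ~ /fully validated$/) secure++; else other++
        }
        END {
            if (failed)      print "failed"
            else if (other)  print "insecure"
            else if (secure) print "secure"
            else             print "unknown"
        }'
}

# check_name SERVER_IP NAME TYPE [ANCHOR_FILE]
# Prints the verdict; the exit status is 0 only for "secure".
check_name() {
    is_ip_literal "$1" || { echo "server must be an IP address" >&2; return 2; }
    # -q and -t stop names such as "ns" or "ch" being read as a type or class.
    verdict=$(delv "@$1" -a "${4:-/etc/bind.keys}" -q "$2" -t "$3" \
                   +trust +nocrypto 2>&1 | classify_delv)
    echo "$verdict"
    [ "$verdict" = secure ]
}

# Constructed sample outputs (not captured from a real server).
SAMPLE_SECURE='; fully validated
example.com. 300 IN A 192.0.2.10
example.com. 300 IN RRSIG A 8 2 300 20150101000000 20141201000000 12345 example.com. [omitted]'
SAMPLE_UNSIGNED='; unsigned answer
example.net. 300 IN A 192.0.2.20'
SAMPLE_FAILED=';; resolution failed: broken trust chain'

# Offline demonstration on the constructed samples: secure, insecure, failed.
for sample in "$SAMPLE_SECURE" "$SAMPLE_UNSIGNED" "$SAMPLE_FAILED"; do
    printf '%s\n' "$sample" | classify_delv
done
```

<p>With a resolver available, <code>check_name 192.0.2.53 example.com A</code> runs the live lookup (the address is a documentation placeholder).</p>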
467 <div class=
"refsect1" lang=
"en">
468 <a name=
"id2671961"></a><h2>FILES
</h2>
469 <p><code class=
"filename">/etc/bind.keys
</code></p>
470 <p><code class=
"filename">/etc/resolv.conf
</code></p>
472 <div class=
"refsect1" lang=
"en">
473 <a name=
"id2671980"></a><h2>SEE ALSO
</h2>
474 <p><span class=
"citerefentry"><span class=
"refentrytitle">dig
</span>(
1)
</span>,
475 <span class=
"citerefentry"><span class=
"refentrytitle">named
</span>(
8)
</span>,
476 <em class=
"citetitle">RFC4034
</em>,
477 <em class=
"citetitle">RFC4035
</em>,
478 <em class=
"citetitle">RFC4431
</em>,
479 <em class=
"citetitle">RFC5074
</em>,
480 <em class=
"citetitle">RFC5155
</em>.
502 <p style=
"text-align: center;">BIND
9.10.2-P4
</p>