From ea648e70a989cca190cd7403fe892fd2dcc290b4 Mon Sep 17 00:00:00 2001
From: Daniel Baumann
Date: Sun, 5 May 2024 20:37:14 +0200
Subject: Adding upstream version 1:9.11.5.P4+dfsg.

Signed-off-by: Daniel Baumann
---
 bin/delv/delv.docbook | 701 ++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 701 insertions(+)
 create mode 100644 bin/delv/delv.docbook

diff --git a/bin/delv/delv.docbook b/bin/delv/delv.docbook
new file mode 100644
index 0000000..f8c4f79
--- /dev/null
+++ b/bin/delv/delv.docbook
@@ -0,0 +1,701 @@ +]> + + + + + + 2014-04-23 + + + ISC + Internet Systems Consortium, Inc. + + + + delv + 1 + BIND9 + + + + delv + DNS lookup and validation utility + + + + + 2014 + 2015 + 2016 + 2017 + 2018 + 2019 + Internet Systems Consortium, Inc. ("ISC") + + + + + + delv + @server + + + + + + + + + + + + + + + name + type + class + queryopt + + + + delv + + + + + delv + + + + + delv + queryopt + query + + + + DESCRIPTION + + delv + is a tool for sending + DNS queries and validating the results, using the same internal + resolver and validator logic as named. + + + delv will send to a specified name server all + queries needed to fetch and validate the requested data; this + includes the original requested query, subsequent queries to follow + CNAME or DNAME chains, and queries for DNSKEY, DS and DLV records + to establish a chain of trust for DNSSEC validation. + It does not perform iterative resolution, but simulates the + behavior of a name server configured for DNSSEC validating and + forwarding. + + + By default, responses are validated using built-in DNSSEC trust + anchor for the root zone ("."). Records returned by + delv are either fully validated or + were not signed. If validation fails, an explanation of + the failure is included in the output; the validation process + can be traced in detail. Because delv does + not rely on an external server to carry out validation, it can + be used to check the validity of DNS responses in environments + where local name servers may not be trustworthy. + + + Unless it is told to query a specific name server, + delv will try each of the servers listed in + /etc/resolv.conf. If no usable server + addresses are found, delv will send + queries to the localhost addresses (127.0.0.1 for IPv4, ::1 + for IPv6). + + + When no command line arguments or options are given, + delv will perform an NS query for "." + (the root zone). 
+ + + + SIMPLE USAGE + + + + A typical invocation of delv looks like: + delv @server name type + where: + + + + server + + + is the name or IP address of the name server to query. This + can be an IPv4 address in dotted-decimal notation or an IPv6 + address in colon-delimited notation. When the supplied + server argument is a hostname, + delv resolves that name before + querying that name server (note, however, that this + initial lookup is not validated + by DNSSEC). + + + If no server argument is + provided, delv consults + /etc/resolv.conf; if an + address is found there, it queries the name server at + that address. If either of the or + options are in use, then + only addresses for the corresponding transport + will be tried. If no usable addresses are found, + delv will send queries to + the localhost addresses (127.0.0.1 for IPv4, + ::1 for IPv6). + + + + + + name + + + is the domain name to be looked up. + + + + + + type + + + indicates what type of query is required — + ANY, A, MX, etc. + type can be any valid query + type. If no + type argument is supplied, + delv will perform a lookup for an + A record. + + + + + + + + + + OPTIONS + + + + + -a anchor-file + + + Specifies a file from which to read DNSSEC trust anchors. + The default is /etc/bind.keys, which + is included with BIND 9 and contains + one or more trust anchors for the root zone ("."). + + + Keys that do not match the root zone name are ignored. + An alternate key name can be specified using the + options. DNSSEC Lookaside + Validation can also be turned on by using the + to specify the name of a + zone containing DLV records. + + + Note: When reading the trust anchor file, + delv treats + statements and statements + identically. That is, for a managed key, it is the + initial key that is trusted; RFC 5011 + key management is not supported. delv + will not consult the managed-keys database maintained by + named. 
This means that if either of the + keys in /etc/bind.keys is revoked + and rolled over, it will be necessary to update + /etc/bind.keys to use DNSSEC + validation in delv. + + + + + + -b address + + + Sets the source IP address of the query to + address. This must be a valid address + on one of the host's network interfaces or "0.0.0.0" or "::". + An optional source port may be specified by appending + "#<port>" + + + + + + -c class + + + Sets the query class for the requested data. Currently, + only class "IN" is supported in delv + and any other value is ignored. + + + + + + -d level + + + Set the systemwide debug level to . + The allowed range is from 0 to 99. + The default is 0 (no debugging). + Debugging traces from delv become + more verbose as the debug level increases. + See the , , + and options below for additional + debugging details. + + + + + + -h + + + Display the delv help usage output and exit. + + + + + + -i + + + Insecure mode. This disables internal DNSSEC validation. + (Note, however, this does not set the CD bit on upstream + queries. If the server being queried is performing DNSSEC + validation, then it will not return invalid data; this + can cause delv to time out. When it + is necessary to examine invalid data to debug a DNSSEC + problem, use dig +cd.) + + + + + + -m + + + Enables memory usage debugging. + + + + + + -p port# + + + Specifies a destination port to use for queries instead of + the standard DNS port number 53. This option would be used + with a name server that has been configured to listen + for queries on a non-standard port number. + + + + + + -q name + + + Sets the query name to name. + While the query name can be specified without using the + , it is sometimes necessary to disambiguate + names from types or classes (for example, when looking up the + name "ns", which could be misinterpreted as the type NS, + or "ch", which could be misinterpreted as class CH). 
+ + + + + + -t type + + + Sets the query type to type, which + can be any valid query type supported in BIND 9 except + for zone transfer types AXFR and IXFR. As with + , this is useful to distinguish + query name type or class when they are ambiguous. + it is sometimes necessary to disambiguate names from types. + + + The default query type is "A", unless the + option is supplied to indicate a reverse lookup, in which case + it is "PTR". + + + + + + -v + + + Print the delv version and exit. + + + + + + -x addr + + + Performs a reverse lookup, mapping an addresses to + a name. addr is an IPv4 address in + dotted-decimal notation, or a colon-delimited IPv6 address. + When is used, there is no need to provide + the name or type + arguments. delv automatically performs a + lookup for a name like 11.12.13.10.in-addr.arpa + and sets the query type to PTR. IPv6 addresses are looked up + using nibble format under the IP6.ARPA domain. + + + + + + -4 + + + Forces delv to only use IPv4. + + + + + + -6 + + + Forces delv to only use IPv6. + + + + + + + + QUERY OPTIONS + + + delv + provides a number of query options which affect the way results are + displayed, and in some cases the way lookups are performed. + + + + Each query option is identified by a keyword preceded by a plus sign + (+). Some keywords set or reset an + option. These may be preceded by the string + no to negate the meaning of that keyword. + Other keywords assign values to options like the timeout interval. + They have the form . + The query options are: + + + + + + + Controls whether to set the CD (checking disabled) bit in + queries sent by delv. This may be useful + when troubleshooting DNSSEC problems from behind a validating + resolver. A validating resolver will block invalid responses, + making it difficult to retrieve them for analysis. Setting + the CD flag on queries will cause the resolver to return + invalid responses, which delv can then + validate internally and report the errors in detail. 
+ + + + + + + + + Controls whether to display the CLASS when printing + a record. The default is to display the CLASS. + + + + + + + + + Controls whether to display the TTL when printing + a record. The default is to display the TTL. + + + + + + + + + Toggle resolver fetch logging. This reports the + name and type of each query sent by delv + in the process of carrying out the resolution and validation + process: this includes including the original query and + all subsequent queries to follow CNAMEs and to establish a + chain of trust for DNSSEC validation. + + + This is equivalent to setting the debug level to 1 in + the "resolver" logging category. Setting the systemwide + debug level to 1 using the option will + product the same output (but will affect other logging + categories as well). + + + + + + + + + Toggle message logging. This produces a detailed dump of + the responses received by delv in the + process of carrying out the resolution and validation process. + + + This is equivalent to setting the debug level to 10 + for the "packets" module of the "resolver" logging + category. Setting the systemwide debug level to 10 using + the option will produce the same output + (but will affect other logging categories as well). + + + + + + + + + Toggle validation logging. This shows the internal + process of the validator as it determines whether an + answer is validly signed, unsigned, or invalid. + + + This is equivalent to setting the debug level to 3 + for the "validator" module of the "dnssec" logging + category. Setting the systemwide debug level to 3 using + the option will produce the same output + (but will affect other logging categories as well). + + + + + + + + + Provide a terse answer. The default is to print the answer in a + verbose form. + + + + + + + + + Toggle the display of comment lines in the output. The default + is to print comments. 
+ + + + + + + + + Toggle the display of per-record comments in the output (for + example, human-readable key information about DNSKEY records). + The default is to print per-record comments. + + + + + + + + + Toggle the display of cryptographic fields in DNSSEC records. + The contents of these field are unnecessary to debug most DNSSEC + validation failures and removing them makes it easier to see + the common failures. The default is to display the fields. + When omitted they are replaced by the string "[omitted]" or + in the DNSKEY case the key id is displayed as the replacement, + e.g. "[ key id = value ]". + + + + + + + + + Controls whether to display the trust level when printing + a record. The default is to display the trust level. + + + + + + + + + Split long hex- or base64-formatted fields in resource + records into chunks of W characters + (where W is rounded up to the nearest + multiple of 4). + +nosplit or + +split=0 causes fields not to be + split at all. The default is 56 characters, or 44 characters + when multiline mode is active. + + + + + + + + + Set or clear the display options + , + , and + as a group. + + + + + + + + + Print long records (such as RRSIG, DNSKEY, and SOA records) + in a verbose multi-line format with human-readable comments. + The default is to print each record on a single line, to + facilitate machine parsing of the delv + output. + + + + + + + + + Indicates whether to display RRSIG records in the + delv output. The default is to + do so. Note that (unlike in dig) + this does not control whether to + request DNSSEC records or whether to validate them. + DNSSEC records are always requested, and validation + will always occur unless suppressed by the use of + or and + . + + + + + + + + + Indicates whether to perform conventional (non-lookaside) + DNSSEC validation, and if so, specifies the + name of a trust anchor. The default is to validate using + a trust anchor of "." (the root zone), for which there is + a built-in key. 
If specifying a different trust anchor, + then must be used to specify a file + containing the key. + + + + + + + + + Indicates whether to perform DNSSEC lookaside validation, + and if so, specifies the name of the DLV trust anchor. + The option must also be used to specify + a file containing the DLV key. + + + + + + + + + Controls whether to use TCP when sending queries. + The default is to use UDP unless a truncated + response has been received. + + + + + + + + + Print all RDATA in unknown RR type presentation format + (RFC 3597). The default is to print RDATA for known types + in the type's presentation format. + + + + + + + + + FILES + + /etc/bind.keys + /etc/resolv.conf + + + SEE ALSO + + + dig1 + , + + named8 + , + RFC4034, + RFC4035, + RFC4431, + RFC5074, + RFC5155. + + + + -- cgit v1.2.3
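Review bot: the new man page text carries several wording defects in the OPTIONS and QUERY OPTIONS sections that should be fixed before this lands. The `-t type` entry ends with a stray lowercase fragment, "it is sometimes necessary to disambiguate names from types.", which repeats the sentence before it; delete it. Under `-x addr`, "mapping an addresses to a name" should read "mapping an address to a name". In the resolver fetch logging entry, "this includes including the original query" doubles the verb (use "this includes the original query"), and "will product the same output" should be "will produce the same output". The cryptographic-fields display entry has "The contents of these field are unnecessary" (should be "fields"), and the last sentence of the `-b address` entry, 'An optional source port may be specified by appending "#<port>"', is missing its terminating period. The two caveats that matter most to readers, that the initial lookup of a hostname given as @server is not DNSSEC-validated and that `-i` disables internal validation without setting CD on upstream queries, are stated accurately and should stay as written.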