summaryrefslogtreecommitdiffstats
path: root/doc/man/delv.1in
diff options
context:
space:
mode:
Diffstat (limited to 'doc/man/delv.1in')
-rw-r--r--doc/man/delv.1in345
1 files changed, 345 insertions, 0 deletions
diff --git a/doc/man/delv.1in b/doc/man/delv.1in
new file mode 100644
index 0000000..9a2b186
--- /dev/null
+++ b/doc/man/delv.1in
@@ -0,0 +1,345 @@
+.\" Man page generated from reStructuredText.
+.
+.
+.nr rst2man-indent-level 0
+.
+.de1 rstReportMargin
+\\$1 \\n[an-margin]
+level \\n[rst2man-indent-level]
+level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
+-
+\\n[rst2man-indent0]
+\\n[rst2man-indent1]
+\\n[rst2man-indent2]
+..
+.de1 INDENT
+.\" .rstReportMargin pre:
+. RS \\$1
+. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
+. nr rst2man-indent-level +1
+.\" .rstReportMargin post:
+..
+.de UNINDENT
+. RE
+.\" indent \\n[an-margin]
+.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.nr rst2man-indent-level -1
+.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
+..
+.TH "DELV" "1" "@RELEASE_DATE@" "@BIND9_VERSION@" "BIND 9"
+.SH NAME
+delv \- DNS lookup and validation utility
+.SH SYNOPSIS
+.sp
+\fBdelv\fP [@server] [ [\fB\-4\fP] | [\fB\-6\fP] ] [\fB\-a\fP anchor\-file] [\fB\-b\fP address] [\fB\-c\fP class] [\fB\-d\fP level] [\fB\-i\fP] [\fB\-m\fP] [\fB\-p\fP port#] [\fB\-q\fP name] [\fB\-t\fP type] [\fB\-x\fP addr] [name] [type] [class] [queryopt...]
+.sp
+\fBdelv\fP [\fB\-h\fP]
+.sp
+\fBdelv\fP [\fB\-v\fP]
+.sp
+\fBdelv\fP [queryopt...] [query...]
+.SH DESCRIPTION
+.sp
+\fBdelv\fP is a tool for sending DNS queries and validating the results,
+using the same internal resolver and validator logic as \fBnamed\fP\&.
+.sp
+\fBdelv\fP sends to a specified name server all queries needed to
+fetch and validate the requested data; this includes the original
+requested query, subsequent queries to follow CNAME or DNAME chains,
+queries for DNSKEY, and DS records to establish a chain of trust for
+DNSSEC validation. It does not perform iterative resolution, but
+simulates the behavior of a name server configured for DNSSEC validating
+and forwarding.
+.sp
+By default, responses are validated using the built\-in DNSSEC trust anchor
+for the root zone (\(dq.\(dq). Records returned by \fBdelv\fP are either fully
+validated or were not signed. If validation fails, an explanation of the
+failure is included in the output; the validation process can be traced
+in detail. Because \fBdelv\fP does not rely on an external server to carry
+out validation, it can be used to check the validity of DNS responses in
+environments where local name servers may not be trustworthy.
+.sp
+Unless it is told to query a specific name server, \fBdelv\fP tries
+each of the servers listed in \fB/etc/resolv.conf\fP\&. If no usable server
+addresses are found, \fBdelv\fP sends queries to the localhost
+addresses (127.0.0.1 for IPv4, ::1 for IPv6).
+.sp
+When no command\-line arguments or options are given, \fBdelv\fP
+performs an NS query for \(dq.\(dq (the root zone).
+.SH SIMPLE USAGE
+.sp
+A typical invocation of \fBdelv\fP looks like:
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+delv @server name type
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+where:
+.INDENT 0.0
+.TP
+.B \fBserver\fP
+is the name or IP address of the name server to query. This can be an
+IPv4 address in dotted\-decimal notation or an IPv6 address in
+colon\-delimited notation. When the supplied \fBserver\fP argument is a
+hostname, \fBdelv\fP resolves that name before querying that name
+server (note, however, that this initial lookup is \fInot\fP validated by
+DNSSEC).
+.sp
+If no \fBserver\fP argument is provided, \fBdelv\fP consults
+\fB/etc/resolv.conf\fP; if an address is found there, it queries the
+name server at that address. If either of the \fB\-4\fP or \fB\-6\fP
+options is in use, then only addresses for the corresponding
+transport are tried. If no usable addresses are found, \fBdelv\fP
+sends queries to the localhost addresses (127.0.0.1 for IPv4, ::1
+for IPv6).
+.TP
+.B \fBname\fP
+is the domain name to be looked up.
+.TP
+.B \fBtype\fP
+indicates what type of query is required \- ANY, A, MX, etc.
+\fBtype\fP can be any valid query type. If no \fBtype\fP argument is
+supplied, \fBdelv\fP performs a lookup for an A record.
+.UNINDENT
+.SH OPTIONS
+.INDENT 0.0
+.TP
+.B \fB\-a anchor\-file\fP
+This option specifies a file from which to read DNSSEC trust anchors. The default
+is \fB/etc/bind.keys\fP, which is included with BIND 9 and contains one
+or more trust anchors for the root zone (\(dq.\(dq).
+.sp
+Keys that do not match the root zone name are ignored. An alternate
+key name can be specified using the \fB+root=NAME\fP options.
+.sp
+Note: When reading the trust anchor file, \fBdelv\fP treats \fBtrust\-anchors\fP,
+\fBinitial\-key\fP, and \fBstatic\-key\fP identically. That is, for a managed key,
+it is the \fIinitial\fP key that is trusted; \fI\%RFC 5011\fP key management is not
+supported. \fBdelv\fP does not consult the managed\-keys database maintained by
+\fBnamed\fP, which means that if either of the keys in \fB/etc/bind.keys\fP is
+revoked and rolled over, \fB/etc/bind.keys\fP must be updated to
+use DNSSEC validation in \fBdelv\fP\&.
+.TP
+.B \fB\-b address\fP
+This option sets the source IP address of the query to \fBaddress\fP\&. This must be
+a valid address on one of the host\(aqs network interfaces, or \fB0.0.0.0\fP,
+or \fB::\fP\&. An optional source port may be specified by appending
+\fB#<port>\fP
+.TP
+.B \fB\-c class\fP
+This option sets the query class for the requested data. Currently, only class
+\(dqIN\(dq is supported in \fBdelv\fP and any other value is ignored.
+.TP
+.B \fB\-d level\fP
+This option sets the systemwide debug level to \fBlevel\fP\&. The allowed range is
+from 0 to 99. The default is 0 (no debugging). Debugging traces from
+\fBdelv\fP become more verbose as the debug level increases. See the
+\fB+mtrace\fP, \fB+rtrace\fP, and \fB+vtrace\fP options below for
+additional debugging details.
+.TP
+.B \fB\-h\fP
+This option displays the \fBdelv\fP help usage output and exits.
+.TP
+.B \fB\-i\fP
+This option sets insecure mode, which disables internal DNSSEC validation. (Note,
+however, that this does not set the CD bit on upstream queries. If the
+server being queried is performing DNSSEC validation, then it does
+not return invalid data; this can cause \fBdelv\fP to time out. When it
+is necessary to examine invalid data to debug a DNSSEC problem, use
+\fBdig +cd\fP\&.)
+.TP
+.B \fB\-m\fP
+This option enables memory usage debugging.
+.TP
+.B \fB\-p port#\fP
+This option specifies a destination port to use for queries, instead of the
+standard DNS port number 53. This option is used with a name
+server that has been configured to listen for queries on a
+non\-standard port number.
+.TP
+.B \fB\-q name\fP
+This option sets the query name to \fBname\fP\&. While the query name can be
+specified without using the \fB\-q\fP option, it is sometimes necessary to
+disambiguate names from types or classes (for example, when looking
+up the name \(dqns\(dq, which could be misinterpreted as the type NS, or
+\(dqch\(dq, which could be misinterpreted as class CH).
+.TP
+.B \fB\-t type\fP
+This option sets the query type to \fBtype\fP, which can be any valid query type
+supported in BIND 9 except for zone transfer types AXFR and IXFR. As
+with \fB\-q\fP, this is useful to distinguish query\-name types or classes
+when they are ambiguous. It is sometimes necessary to disambiguate
+names from types.
+.sp
+The default query type is \(dqA\(dq, unless the \fB\-x\fP option is supplied
+to indicate a reverse lookup, in which case it is \(dqPTR\(dq.
+.TP
+.B \fB\-v\fP
+This option prints the \fBdelv\fP version and exits.
+.TP
+.B \fB\-x addr\fP
+This option performs a reverse lookup, mapping an address to a name. \fBaddr\fP
+is an IPv4 address in dotted\-decimal notation, or a colon\-delimited
+IPv6 address. When \fB\-x\fP is used, there is no need to provide the
+\fBname\fP or \fBtype\fP arguments; \fBdelv\fP automatically performs a
+lookup for a name like \fB11.12.13.10.in\-addr.arpa\fP and sets the
+query type to PTR. IPv6 addresses are looked up using nibble format
+under the IP6.ARPA domain.
+.TP
+.B \fB\-4\fP
+This option forces \fBdelv\fP to only use IPv4.
+.TP
+.B \fB\-6\fP
+This option forces \fBdelv\fP to only use IPv6.
+.UNINDENT
+.SH QUERY OPTIONS
+.sp
+\fBdelv\fP provides a number of query options which affect the way results
+are displayed, and in some cases the way lookups are performed.
+.sp
+Each query option is identified by a keyword preceded by a plus sign
+(\fB+\fP). Some keywords set or reset an option. These may be preceded by
+the string \fBno\fP to negate the meaning of that keyword. Other keywords
+assign values to options like the timeout interval. They have the form
+\fB+keyword=value\fP\&. The query options are:
+.INDENT 0.0
+.TP
+.B \fB+[no]cdflag\fP
+This option controls whether to set the CD (checking disabled) bit in queries
+sent by \fBdelv\fP\&. This may be useful when troubleshooting DNSSEC
+problems from behind a validating resolver. A validating resolver
+blocks invalid responses, making it difficult to retrieve them
+for analysis. Setting the CD flag on queries causes the resolver
+to return invalid responses, which \fBdelv\fP can then validate
+internally and report the errors in detail.
+.TP
+.B \fB+[no]class\fP
+This option controls whether to display the CLASS when printing a record. The
+default is to display the CLASS.
+.TP
+.B \fB+[no]ttl\fP
+This option controls whether to display the TTL when printing a record. The
+default is to display the TTL.
+.TP
+.B \fB+[no]rtrace\fP
+This option toggles resolver fetch logging. This reports the name and type of each
+query sent by \fBdelv\fP in the process of carrying out the resolution
+and validation process, including the original query
+and all subsequent queries to follow CNAMEs and to establish a chain
+of trust for DNSSEC validation.
+.sp
+This is equivalent to setting the debug level to 1 in the \(dqresolver\(dq
+logging category. Setting the systemwide debug level to 1 using the
+\fB\-d\fP option produces the same output, but affects other
+logging categories as well.
+.TP
+.B \fB+[no]mtrace\fP
+This option toggles message logging. This produces a detailed dump of the
+responses received by \fBdelv\fP in the process of carrying out the
+resolution and validation process.
+.sp
+This is equivalent to setting the debug level to 10 for the \(dqpackets\(dq
+module of the \(dqresolver\(dq logging category. Setting the systemwide
+debug level to 10 using the \fB\-d\fP option produces the same
+output, but affects other logging categories as well.
+.TP
+.B \fB+[no]vtrace\fP
+This option toggles validation logging. This shows the internal process of the
+validator as it determines whether an answer is validly signed,
+unsigned, or invalid.
+.sp
+This is equivalent to setting the debug level to 3 for the
+\(dqvalidator\(dq module of the \(dqdnssec\(dq logging category. Setting the
+systemwide debug level to 3 using the \fB\-d\fP option produces the
+same output, but affects other logging categories as well.
+.TP
+.B \fB+[no]short\fP
+This option toggles between verbose and terse answers. The default is to print the answer in a
+verbose form.
+.TP
+.B \fB+[no]comments\fP
+This option toggles the display of comment lines in the output. The default is to
+print comments.
+.TP
+.B \fB+[no]rrcomments\fP
+This option toggles the display of per\-record comments in the output (for example,
+human\-readable key information about DNSKEY records). The default is
+to print per\-record comments.
+.TP
+.B \fB+[no]crypto\fP
+This option toggles the display of cryptographic fields in DNSSEC records. The
+contents of these fields are unnecessary to debug most DNSSEC
+validation failures and removing them makes it easier to see the
+common failures. The default is to display the fields. When omitted,
+they are replaced by the string \fB[omitted]\fP or, in the DNSKEY case, the
+key ID is displayed as the replacement, e.g. \fB[ key id = value ]\fP\&.
+.TP
+.B \fB+[no]trust\fP
+This option controls whether to display the trust level when printing a record.
+The default is to display the trust level.
+.TP
+.B \fB+[no]split[=W]\fP
+This option splits long hex\- or base64\-formatted fields in resource records into
+chunks of \fBW\fP characters (where \fBW\fP is rounded up to the nearest
+multiple of 4). \fB+nosplit\fP or \fB+split=0\fP causes fields not to be
+split at all. The default is 56 characters, or 44 characters when
+multiline mode is active.
+.TP
+.B \fB+[no]all\fP
+This option sets or clears the display options \fB+[no]comments\fP,
+\fB+[no]rrcomments\fP, and \fB+[no]trust\fP as a group.
+.TP
+.B \fB+[no]multiline\fP
+This option prints long records (such as RRSIG, DNSKEY, and SOA records) in a
+verbose multi\-line format with human\-readable comments. The default
+is to print each record on a single line, to facilitate machine
+parsing of the \fBdelv\fP output.
+.TP
+.B \fB+[no]dnssec\fP
+This option indicates whether to display RRSIG records in the \fBdelv\fP output.
+The default is to do so. Note that (unlike in \fBdig\fP) this does
+\fInot\fP control whether to request DNSSEC records or to
+validate them. DNSSEC records are always requested, and validation
+always occurs unless suppressed by the use of \fB\-i\fP or
+\fB+noroot\fP\&.
+.TP
+.B \fB+[no]root[=ROOT]\fP
+This option indicates whether to perform conventional DNSSEC validation, and if so,
+specifies the name of a trust anchor. The default is to validate using a
+trust anchor of \(dq.\(dq (the root zone), for which there is a built\-in key. If
+specifying a different trust anchor, then \fB\-a\fP must be used to specify a
+file containing the key.
+.TP
+.B \fB+[no]tcp\fP
+This option controls whether to use TCP when sending queries. The default is to
+use UDP unless a truncated response has been received.
+.TP
+.B \fB+[no]unknownformat\fP
+This option prints all RDATA in unknown RR\-type presentation format (\fI\%RFC 3597\fP).
+The default is to print RDATA for known types in the type\(aqs
+presentation format.
+.TP
+.B \fB+[no]yaml\fP
+This option prints response data in YAML format.
+.UNINDENT
+.SH FILES
+.sp
+\fB/etc/bind.keys\fP
+.sp
+\fB/etc/resolv.conf\fP
+.SH SEE ALSO
+.sp
+\fBdig(1)\fP, \fBnamed(8)\fP, \fI\%RFC 4034\fP, \fI\%RFC 4035\fP, \fI\%RFC 4431\fP, \fI\%RFC 5074\fP, \fI\%RFC 5155\fP\&.
+.SH AUTHOR
+Internet Systems Consortium
+.SH COPYRIGHT
+2023, Internet Systems Consortium
+.\" Generated by docutils manpage writer.
+.