summaryrefslogtreecommitdiffstats
path: root/doc/man/dig.1in
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--doc/man/dig.1in926
1 files changed, 926 insertions, 0 deletions
diff --git a/doc/man/dig.1in b/doc/man/dig.1in
new file mode 100644
index 0000000..62154ab
--- /dev/null
+++ b/doc/man/dig.1in
@@ -0,0 +1,926 @@
+.\" Man page generated from reStructuredText.
+.
+.
+.nr rst2man-indent-level 0
+.
+.de1 rstReportMargin
+\\$1 \\n[an-margin]
+level \\n[rst2man-indent-level]
+level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
+-
+\\n[rst2man-indent0]
+\\n[rst2man-indent1]
+\\n[rst2man-indent2]
+..
+.de1 INDENT
+.\" .rstReportMargin pre:
+. RS \\$1
+. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
+. nr rst2man-indent-level +1
+.\" .rstReportMargin post:
+..
+.de UNINDENT
+. RE
+.\" indent \\n[an-margin]
+.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.nr rst2man-indent-level -1
+.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
+..
+.TH "DIG" "1" "@RELEASE_DATE@" "@PACKAGE_VERSION@" "BIND 9"
+.SH NAME
+dig \- DNS lookup utility
+.SH SYNOPSIS
+.sp
+\fBdig\fP [@server] [\fB\-b\fP address] [\fB\-c\fP class] [\fB\-f\fP filename] [\fB\-k\fP filename] [\fB\-m\fP] [\fB\-p\fP port#] [\fB\-q\fP name] [\fB\-t\fP type] [\fB\-v\fP] [\fB\-x\fP addr] [\fB\-y\fP [hmac:]name:key] [ [\fB\-4\fP] | [\fB\-6\fP] ] [name] [type] [class] [queryopt...]
+.sp
+\fBdig\fP [\fB\-h\fP]
+.sp
+\fBdig\fP [global\-queryopt...] [query...]
+.SH DESCRIPTION
+.sp
+\fBdig\fP is a flexible tool for interrogating DNS name servers. It
+performs DNS lookups and displays the answers that are returned from the
+name server(s) that were queried. Most DNS administrators use \fBdig\fP to
+troubleshoot DNS problems because of its flexibility, ease of use, and
+clarity of output. Other lookup tools tend to have less functionality
+than \fBdig\fP\&.
+.sp
+Although \fBdig\fP is normally used with command\-line arguments, it also
+has a batch mode of operation for reading lookup requests from a file. A
+brief summary of its command\-line arguments and options is printed when
+the \fI\%\-h\fP option is given. The BIND 9
+implementation of \fBdig\fP allows multiple lookups to be issued from the
+command line.
+.sp
+Unless it is told to query a specific name server, \fBdig\fP tries each
+of the servers listed in \fB/etc/resolv.conf\fP\&. If no usable server
+addresses are found, \fBdig\fP sends the query to the local host.
+.sp
+When no command\-line arguments or options are given, \fBdig\fP
+performs an NS query for \(dq.\(dq (the root).
+.sp
+It is possible to set per\-user defaults for \fBdig\fP via
+\fB${HOME}/.digrc\fP\&. This file is read and any options in it are applied
+before the command\-line arguments. The \fI\%\-r\fP option disables this
+feature, for scripts that need predictable behavior.
+.sp
+The IN and CH class names overlap with the IN and CH top\-level domain
+names. Either use the \fI\%\-t\fP and \fI\%\-c\fP options to specify the type and
+class, use the \fI\%\-q\fP to specify the domain name, or use \(dqIN.\(dq and
+\(dqCH.\(dq when looking up these top\-level domains.
+.SH SIMPLE USAGE
+.sp
+A typical invocation of \fBdig\fP looks like:
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+dig @server name type
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+where:
+.INDENT 0.0
+.TP
+.B server
+is the name or IP address of the name server to query. This can be an
+IPv4 address in dotted\-decimal notation or an IPv6 address in
+colon\-delimited notation. When the supplied \fBserver\fP argument is a
+hostname, \fBdig\fP resolves that name before querying that name
+server.
+.sp
+If no \fBserver\fP argument is provided, \fBdig\fP consults
+\fB/etc/resolv.conf\fP; if an address is found there, it queries the
+name server at that address. If either of the \fI\%\-4\fP or \fI\%\-6\fP
+options are in use, then only addresses for the corresponding
+transport are tried. If no usable addresses are found, \fBdig\fP
+sends the query to the local host. The reply from the name server
+that responds is displayed.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B name
+is the name of the resource record that is to be looked up.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B type
+indicates what type of query is required \- ANY, A, MX, SIG, etc.
+\fBtype\fP can be any valid query type. If no \fBtype\fP argument is
+supplied, \fBdig\fP performs a lookup for an A record.
+.UNINDENT
+.SH OPTIONS
+.INDENT 0.0
+.TP
+.B \-4
+This option indicates that only IPv4 should be used.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B \-6
+This option indicates that only IPv6 should be used.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B \-b address[#port]
+This option sets the source IP address of the query. The \fBaddress\fP must be a
+valid address on one of the host\(aqs network interfaces, or \(dq0.0.0.0\(dq
+or \(dq::\(dq. An optional port may be specified by appending \fB#port\fP\&.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B \-c class
+This option sets the query class. The default \fBclass\fP is IN; other classes are
+HS for Hesiod records or CH for Chaosnet records.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B \-f file
+This option sets batch mode, in which \fBdig\fP reads a list of lookup requests to process from
+the given \fBfile\fP\&. Each line in the file should be organized in the
+same way it would be presented as a query to \fBdig\fP using the
+command\-line interface.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B \-h
+Print a usage summary.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B \-k keyfile
+This option tells \fBdig\fP to sign queries using TSIG or
+SIG(0) using a key read from the given file. Key files can be
+generated using \fI\%tsig\-keygen\fP\&. When using TSIG authentication
+with \fBdig\fP, the name server that is queried needs to
+know the key and algorithm that is being used. In BIND, this is
+done by providing appropriate \fBkey\fP and \fBserver\fP statements
+in \fI\%named.conf\fP for TSIG and by looking up the KEY record
+in zone data for SIG(0).
+.UNINDENT
+.INDENT 0.0
+.TP
+.B \-m
+This option enables memory usage debugging.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B \-p port
+This option sends the query to a non\-standard port on the server, instead of the
+default port 53. This option is used to test a name server that
+has been configured to listen for queries on a non\-standard port
+number.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B \-q name
+This option specifies the domain name to query. This is useful to distinguish the \fBname\fP
+from other arguments.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B \-r
+This option indicates that options from \fB${HOME}/.digrc\fP should not be read. This is useful for
+scripts that need predictable behavior.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B \-t type
+This option indicates the resource record type to query, which can be any valid query type. If
+it is a resource record type supported in BIND 9, it can be given by
+the type mnemonic (such as \fBNS\fP or \fBAAAA\fP). The default query type is
+\fBA\fP, unless the \fI\%\-x\fP option is supplied to indicate a reverse
+lookup. A zone transfer can be requested by specifying a type of
+AXFR. When an incremental zone transfer (IXFR) is required, set the
+\fBtype\fP to \fBixfr=N\fP\&. The incremental zone transfer contains
+all changes made to the zone since the serial number in the zone\(aqs
+SOA record was \fBN\fP\&.
+.sp
+All resource record types can be expressed as \fBTYPEnn\fP, where \fBnn\fP is
+the number of the type. If the resource record type is not supported
+in BIND 9, the result is displayed as described in \fI\%RFC 3597\fP\&.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B \-u
+This option indicates that print query times should be provided in microseconds instead of milliseconds.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B \-v
+This option prints the version number and exits.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B \-x addr
+This option sets simplified reverse lookups, for mapping addresses to names. The
+\fBaddr\fP is an IPv4 address in dotted\-decimal notation, or a
+colon\-delimited IPv6 address. When the \fI\%\-x\fP option is used, there is no
+need to provide the \fBname\fP, \fBclass\fP, and \fBtype\fP arguments.
+\fBdig\fP automatically performs a lookup for a name like
+\fB94.2.0.192.in\-addr.arpa\fP and sets the query type and class to PTR
+and IN respectively. IPv6 addresses are looked up using nibble format
+under the IP6.ARPA domain.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B \-y [hmac:]keyname:secret
+This option signs queries using TSIG with the given authentication key.
+\fBkeyname\fP is the name of the key, and \fBsecret\fP is the
+base64\-encoded shared secret. \fBhmac\fP is the name of the key algorithm;
+valid choices are \fBhmac\-md5\fP, \fBhmac\-sha1\fP, \fBhmac\-sha224\fP,
+\fBhmac\-sha256\fP, \fBhmac\-sha384\fP, or \fBhmac\-sha512\fP\&. If \fBhmac\fP is
+not specified, the default is \fBhmac\-md5\fP; if MD5 was disabled, the default is
+\fBhmac\-sha256\fP\&.
+.UNINDENT
+.sp
+\fBNOTE:\fP
+.INDENT 0.0
+.INDENT 3.5
+Only the \fI\%\-k\fP option should be used, rather than the \fI\%\-y\fP option,
+because with \fI\%\-y\fP the shared secret is supplied as a command\-line
+argument in clear text. This may be visible in the output from \fBps1\fP or
+in a history file maintained by the user\(aqs shell.
+.UNINDENT
+.UNINDENT
+.SH QUERY OPTIONS
+.sp
+\fBdig\fP provides a number of query options which affect the way in which
+lookups are made and the results displayed. Some of these set or reset
+flag bits in the query header, some determine which sections of the
+answer get printed, and others determine the timeout and retry
+strategies.
+.sp
+Each query option is identified by a keyword preceded by a plus sign
+(\fB+\fP). Some keywords set or reset an option; these may be preceded by
+the string \fBno\fP to negate the meaning of that keyword. Other keywords
+assign values to options, like the timeout interval. They have the form
+\fB+keyword=value\fP\&. Keywords may be abbreviated, provided the
+abbreviation is unambiguous; for example, \fI\%+cd\fP is equivalent to
+\fI\%+cdflag\fP\&. The query options are:
+.INDENT 0.0
+.TP
+.B +aaflag, +noaaflag
+This option is a synonym for \fI\%+aaonly\fP, \fI\%+noaaonly\fP\&.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B +aaonly, +noaaonly
+This option sets the \fBaa\fP flag in the query.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B +additional, +noadditional
+This option displays [or does not display] the additional section of a reply. The
+default is to display it.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B +adflag, +noadflag
+This option sets [or does not set] the AD (authentic data) bit in the query. This
+requests the server to return whether all of the answer and authority
+sections have been validated as secure, according to the security
+policy of the server. \fBAD=1\fP indicates that all records have been
+validated as secure and the answer is not from a OPT\-OUT range. \fBAD=0\fP
+indicates that some part of the answer was insecure or not validated.
+This bit is set by default.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B +all, +noall
+This option sets or clears all display flags.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B +answer, +noanswer
+This option displays [or does not display] the answer section of a reply. The default
+is to display it.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B +authority, +noauthority
+This option displays [or does not display] the authority section of a reply. The
+default is to display it.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B +badcookie, +nobadcookie
+This option retries the lookup with a new server cookie if a BADCOOKIE response is
+received.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B +besteffort, +nobesteffort
+This option attempts to display the contents of messages which are malformed. The
+default is to not display malformed answers.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B +bufsize[=B]
+This option sets the UDP message buffer size advertised using EDNS0 to
+\fBB\fP bytes. The maximum and minimum sizes of this buffer are 65535 and
+0, respectively. \fB+bufsize\fP restores the default buffer size.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B +cd, +cdflag, +nocdflag
+This option sets [or does not set] the CD (checking disabled) bit in the query. This
+requests the server to not perform DNSSEC validation of responses.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B +class, +noclass
+This option displays [or does not display] the CLASS when printing the record.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B +cmd, +nocmd
+This option toggles the printing of the initial comment in the output, identifying the
+version of \fBdig\fP and the query options that have been applied. This option
+always has a global effect; it cannot be set globally and then overridden on a
+per\-lookup basis. The default is to print this comment.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B +comments, +nocomments
+This option toggles the display of some comment lines in the output, with
+information about the packet header and OPT pseudosection, and the names of
+the response section. The default is to print these comments.
+.sp
+Other types of comments in the output are not affected by this option, but
+can be controlled using other command\-line switches. These include
+\fI\%+cmd\fP, \fI\%+question\fP, \fI\%+stats\fP, and \fI\%+rrcomments\fP\&.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B +cookie=####, +nocookie
+This option sends [or does not send] a COOKIE EDNS option, with an optional value. Replaying a COOKIE
+from a previous response allows the server to identify a previous
+client. The default is \fB+cookie\fP\&.
+.sp
+\fB+cookie\fP is also set when \fI\%+trace\fP is set to better emulate the
+default queries from a nameserver.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B +crypto, +nocrypto
+This option toggles the display of cryptographic fields in DNSSEC records. The
+contents of these fields are unnecessary for debugging most DNSSEC
+validation failures and removing them makes it easier to see the
+common failures. The default is to display the fields. When omitted,
+they are replaced by the string \fB[omitted]\fP or, in the DNSKEY case, the
+key ID is displayed as the replacement, e.g. \fB[ key id = value ]\fP\&.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B +defname, +nodefname
+This option, which is deprecated, is treated as a synonym for
+\fI\%+search\fP, \fI\%+nosearch\fP\&.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B +dns64prefix, +nodns64prefix
+Lookup IPV4ONLY.ARPA AAAA and print any DNS64 prefixes found.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B +dnssec, +do, +nodnssec, +nodo
+This option requests that DNSSEC records be sent by setting the DNSSEC OK (DO) bit in
+the OPT record in the additional section of the query.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B +domain=somename
+This option sets the search list to contain the single domain \fBsomename\fP, as if
+specified in a \fBdomain\fP directive in \fB/etc/resolv.conf\fP, and
+enables search list processing as if the \fI\%+search\fP option were
+given.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B +dscp=value
+This option formerly set the DSCP value used when sending a query.
+It is now obsolete, and has no effect.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B +edns[=#], +noedns
+This option specifies the EDNS version to query with. Valid values are 0 to 255.
+Setting the EDNS version causes an EDNS query to be sent.
+\fB+noedns\fP clears the remembered EDNS version. EDNS is set to 0 by
+default.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B +ednsflags[=#], +noednsflags
+This option sets the must\-be\-zero EDNS flags bits (Z bits) to the specified value.
+Decimal, hex, and octal encodings are accepted. Setting a named flag
+(e.g., DO) is silently ignored. By default, no Z bits are set.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B +ednsnegotiation, +noednsnegotiation
+This option enables/disables EDNS version negotiation. By default, EDNS version
+negotiation is enabled.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B +ednsopt[=code[:value]], +noednsopt
+This option specifies the EDNS option with code point \fBcode\fP and an optional payload
+of \fBvalue\fP as a hexadecimal string. \fBcode\fP can be either an EDNS
+option name (for example, \fBNSID\fP or \fBECS\fP) or an arbitrary
+numeric value. \fB+noednsopt\fP clears the EDNS options to be sent.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B +expire, +noexpire
+This option sends an EDNS Expire option.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B +fail, +nofail
+This option indicates that \fI\%named\fP should try [or not try] the next server if a SERVFAIL is received. The default is
+to not try the next server, which is the reverse of normal stub
+resolver behavior.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B +fuzztime[=value], +nofuzztime
+This option allows the signing time to be specified when generating
+signed messages. If a value is specified it is the seconds since
+00:00:00 January 1, 1970 UTC ignoring leap seconds. If no value
+is specified 1646972129 (Fri 11 Mar 2022 04:15:29 UTC) is used.
+The default is \fB+nofuzztime\fP and the current time is used.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B +header\-only, +noheader\-only
+This option sends a query with a DNS header without a question section. The
+default is to add a question section. The query type and query name
+are ignored when this is set.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B +https[=value], +nohttps
+This option indicates whether to use DNS over HTTPS (DoH) when querying
+name servers. When this option is in use, the port number defaults to 443.
+The HTTP POST request mode is used when sending the query.
+.sp
+If \fBvalue\fP is specified, it will be used as the HTTP endpoint in the
+query URI; the default is \fB/dns\-query\fP\&. So, for example, \fBdig
+@example.com +https\fP will use the URI \fBhttps://example.com/dns\-query\fP\&.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B +https\-get[=value], +nohttps\-get
+Similar to \fI\%+https\fP, except that the HTTP GET request mode is used
+when sending the query.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B +https\-post[=value], +nohttps\-post
+Same as \fI\%+https\fP\&.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B +http\-plain[=value], +nohttp\-plain
+Similar to \fI\%+https\fP, except that HTTP queries will be sent over a
+non\-encrypted channel. When this option is in use, the port number
+defaults to 80 and the HTTP request mode is POST.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B +http\-plain\-get[=value], +nohttp\-plain\-get
+Similar to \fI\%+http\-plain\fP, except that the HTTP request mode is GET.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B +http\-plain\-post[=value], +nohttp\-plain\-post
+Same as \fI\%+http\-plain\fP\&.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B +identify, +noidentify
+This option shows [or does not show] the IP address and port number that
+supplied the answer, when the \fI\%+short\fP option is enabled. If short
+form answers are requested, the default is not to show the source
+address and port number of the server that provided the answer.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B +idnin, +noidnin
+This option processes [or does not process] IDN domain names on input. This requires
+\fBIDN SUPPORT\fP to have been enabled at compile time.
+.sp
+The default is to process IDN input when standard output is a tty.
+The IDN processing on input is disabled when \fBdig\fP output is redirected
+to files, pipes, and other non\-tty file descriptors.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B +idnout, +noidnout
+This option converts [or does not convert] puny code on output. This requires
+\fBIDN SUPPORT\fP to have been enabled at compile time.
+.sp
+The default is to process puny code on output when standard output is
+a tty. The puny code processing on output is disabled when \fBdig\fP output
+is redirected to files, pipes, and other non\-tty file descriptors.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B +ignore, +noignore
+This option ignores [or does not ignore] truncation in UDP responses instead of retrying with TCP. By
+default, TCP retries are performed.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B +keepalive, +nokeepalive
+This option sends [or does not send] an EDNS Keepalive option.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B +keepopen, +nokeepopen
+This option keeps [or does not keep] the TCP socket open between queries, and reuses it rather than
+creating a new TCP socket for each lookup. The default is
+\fB+nokeepopen\fP\&.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B +multiline, +nomultiline
+This option prints [or does not print] records, like the SOA records, in a verbose multi\-line format
+with human\-readable comments. The default is to print each record on
+a single line to facilitate machine parsing of the \fBdig\fP output.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B +ndots=D
+This option sets the number of dots (\fBD\fP) that must appear in \fBname\fP for
+it to be considered absolute. The default value is that defined using
+the \fBndots\fP statement in \fB/etc/resolv.conf\fP, or 1 if no \fBndots\fP
+statement is present. Names with fewer dots are interpreted as
+relative names, and are searched for in the domains listed in the
+\fBsearch\fP or \fBdomain\fP directive in \fB/etc/resolv.conf\fP if
+\fI\%+search\fP is set.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B +nsid, +nonsid
+When enabled, this option includes an EDNS name server ID request when sending a query.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B +nssearch, +nonssearch
+When this option is set, \fBdig\fP attempts to find the authoritative
+name servers for the zone containing the name being looked up, and
+display the SOA record that each name server has for the zone.
+Addresses of servers that did not respond are also printed.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B +onesoa, +noonesoa
+When enabled, this option prints only one (starting) SOA record when performing an AXFR. The
+default is to print both the starting and ending SOA records.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B +opcode=value, +noopcode
+When enabled, this option sets (restores) the DNS message opcode to the specified value. The
+default value is QUERY (0).
+.UNINDENT
+.INDENT 0.0
+.TP
+.B +padding=value
+This option pads the size of the query packet using the EDNS Padding option to
+blocks of \fBvalue\fP bytes. For example, \fB+padding=32\fP causes a
+48\-byte query to be padded to 64 bytes. The default block size is 0,
+which disables padding; the maximum is 512. Values are ordinarily
+expected to be powers of two, such as 128; however, this is not
+mandatory. Responses to padded queries may also be padded, but only
+if the query uses TCP or DNS COOKIE.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B +qid=value
+This option specifies the query ID to use when sending queries.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B +qr, +noqr
+This option toggles the display of the query message as it is sent. By default, the query
+is not printed.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B +question, +noquestion
+This option toggles the display of the question section of a query when an answer is
+returned. The default is to print the question section as a comment.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B +raflag, +noraflag
+This option sets [or does not set] the RA (Recursion Available) bit in the query. The
+default is \fB+noraflag\fP\&. This bit is ignored by the server for
+QUERY.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B +rdflag, +nordflag
+This option is a synonym for \fI\%+recurse\fP, \fI\%+norecurse\fP\&.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B +recurse, +norecurse
+This option toggles the setting of the RD (recursion desired) bit in the query.
+This bit is set by default, which means \fBdig\fP normally sends
+recursive queries. Recursion is automatically disabled when the
+\fI\%+nssearch\fP or \fI\%+trace\fP query option is used.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B +retry=T
+This option sets the number of times to retry UDP and TCP queries to server to \fBT\fP
+instead of the default, 2. Unlike \fI\%+tries\fP, this does not include
+the initial query.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B +rrcomments, +norrcomments
+This option toggles the display of per\-record comments in the output (for example,
+human\-readable key information about DNSKEY records). The default is
+not to print record comments unless multiline mode is active.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B +search, +nosearch
+This option uses [or does not use] the search list defined by the searchlist or domain
+directive in \fBresolv.conf\fP, if any. The search list is not used by
+default.
+.sp
+\fBndots\fP from \fBresolv.conf\fP (default 1), which may be overridden by
+\fI\%+ndots\fP, determines whether the name is treated as relative
+and hence whether a search is eventually performed.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B +short, +noshort
+This option toggles whether a terse answer is provided. The default is to print the answer in a verbose
+form. This option always has a global effect; it cannot be set globally and
+then overridden on a per\-lookup basis.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B +showbadcookie, +noshowbadcookie
+This option toggles whether to show the message containing the
+BADCOOKIE rcode before retrying the request or not. The default
+is to not show the messages.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B +showsearch, +noshowsearch
+This option performs [or does not perform] a search showing intermediate results.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B +sigchase, +nosigchase
+This feature is now obsolete and has been removed; use \fI\%delv\fP
+instead.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B +split=W
+This option splits long hex\- or base64\-formatted fields in resource records into
+chunks of \fBW\fP characters (where \fBW\fP is rounded up to the nearest
+multiple of 4). \fB+nosplit\fP or \fB+split=0\fP causes fields not to be
+split at all. The default is 56 characters, or 44 characters when
+multiline mode is active.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B +stats, +nostats
+This option toggles the printing of statistics: when the query was made, the size of the
+reply, etc. The default behavior is to print the query statistics as a
+comment after each lookup.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B +subnet=addr[/prefix\-length], +nosubnet
+This option sends [or does not send] an EDNS CLIENT\-SUBNET option with the specified IP
+address or network prefix.
+.sp
+\fBdig +subnet=0.0.0.0/0\fP, or simply \fBdig +subnet=0\fP for short,
+sends an EDNS CLIENT\-SUBNET option with an empty address and a source
+prefix\-length of zero, which signals a resolver that the client\(aqs
+address information must \fInot\fP be used when resolving this query.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B +tcflag, +notcflag
+This option sets [or does not set] the TC (TrunCation) bit in the query. The default is
+\fB+notcflag\fP\&. This bit is ignored by the server for QUERY.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B +tcp, +notcp
+This option indicates whether to use TCP when querying name
+servers. The default behavior is to use UDP unless a type \fBany\fP
+or \fBixfr=N\fP query is requested, in which case the default is
+TCP. AXFR queries always use TCP. To prevent retry over TCP when
+TC=1 is returned from a UDP query, use \fB+ignore\fP\&.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B +timeout=T
+This option sets the timeout for a query to \fBT\fP seconds. The default timeout is
+5 seconds. An attempt to set \fBT\fP to less than 1 is silently set to 1.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B +tls, +notls
+This option indicates whether to use DNS over TLS (DoT) when querying
+name servers. When this option is in use, the port number defaults
+to 853.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B +tls\-ca[=file\-name], +notls\-ca
+This option enables remote server TLS certificate validation for
+DNS transports, relying on TLS. Certificate authorities
+certificates are loaded from the specified PEM file
+(\fBfile\-name\fP). If the file is not specified, the default
+certificates from the global certificates store are used.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B +tls\-certfile=file\-name, +tls\-keyfile=file\-name, +notls\-certfile, +notls\-keyfile
+These options set the state of certificate\-based client
+authentication for DNS transports, relying on TLS. Both certificate
+chain file and private key file are expected to be in PEM format.
+Both options must be specified at the same time.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B +tls\-hostname=hostname, +notls\-hostname
+This option makes \fBdig\fP use the provided hostname during remote
+server TLS certificate verification. Otherwise, the DNS server name
+is used. This option has no effect if \fI\%+tls\-ca\fP is not specified.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B +topdown, +notopdown
+This feature is related to \fI\%dig +sigchase\fP, which is obsolete and
+has been removed. Use \fI\%delv\fP instead.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B +trace, +notrace
+This option toggles tracing of the delegation path from the root name servers for
+the name being looked up. Tracing is disabled by default. When
+tracing is enabled, \fBdig\fP makes iterative queries to resolve the
+name being looked up. It follows referrals from the root servers,
+showing the answer from each server that was used to resolve the
+lookup.
+.sp
+If \fB@server\fP is also specified, it affects only the initial query for
+the root zone name servers.
+.sp
+\fI\%+dnssec\fP is also set when \fI\%+trace\fP is set, to better emulate the
+default queries from a name server.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B +tries=T
+This option sets the number of times to try UDP and TCP queries to server to \fBT\fP
+instead of the default, 3. If \fBT\fP is less than or equal to zero,
+the number of tries is silently rounded up to 1.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B +trusted\-key=####
+This option formerly specified trusted keys for use with \fI\%dig +sigchase\fP\&. This
+feature is now obsolete and has been removed; use \fI\%delv\fP instead.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B +ttlid, +nottlid
+This option displays [or does not display] the TTL when printing the record.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B +ttlunits, +nottlunits
+This option displays [or does not display] the TTL in friendly human\-readable time
+units of \fBs\fP, \fBm\fP, \fBh\fP, \fBd\fP, and \fBw\fP, representing seconds, minutes,
+hours, days, and weeks. This implies \fI\%+ttlid\fP\&.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B +unknownformat, +nounknownformat
+This option prints all RDATA in unknown RR type presentation format (\fI\%RFC 3597\fP).
+The default is to print RDATA for known types in the type\(aqs
+presentation format.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B +vc, +novc
+This option uses [or does not use] TCP when querying name servers. This alternate
+syntax to \fI\%+tcp\fP is provided for backwards compatibility. The
+\fBvc\fP stands for \(dqvirtual circuit.\(dq
+.UNINDENT
+.INDENT 0.0
+.TP
+.B +yaml, +noyaml
+When enabled, this option prints the responses (and, if \fI\%+qr\fP is in use, also the
+outgoing queries) in a detailed YAML format.
+.UNINDENT
+.INDENT 0.0
+.TP
+.B +zflag, +nozflag
+This option sets [or does not set] the last unassigned DNS header flag in a DNS query.
+This flag is off by default.
+.UNINDENT
+.SH MULTIPLE QUERIES
+.sp
+The BIND 9 implementation of \fBdig\fP supports specifying multiple
+queries on the command line (in addition to supporting the \fI\%\-f\fP batch
+file option). Each of those queries can be supplied with its own set of
+flags, options, and query options.
+.sp
+In this case, each \fBquery\fP argument represents an individual query in
+the command\-line syntax described above. Each consists of any of the
+standard options and flags, the name to be looked up, an optional query
+type and class, and any query options that should be applied to that
+query.
+.sp
+A global set of query options, which should be applied to all queries,
+can also be supplied. These global query options must precede the first
+tuple of name, class, type, options, flags, and query options supplied
+on the command line. Any global query options (except \fI\%+cmd\fP and
+\fI\%+short\fP options) can be overridden by a query\-specific set of
+query options. For example:
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+dig +qr www.isc.org any \-x 127.0.0.1 isc.org ns +noqr
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
+.sp
+shows how \fBdig\fP can be used from the command line to make three
+lookups: an ANY query for \fBwww.isc.org\fP, a reverse lookup of 127.0.0.1,
+and a query for the NS records of \fBisc.org\fP\&. A global query option of
+\fI\%+qr\fP is applied, so that \fBdig\fP shows the initial query it made for
+each lookup. The final query has a local query option of \fI\%+noqr\fP which
+means that \fBdig\fP does not print the initial query when it looks up the
+NS records for \fBisc.org\fP\&.
+.SH IDN SUPPORT
+.sp
+If \fBdig\fP has been built with IDN (internationalized domain name)
+support, it can accept and display non\-ASCII domain names. \fBdig\fP
+appropriately converts character encoding of a domain name before sending
+a request to a DNS server or displaying a reply from the server.
+To turn off IDN support, use the parameters
+\fI\%+idnin\fP and \fI\%+idnout\fP, or define the \fBIDN_DISABLE\fP environment
+variable.
+.SH RETURN CODES
+.sp
+\fBdig\fP return codes are:
+.INDENT 0.0
+.TP
+.B \fB0\fP
+DNS response received, including NXDOMAIN status
+.TP
+.B \fB1\fP
+Usage error
+.TP
+.B \fB8\fP
+Couldn\(aqt open batch file
+.TP
+.B \fB9\fP
+No reply from server
+.TP
+.B \fB10\fP
+Internal error
+.UNINDENT
+.SH FILES
+.sp
+\fB/etc/resolv.conf\fP
+.sp
+\fB${HOME}/.digrc\fP
+.SH SEE ALSO
+.sp
+\fI\%delv(1)\fP, \fI\%host(1)\fP, \fI\%named(8)\fP, \fI\%dnssec\-keygen(8)\fP, \fI\%RFC 1035\fP\&.
+.SH BUGS
+.sp
+There are probably too many query options.
+.SH AUTHOR
+Internet Systems Consortium
+.SH COPYRIGHT
+2023, Internet Systems Consortium
+.\" Generated by docutils manpage writer.
+.