delv.html revision 2ae159b376dac23870d8005563c585acf85a4b5a
279c6ec074be17dce62dd1b2c6ed7c2cc56a7b78David Lawrence - Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC")
281bfa2a98f1d1721538086e1b550185559f1d8bMark Andrews - Permission to use, copy, modify, and/or distribute this software for any
40f53fa8d9c6a4fc38c0014495e7a42b08f52481David Lawrence - purpose with or without fee is hereby granted, provided that the above
7de2c6e6d51f38daeb2d346f3f21dc01ccece6daEvan Hunt - copyright notice and this permission notice appear in all copies.
279c6ec074be17dce62dd1b2c6ed7c2cc56a7b78David Lawrence - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
40f53fa8d9c6a4fc38c0014495e7a42b08f52481David Lawrence - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
281bfa2a98f1d1721538086e1b550185559f1d8bMark Andrews - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
281bfa2a98f1d1721538086e1b550185559f1d8bMark Andrews - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
281bfa2a98f1d1721538086e1b550185559f1d8bMark Andrews - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
281bfa2a98f1d1721538086e1b550185559f1d8bMark Andrews - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
281bfa2a98f1d1721538086e1b550185559f1d8bMark Andrews - PERFORMANCE OF THIS SOFTWARE.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
a14613fce99dee3cad5bf842fd6be78f8e463582Brian Wellington<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
279c6ec074be17dce62dd1b2c6ed7c2cc56a7b78David Lawrence<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
279c6ec074be17dce62dd1b2c6ed7c2cc56a7b78David Lawrence<a name="man.delve"></a><div class="titlepage"></div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>delve — DNS lookup and validation utility</p>
a30e7fc23415fd238d067a8a871607bca36068baMichael Graff<div class="cmdsynopsis"><p><code class="command">delve</code> [@server] [<code class="option">-4</code>] [<code class="option">-6</code>] [<code class="option">-a <em class="replaceable"><code>anchor-file</code></em></code>] [<code class="option">-b <em class="replaceable"><code>address</code></em></code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-d <em class="replaceable"><code>level</code></em></code>] [<code class="option">-i</code>] [<code class="option">-m</code>] [<code class="option">-p <em class="replaceable"><code>port#</code></em></code>] [<code class="option">-q <em class="replaceable"><code>name</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-x <em class="replaceable"><code>addr</code></em></code>] [name] [type] [class] [queryopt...]</p></div>
a30e7fc23415fd238d067a8a871607bca36068baMichael Graff<div class="cmdsynopsis"><p><code class="command">delve</code> [<code class="option">-h</code>]</p></div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="cmdsynopsis"><p><code class="command">delve</code> [<code class="option">-v</code>]</p></div>
8d4257cff01b3821abcb9a21f46c6c6a43bb1e72Bob Halley<div class="cmdsynopsis"><p><code class="command">delve</code> [queryopt...] [query...]</p></div>
8d4257cff01b3821abcb9a21f46c6c6a43bb1e72Bob Halley<p><span><strong class="command">delve</strong></span>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein (Domain Entity Lookup & Validation Engine) is a tool for sending
dc97fe4ed08488d314ab5bc8e99ed839542cf411David Lawrence DNS queries and validating the results, using the the same internal
dc97fe4ed08488d314ab5bc8e99ed839542cf411David Lawrence resolver and validator logic as <span><strong class="command">named</strong></span>.
8d4257cff01b3821abcb9a21f46c6c6a43bb1e72Bob Halley <span><strong class="command">delve</strong></span> will send to a specified name server all
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein queries needed to fetch and validate the requested data; this
50453ad879d0d93854de5a3385776bd799e8f35cBob Halley includes the original requested query, subsequent queries to follow
50453ad879d0d93854de5a3385776bd799e8f35cBob Halley CNAME or DNAME chains, and queries for DNSKEY, DS and DLV records
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein to establish a chain of trust for DNSSEC validation.
7005cfed8cd3296d356883dcb414979f22e06b13Brian Wellington It does not perform iterative resolution, but simulates the
7005cfed8cd3296d356883dcb414979f22e06b13Brian Wellington behavior of a name server configured for DNSSEC validating and
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein By default, responses are validated using built-in DNSSEC trust
d8dcd6ad4617cc8d7df979bd62101fa9c4bac1bcBob Halley anchors for the root zone (".") and for the ISC DNSSEC lookaside
d8dcd6ad4617cc8d7df979bd62101fa9c4bac1bcBob Halley validation zone ("dlv.isc.org"). Records returned by
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <span><strong class="command">delve</strong></span> are either fully validated or
baf7c7e589f313f10b29d9119811fc4d36c2e4bcMark Andrews were not signed. If validation fails, an explanation of
baf7c7e589f313f10b29d9119811fc4d36c2e4bcMark Andrews the failure is included in the output; the validation process
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein can be traced in detail. Because <span><strong class="command">delve</strong></span> does
a30e7fc23415fd238d067a8a871607bca36068baMichael Graff not rely on an external server to carry out validation, it can
a30e7fc23415fd238d067a8a871607bca36068baMichael Graff be used to check the validity of DNS responses in environments
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein where local name servers may not be trustworthy.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Unless it is told to query a specific name server,
6286983c506433d642b23e64845c50be30f2a7f6Mark Andrews <span><strong class="command">delve</strong></span> will try each of the servers listed in
6286983c506433d642b23e64845c50be30f2a7f6Mark Andrews <code class="filename">/etc/resolv.conf</code>. If no usable server
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein addresses are found, <span><strong class="command">delve</strong></span> will send
8313838954d67250d0ed7edf67fba5da0790d1a7Michael Graff queries to the localhost addresses (127.0.0.1 for IPv4, ::1
8313838954d67250d0ed7edf67fba5da0790d1a7Michael Graff When no command line arguments or options are given,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <span><strong class="command">delve</strong></span> will perform an NS query for "."
703e1c0bb66f3cd3d300358ca0c1fdf3cb5fb1c5Brian Wellington (the root zone).
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein A typical invocation of <span><strong class="command">delve</strong></span> looks like:
0eb2572d79822d02ea05448ce4e5f1759c73d171Michael Graff<pre class="programlisting"> delve @server name type </pre>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dt><span class="term"><code class="constant">server</code></span></dt>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein is the name or IP address of the name server to query. This
64b92523f9333ba053f4b2860335583be455b0b3Brian Wellington can be an IPv4 address in dotted-decimal notation or an IPv6
64b92523f9333ba053f4b2860335583be455b0b3Brian Wellington address in colon-delimited notation. When the supplied
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <em class="parameter"><code>server</code></em> argument is a hostname,
876753d5ce1be48f3218fb4875fac501f8adfd6cDavid Lawrence <span><strong class="command">delve</strong></span> resolves that name before
876753d5ce1be48f3218fb4875fac501f8adfd6cDavid Lawrence querying that name server (note, however, that this
876753d5ce1be48f3218fb4875fac501f8adfd6cDavid Lawrence initial lookup is <span class="emphasis"><em>not</em></span> validated
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein If no <em class="parameter"><code>server</code></em> argument is
ed71ea51c6ecb5d7d659b6e6a20f6b3f5c2678c6David Lawrence provided, <span><strong class="command">delve</strong></span> consults
ed71ea51c6ecb5d7d659b6e6a20f6b3f5c2678c6David Lawrence <code class="filename">/etc/resolv.conf</code>; if an
ed71ea51c6ecb5d7d659b6e6a20f6b3f5c2678c6David Lawrence address is found there, it queries the name server at
ed71ea51c6ecb5d7d659b6e6a20f6b3f5c2678c6David Lawrence that address. If either of the <code class="option">-4</code> or
ed71ea51c6ecb5d7d659b6e6a20f6b3f5c2678c6David Lawrence <code class="option">-6</code> options are in use, then
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein only addresses for the corresponding transport
49a2cf8f211213712d452287ae8e121cf59e3178David Lawrence will be tried. If no usable addresses are found,
49a2cf8f211213712d452287ae8e121cf59e3178David Lawrence <span><strong class="command">delve</strong></span> will send queries to
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein the localhost addresses (127.0.0.1 for IPv4,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein ::1 for IPv6).
49a2cf8f211213712d452287ae8e121cf59e3178David Lawrence<dt><span class="term"><code class="constant">name</code></span></dt>
49a2cf8f211213712d452287ae8e121cf59e3178David Lawrence is the domain name to be looked up.
f54d0c9c6e65de367d4ef08f51d22a2fb4c56208Mark Andrews<dt><span class="term"><code class="constant">type</code></span></dt>
f54d0c9c6e65de367d4ef08f51d22a2fb4c56208Mark Andrews indicates what type of query is required —
f54d0c9c6e65de367d4ef08f51d22a2fb4c56208Mark Andrews ANY, A, MX, etc.
f54d0c9c6e65de367d4ef08f51d22a2fb4c56208Mark Andrews <em class="parameter"><code>type</code></em> can be any valid query
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <em class="parameter"><code>type</code></em> argument is supplied,
49a2cf8f211213712d452287ae8e121cf59e3178David Lawrence <span><strong class="command">delve</strong></span> will perform a lookup for an
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dt><span class="term">-a <em class="replaceable"><code>anchor-file</code></em></span></dt>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Specifies a file from which to read DNSSEC trust anchors.
f54d0c9c6e65de367d4ef08f51d22a2fb4c56208Mark Andrews The default is <code class="filename">/etc/bind.keys</code>, which
f54d0c9c6e65de367d4ef08f51d22a2fb4c56208Mark Andrews is included with <acronym class="acronym">BIND</acronym> 9 and contains
cffc2e06f906dd048af4cc27d487deb157f5a082Mark Andrews trust anchors for the root zone (".") and for the ISC
cffc2e06f906dd048af4cc27d487deb157f5a082Mark Andrews DNSSEC lookaside validation zone ("dlv.isc.org").
43fe2897fc80bbec2115310ca79d432a252f3ea4Mark Andrews Keys that do not match the root or DLV trust-anchor
43fe2897fc80bbec2115310ca79d432a252f3ea4Mark Andrews names are ignored; these key names can be overridden
70e854766f5304f43e94212dc38ebaefe214148cMark Andrews using the <code class="option">+dlv=NAME</code> or
70e854766f5304f43e94212dc38ebaefe214148cMark Andrews <code class="option">+root=NAME</code> options.
43501e6570e9081d459fb5c1a81b73c2c53c5df0Mark Andrews Note: When reading the trust anchor file,
43501e6570e9081d459fb5c1a81b73c2c53c5df0Mark Andrews <span><strong class="command">delve</strong></span> treats <code class="option">managed-keys</code>
43501e6570e9081d459fb5c1a81b73c2c53c5df0Mark Andrews statements and <code class="option">trusted-keys</code> statements
2b66a51a7d72e9cc07917fb583ad528b0539d2a3Mark Andrews identically. That is, for a managed key, it is the
2b66a51a7d72e9cc07917fb583ad528b0539d2a3Mark Andrews <span class="emphasis"><em>initial</em></span> key that is trusted; RFC 5011
2b66a51a7d72e9cc07917fb583ad528b0539d2a3Mark Andrews key management is not supported. <span><strong class="command">delve</strong></span>
8b56b8956fc1e6c70efacb4f71db28d0d1f0c577Mark Andrews will not consult the managed-keys database maintained by
8b56b8956fc1e6c70efacb4f71db28d0d1f0c577Mark Andrews <span><strong class="command">named</strong></span>. This means that if either of the
8b56b8956fc1e6c70efacb4f71db28d0d1f0c577Mark Andrews keys in <code class="filename">/etc/bind.keys</code> is revoked
f54d0c9c6e65de367d4ef08f51d22a2fb4c56208Mark Andrews and rolled over, it will be necessary to update
64b92523f9333ba053f4b2860335583be455b0b3Brian Wellington <code class="filename">/etc/bind.keys</code> to use DNSSEC
64b92523f9333ba053f4b2860335583be455b0b3Brian Wellington validation in <span><strong class="command">delve</strong></span>.
a5d43b72413db3edd6b36a58f9bdf2cf6ff692f2Bob Halley<dt><span class="term">-b <em class="replaceable"><code>address</code></em></span></dt>
289ae548d52bc8f982d9823af64cafda7bd92232Mark Andrews Sets the source IP address of the query to
289ae548d52bc8f982d9823af64cafda7bd92232Mark Andrews <em class="parameter"><code>address</code></em>. This must be a valid address
289ae548d52bc8f982d9823af64cafda7bd92232Mark Andrews on one of the host's network interfaces or "0.0.0.0" or "::".
289ae548d52bc8f982d9823af64cafda7bd92232Mark Andrews An optional source port may be specified by appending
289ae548d52bc8f982d9823af64cafda7bd92232Mark Andrews "#<port>"
f54d0c9c6e65de367d4ef08f51d22a2fb4c56208Mark Andrews<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
f54d0c9c6e65de367d4ef08f51d22a2fb4c56208Mark Andrews Sets the query class for the requested data. Currently,
f54d0c9c6e65de367d4ef08f51d22a2fb4c56208Mark Andrews only class "IN" is supported in <span><strong class="command">delve</strong></span>
f54d0c9c6e65de367d4ef08f51d22a2fb4c56208Mark Andrews and any other value is ignored.
0415ca35ada2cac6a86127eaca64f3a997aea121Evan Hunt<dt><span class="term">-d <em class="replaceable"><code>level</code></em></span></dt>
f54d0c9c6e65de367d4ef08f51d22a2fb4c56208Mark Andrews Set the systemwide debug level to <code class="option">level</code>.
f54d0c9c6e65de367d4ef08f51d22a2fb4c56208Mark Andrews The allowed range is from 0 to 99.
f54d0c9c6e65de367d4ef08f51d22a2fb4c56208Mark Andrews The default is 0 (no debugging).
f54d0c9c6e65de367d4ef08f51d22a2fb4c56208Mark Andrews Debugging traces from <span><strong class="command">delve</strong></span> become
f54d0c9c6e65de367d4ef08f51d22a2fb4c56208Mark Andrews more verbose as the debug level increases.
f54d0c9c6e65de367d4ef08f51d22a2fb4c56208Mark Andrews See the <code class="option">+mtrace</code>, <code class="option">+rtrace</code>,
f54d0c9c6e65de367d4ef08f51d22a2fb4c56208Mark Andrews and <code class="option">+vtrace</code> options below for additional
f54d0c9c6e65de367d4ef08f51d22a2fb4c56208Mark Andrews debugging details.
23ac30603a7639bea1d331537634b079b046b122Mark Andrews Display the <span><strong class="command">delve</strong></span> help usage output and exit.
c870001ae1bff0e38f622c4ed56872c7f1d2d336Mark Andrews Insecure mode. This disables internal DNSSEC validation.
c870001ae1bff0e38f622c4ed56872c7f1d2d336Mark Andrews (Note, however, this does not set the CD bit on upstream
c870001ae1bff0e38f622c4ed56872c7f1d2d336Mark Andrews queries. If the server being queried is performing DNSSEC
186e7f37c9fc985a7a7264cc8170e48a25bed434Mark Andrews validation, then it will not return invalid data; this
186e7f37c9fc985a7a7264cc8170e48a25bed434Mark Andrews can cause <span><strong class="command">delve</strong></span> to time out. When it
186e7f37c9fc985a7a7264cc8170e48a25bed434Mark Andrews is necessary to examine invalid data to debug a DNSSEC
f54d0c9c6e65de367d4ef08f51d22a2fb4c56208Mark Andrews problem, use <span><strong class="command">dig +cd</strong></span>.)
cae2cb086244dfb883739edbe79e34756079f70eMark Andrews Enables memory usage debugging.
f54d0c9c6e65de367d4ef08f51d22a2fb4c56208Mark Andrews<dt><span class="term">-p <em class="replaceable"><code>port#</code></em></span></dt>
f54d0c9c6e65de367d4ef08f51d22a2fb4c56208Mark Andrews Specifies a destination port to use for queries instead of
f54d0c9c6e65de367d4ef08f51d22a2fb4c56208Mark Andrews the standard DNS port number 53. This option would be used
fd837244be31850a764863688bce11df9ce972f4Andreas Gustafsson with a name server that has been configured to listen
fd837244be31850a764863688bce11df9ce972f4Andreas Gustafsson for queries on a non-standard port number.
cae2cb086244dfb883739edbe79e34756079f70eMark Andrews<dt><span class="term">-q <em class="replaceable"><code>name</code></em></span></dt>
f54d0c9c6e65de367d4ef08f51d22a2fb4c56208Mark Andrews Sets the query name to <em class="parameter"><code>name</code></em>.
f54d0c9c6e65de367d4ef08f51d22a2fb4c56208Mark Andrews While the query name can be specified without using the
f54d0c9c6e65de367d4ef08f51d22a2fb4c56208Mark Andrews <code class="option">-q</code>, it is sometimes necessary to disambiguate
f54d0c9c6e65de367d4ef08f51d22a2fb4c56208Mark Andrews names from types or classes (for example, when looking up the
f54d0c9c6e65de367d4ef08f51d22a2fb4c56208Mark Andrews name "ns", which could be misinterpreted as the type NS,
f54d0c9c6e65de367d4ef08f51d22a2fb4c56208Mark Andrews or "ch", which could be misinterpreted as class CH).
f54d0c9c6e65de367d4ef08f51d22a2fb4c56208Mark Andrews<dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
f54d0c9c6e65de367d4ef08f51d22a2fb4c56208Mark Andrews Sets the query type to <em class="parameter"><code>type</code></em>, which
f54d0c9c6e65de367d4ef08f51d22a2fb4c56208Mark Andrews can be any valid query type supported in BIND 9 except
dc2a0aa7aaa8b85398ae183c7274c0eeec5009afMark Andrews for zone transfer types AXFR and IXFR. As with
dc2a0aa7aaa8b85398ae183c7274c0eeec5009afMark Andrews <code class="option">-q</code>, this is useful to distinguish
dc2a0aa7aaa8b85398ae183c7274c0eeec5009afMark Andrews query name type or class when they are ambiguous.
2b50e0d877db0d668f363d50914232f82ad8c454Mark Andrews it is sometimes necessary to disambiguate names from types.
f54d0c9c6e65de367d4ef08f51d22a2fb4c56208Mark Andrews The default query type is "A", unless the <code class="option">-x</code>
f8727bd90366af835f551da1b5e1fdfcd2d3d01fBrian Wellington option is supplied to indicate a reverse lookup, in which case
203596d27c225ea195e4faad4f19388c6e96ac80Bob Halley Print the <span><strong class="command">delve</strong></span> version and exit.
f54d0c9c6e65de367d4ef08f51d22a2fb4c56208Mark Andrews<dt><span class="term">-x <em class="replaceable"><code>addr</code></em></span></dt>
f54d0c9c6e65de367d4ef08f51d22a2fb4c56208Mark Andrews Performs a reverse lookup, mapping an addresses to
f54d0c9c6e65de367d4ef08f51d22a2fb4c56208Mark Andrews a name. <em class="parameter"><code>addr</code></em> is an IPv4 address in
fd837244be31850a764863688bce11df9ce972f4Andreas Gustafsson dotted-decimal notation, or a colon-delimited IPv6 address.
fd837244be31850a764863688bce11df9ce972f4Andreas Gustafsson When <code class="option">-x</code> is used, there is no need to provide
f54d0c9c6e65de367d4ef08f51d22a2fb4c56208Mark Andrews the <em class="parameter"><code>name</code></em> or <em class="parameter"><code>type</code></em>
a5d43b72413db3edd6b36a58f9bdf2cf6ff692f2Bob Halley arguments. <span><strong class="command">delve</strong></span> automatically performs a
a5d43b72413db3edd6b36a58f9bdf2cf6ff692f2Bob Halley lookup for a name like <code class="literal">11.12.13.10.in-addr.arpa</code>
f54d0c9c6e65de367d4ef08f51d22a2fb4c56208Mark Andrews and sets the query type to PTR. IPv6 addresses are looked up
f54d0c9c6e65de367d4ef08f51d22a2fb4c56208Mark Andrews using nibble format under the IP6.ARPA domain.
4423c99613db1399dbb5c51e86ef0d351a1418c2Mark Andrews Forces <span><strong class="command">delve</strong></span> to only use IPv4.
f54d0c9c6e65de367d4ef08f51d22a2fb4c56208Mark Andrews Forces <span><strong class="command">delve</strong></span> to only use IPv6.
4423c99613db1399dbb5c51e86ef0d351a1418c2Mark Andrews<p><span><strong class="command">delve</strong></span>
4423c99613db1399dbb5c51e86ef0d351a1418c2Mark Andrews provides a number of query options which affect the way results are
4423c99613db1399dbb5c51e86ef0d351a1418c2Mark Andrews displayed, and in some cases the way lookups are performed.
f54d0c9c6e65de367d4ef08f51d22a2fb4c56208Mark Andrews Each query option is identified by a keyword preceded by a plus sign
882350d11c90de9de6fc1cead25690c8114b0b95Michael Graff (<code class="literal">+</code>). Some keywords set or reset an
f54d0c9c6e65de367d4ef08f51d22a2fb4c56208Mark Andrews option. These may be preceded by the string
f54d0c9c6e65de367d4ef08f51d22a2fb4c56208Mark Andrews <code class="literal">no</code> to negate the meaning of that keyword.
15bfd48fc5552ff1aae766021f42a250c001a098Michael Graff Other keywords assign values to options like the timeout interval.
f54d0c9c6e65de367d4ef08f51d22a2fb4c56208Mark Andrews They have the form <code class="option">+keyword=value</code>.
f54d0c9c6e65de367d4ef08f51d22a2fb4c56208Mark Andrews The query options are:
f54d0c9c6e65de367d4ef08f51d22a2fb4c56208Mark Andrews<dt><span class="term"><code class="option">+[no]cdflag</code></span></dt>
f54d0c9c6e65de367d4ef08f51d22a2fb4c56208Mark Andrews Controls whether to set the CD (checking disabled) bit in
f54d0c9c6e65de367d4ef08f51d22a2fb4c56208Mark Andrews queries sent by <span><strong class="command">delve</strong></span>. This may be useful
577ca1471960830304d1d2b9bd543fa469af51c1Mark Andrews when troubleshooting DNSSEC problems from behind a validating
577ca1471960830304d1d2b9bd543fa469af51c1Mark Andrews resolver. A validating resolver will block invalid responses,
577ca1471960830304d1d2b9bd543fa469af51c1Mark Andrews making it difficult to retrieve them for analysis. Setting
577ca1471960830304d1d2b9bd543fa469af51c1Mark Andrews the CD flag on queries will cause the resolver to return
f54d0c9c6e65de367d4ef08f51d22a2fb4c56208Mark Andrews invalid responses, which <span><strong class="command">delve</strong></span> can then
f54d0c9c6e65de367d4ef08f51d22a2fb4c56208Mark Andrews validate internally and report the errors in detail.
f54d0c9c6e65de367d4ef08f51d22a2fb4c56208Mark Andrews<dt><span class="term"><code class="option">+[no]class</code></span></dt>
f54d0c9c6e65de367d4ef08f51d22a2fb4c56208Mark Andrews Controls whether to display the CLASS when printing
577ca1471960830304d1d2b9bd543fa469af51c1Mark Andrews a record. The default is to display the CLASS.
577ca1471960830304d1d2b9bd543fa469af51c1Mark Andrews<dt><span class="term"><code class="option">+[no]ttl</code></span></dt>
cae2cb086244dfb883739edbe79e34756079f70eMark Andrews Controls whether to display the TTL when printing
cae2cb086244dfb883739edbe79e34756079f70eMark Andrews a record. The default is to display the TTL.
f54d0c9c6e65de367d4ef08f51d22a2fb4c56208Mark Andrews<dt><span class="term"><code class="option">+[no]rtrace</code></span></dt>
f54d0c9c6e65de367d4ef08f51d22a2fb4c56208Mark Andrews Toggle resolver fetch logging. This reports the
f54d0c9c6e65de367d4ef08f51d22a2fb4c56208Mark Andrews name and type of each query sent by <span><strong class="command">delve</strong></span>
f54d0c9c6e65de367d4ef08f51d22a2fb4c56208Mark Andrews in the process of carrying out the resolution and validation
f54d0c9c6e65de367d4ef08f51d22a2fb4c56208Mark Andrews process: this includes including the original query and
281bfa2a98f1d1721538086e1b550185559f1d8bMark Andrews all subsequent queries to follow CNAMEs and to establish a
281bfa2a98f1d1721538086e1b550185559f1d8bMark Andrews chain of trust for DNSSEC validation.
281bfa2a98f1d1721538086e1b550185559f1d8bMark Andrews This is equivalent to setting the debug level to 1 in
f54d0c9c6e65de367d4ef08f51d22a2fb4c56208Mark Andrews the "resolver" logging category. Setting the systemwide
7de2c6e6d51f38daeb2d346f3f21dc01ccece6daEvan Hunt debug level to 1 using the <code class="option">-d</code> option will
f54d0c9c6e65de367d4ef08f51d22a2fb4c56208Mark Andrews product the same output (but will affect other logging
f54d0c9c6e65de367d4ef08f51d22a2fb4c56208Mark Andrews categories as well).
6e9efadbea9febb0494e713e54dfea6f7ef70383Mark Andrews<dt><span class="term"><code class="option">+[no]mtrace</code></span></dt>
8486ce1efa5deded85415d21d5696e5a51c63357Mark Andrews Toggle message logging. This produces a detailed dump of
8486ce1efa5deded85415d21d5696e5a51c63357Mark Andrews the responses received by <span><strong class="command">delve</strong></span> in the
8486ce1efa5deded85415d21d5696e5a51c63357Mark Andrews process of carrying out the resolution and validation process.
e.g. "[ key id = value ]".
a trust anchor of "dlv.isc.org", for which there is a