delve.docbook revision 1d761cb453c76353deb8423c78e98d00c5f86ffa
03831d35f7499c87d51205817c93e9a8d42c4baestevel<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
03831d35f7499c87d51205817c93e9a8d42c4baestevel "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
03831d35f7499c87d51205817c93e9a8d42c4baestevel [<!ENTITY mdash "—">]>
03831d35f7499c87d51205817c93e9a8d42c4baestevel - Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC")
03831d35f7499c87d51205817c93e9a8d42c4baestevel - Permission to use, copy, modify, and/or distribute this software for any
03831d35f7499c87d51205817c93e9a8d42c4baestevel - purpose with or without fee is hereby granted, provided that the above
03831d35f7499c87d51205817c93e9a8d42c4baestevel - copyright notice and this permission notice appear in all copies.
03831d35f7499c87d51205817c93e9a8d42c4baestevel - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
03831d35f7499c87d51205817c93e9a8d42c4baestevel - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
03831d35f7499c87d51205817c93e9a8d42c4baestevel - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
03831d35f7499c87d51205817c93e9a8d42c4baestevel - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
03831d35f7499c87d51205817c93e9a8d42c4baestevel - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
03831d35f7499c87d51205817c93e9a8d42c4baestevel - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
03831d35f7499c87d51205817c93e9a8d42c4baestevel - PERFORMANCE OF THIS SOFTWARE.
03831d35f7499c87d51205817c93e9a8d42c4baestevel <refentryinfo>
03831d35f7499c87d51205817c93e9a8d42c4baestevel </refentryinfo>
03831d35f7499c87d51205817c93e9a8d42c4baestevel <refnamediv>
03831d35f7499c87d51205817c93e9a8d42c4baestevel <refpurpose>DNS lookup and validation utility</refpurpose>
03831d35f7499c87d51205817c93e9a8d42c4baestevel </refnamediv>
03831d35f7499c87d51205817c93e9a8d42c4baestevel <copyright>
03831d35f7499c87d51205817c93e9a8d42c4baestevel <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
03831d35f7499c87d51205817c93e9a8d42c4baestevel </copyright>
03831d35f7499c87d51205817c93e9a8d42c4baestevel <refsynopsisdiv>
03831d35f7499c87d51205817c93e9a8d42c4baestevel <cmdsynopsis>
03831d35f7499c87d51205817c93e9a8d42c4baestevel <arg><option>-a <replaceable class="parameter">anchor-file</replaceable></option></arg>
03831d35f7499c87d51205817c93e9a8d42c4baestevel <arg><option>-b <replaceable class="parameter">address</replaceable></option></arg>
03831d35f7499c87d51205817c93e9a8d42c4baestevel <arg><option>-c <replaceable class="parameter">class</replaceable></option></arg>
03831d35f7499c87d51205817c93e9a8d42c4baestevel <arg><option>-d <replaceable class="parameter">level</replaceable></option></arg>
03831d35f7499c87d51205817c93e9a8d42c4baestevel <arg><option>-p <replaceable class="parameter">port#</replaceable></option></arg>
03831d35f7499c87d51205817c93e9a8d42c4baestevel <arg><option>-q <replaceable class="parameter">name</replaceable></option></arg>
03831d35f7499c87d51205817c93e9a8d42c4baestevel <arg><option>-t <replaceable class="parameter">type</replaceable></option></arg>
03831d35f7499c87d51205817c93e9a8d42c4baestevel <arg><option>-x <replaceable class="parameter">addr</replaceable></option></arg>
03831d35f7499c87d51205817c93e9a8d42c4baestevel </cmdsynopsis>
03831d35f7499c87d51205817c93e9a8d42c4baestevel <cmdsynopsis>
03831d35f7499c87d51205817c93e9a8d42c4baestevel </cmdsynopsis>
03831d35f7499c87d51205817c93e9a8d42c4baestevel <cmdsynopsis>
03831d35f7499c87d51205817c93e9a8d42c4baestevel </cmdsynopsis>
03831d35f7499c87d51205817c93e9a8d42c4baestevel </refsynopsisdiv>
03831d35f7499c87d51205817c93e9a8d42c4baestevel (Domain Entity Lookup & Validation Engine) is a tool for sending
03831d35f7499c87d51205817c93e9a8d42c4baestevel DNS queries and validating the results, using the the same internal
03831d35f7499c87d51205817c93e9a8d42c4baestevel resolver and validator logic as <command>named</command>.
03831d35f7499c87d51205817c93e9a8d42c4baestevel <command>delve</command> will send to a specified name server all
03831d35f7499c87d51205817c93e9a8d42c4baestevel queries needed to fetch and validate the requested data; this
03831d35f7499c87d51205817c93e9a8d42c4baestevel includes the original requested query, subsequent queries to follow
03831d35f7499c87d51205817c93e9a8d42c4baestevel CNAME or DNAME chains, and queries for DNSKEY, DS and DLV records
03831d35f7499c87d51205817c93e9a8d42c4baestevel to establish a chain of trust for DNSSEC validation.
03831d35f7499c87d51205817c93e9a8d42c4baestevel It does not perform iterative resolution, but simulates the
03831d35f7499c87d51205817c93e9a8d42c4baestevel behavior of a name server configured for DNSSEC validating and
03831d35f7499c87d51205817c93e9a8d42c4baestevel forwarding.
03831d35f7499c87d51205817c93e9a8d42c4baestevel By default, responses are validated using built-in DNSSEC trust
03831d35f7499c87d51205817c93e9a8d42c4baestevel anchors for the root zone (".") and for the ISC DNSSEC lookaside
03831d35f7499c87d51205817c93e9a8d42c4baestevel validation zone ("dlv.isc.org"). Records returned by
03831d35f7499c87d51205817c93e9a8d42c4baestevel <command>delve</command> are either fully validated or
03831d35f7499c87d51205817c93e9a8d42c4baestevel were not signed. If validation fails, an explanation of
03831d35f7499c87d51205817c93e9a8d42c4baestevel the failure is included in the output; the validation process
03831d35f7499c87d51205817c93e9a8d42c4baestevel can be traced in detail. Because <command>delve</command> does
03831d35f7499c87d51205817c93e9a8d42c4baestevel not rely on an external server to carry out validation, it can
03831d35f7499c87d51205817c93e9a8d42c4baestevel be used to check the validity of DNS responses in environments
03831d35f7499c87d51205817c93e9a8d42c4baestevel where local name servers may not be trustworthy.
03831d35f7499c87d51205817c93e9a8d42c4baestevel Unless it is told to query a specific name server,
03831d35f7499c87d51205817c93e9a8d42c4baestevel <command>delve</command> will try each of the servers listed in
03831d35f7499c87d51205817c93e9a8d42c4baestevel <filename>/etc/resolv.conf</filename>. If no usable server
03831d35f7499c87d51205817c93e9a8d42c4baestevel addresses are found, <command>delve</command> will send
03831d35f7499c87d51205817c93e9a8d42c4baestevel queries to the localhost addresses (127.0.0.1 for IPv4, ::1
03831d35f7499c87d51205817c93e9a8d42c4baestevel When no command line arguments or options are given,
03831d35f7499c87d51205817c93e9a8d42c4baestevel <command>delve</command> will perform an NS query for "."
03831d35f7499c87d51205817c93e9a8d42c4baestevel (the root zone).
03831d35f7499c87d51205817c93e9a8d42c4baestevel </refsect1>
03831d35f7499c87d51205817c93e9a8d42c4baestevel A typical invocation of <command>delve</command> looks like:
03831d35f7499c87d51205817c93e9a8d42c4baestevel <programlisting> delve @server name type </programlisting>
03831d35f7499c87d51205817c93e9a8d42c4baestevel <variablelist>
03831d35f7499c87d51205817c93e9a8d42c4baestevel <varlistentry>
03831d35f7499c87d51205817c93e9a8d42c4baestevel is the name or IP address of the name server to query. This
03831d35f7499c87d51205817c93e9a8d42c4baestevel can be an IPv4 address in dotted-decimal notation or an IPv6
03831d35f7499c87d51205817c93e9a8d42c4baestevel address in colon-delimited notation. When the supplied
03831d35f7499c87d51205817c93e9a8d42c4baestevel <parameter>server</parameter> argument is a hostname,
03831d35f7499c87d51205817c93e9a8d42c4baestevel querying that name server (note, however, that this
03831d35f7499c87d51205817c93e9a8d42c4baestevel by DNSSEC).
03831d35f7499c87d51205817c93e9a8d42c4baestevel address is found there, it queries the name server at
03831d35f7499c87d51205817c93e9a8d42c4baestevel that address. If either of the <option>-4</option> or
03831d35f7499c87d51205817c93e9a8d42c4baestevel only addresses for the corresponding transport
03831d35f7499c87d51205817c93e9a8d42c4baestevel will be tried. If no usable addresses are found,
03831d35f7499c87d51205817c93e9a8d42c4baestevel the localhost addresses (127.0.0.1 for IPv4,
03831d35f7499c87d51205817c93e9a8d42c4baestevel ::1 for IPv6).
03831d35f7499c87d51205817c93e9a8d42c4baestevel </listitem>
03831d35f7499c87d51205817c93e9a8d42c4baestevel </varlistentry>
03831d35f7499c87d51205817c93e9a8d42c4baestevel <varlistentry>
03831d35f7499c87d51205817c93e9a8d42c4baestevel is the domain name to be looked up.
03831d35f7499c87d51205817c93e9a8d42c4baestevel </listitem>
03831d35f7499c87d51205817c93e9a8d42c4baestevel </varlistentry>
03831d35f7499c87d51205817c93e9a8d42c4baestevel <varlistentry>
03831d35f7499c87d51205817c93e9a8d42c4baestevel indicates what type of query is required —
03831d35f7499c87d51205817c93e9a8d42c4baestevel ANY, A, MX, etc.
03831d35f7499c87d51205817c93e9a8d42c4baestevel type. If no
03831d35f7499c87d51205817c93e9a8d42c4baestevel <command>delve</command> will perform a lookup for an
03831d35f7499c87d51205817c93e9a8d42c4baestevel </listitem>
03831d35f7499c87d51205817c93e9a8d42c4baestevel </varlistentry>
03831d35f7499c87d51205817c93e9a8d42c4baestevel </variablelist>
03831d35f7499c87d51205817c93e9a8d42c4baestevel </refsect1>
03831d35f7499c87d51205817c93e9a8d42c4baestevel <variablelist>
03831d35f7499c87d51205817c93e9a8d42c4baestevel <varlistentry>
03831d35f7499c87d51205817c93e9a8d42c4baestevel Specifies a file from which to read DNSSEC trust anchors.
03831d35f7499c87d51205817c93e9a8d42c4baestevel The default is <filename>/etc/bind.keys</filename>, which
03831d35f7499c87d51205817c93e9a8d42c4baestevel is included with <acronym>BIND</acronym> 9 and contains
03831d35f7499c87d51205817c93e9a8d42c4baestevel trust anchors for the root zone (".") and for the ISC
03831d35f7499c87d51205817c93e9a8d42c4baestevel DNSSEC lookaside validation zone ("dlv.isc.org").
03831d35f7499c87d51205817c93e9a8d42c4baestevel Keys that do not match the root or DLV trust-anchor
03831d35f7499c87d51205817c93e9a8d42c4baestevel names are ignored; these key names can be overridden
03831d35f7499c87d51205817c93e9a8d42c4baestevel Note: When reading the trust anchor file,
03831d35f7499c87d51205817c93e9a8d42c4baestevel <command>delve</command> treats <option>managed-keys</option>
03831d35f7499c87d51205817c93e9a8d42c4baestevel statements and <option>trusted-keys</option> statements
03831d35f7499c87d51205817c93e9a8d42c4baestevel identically. That is, for a managed key, it is the
03831d35f7499c87d51205817c93e9a8d42c4baestevel <emphasis>initial</emphasis> key that is trusted; RFC 5011
03831d35f7499c87d51205817c93e9a8d42c4baestevel key management is not supported. <command>delve</command>
03831d35f7499c87d51205817c93e9a8d42c4baestevel will not consult the managed-keys database maintained by
03831d35f7499c87d51205817c93e9a8d42c4baestevel <command>named</command>. This means that if either of the
03831d35f7499c87d51205817c93e9a8d42c4baestevel keys in <filename>/etc/bind.keys</filename> is revoked
03831d35f7499c87d51205817c93e9a8d42c4baestevel and rolled over, it will be necessary to update
03831d35f7499c87d51205817c93e9a8d42c4baestevel </listitem>
03831d35f7499c87d51205817c93e9a8d42c4baestevel </varlistentry>
03831d35f7499c87d51205817c93e9a8d42c4baestevel <varlistentry>
03831d35f7499c87d51205817c93e9a8d42c4baestevel Sets the source IP address of the query to
03831d35f7499c87d51205817c93e9a8d42c4baestevel <parameter>address</parameter>. This must be a valid address
03831d35f7499c87d51205817c93e9a8d42c4baestevel on one of the host's network interfaces or "0.0.0.0" or "::".
03831d35f7499c87d51205817c93e9a8d42c4baestevel An optional source port may be specified by appending
03831d35f7499c87d51205817c93e9a8d42c4baestevel "#<port>"
03831d35f7499c87d51205817c93e9a8d42c4baestevel </listitem>
03831d35f7499c87d51205817c93e9a8d42c4baestevel </varlistentry>
03831d35f7499c87d51205817c93e9a8d42c4baestevel <varlistentry>
03831d35f7499c87d51205817c93e9a8d42c4baestevel Sets the query class for the requested data. Currently,
03831d35f7499c87d51205817c93e9a8d42c4baestevel only class "IN" is supported in <command>delve</command>
03831d35f7499c87d51205817c93e9a8d42c4baestevel and any other value is ignored.
03831d35f7499c87d51205817c93e9a8d42c4baestevel </listitem>
03831d35f7499c87d51205817c93e9a8d42c4baestevel </varlistentry>
03831d35f7499c87d51205817c93e9a8d42c4baestevel <varlistentry>
03831d35f7499c87d51205817c93e9a8d42c4baestevel Insecure mode. This disables internal DNSSEC validation.
03831d35f7499c87d51205817c93e9a8d42c4baestevel (Note, however, this does not set the CD bit on upstream
03831d35f7499c87d51205817c93e9a8d42c4baestevel queries. If the server being queried is performing DNSSEC
03831d35f7499c87d51205817c93e9a8d42c4baestevel validation, then it will not return invalid data; this
03831d35f7499c87d51205817c93e9a8d42c4baestevel can cause <command>delve</command> to time out. When it
03831d35f7499c87d51205817c93e9a8d42c4baestevel is necessary to examine invalid data to debug a DNSSEC
03831d35f7499c87d51205817c93e9a8d42c4baestevel </listitem>
03831d35f7499c87d51205817c93e9a8d42c4baestevel </varlistentry>
03831d35f7499c87d51205817c93e9a8d42c4baestevel <varlistentry>
03831d35f7499c87d51205817c93e9a8d42c4baestevel Enables memory usage debugging.
03831d35f7499c87d51205817c93e9a8d42c4baestevel </listitem>
03831d35f7499c87d51205817c93e9a8d42c4baestevel </varlistentry>
03831d35f7499c87d51205817c93e9a8d42c4baestevel <varlistentry>
03831d35f7499c87d51205817c93e9a8d42c4baestevel Specifies a destination port to use for queries instead of
03831d35f7499c87d51205817c93e9a8d42c4baestevel the standard DNS port number 53. This option would be used
03831d35f7499c87d51205817c93e9a8d42c4baestevel with a name server that has been configured to listen
03831d35f7499c87d51205817c93e9a8d42c4baestevel for queries on a non-standard port number.
03831d35f7499c87d51205817c93e9a8d42c4baestevel </listitem>
03831d35f7499c87d51205817c93e9a8d42c4baestevel </varlistentry>
03831d35f7499c87d51205817c93e9a8d42c4baestevel <varlistentry>
03831d35f7499c87d51205817c93e9a8d42c4baestevel </listitem>
03831d35f7499c87d51205817c93e9a8d42c4baestevel </varlistentry>
03831d35f7499c87d51205817c93e9a8d42c4baestevel <varlistentry>
03831d35f7499c87d51205817c93e9a8d42c4baestevel </listitem>
03831d35f7499c87d51205817c93e9a8d42c4baestevel </varlistentry>
03831d35f7499c87d51205817c93e9a8d42c4baestevel <varlistentry>
03831d35f7499c87d51205817c93e9a8d42c4baestevel While the query name can be specified without using the
03831d35f7499c87d51205817c93e9a8d42c4baestevel <option>-q</option>, it is sometimes necessary to disambiguate
03831d35f7499c87d51205817c93e9a8d42c4baestevel names from types or classes (for example, when looking up the
03831d35f7499c87d51205817c93e9a8d42c4baestevel name "ns", which could be misinterpreted as the type NS,
03831d35f7499c87d51205817c93e9a8d42c4baestevel or "ch", which could be misinterpreted as class CH).
03831d35f7499c87d51205817c93e9a8d42c4baestevel </listitem>
03831d35f7499c87d51205817c93e9a8d42c4baestevel </varlistentry>
03831d35f7499c87d51205817c93e9a8d42c4baestevel <varlistentry>
03831d35f7499c87d51205817c93e9a8d42c4baestevel Sets the query type to <parameter>type</parameter>, which
03831d35f7499c87d51205817c93e9a8d42c4baestevel can be any valid query type supported in BIND 9 except
03831d35f7499c87d51205817c93e9a8d42c4baestevel for zone transfer types AXFR and IXFR. As with
03831d35f7499c87d51205817c93e9a8d42c4baestevel query name type or class when they are ambiguous.
03831d35f7499c87d51205817c93e9a8d42c4baestevel it is sometimes necessary to disambiguate names from types.
03831d35f7499c87d51205817c93e9a8d42c4baestevel The default query type is "A", unless the <option>-x</option>
03831d35f7499c87d51205817c93e9a8d42c4baestevel option is supplied to indicate a reverse lookup, in which case
03831d35f7499c87d51205817c93e9a8d42c4baestevel it is "PTR".
03831d35f7499c87d51205817c93e9a8d42c4baestevel </listitem>
03831d35f7499c87d51205817c93e9a8d42c4baestevel </varlistentry>
03831d35f7499c87d51205817c93e9a8d42c4baestevel <varlistentry>
03831d35f7499c87d51205817c93e9a8d42c4baestevel Performs a reverse lookup, mapping an addresses to
03831d35f7499c87d51205817c93e9a8d42c4baestevel a name. <parameter>addr</parameter> is an IPv4 address in
03831d35f7499c87d51205817c93e9a8d42c4baestevel dotted-decimal notation, or a colon-delimited IPv6 address.
03831d35f7499c87d51205817c93e9a8d42c4baestevel When <option>-x</option> is used, there is no need to provide
03831d35f7499c87d51205817c93e9a8d42c4baestevel the <parameter>name</parameter> or <parameter>type</parameter>
03831d35f7499c87d51205817c93e9a8d42c4baestevel arguments. <command>delve</command> automatically performs a
03831d35f7499c87d51205817c93e9a8d42c4baestevel lookup for a name like <literal>11.12.13.10.in-addr.arpa</literal>
03831d35f7499c87d51205817c93e9a8d42c4baestevel and sets the query type to PTR. IPv6 addresses are looked up
03831d35f7499c87d51205817c93e9a8d42c4baestevel using nibble format under the IP6.ARPA domain.
03831d35f7499c87d51205817c93e9a8d42c4baestevel </listitem>
03831d35f7499c87d51205817c93e9a8d42c4baestevel </varlistentry>
03831d35f7499c87d51205817c93e9a8d42c4baestevel </variablelist>
03831d35f7499c87d51205817c93e9a8d42c4baestevel </refsect1>
03831d35f7499c87d51205817c93e9a8d42c4baestevel provides a number of query options which affect the way results are
03831d35f7499c87d51205817c93e9a8d42c4baestevel displayed, and in some cases the way lookups are performed.
03831d35f7499c87d51205817c93e9a8d42c4baestevel Each query option is identified by a keyword preceded by a plus sign
03831d35f7499c87d51205817c93e9a8d42c4baestevel (<literal>+</literal>). Some keywords set or reset an
03831d35f7499c87d51205817c93e9a8d42c4baestevel option. These may be preceded by the string
03831d35f7499c87d51205817c93e9a8d42c4baestevel <literal>no</literal> to negate the meaning of that keyword.
03831d35f7499c87d51205817c93e9a8d42c4baestevel Other keywords assign values to options like the timeout interval.
03831d35f7499c87d51205817c93e9a8d42c4baestevel The query options are:
03831d35f7499c87d51205817c93e9a8d42c4baestevel <variablelist>
03831d35f7499c87d51205817c93e9a8d42c4baestevel <varlistentry>
03831d35f7499c87d51205817c93e9a8d42c4baestevel Controls whether to set the CD (checking disabled) bit in
03831d35f7499c87d51205817c93e9a8d42c4baestevel queries sent by <command>delve</command>. This may be useful
03831d35f7499c87d51205817c93e9a8d42c4baestevel when troubleshooting DNSSEC problems from behind a validating
03831d35f7499c87d51205817c93e9a8d42c4baestevel resolver. A validating resolver will block invalid responses,
03831d35f7499c87d51205817c93e9a8d42c4baestevel making it difficult to retrieve them for analysis. Setting
03831d35f7499c87d51205817c93e9a8d42c4baestevel the CD flag on queries will cause the resolver to return
03831d35f7499c87d51205817c93e9a8d42c4baestevel invalid responses, which <command>delve</command> can then
03831d35f7499c87d51205817c93e9a8d42c4baestevel validate internally and report the errors in detail.
03831d35f7499c87d51205817c93e9a8d42c4baestevel </listitem>
03831d35f7499c87d51205817c93e9a8d42c4baestevel </varlistentry>
03831d35f7499c87d51205817c93e9a8d42c4baestevel <varlistentry>
03831d35f7499c87d51205817c93e9a8d42c4baestevel Controls whether to display the CLASS when printing
03831d35f7499c87d51205817c93e9a8d42c4baestevel a record. The default is to display the CLASS.
03831d35f7499c87d51205817c93e9a8d42c4baestevel </listitem>
03831d35f7499c87d51205817c93e9a8d42c4baestevel </varlistentry>
03831d35f7499c87d51205817c93e9a8d42c4baestevel <varlistentry>
03831d35f7499c87d51205817c93e9a8d42c4baestevel Controls whether to display the TTL when printing
03831d35f7499c87d51205817c93e9a8d42c4baestevel a record. The default is to display the TTL.
03831d35f7499c87d51205817c93e9a8d42c4baestevel </listitem>
03831d35f7499c87d51205817c93e9a8d42c4baestevel </varlistentry>
03831d35f7499c87d51205817c93e9a8d42c4baestevel <varlistentry>
03831d35f7499c87d51205817c93e9a8d42c4baestevel Toggle resolver fetch logging. This reports the
03831d35f7499c87d51205817c93e9a8d42c4baestevel name and type of each query sent by <command>delve</command>
03831d35f7499c87d51205817c93e9a8d42c4baestevel in the process of carrying out the resolution and validation
03831d35f7499c87d51205817c93e9a8d42c4baestevel process: this includes including the original query and
03831d35f7499c87d51205817c93e9a8d42c4baestevel all subsequent queries to follow CNAMEs and to establish a
03831d35f7499c87d51205817c93e9a8d42c4baestevel chain of trust for DNSSEC validation.
03831d35f7499c87d51205817c93e9a8d42c4baestevel This is equivalent to setting the debug level to 1 in
03831d35f7499c87d51205817c93e9a8d42c4baestevel the "resolver" logging category. Setting the systemwide
03831d35f7499c87d51205817c93e9a8d42c4baestevel debug level to 1 using the <option>-d</option> option will
03831d35f7499c87d51205817c93e9a8d42c4baestevel product the same output (but will affect other logging
03831d35f7499c87d51205817c93e9a8d42c4baestevel categories as well).
03831d35f7499c87d51205817c93e9a8d42c4baestevel </listitem>
03831d35f7499c87d51205817c93e9a8d42c4baestevel </varlistentry>
03831d35f7499c87d51205817c93e9a8d42c4baestevel <varlistentry>
03831d35f7499c87d51205817c93e9a8d42c4baestevel Toggle message logging. This produces a detailed dump of
03831d35f7499c87d51205817c93e9a8d42c4baestevel the responses received by <command>delve</command> in the
03831d35f7499c87d51205817c93e9a8d42c4baestevel process of carrying out the resolution and validation process.
03831d35f7499c87d51205817c93e9a8d42c4baestevel This is equivalent to setting the debug level to 10
03831d35f7499c87d51205817c93e9a8d42c4baestevel for the the "packets" module of the "resolver" logging
03831d35f7499c87d51205817c93e9a8d42c4baestevel category. Setting the systemwide debug level to 10 using
03831d35f7499c87d51205817c93e9a8d42c4baestevel the <option>-d</option> option will produce the same output
03831d35f7499c87d51205817c93e9a8d42c4baestevel (but will affect other logging categories as well).
03831d35f7499c87d51205817c93e9a8d42c4baestevel </listitem>
03831d35f7499c87d51205817c93e9a8d42c4baestevel </varlistentry>
03831d35f7499c87d51205817c93e9a8d42c4baestevel <varlistentry>
03831d35f7499c87d51205817c93e9a8d42c4baestevel Toggle validation logging. This shows the internal
03831d35f7499c87d51205817c93e9a8d42c4baestevel process of the validator as it determines whether an
03831d35f7499c87d51205817c93e9a8d42c4baestevel answer is validly signed, unsigned, or invalid.
03831d35f7499c87d51205817c93e9a8d42c4baestevel This is equivalent to setting the debug level to 3
03831d35f7499c87d51205817c93e9a8d42c4baestevel for the the "validator" module of the "dnssec" logging
03831d35f7499c87d51205817c93e9a8d42c4baestevel category. Setting the systemwide debug level to 3 using
03831d35f7499c87d51205817c93e9a8d42c4baestevel the <option>-d</option> option will produce the same output
03831d35f7499c87d51205817c93e9a8d42c4baestevel (but will affect other logging categories as well).
03831d35f7499c87d51205817c93e9a8d42c4baestevel </listitem>
03831d35f7499c87d51205817c93e9a8d42c4baestevel </varlistentry>
03831d35f7499c87d51205817c93e9a8d42c4baestevel <varlistentry>
03831d35f7499c87d51205817c93e9a8d42c4baestevel Provide a terse answer. The default is to print the answer in a
03831d35f7499c87d51205817c93e9a8d42c4baestevel verbose form.
03831d35f7499c87d51205817c93e9a8d42c4baestevel </listitem>
03831d35f7499c87d51205817c93e9a8d42c4baestevel </varlistentry>
03831d35f7499c87d51205817c93e9a8d42c4baestevel <varlistentry>
03831d35f7499c87d51205817c93e9a8d42c4baestevel Toggle the display of comment lines in the output. The default
03831d35f7499c87d51205817c93e9a8d42c4baestevel is to print comments.
03831d35f7499c87d51205817c93e9a8d42c4baestevel </listitem>
03831d35f7499c87d51205817c93e9a8d42c4baestevel </varlistentry>
03831d35f7499c87d51205817c93e9a8d42c4baestevel <varlistentry>
03831d35f7499c87d51205817c93e9a8d42c4baestevel Toggle the display of per-record comments in the output (for
03831d35f7499c87d51205817c93e9a8d42c4baestevel example, human-readable key information about DNSKEY records).
03831d35f7499c87d51205817c93e9a8d42c4baestevel The default is to print per-record comments.
03831d35f7499c87d51205817c93e9a8d42c4baestevel </listitem>
03831d35f7499c87d51205817c93e9a8d42c4baestevel </varlistentry>
03831d35f7499c87d51205817c93e9a8d42c4baestevel <varlistentry>
03831d35f7499c87d51205817c93e9a8d42c4baestevel Toggle the display of cryptographic fields in DNSSEC records.
03831d35f7499c87d51205817c93e9a8d42c4baestevel The contents of these field are unnecessary to debug most DNSSEC
03831d35f7499c87d51205817c93e9a8d42c4baestevel validation failures and removing them makes it easier to see
03831d35f7499c87d51205817c93e9a8d42c4baestevel the common failures. The default is to display the fields.
03831d35f7499c87d51205817c93e9a8d42c4baestevel When omitted they are replaced by the string "[omitted]" or
03831d35f7499c87d51205817c93e9a8d42c4baestevel in the DNSKEY case the key id is displayed as the replacement,
03831d35f7499c87d51205817c93e9a8d42c4baestevel e.g. "[ key id = value ]".
03831d35f7499c87d51205817c93e9a8d42c4baestevel </listitem>
03831d35f7499c87d51205817c93e9a8d42c4baestevel </varlistentry>
03831d35f7499c87d51205817c93e9a8d42c4baestevel <varlistentry>
03831d35f7499c87d51205817c93e9a8d42c4baestevel Controls whether to display the trust level when printing
03831d35f7499c87d51205817c93e9a8d42c4baestevel a record. The default is to display the trust level.
03831d35f7499c87d51205817c93e9a8d42c4baestevel </listitem>
03831d35f7499c87d51205817c93e9a8d42c4baestevel </varlistentry>
03831d35f7499c87d51205817c93e9a8d42c4baestevel <varlistentry>
03831d35f7499c87d51205817c93e9a8d42c4baestevel Split long hex- or base64-formatted fields in resource
03831d35f7499c87d51205817c93e9a8d42c4baestevel records into chunks of <parameter>W</parameter> characters
03831d35f7499c87d51205817c93e9a8d42c4baestevel (where <parameter>W</parameter> is rounded up to the nearest
03831d35f7499c87d51205817c93e9a8d42c4baestevel multiple of 4).
03831d35f7499c87d51205817c93e9a8d42c4baestevel <parameter>+split=0</parameter> causes fields not to be
03831d35f7499c87d51205817c93e9a8d42c4baestevel split at all. The default is 56 characters, or 44 characters
03831d35f7499c87d51205817c93e9a8d42c4baestevel when multiline mode is active.
03831d35f7499c87d51205817c93e9a8d42c4baestevel </listitem>
03831d35f7499c87d51205817c93e9a8d42c4baestevel </varlistentry>
03831d35f7499c87d51205817c93e9a8d42c4baestevel <varlistentry>
03831d35f7499c87d51205817c93e9a8d42c4baestevel Set or clear the display options
03831d35f7499c87d51205817c93e9a8d42c4baestevel </listitem>
03831d35f7499c87d51205817c93e9a8d42c4baestevel </varlistentry>
03831d35f7499c87d51205817c93e9a8d42c4baestevel <varlistentry>
03831d35f7499c87d51205817c93e9a8d42c4baestevel Print long records (such as RRSIG, DNSKEY, and SOA records)
03831d35f7499c87d51205817c93e9a8d42c4baestevel in a verbose multi-line format with human-readable comments.
03831d35f7499c87d51205817c93e9a8d42c4baestevel The default is to print each record on a single line, to
03831d35f7499c87d51205817c93e9a8d42c4baestevel facilitate machine parsing of the <command>delve</command>
03831d35f7499c87d51205817c93e9a8d42c4baestevel </listitem>
03831d35f7499c87d51205817c93e9a8d42c4baestevel </varlistentry>
03831d35f7499c87d51205817c93e9a8d42c4baestevel <varlistentry>
03831d35f7499c87d51205817c93e9a8d42c4baestevel Indicates whether to display RRSIG records in the
03831d35f7499c87d51205817c93e9a8d42c4baestevel this does <emphasis>not</emphasis> control whether to
03831d35f7499c87d51205817c93e9a8d42c4baestevel request DNSSEC records or whether to validate them.
03831d35f7499c87d51205817c93e9a8d42c4baestevel DNSSEC records are always requested, and validation
03831d35f7499c87d51205817c93e9a8d42c4baestevel will always occur unless suppressed by the use of
03831d35f7499c87d51205817c93e9a8d42c4baestevel </listitem>
03831d35f7499c87d51205817c93e9a8d42c4baestevel </varlistentry>
03831d35f7499c87d51205817c93e9a8d42c4baestevel <varlistentry>
03831d35f7499c87d51205817c93e9a8d42c4baestevel Indicates whether to perform conventional (non-
03831d35f7499c87d51205817c93e9a8d42c4baestevel lookaside) DNSSEC validation, and if so, specifies the
03831d35f7499c87d51205817c93e9a8d42c4baestevel name of a trust anchor. The default is to validate using
03831d35f7499c87d51205817c93e9a8d42c4baestevel a trust anchor of "." (the root zone), for which there is
03831d35f7499c87d51205817c93e9a8d42c4baestevel a built-in key. If specifying a different trust anchor,
03831d35f7499c87d51205817c93e9a8d42c4baestevel then <option>-a</option> must be used to specify a file
03831d35f7499c87d51205817c93e9a8d42c4baestevel containing the key.
03831d35f7499c87d51205817c93e9a8d42c4baestevel </listitem>
03831d35f7499c87d51205817c93e9a8d42c4baestevel </varlistentry>
03831d35f7499c87d51205817c93e9a8d42c4baestevel <varlistentry>
03831d35f7499c87d51205817c93e9a8d42c4baestevel Indicates whether to perform DNSSEC lookaside validation,
03831d35f7499c87d51205817c93e9a8d42c4baestevel and if so, specifies the name of the DLV trust anchor.
03831d35f7499c87d51205817c93e9a8d42c4baestevel The default is to perform lookaside validation using
03831d35f7499c87d51205817c93e9a8d42c4baestevel a trust anchor of "dlv.isc.org", for which there is a
03831d35f7499c87d51205817c93e9a8d42c4baestevel built-in key. If specifying a different name, then
03831d35f7499c87d51205817c93e9a8d42c4baestevel containing the DLV key.
03831d35f7499c87d51205817c93e9a8d42c4baestevel </listitem>
03831d35f7499c87d51205817c93e9a8d42c4baestevel </varlistentry>
03831d35f7499c87d51205817c93e9a8d42c4baestevel </variablelist>
03831d35f7499c87d51205817c93e9a8d42c4baestevel </refsect1>
03831d35f7499c87d51205817c93e9a8d42c4baestevel </refsect1>
03831d35f7499c87d51205817c93e9a8d42c4baestevel <refentrytitle>dig</refentrytitle><manvolnum>1</manvolnum>
03831d35f7499c87d51205817c93e9a8d42c4baestevel </citerefentry>,
03831d35f7499c87d51205817c93e9a8d42c4baestevel <citerefentry>
03831d35f7499c87d51205817c93e9a8d42c4baestevel <refentrytitle>named</refentrytitle><manvolnum>8</manvolnum>
03831d35f7499c87d51205817c93e9a8d42c4baestevel </citerefentry>,
03831d35f7499c87d51205817c93e9a8d42c4baestevel </refsect1>
03831d35f7499c87d51205817c93e9a8d42c4baestevel - Local variables:
03831d35f7499c87d51205817c93e9a8d42c4baestevel - mode: sgml