60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<html>

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<head>

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<title>dig</title>

e21a2904f02a03fa06b6db04d348f65fe9c67b2bMark Andrews<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</head>

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<a name="man.dig"></a><div class="titlepage"></div>

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="refnamediv">

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<h2>Name</h2>

7208386cd37a2092c70eddf80cf29519b16c4c80Mark Andrews<p>dig &#8212; DNS lookup utility</p>

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</div>

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="refsynopsisdiv">

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<h2>Synopsis</h2>

e2e4d321999340802f77adaacd19c797d04b4b95Automatic Updater<div class="cmdsynopsis"><p><code class="command">dig</code> [@server] [<code class="option">-b <em class="replaceable"><code>address</code></em></code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-f <em class="replaceable"><code>filename</code></em></code>] [<code class="option">-k <em class="replaceable"><code>filename</code></em></code>] [<code class="option">-m</code>] [<code class="option">-p <em class="replaceable"><code>port#</code></em></code>] [<code class="option">-q <em class="replaceable"><code>name</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-x <em class="replaceable"><code>addr</code></em></code>] [<code class="option">-y <em class="replaceable"><code>[<span class="optional">hmac:</span>]name:key</code></em></code>] [<code class="option">-4</code>] [<code class="option">-6</code>] [name] [type] [class] [queryopt...]</p></div>

e2e4d321999340802f77adaacd19c797d04b4b95Automatic Updater<div class="cmdsynopsis"><p><code class="command">dig</code> [<code class="option">-h</code>]</p></div>

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="cmdsynopsis"><p><code class="command">dig</code> [global-queryopt...] [query...]</p></div>

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</div>

e2e4d321999340802f77adaacd19c797d04b4b95Automatic Updater<div class="refsect1" lang="en">

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<a name="id2543527"></a><h2>DESCRIPTION</h2>

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p><span><strong class="command">dig</strong></span>

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein (domain information groper) is a flexible tool

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein for interrogating DNS name servers. It performs DNS lookups and

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein displays the answers that are returned from the name server(s) that

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein were queried. Most DNS administrators use <span><strong class="command">dig</strong></span> to

7208386cd37a2092c70eddf80cf29519b16c4c80Mark Andrews troubleshoot DNS problems because of its flexibility, ease of use and

7208386cd37a2092c70eddf80cf29519b16c4c80Mark Andrews clarity of output. Other lookup tools tend to have less functionality

7208386cd37a2092c70eddf80cf29519b16c4c80Mark Andrews than <span><strong class="command">dig</strong></span>.

7208386cd37a2092c70eddf80cf29519b16c4c80Mark Andrews </p>

7208386cd37a2092c70eddf80cf29519b16c4c80Mark Andrews<p>

7208386cd37a2092c70eddf80cf29519b16c4c80Mark Andrews Although <span><strong class="command">dig</strong></span> is normally used with

7208386cd37a2092c70eddf80cf29519b16c4c80Mark Andrews command-line

f6da30bb5447c23d880b09f601441e70c5313557Mark Andrews arguments, it also has a batch mode of operation for reading lookup

7208386cd37a2092c70eddf80cf29519b16c4c80Mark Andrews requests from a file. A brief summary of its command-line arguments

7208386cd37a2092c70eddf80cf29519b16c4c80Mark Andrews and options is printed when the <code class="option">-h</code> option is given.

7208386cd37a2092c70eddf80cf29519b16c4c80Mark Andrews Unlike earlier versions, the BIND 9 implementation of

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <span><strong class="command">dig</strong></span> allows multiple lookups to be issued

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein from the

e2e4d321999340802f77adaacd19c797d04b4b95Automatic Updater command line.

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </p>

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Unless it is told to query a specific name server,

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <span><strong class="command">dig</strong></span> will try each of the servers listed in

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <code class="filename">/etc/resolv.conf</code>. If no usable server addreses

f7b41fd9291b8f4dba27e2b57e1d93f0913a4f1dMark Andrews are found, <span><strong class="command">dig</strong></span> will send the query to the local

f7b41fd9291b8f4dba27e2b57e1d93f0913a4f1dMark Andrews host.

f7b41fd9291b8f4dba27e2b57e1d93f0913a4f1dMark Andrews </p>

f7b41fd9291b8f4dba27e2b57e1d93f0913a4f1dMark Andrews<p>

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein When no command line arguments or options are given,

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <span><strong class="command">dig</strong></span> will perform an NS query for "." (the root).

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </p>

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein It is possible to set per-user defaults for <span><strong class="command">dig</strong></span> via

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <code class="filename">${HOME}/.digrc</code>. This file is read and

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein any options in it

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein are applied before the command line arguments.

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </p>

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein The IN and CH class names overlap with the IN and CH top level

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein domains names. Either use the <code class="option">-t</code> and

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <code class="option">-c</code> options to specify the type and class,

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein use the <code class="option">-q</code> the specify the domain name, or

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein use "IN." and "CH." when looking up these top level domains.

9fbbfb5757a1e3e86d7dea62c4e63ffc2303ca2bAutomatic Updater </p>

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</div>

3a3705ef7747327df182bf8d009333d2472253d5Mark Andrews<div class="refsect1" lang="en">

3a3705ef7747327df182bf8d009333d2472253d5Mark Andrews<a name="id2543606"></a><h2>SIMPLE USAGE</h2>

3a3705ef7747327df182bf8d009333d2472253d5Mark Andrews<p>

d71e2e0c61df16ff37c9934c371a4a60c08974f7Mark Andrews A typical invocation of <span><strong class="command">dig</strong></span> looks like:

3a3705ef7747327df182bf8d009333d2472253d5Mark Andrews </p>

a057e8e33baa5fa369be28a9680585200ce3ff73Mark Andrews<pre class="programlisting"> dig @server name type </pre>

a057e8e33baa5fa369be28a9680585200ce3ff73Mark Andrews<p>

a057e8e33baa5fa369be28a9680585200ce3ff73Mark Andrews where:

3a3705ef7747327df182bf8d009333d2472253d5Mark Andrews

3a3705ef7747327df182bf8d009333d2472253d5Mark Andrews </p>

3a3705ef7747327df182bf8d009333d2472253d5Mark Andrews<div class="variablelist"><dl>

3a3705ef7747327df182bf8d009333d2472253d5Mark Andrews<dt><span class="term"><code class="constant">server</code></span></dt>

3a3705ef7747327df182bf8d009333d2472253d5Mark Andrews<dd>

3a3705ef7747327df182bf8d009333d2472253d5Mark Andrews<p>

3a3705ef7747327df182bf8d009333d2472253d5Mark Andrews is the name or IP address of the name server to query. This

3a3705ef7747327df182bf8d009333d2472253d5Mark Andrews can be an IPv4 address in dotted-decimal notation or an IPv6

3a3705ef7747327df182bf8d009333d2472253d5Mark Andrews address in colon-delimited notation. When the supplied

3a3705ef7747327df182bf8d009333d2472253d5Mark Andrews <em class="parameter"><code>server</code></em> argument is a hostname,

3a3705ef7747327df182bf8d009333d2472253d5Mark Andrews <span><strong class="command">dig</strong></span> resolves that name before querying

3a3705ef7747327df182bf8d009333d2472253d5Mark Andrews that name server.

3a3705ef7747327df182bf8d009333d2472253d5Mark Andrews </p>

3a3705ef7747327df182bf8d009333d2472253d5Mark Andrews<p>

3a3705ef7747327df182bf8d009333d2472253d5Mark Andrews If no <em class="parameter"><code>server</code></em> argument is

3a3705ef7747327df182bf8d009333d2472253d5Mark Andrews provided, <span><strong class="command">dig</strong></span> consults

3a3705ef7747327df182bf8d009333d2472253d5Mark Andrews <code class="filename">/etc/resolv.conf</code>; if an

d71e2e0c61df16ff37c9934c371a4a60c08974f7Mark Andrews address is found there, it queries the name server at

3a3705ef7747327df182bf8d009333d2472253d5Mark Andrews that address. If either of the <code class="option">-4</code> or

3a3705ef7747327df182bf8d009333d2472253d5Mark Andrews <code class="option">-6</code> options are in use, then

3a3705ef7747327df182bf8d009333d2472253d5Mark Andrews only addresses for the corresponding transport

3a3705ef7747327df182bf8d009333d2472253d5Mark Andrews will be tried. If no usable addresses are found,

3a3705ef7747327df182bf8d009333d2472253d5Mark Andrews <span><strong class="command">dig</strong></span> will send the query to the

a057e8e33baa5fa369be28a9680585200ce3ff73Mark Andrews local host. The reply from the name server that

a057e8e33baa5fa369be28a9680585200ce3ff73Mark Andrews responds is displayed.

a057e8e33baa5fa369be28a9680585200ce3ff73Mark Andrews </p>

a057e8e33baa5fa369be28a9680585200ce3ff73Mark Andrews</dd>

a057e8e33baa5fa369be28a9680585200ce3ff73Mark Andrews<dt><span class="term"><code class="constant">name</code></span></dt>

a057e8e33baa5fa369be28a9680585200ce3ff73Mark Andrews<dd><p>

3a3705ef7747327df182bf8d009333d2472253d5Mark Andrews is the name of the resource record that is to be looked up.

3a3705ef7747327df182bf8d009333d2472253d5Mark Andrews </p></dd>

3a3705ef7747327df182bf8d009333d2472253d5Mark Andrews<dt><span class="term"><code class="constant">type</code></span></dt>

3a3705ef7747327df182bf8d009333d2472253d5Mark Andrews<dd><p>

7208386cd37a2092c70eddf80cf29519b16c4c80Mark Andrews indicates what type of query is required &#8212;

7208386cd37a2092c70eddf80cf29519b16c4c80Mark Andrews ANY, A, MX, SIG, etc.

7208386cd37a2092c70eddf80cf29519b16c4c80Mark Andrews <em class="parameter"><code>type</code></em> can be any valid query

7208386cd37a2092c70eddf80cf29519b16c4c80Mark Andrews type. If no

7208386cd37a2092c70eddf80cf29519b16c4c80Mark Andrews <em class="parameter"><code>type</code></em> argument is supplied,

7208386cd37a2092c70eddf80cf29519b16c4c80Mark Andrews <span><strong class="command">dig</strong></span> will perform a lookup for an

7208386cd37a2092c70eddf80cf29519b16c4c80Mark Andrews A record.

7208386cd37a2092c70eddf80cf29519b16c4c80Mark Andrews </p></dd>

7208386cd37a2092c70eddf80cf29519b16c4c80Mark Andrews</dl></div>

7208386cd37a2092c70eddf80cf29519b16c4c80Mark Andrews<p>

7208386cd37a2092c70eddf80cf29519b16c4c80Mark Andrews </p>

7208386cd37a2092c70eddf80cf29519b16c4c80Mark Andrews</div>

7208386cd37a2092c70eddf80cf29519b16c4c80Mark Andrews<div class="refsect1" lang="en">

7208386cd37a2092c70eddf80cf29519b16c4c80Mark Andrews<a name="id2543709"></a><h2>OPTIONS</h2>

7208386cd37a2092c70eddf80cf29519b16c4c80Mark Andrews<p>

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein The <code class="option">-b</code> option sets the source IP address of the query

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein to <em class="parameter"><code>address</code></em>. This must be a valid

bf056b7184b38281c1b0bf0cf21b5982fa1a4edaMark Andrews address on

7208386cd37a2092c70eddf80cf29519b16c4c80Mark Andrews one of the host's network interfaces or "0.0.0.0" or "::". An optional

7208386cd37a2092c70eddf80cf29519b16c4c80Mark Andrews port

7208386cd37a2092c70eddf80cf29519b16c4c80Mark Andrews may be specified by appending "#&lt;port&gt;"

7208386cd37a2092c70eddf80cf29519b16c4c80Mark Andrews </p>

7208386cd37a2092c70eddf80cf29519b16c4c80Mark Andrews<p>

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein The default query class (IN for internet) is overridden by the

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <code class="option">-c</code> option. <em class="parameter"><code>class</code></em> is

3a3705ef7747327df182bf8d009333d2472253d5Mark Andrews any valid

3a3705ef7747327df182bf8d009333d2472253d5Mark Andrews class, such as HS for Hesiod records or CH for Chaosnet records.

3a3705ef7747327df182bf8d009333d2472253d5Mark Andrews </p>

3a3705ef7747327df182bf8d009333d2472253d5Mark Andrews<p>

3a3705ef7747327df182bf8d009333d2472253d5Mark Andrews The <code class="option">-f</code> option makes <span><strong class="command">dig </strong></span>

3a3705ef7747327df182bf8d009333d2472253d5Mark Andrews operate

3a3705ef7747327df182bf8d009333d2472253d5Mark Andrews in batch mode by reading a list of lookup requests to process from the

3b4098640dd85040270f39b9a5ee5e22de99d3d6Mark Andrews file <em class="parameter"><code>filename</code></em>. The file contains a

3b4098640dd85040270f39b9a5ee5e22de99d3d6Mark Andrews number of

3b4098640dd85040270f39b9a5ee5e22de99d3d6Mark Andrews queries, one per line. Each entry in the file should be organized in

3b4098640dd85040270f39b9a5ee5e22de99d3d6Mark Andrews the same way they would be presented as queries to

3b4098640dd85040270f39b9a5ee5e22de99d3d6Mark Andrews <span><strong class="command">dig</strong></span> using the command-line interface.

3b4098640dd85040270f39b9a5ee5e22de99d3d6Mark Andrews </p>

3b4098640dd85040270f39b9a5ee5e22de99d3d6Mark Andrews<p>

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein The <code class="option">-m</code> option enables memory usage debugging.

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </p>

7208386cd37a2092c70eddf80cf29519b16c4c80Mark Andrews<p>

7208386cd37a2092c70eddf80cf29519b16c4c80Mark Andrews If a non-standard port number is to be queried, the

7208386cd37a2092c70eddf80cf29519b16c4c80Mark Andrews <code class="option">-p</code> option is used. <em class="parameter"><code>port#</code></em> is

7208386cd37a2092c70eddf80cf29519b16c4c80Mark Andrews the port number that <span><strong class="command">dig</strong></span> will send its

7208386cd37a2092c70eddf80cf29519b16c4c80Mark Andrews queries

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein instead of the standard DNS port number 53. This option would be used

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein to test a name server that has been configured to listen for queries

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein on a non-standard port number.

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </p>

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>

f7b41fd9291b8f4dba27e2b57e1d93f0913a4f1dMark Andrews The <code class="option">-4</code> option forces <span><strong class="command">dig</strong></span>

f7b41fd9291b8f4dba27e2b57e1d93f0913a4f1dMark Andrews to only

7208386cd37a2092c70eddf80cf29519b16c4c80Mark Andrews use IPv4 query transport. The <code class="option">-6</code> option forces

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <span><strong class="command">dig</strong></span> to only use IPv6 query transport.

e2e4d321999340802f77adaacd19c797d04b4b95Automatic Updater </p>

e2e4d321999340802f77adaacd19c797d04b4b95Automatic Updater<p>

e2e4d321999340802f77adaacd19c797d04b4b95Automatic Updater The <code class="option">-t</code> option sets the query type to

e2e4d321999340802f77adaacd19c797d04b4b95Automatic Updater <em class="parameter"><code>type</code></em>. It can be any valid query type

e2e4d321999340802f77adaacd19c797d04b4b95Automatic Updater which is

e2e4d321999340802f77adaacd19c797d04b4b95Automatic Updater supported in BIND 9. The default query type is "A", unless the

e2e4d321999340802f77adaacd19c797d04b4b95Automatic Updater <code class="option">-x</code> option is supplied to indicate a reverse lookup.

e2e4d321999340802f77adaacd19c797d04b4b95Automatic Updater A zone transfer can be requested by specifying a type of AXFR. When

7208386cd37a2092c70eddf80cf29519b16c4c80Mark Andrews an incremental zone transfer (IXFR) is required,

7208386cd37a2092c70eddf80cf29519b16c4c80Mark Andrews <em class="parameter"><code>type</code></em> is set to <code class="literal">ixfr=N</code>.

7208386cd37a2092c70eddf80cf29519b16c4c80Mark Andrews The incremental zone transfer will contain the changes made to the zone

7208386cd37a2092c70eddf80cf29519b16c4c80Mark Andrews since the serial number in the zone's SOA record was

285254345ce5ab270848f8c11f7be146793f1e00Mark Andrews <em class="parameter"><code>N</code></em>.

7208386cd37a2092c70eddf80cf29519b16c4c80Mark Andrews </p>

7208386cd37a2092c70eddf80cf29519b16c4c80Mark Andrews<p>

285254345ce5ab270848f8c11f7be146793f1e00Mark Andrews The <code class="option">-q</code> option sets the query name to

7208386cd37a2092c70eddf80cf29519b16c4c80Mark Andrews <em class="parameter"><code>name</code></em>. This useful do distinguish the

7208386cd37a2092c70eddf80cf29519b16c4c80Mark Andrews <em class="parameter"><code>name</code></em> from other arguments.

7208386cd37a2092c70eddf80cf29519b16c4c80Mark Andrews </p>

7208386cd37a2092c70eddf80cf29519b16c4c80Mark Andrews<p>

7208386cd37a2092c70eddf80cf29519b16c4c80Mark Andrews Reverse lookups &#8212; mapping addresses to names &#8212; are simplified by the

7208386cd37a2092c70eddf80cf29519b16c4c80Mark Andrews <code class="option">-x</code> option. <em class="parameter"><code>addr</code></em> is

7208386cd37a2092c70eddf80cf29519b16c4c80Mark Andrews an IPv4

3b4098640dd85040270f39b9a5ee5e22de99d3d6Mark Andrews address in dotted-decimal notation, or a colon-delimited IPv6 address.

3b4098640dd85040270f39b9a5ee5e22de99d3d6Mark Andrews When this option is used, there is no need to provide the

3b4098640dd85040270f39b9a5ee5e22de99d3d6Mark Andrews <em class="parameter"><code>name</code></em>, <em class="parameter"><code>class</code></em> and

3b4098640dd85040270f39b9a5ee5e22de99d3d6Mark Andrews <em class="parameter"><code>type</code></em> arguments. <span><strong class="command">dig</strong></span>

3b4098640dd85040270f39b9a5ee5e22de99d3d6Mark Andrews automatically performs a lookup for a name like

3b4098640dd85040270f39b9a5ee5e22de99d3d6Mark Andrews <code class="literal">11.12.13.10.in-addr.arpa</code> and sets the

3b4098640dd85040270f39b9a5ee5e22de99d3d6Mark Andrews query type and

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein class to PTR and IN respectively. By default, IPv6 addresses are

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein looked up using nibble format under the IP6.ARPA domain.

d71e2e0c61df16ff37c9934c371a4a60c08974f7Mark Andrews To use the older RFC1886 method using the IP6.INT domain

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein specify the <code class="option">-i</code> option. Bit string labels (RFC2874)

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein are now experimental and are not attempted.

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </p>

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein To sign the DNS queries sent by <span><strong class="command">dig</strong></span> and

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein their

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein responses using transaction signatures (TSIG), specify a TSIG key file

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein using the <code class="option">-k</code> option. You can also specify the TSIG

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein key itself on the command line using the <code class="option">-y</code> option;

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <em class="parameter"><code>hmac</code></em> is the type of the TSIG, default HMAC-MD5,

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <em class="parameter"><code>name</code></em> is the name of the TSIG key and

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <em class="parameter"><code>key</code></em> is the actual key. The key is a

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein base-64

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein encoded string, typically generated by

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>.

7208386cd37a2092c70eddf80cf29519b16c4c80Mark Andrews

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Caution should be taken when using the <code class="option">-y</code> option on

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein multi-user systems as the key can be visible in the output from

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <span class="citerefentry"><span class="refentrytitle">ps</span>(1)</span>

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein or in the shell's history file. When

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein using TSIG authentication with <span><strong class="command">dig</strong></span>, the name

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein server that is queried needs to know the key and algorithm that is

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein being used. In BIND, this is done by providing appropriate

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <span><strong class="command">key</strong></span> and <span><strong class="command">server</strong></span> statements in

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <code class="filename">named.conf</code>.

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </p>

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</div>

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="refsect1" lang="en">

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<a name="id2544058"></a><h2>QUERY OPTIONS</h2>

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p><span><strong class="command">dig</strong></span>

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein provides a number of query options which affect

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein the way in which lookups are made and the results displayed. Some of

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein these set or reset flag bits in the query header, some determine which

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein sections of the answer get printed, and others determine the timeout

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein and retry strategies.

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </p>

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>

e2e4d321999340802f77adaacd19c797d04b4b95Automatic Updater Each query option is identified by a keyword preceded by a plus sign

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein (<code class="literal">+</code>). Some keywords set or reset an

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein option. These may be preceded

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein by the string <code class="literal">no</code> to negate the meaning of

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein that keyword. Other

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein keywords assign values to options like the timeout interval. They

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein have the form <code class="option">+keyword=value</code>.

e2e4d321999340802f77adaacd19c797d04b4b95Automatic Updater The query options are:

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein

1224c3b69b3d18f7127aa042644936af25a2d679Mark Andrews </p>

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="variablelist"><dl>

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dt><span class="term"><code class="option">+[no]tcp</code></span></dt>

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dd><p>

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Use [do not use] TCP when querying name servers. The default

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein behavior is to use UDP unless an AXFR or IXFR query is

e2e4d321999340802f77adaacd19c797d04b4b95Automatic Updater requested, in

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein which case a TCP connection is used.

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </p></dd>

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dt><span class="term"><code class="option">+[no]vc</code></span></dt>

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dd><p>

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Use [do not use] TCP when querying name servers. This alternate

syntax to <em class="parameter"><code>+[no]tcp</code></em> is

provided for backwards

compatibility. The "vc" stands for "virtual circuit".

</p></dd>

<dt><span class="term"><code class="option">+[no]ignore</code></span></dt>

<dd><p>

Ignore truncation in UDP responses instead of retrying with TCP.

By

default, TCP retries are performed.

</p></dd>

<dt><span class="term"><code class="option">+domain=somename</code></span></dt>

<dd><p>

Set the search list to contain the single domain

<em class="parameter"><code>somename</code></em>, as if specified in

a

<span><strong class="command">domain</strong></span> directive in

<code class="filename">/etc/resolv.conf</code>, and enable

search list

processing as if the <em class="parameter"><code>+search</code></em>

option were given.

</p></dd>

<dt><span class="term"><code class="option">+[no]search</code></span></dt>

<dd><p>

Use [do not use] the search list defined by the searchlist or

domain

directive in <code class="filename">resolv.conf</code> (if

any).

The search list is not used by default.

</p></dd>

<dt><span class="term"><code class="option">+[no]showsearch</code></span></dt>

<dd><p>

Perform [do not perform] a search showing intermediate

results.

</p></dd>

<dt><span class="term"><code class="option">+[no]defname</code></span></dt>

<dd><p>

Deprecated, treated as a synonym for <em class="parameter"><code>+[no]search</code></em>

</p></dd>

<dt><span class="term"><code class="option">+[no]aaonly</code></span></dt>

<dd><p>

Sets the "aa" flag in the query.

</p></dd>

<dt><span class="term"><code class="option">+[no]aaflag</code></span></dt>

<dd><p>

A synonym for <em class="parameter"><code>+[no]aaonly</code></em>.

</p></dd>

<dt><span class="term"><code class="option">+[no]adflag</code></span></dt>

<dd><p>

Set [do not set] the AD (authentic data) bit in the

query. This requests the server to return whether

all of the answer and authority sections have all

been validated as secure according to the security

policy of the server. AD=1 indicates that all records

have been validated as secure and the answer is not

from a OPT-OUT range. AD=0 indicate that some part

of the answer was insecure or not validated. This

bit is set by default.

</p></dd>

<dt><span class="term"><code class="option">+[no]cdflag</code></span></dt>

<dd><p>

Set [do not set] the CD (checking disabled) bit in the query.

This

requests the server to not perform DNSSEC validation of

responses.

</p></dd>

<dt><span class="term"><code class="option">+[no]cl</code></span></dt>

<dd><p>

Display [do not display] the CLASS when printing the record.

</p></dd>

<dt><span class="term"><code class="option">+[no]ttlid</code></span></dt>

<dd><p>

Display [do not display] the TTL when printing the record.

</p></dd>

<dt><span class="term"><code class="option">+[no]recurse</code></span></dt>

<dd><p>

Toggle the setting of the RD (recursion desired) bit

in the query. This bit is set by default, which means

<span><strong class="command">dig</strong></span> normally sends recursive

queries. Recursion is automatically disabled when

the <em class="parameter"><code>+nssearch</code></em> or

<em class="parameter"><code>+trace</code></em> query options are used.

</p></dd>

<dt><span class="term"><code class="option">+[no]nssearch</code></span></dt>

<dd><p>

When this option is set, <span><strong class="command">dig</strong></span>

attempts to find the

authoritative name servers for the zone containing the name

being

looked up and display the SOA record that each name server has

for the

zone.

</p></dd>

<dt><span class="term"><code class="option">+[no]trace</code></span></dt>

<dd>

<p>

Toggle tracing of the delegation path from the root

name servers for the name being looked up. Tracing

is disabled by default. When tracing is enabled,

<span><strong class="command">dig</strong></span> makes iterative queries to

resolve the name being looked up. It will follow

referrals from the root servers, showing the answer

from each server that was used to resolve the lookup.

</p>

<p>

<span><strong class="command">+dnssec</strong></span> is also set when +trace is

set to better emulate the default queries from a nameserver.

</p>

</dd>

<dt><span class="term"><code class="option">+[no]cmd</code></span></dt>

<dd><p>

Toggles the printing of the initial comment in the output

identifying

the version of <span><strong class="command">dig</strong></span> and the query

options that have

been applied. This comment is printed by default.

</p></dd>

<dt><span class="term"><code class="option">+[no]short</code></span></dt>

<dd><p>

Provide a terse answer. The default is to print the answer in a

verbose form.

</p></dd>

<dt><span class="term"><code class="option">+[no]identify</code></span></dt>

<dd><p>

Show [or do not show] the IP address and port number that

supplied the

answer when the <em class="parameter"><code>+short</code></em> option

is enabled. If

short form answers are requested, the default is not to show the

source address and port number of the server that provided the

answer.

</p></dd>

<dt><span class="term"><code class="option">+[no]comments</code></span></dt>

<dd><p>

Toggle the display of comment lines in the output. The default

is to print comments.

</p></dd>

<dt><span class="term"><code class="option">+[no]rrcomments</code></span></dt>

<dd><p>

Toggle the display of per-record comments in the output (for

example, human-readable key information about DNSKEY records).

The default is not to print record comments unless multiline

mode is active.

</p></dd>

<dt><span class="term"><code class="option">+split=W</code></span></dt>

<dd><p>

Split long hex- or base64-formatted fields in resource

records into chunks of <em class="parameter"><code>W</code></em> characters

(where <em class="parameter"><code>W</code></em> is rounded up to the nearest

multiple of 4).

<em class="parameter"><code>+nosplit</code></em> or

<em class="parameter"><code>+split=0</code></em> causes fields not to be

split at all. The default is 56 characters, or 44 characters

when multiline mode is active.

</p></dd>

<dt><span class="term"><code class="option">+[no]stats</code></span></dt>

<dd><p>

This query option toggles the printing of statistics: when the

query

was made, the size of the reply and so on. The default

behavior is

to print the query statistics.

</p></dd>

<dt><span class="term"><code class="option">+[no]qr</code></span></dt>

<dd><p>

Print [do not print] the query as it is sent.

By default, the query is not printed.

</p></dd>

<dt><span class="term"><code class="option">+[no]question</code></span></dt>

<dd><p>

Print [do not print] the question section of a query when an

answer is

returned. The default is to print the question section as a

comment.

</p></dd>

<dt><span class="term"><code class="option">+[no]answer</code></span></dt>

<dd><p>

Display [do not display] the answer section of a reply. The

default

is to display it.

</p></dd>

<dt><span class="term"><code class="option">+[no]authority</code></span></dt>

<dd><p>

Display [do not display] the authority section of a reply. The

default is to display it.

</p></dd>

<dt><span class="term"><code class="option">+[no]additional</code></span></dt>

<dd><p>

Display [do not display] the additional section of a reply.

The default is to display it.

</p></dd>

<dt><span class="term"><code class="option">+[no]all</code></span></dt>

<dd><p>

Set or clear all display flags.

</p></dd>

<dt><span class="term"><code class="option">+time=T</code></span></dt>

<dd><p>

Sets the timeout for a query to

<em class="parameter"><code>T</code></em> seconds. The default

timeout is 5 seconds.

An attempt to set <em class="parameter"><code>T</code></em> to less

than 1 will result

in a query timeout of 1 second being applied.

</p></dd>

<dt><span class="term"><code class="option">+tries=T</code></span></dt>

<dd><p>

Sets the number of times to try UDP queries to server to

<em class="parameter"><code>T</code></em> instead of the default, 3.

If

<em class="parameter"><code>T</code></em> is less than or equal to

zero, the number of

tries is silently rounded up to 1.

</p></dd>

<dt><span class="term"><code class="option">+retry=T</code></span></dt>

<dd><p>

Sets the number of times to retry UDP queries to server to

<em class="parameter"><code>T</code></em> instead of the default, 2.

Unlike

<em class="parameter"><code>+tries</code></em>, this does not include

the initial

query.

</p></dd>

<dt><span class="term"><code class="option">+ndots=D</code></span></dt>

<dd><p>

Set the number of dots that have to appear in

<em class="parameter"><code>name</code></em> to <em class="parameter"><code>D</code></em> for it to be

considered absolute. The default value is that defined using

the

ndots statement in <code class="filename">/etc/resolv.conf</code>, or 1 if no

ndots statement is present. Names with fewer dots are

interpreted as

relative names and will be searched for in the domains listed in

the

<code class="option">search</code> or <code class="option">domain</code> directive in

<code class="filename">/etc/resolv.conf</code>.

</p></dd>

<dt><span class="term"><code class="option">+bufsize=B</code></span></dt>

<dd><p>

Set the UDP message buffer size advertised using EDNS0 to

<em class="parameter"><code>B</code></em> bytes. The maximum and minimum sizes

of this buffer are 65535 and 0 respectively. Values outside

this range are rounded up or down appropriately.

Values other than zero will cause a EDNS query to be sent.

</p></dd>

<dt><span class="term"><code class="option">+edns=#</code></span></dt>

<dd><p>

Specify the EDNS version to query with. Valid values

are 0 to 255. Setting the EDNS version will cause

a EDNS query to be sent. <code class="option">+noedns</code>

clears the remembered EDNS version. EDNS is set to

0 by default.

</p></dd>

<dt><span class="term"><code class="option">+[no]multiline</code></span></dt>

<dd><p>

Print records like the SOA records in a verbose multi-line

format with human-readable comments. The default is to print

each record on a single line, to facilitate machine parsing

of the <span><strong class="command">dig</strong></span> output.

</p></dd>

<dt><span class="term"><code class="option">+[no]onesoa</code></span></dt>

<dd><p>

Print only one (starting) SOA record when performing

an AXFR. The default is to print both the starting and

ending SOA records.

</p></dd>

<dt><span class="term"><code class="option">+[no]fail</code></span></dt>

<dd><p>

Do not try the next server if you receive a SERVFAIL. The

default is

to not try the next server which is the reverse of normal stub

resolver

behavior.

</p></dd>

<dt><span class="term"><code class="option">+[no]besteffort</code></span></dt>

<dd><p>

Attempt to display the contents of messages which are malformed.

The default is to not display malformed answers.

</p></dd>

<dt><span class="term"><code class="option">+[no]dnssec</code></span></dt>

<dd><p>

Requests DNSSEC records be sent by setting the DNSSEC OK bit

(DO)

in the OPT record in the additional section of the query.

</p></dd>

<dt><span class="term"><code class="option">+[no]sigchase</code></span></dt>

<dd><p>

Chase DNSSEC signature chains. Requires dig be compiled with

-DDIG_SIGCHASE.

</p></dd>

<dt><span class="term"><code class="option">+trusted-key=####</code></span></dt>

<dd>

<p>

Specifies a file containing trusted keys to be used with

<code class="option">+sigchase</code>. Each DNSKEY record must be

on its own line.

</p>

<p>

If not specified, <span><strong class="command">dig</strong></span> will look for

<code class="filename">/etc/trusted-key.key</code> then

<code class="filename">trusted-key.key</code> in the current directory.

</p>

<p>

Requires dig be compiled with -DDIG_SIGCHASE.

</p>

</dd>

<dt><span class="term"><code class="option">+[no]topdown</code></span></dt>

<dd><p>

When chasing DNSSEC signature chains perform a top-down

validation.

Requires dig be compiled with -DDIG_SIGCHASE.

</p></dd>

<dt><span class="term"><code class="option">+[no]nsid</code></span></dt>

<dd><p>

Include an EDNS name server ID request when sending a query.

</p></dd>

</dl></div>

<p>

</p>

</div>

<div class="refsect1" lang="en">

<a name="id2545321"></a><h2>MULTIPLE QUERIES</h2>

<p>

The BIND 9 implementation of <span><strong class="command">dig </strong></span>

supports

specifying multiple queries on the command line (in addition to

supporting the <code class="option">-f</code> batch file option). Each of those

queries can be supplied with its own set of flags, options and query

options.

</p>

<p>

In this case, each <em class="parameter"><code>query</code></em> argument

represent an

individual query in the command-line syntax described above. Each

consists of any of the standard options and flags, the name to be

looked up, an optional query type and class and any query options that

should be applied to that query.

</p>

<p>

A global set of query options, which should be applied to all queries,

can also be supplied. These global query options must precede the

first tuple of name, class, type, options, flags, and query options

supplied on the command line. Any global query options (except

the <code class="option">+[no]cmd</code> option) can be

overridden by a query-specific set of query options. For example:

</p>

<pre class="programlisting">

dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr

</pre>

<p>

shows how <span><strong class="command">dig</strong></span> could be used from the

command line

to make three lookups: an ANY query for <code class="literal">www.isc.org</code>, a

reverse lookup of 127.0.0.1 and a query for the NS records of

<code class="literal">isc.org</code>.

A global query option of <em class="parameter"><code>+qr</code></em> is

applied, so

that <span><strong class="command">dig</strong></span> shows the initial query it made

for each

lookup. The final query has a local query option of

<em class="parameter"><code>+noqr</code></em> which means that <span><strong class="command">dig</strong></span>

will not print the initial query when it looks up the NS records for

<code class="literal">isc.org</code>.

</p>

</div>

<div class="refsect1" lang="en">

<a name="id2545383"></a><h2>IDN SUPPORT</h2>

<p>

If <span><strong class="command">dig</strong></span> has been built with IDN (internationalized

domain name) support, it can accept and display non-ASCII domain names.

<span><strong class="command">dig</strong></span> appropriately converts character encoding of

domain name before sending a request to DNS server or displaying a

reply from the server.

If you'd like to turn off the IDN support for some reason, defines

the <code class="envar">IDN_DISABLE</code> environment variable.

The IDN support is disabled if the variable is set when

<span><strong class="command">dig</strong></span> runs.

</p>

</div>

<div class="refsect1" lang="en">

<a name="id2545405"></a><h2>FILES</h2>

<p><code class="filename">/etc/resolv.conf</code>

</p>

<p><code class="filename">${HOME}/.digrc</code>

</p>

</div>

<div class="refsect1" lang="en">

<a name="id2545422"></a><h2>SEE ALSO</h2>

<p><span class="citerefentry"><span class="refentrytitle">host</span>(1)</span>,

<span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,

<span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,

<em class="citetitle">RFC1035</em>.

</p>

</div>

<div class="refsect1" lang="en">

<a name="id2545528"></a><h2>BUGS</h2>

<p>

There are probably too many query options.

</p>

</div>

</div></body>

</html>