10139N/A - Copyright (C) 2004-2014 Internet Systems Consortium, Inc. ("ISC") 10139N/A - Copyright (C) 2000-2003 Internet Software Consortium. 10139N/A - Permission to use, copy, modify, and/or distribute this software for any 10139N/A - purpose with or without fee is hereby granted, provided that the above 10139N/A - copyright notice and this permission notice appear in all copies. 10139N/A - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH 17177N/A - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY 18603N/A - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, 17177N/A - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM 10139N/A - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE 10139N/A - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR 10139N/A - PERFORMANCE OF THIS SOFTWARE. 18615N/A<
meta http-
equiv="Content-Type" content="text/html; charset=ISO-8859-1">
18532N/A<
meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
10139N/A<
body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
19022N/A<
table width="100%" summary="Navigation header">
19022N/A<
tr><
th colspan="3" align="center">delv</
th></
tr>
20291N/A<
th width="60%" align="center">Manual pages</
th>
10139N/A<
div class="refentry" lang="en">
10139N/A<
p>delv — DNS lookup and validation utility</
p>
10139N/A<
div class="cmdsynopsis"><
p><
code class="command">delv</
code> [@server] [<
code class="option">-4</
code>] [<
code class="option">-6</
code>] [<
code class="option">-a <
em class="replaceable"><
code>anchor-file</
code></
em></
code>] [<
code class="option">-b <
em class="replaceable"><
code>address</
code></
em></
code>] [<
code class="option">-c <
em class="replaceable"><
code>class</
code></
em></
code>] [<
code class="option">-d <
em class="replaceable"><
code>level</
code></
em></
code>] [<
code class="option">-i</
code>] [<
code class="option">-m</
code>] [<
code class="option">-p <
em class="replaceable"><
code>port#</
code></
em></
code>] [<
code class="option">-q <
em class="replaceable"><
code>name</
code></
em></
code>] [<
code class="option">-t <
em class="replaceable"><
code>type</
code></
em></
code>] [<
code class="option">-x <
em class="replaceable"><
code>addr</
code></
em></
code>] [name] [type] [class] [queryopt...]</
p></
div>
10139N/A<
div class="cmdsynopsis"><
p><
code class="command">delv</
code> [<
code class="option">-h</
code>]</
p></
div>
10139N/A<
div class="cmdsynopsis"><
p><
code class="command">delv</
code> [<
code class="option">-v</
code>]</
p></
div>
10139N/A<
div class="cmdsynopsis"><
p><
code class="command">delv</
code> [queryopt...] [query...]</
p></
div>
10139N/A<
div class="refsect1" lang="en">
10139N/A<
a name="id2615475"></
a><
h2>DESCRIPTION</
h2>
10139N/A<
p><
span><
strong class="command">delv</
strong></
span>
10139N/A (Domain Entity Lookup & Validation) is a tool for sending
10139N/A DNS queries and validating the results, using the the same internal
10139N/A resolver and validator logic as <
span><
strong class="command">named</
strong></
span>.
10139N/A <
span><
strong class="command">delv</
strong></
span> will send to a specified name server all
10139N/A queries needed to fetch and validate the requested data; this
10139N/A includes the original requested query, subsequent queries to follow
10139N/A CNAME or DNAME chains, and queries for DNSKEY, DS and DLV records
10139N/A to establish a chain of trust for DNSSEC validation.
10139N/A It does not perform iterative resolution, but simulates the
10139N/A behavior of a name server configured for DNSSEC validating and
10159N/A By default, responses are validated using built-in DNSSEC trust
10139N/A anchors for the root zone (".") and for the ISC DNSSEC lookaside
10139N/A <
span><
strong class="command">delv</
strong></
span> are either fully validated or
19022N/A were not signed. If validation fails, an explanation of
19046N/A the failure is included in the output; the validation process
20291N/A can be traced in detail. Because <
span><
strong class="command">delv</
strong></
span> does
10139N/A not rely on an external server to carry out validation, it can
10139N/A be used to check the validity of DNS responses in environments
10139N/A where local name servers may not be trustworthy.
10139N/A Unless it is told to query a specific name server,
10139N/A <
span><
strong class="command">delv</
strong></
span> will try each of the servers listed in
10139N/A addresses are found, <
span><
strong class="command">delv</
strong></
span> will send
10139N/A queries to the localhost addresses (127.0.0.1 for IPv4, ::1
10139N/A When no command line arguments or options are given,
10139N/A <
span><
strong class="command">delv</
strong></
span> will perform an NS query for "."
12773N/A<
div class="refsect1" lang="en">
12773N/A<
a name="id2615684"></
a><
h2>SIMPLE USAGE</
h2>
12773N/A A typical invocation of <
span><
strong class="command">delv</
strong></
span> looks like:
10139N/A<
pre class="programlisting"> delv @server name type </
pre>
10139N/A<
dt><
span class="term"><
code class="constant">server</
code></
span></
dt>
10139N/A is the name or IP address of the name server to query. This
10139N/A can be an IPv4 address in dotted-decimal notation or an IPv6
17882N/A address in colon-delimited notation. When the supplied
10139N/A <
em class="parameter"><
code>server</
code></
em> argument is a hostname,
10139N/A <
span><
strong class="command">delv</
strong></
span> resolves that name before
10139N/A querying that name server (note, however, that this
10139N/A initial lookup is <
span class="emphasis"><
em>not</
em></
span> validated
10139N/A If no <
em class="parameter"><
code>server</
code></
em> argument is
10139N/A provided, <
span><
strong class="command">delv</
strong></
span> consults
10139N/A address is found there, it queries the name server at
12184N/A that address. If either of the <
code class="option">-4</
code> or
10139N/A <
code class="option">-6</
code> options are in use, then
10139N/A only addresses for the corresponding transport
10139N/A will be tried. If no usable addresses are found,
10139N/A <
span><
strong class="command">delv</
strong></
span> will send queries to
10139N/A the localhost addresses (127.0.0.1 for IPv4,
10139N/A<
dt><
span class="term"><
code class="constant">name</
code></
span></
dt>
10139N/A is the domain name to be looked up.
10139N/A<
dt><
span class="term"><
code class="constant">type</
code></
span></
dt>
10139N/A indicates what type of query is required —
12184N/A <
em class="parameter"><
code>type</
code></
em> can be any valid query
10139N/A <
em class="parameter"><
code>type</
code></
em> argument is supplied,
10139N/A <
span><
strong class="command">delv</
strong></
span> will perform a lookup for an
20291N/A<
div class="refsect1" lang="en">
19046N/A<
a name="id2615815"></
a><
h2>OPTIONS</
h2>
19022N/A<
dt><
span class="term">-a <
em class="replaceable"><
code>anchor-file</
code></
em></
span></
dt>
18905N/A Specifies a file from which to read DNSSEC trust anchors.
18690N/A is included with <
acronym class="acronym">BIND</
acronym> 9 and contains
18685N/A trust anchors for the root zone (".") and for the ISC
18532N/A Keys that do not match the root or DLV trust-anchor
18532N/A names are ignored; these key names can be overridden
18422N/A using the <
code class="option">+dlv=NAME</
code> or
18422N/A <
code class="option">+root=NAME</
code> options.
18300N/A Note: When reading the trust anchor file,
18300N/A <
span><
strong class="command">delv</
strong></
span> treats <
code class="option">managed-keys</
code>
18236N/A statements and <
code class="option">trusted-keys</
code> statements
18236N/A identically. That is, for a managed key, it is the
18140N/A <
span class="emphasis"><
em>initial</
em></
span> key that is trusted; RFC 5011
18140N/A key management is not supported. <
span><
strong class="command">delv</
strong></
span>
18140N/A will not consult the managed-keys database maintained by
17882N/A <
span><
strong class="command">named</
strong></
span>. This means that if either of the
17882N/A and rolled over, it will be necessary to update
17570N/A validation in <
span><
strong class="command">delv</
strong></
span>.
17301N/A<
dt><
span class="term">-b <
em class="replaceable"><
code>address</
code></
em></
span></
dt>
17142N/A Sets the source IP address of the query to
17142N/A <
em class="parameter"><
code>address</
code></
em>. This must be a valid address
16987N/A on one of the host's network interfaces or "0.0.0.0" or "::".
16987N/A An optional source port may be specified by appending
16807N/A<
dt><
span class="term">-c <
em class="replaceable"><
code>class</
code></
em></
span></
dt>
16670N/A Sets the query class for the requested data. Currently,
16670N/A only class "IN" is supported in <
span><
strong class="command">delv</
strong></
span>
16670N/A and any other value is ignored.
16626N/A<
dt><
span class="term">-d <
em class="replaceable"><
code>level</
code></
em></
span></
dt>
16429N/A Set the systemwide debug level to <
code class="option">level</
code>.
16379N/A The allowed range is from 0 to 99.
16626N/A The default is 0 (no debugging).
16379N/A Debugging traces from <
span><
strong class="command">delv</
strong></
span> become
16337N/A more verbose as the debug level increases.
16626N/A See the <
code class="option">+mtrace</
code>, <
code class="option">+rtrace</
code>,
16626N/A and <
code class="option">+vtrace</
code> options below for additional
16149N/A<
dt><
span class="term">-h</
span></
dt>
15881N/A Display the <
span><
strong class="command">delv</
strong></
span> help usage output and exit.
15854N/A<
dt><
span class="term">-i</
span></
dt>
15696N/A Insecure mode. This disables internal DNSSEC validation.
16626N/A (Note, however, this does not set the CD bit on upstream
14554N/A queries. If the server being queried is performing DNSSEC
16626N/A validation, then it will not return invalid data; this
14540N/A can cause <
span><
strong class="command">delv</
strong></
span> to time out. When it
14540N/A is necessary to examine invalid data to debug a DNSSEC
14206N/A problem, use <
span><
strong class="command">dig +cd</
strong></
span>.)
13945N/A<
dt><
span class="term">-m</
span></
dt>
13840N/A Enables memory usage debugging.
13766N/A<
dt><
span class="term">-p <
em class="replaceable"><
code>port#</
code></
em></
span></
dt>
13624N/A Specifies a destination port to use for queries instead of
13624N/A the standard DNS port number 53. This option would be used
13426N/A with a name server that has been configured to listen
13426N/A for queries on a non-standard port number.
13314N/A<
dt><
span class="term">-q <
em class="replaceable"><
code>name</
code></
em></
span></
dt>
13260N/A Sets the query name to <
em class="parameter"><
code>name</
code></
em>.
13114N/A While the query name can be specified without using the
13114N/A <
code class="option">-q</
code>, it is sometimes necessary to disambiguate
12808N/A names from types or classes (for example, when looking up the
12808N/A name "ns", which could be misinterpreted as the type NS,
12586N/A or "ch", which could be misinterpreted as class CH).
12467N/A<
dt><
span class="term">-t <
em class="replaceable"><
code>type</
code></
em></
span></
dt>
12363N/A Sets the query type to <
em class="parameter"><
code>type</
code></
em>, which
12288N/A can be any valid query type supported in BIND 9 except
12288N/A for zone transfer types AXFR and IXFR. As with
12184N/A <
code class="option">-q</
code>, this is useful to distinguish
12184N/A query name type or class when they are ambiguous.
12147N/A it is sometimes necessary to disambiguate names from types.
12094N/A The default query type is "A", unless the <
code class="option">-x</
code>
11989N/A option is supplied to indicate a reverse lookup, in which case
11240N/A<
dt><
span class="term">-v</
span></
dt>
11185N/A Print the <
span><
strong class="command">delv</
strong></
span> version and exit.
11149N/A<
dt><
span class="term">-x <
em class="replaceable"><
code>addr</
code></
em></
span></
dt>
11123N/A Performs a reverse lookup, mapping an addresses to
11123N/A a name. <
em class="parameter"><
code>addr</
code></
em> is an IPv4 address in
11069N/A dotted-decimal notation, or a colon-delimited IPv6 address.
11069N/A When <
code class="option">-x</
code> is used, there is no need to provide
10979N/A the <
em class="parameter"><
code>name</
code></
em> or <
em class="parameter"><
code>type</
code></
em>
10979N/A arguments. <
span><
strong class="command">delv</
strong></
span> automatically performs a
10924N/A and sets the query type to PTR. IPv6 addresses are looked up
10642N/A<
dt><
span class="term">-4</
span></
dt>
10601N/A Forces <
span><
strong class="command">delv</
strong></
span> to only use IPv4.
10601N/A<
dt><
span class="term">-6</
span></
dt>
10601N/A Forces <
span><
strong class="command">delv</
strong></
span> to only use IPv6.
10152N/A<
div class="refsect1" lang="en">
10152N/A<
a name="id2671865"></
a><
h2>QUERY OPTIONS</
h2>
10139N/A<
p><
span><
strong class="command">delv</
strong></
span>
10139N/A provides a number of query options which affect the way results are
10139N/A displayed, and in some cases the way lookups are performed.
10139N/A Each query option is identified by a keyword preceded by a plus sign
10139N/A (<
code class="literal">+</
code>). Some keywords set or reset an
10139N/A option. These may be preceded by the string
10139N/A <
code class="literal">no</
code> to negate the meaning of that keyword.
10139N/A Other keywords assign values to options like the timeout interval.
10139N/A They have the form <
code class="option">+keyword=value</
code>.
10139N/A<
dt><
span class="term"><
code class="option">+[no]cdflag</
code></
span></
dt>
10139N/A Controls whether to set the CD (checking disabled) bit in
10139N/A queries sent by <
span><
strong class="command">delv</
strong></
span>. This may be useful
16626N/A when troubleshooting DNSSEC problems from behind a validating
10139N/A resolver. A validating resolver will block invalid responses,
10139N/A making it difficult to retrieve them for analysis. Setting
10139N/A the CD flag on queries will cause the resolver to return
16626N/A invalid responses, which <
span><
strong class="command">delv</
strong></
span> can then
10139N/A validate internally and report the errors in detail.
10139N/A<
dt><
span class="term"><
code class="option">+[no]class</
code></
span></
dt>
10139N/A Controls whether to display the CLASS when printing
10139N/A a record. The default is to display the CLASS.
10139N/A<
dt><
span class="term"><
code class="option">+[no]ttl</
code></
span></
dt>
10139N/A Controls whether to display the TTL when printing
10139N/A a record. The default is to display the TTL.
10139N/A<
dt><
span class="term"><
code class="option">+[no]rtrace</
code></
span></
dt>
10139N/A Toggle resolver fetch logging. This reports the
10139N/A name and type of each query sent by <
span><
strong class="command">delv</
strong></
span>
10139N/A in the process of carrying out the resolution and validation
10139N/A process: this includes including the original query and
10139N/A all subsequent queries to follow CNAMEs and to establish a
10139N/A chain of trust for DNSSEC validation.
10139N/A This is equivalent to setting the debug level to 1 in
10139N/A the "resolver" logging category. Setting the systemwide
10139N/A debug level to 1 using the <
code class="option">-d</
code> option will
10139N/A product the same output (but will affect other logging
10139N/A<
dt><
span class="term"><
code class="option">+[no]mtrace</
code></
span></
dt>
10139N/A Toggle message logging. This produces a detailed dump of
10139N/A the responses received by <
span><
strong class="command">delv</
strong></
span> in the
10139N/A process of carrying out the resolution and validation process.
16626N/A This is equivalent to setting the debug level to 10
10139N/A for the the "packets" module of the "resolver" logging
10139N/A category. Setting the systemwide debug level to 10 using
10139N/A the <
code class="option">-d</
code> option will produce the same output
10139N/A (but will affect other logging categories as well).
10139N/A<
dt><
span class="term"><
code class="option">+[no]vtrace</
code></
span></
dt>
16626N/A Toggle validation logging. This shows the internal
10139N/A process of the validator as it determines whether an
16626N/A answer is validly signed, unsigned, or invalid.
10139N/A This is equivalent to setting the debug level to 3
10139N/A for the the "validator" module of the "dnssec" logging
10139N/A category. Setting the systemwide debug level to 3 using
16626N/A the <
code class="option">-d</
code> option will produce the same output
10139N/A (but will affect other logging categories as well).
10139N/A<
dt><
span class="term"><
code class="option">+[no]short</
code></
span></
dt>
10139N/A Provide a terse answer. The default is to print the answer in a
16626N/A<
dt><
span class="term"><
code class="option">+[no]comments</
code></
span></
dt>
16626N/A Toggle the display of comment lines in the output. The default
10139N/A<
dt><
span class="term"><
code class="option">+[no]rrcomments</
code></
span></
dt>
10139N/A Toggle the display of per-record comments in the output (for
10139N/A example, human-readable key information about DNSKEY records).
16626N/A The default is to print per-record comments.
16626N/A<
dt><
span class="term"><
code class="option">+[no]crypto</
code></
span></
dt>
10139N/A Toggle the display of cryptographic fields in DNSSEC records.
10139N/A The contents of these field are unnecessary to debug most DNSSEC
10139N/A validation failures and removing them makes it easier to see
10139N/A the common failures. The default is to display the fields.
10139N/A When omitted they are replaced by the string "[omitted]" or
10139N/A in the DNSKEY case the key id is displayed as the replacement,
16626N/A<
dt><
span class="term"><
code class="option">+[no]trust</
code></
span></
dt>
16626N/A Controls whether to display the trust level when printing
10139N/A a record. The default is to display the trust level.
10139N/A<
dt><
span class="term"><
code class="option">+[no]split[=W]</
code></
span></
dt>
10139N/A Split long hex- or base64-formatted fields in resource
16626N/A records into chunks of <
em class="parameter"><
code>W</
code></
em> characters
10139N/A (where <
em class="parameter"><
code>W</
code></
em> is rounded up to the nearest
16626N/A <
em class="parameter"><
code>+nosplit</
code></
em> or
10139N/A <
em class="parameter"><
code>+split=0</
code></
em> causes fields not to be
10139N/A split at all. The default is 56 characters, or 44 characters
16626N/A<
dt><
span class="term"><
code class="option">+[no]all</
code></
span></
dt>
16626N/A Set or clear the display options
10139N/A <
code class="option">+[no]comments</
code>,
16626N/A <
code class="option">+[no]rrcomments</
code>, and
10139N/A <
code class="option">+[no]trust</
code> as a group.
10139N/A<
dt><
span class="term"><
code class="option">+[no]multiline</
code></
span></
dt>
16626N/A Print long records (such as RRSIG, DNSKEY, and SOA records)
10139N/A in a verbose multi-line format with human-readable comments.
16626N/A The default is to print each record on a single line, to
10139N/A facilitate machine parsing of the <
span><
strong class="command">delv</
strong></
span>
10139N/A<
dt><
span class="term"><
code class="option">+[no]dnssec</
code></
span></
dt>
10139N/A Indicates whether to display RRSIG records in the
10139N/A <
span><
strong class="command">delv</
strong></
span> output. The default is to
10139N/A do so. Note that (unlike in <
span><
strong class="command">dig</
strong></
span>)
10139N/A this does <
span class="emphasis"><
em>not</
em></
span> control whether to
10139N/A request DNSSEC records or whether to validate them.
10139N/A DNSSEC records are always requested, and validation
10139N/A will always occur unless suppressed by the use of
16626N/A <
code class="option">-i</
code> or <
code class="option">+noroot</
code> and
16626N/A <
code class="option">+nodlv</
code>.
16626N/A<
dt><
span class="term"><
code class="option">+[no]root[=ROOT]</
code></
span></
dt>
10139N/A Indicates whether to perform conventional (non-lookaside)
10139N/A DNSSEC validation, and if so, specifies the
16626N/A name of a trust anchor. The default is to validate using
10139N/A a trust anchor of "." (the root zone), for which there is
10139N/A a built-in key. If specifying a different trust anchor,
10139N/A then <
code class="option">-a</
code> must be used to specify a file
10139N/A<
dt><
span class="term"><
code class="option">+[no]dlv[=DLV]</
code></
span></
dt>
10139N/A Indicates whether to perform DNSSEC lookaside validation,
16626N/A and if so, specifies the name of the DLV trust anchor.
10139N/A The default is to perform lookaside validation using
10139N/A built-in key. If specifying a different name, then
16626N/A <
code class="option">-a</
code> must be used to specify a file
<
div class="refsect1" lang="en">
<
a name="id2672450"></
a><
h2>FILES</
h2>
<
div class="refsect1" lang="en">
<
a name="id2672469"></
a><
h2>SEE ALSO</
h2>
<
p><
span class="citerefentry"><
span class="refentrytitle">dig</
span>(1)</
span>,
<
span class="citerefentry"><
span class="refentrytitle">named</
span>(8)</
span>,
<
em class="citetitle">RFC4034</
em>,
<
em class="citetitle">RFC4035</
em>,
<
em class="citetitle">RFC4431</
em>,
<
em class="citetitle">RFC5074</
em>,
<
em class="citetitle">RFC5155</
em>.
<
table width="100%" summary="Navigation footer">
<
td width="40%" align="left">
<
td width="20%" align="center"><
a accesskey="u" href="Bv9ARM.ch10.html">Up</
a></
td>
<
td width="40%" align="left" valign="top">host�</
td>
<
td width="20%" align="center"><
a accesskey="h" href="Bv9ARM.html">Home</
a></
td>
<
td width="40%" align="right" valign="top">�<
span class="application">dnssec-checkds</
span>
<
p style="text-align: center;">BIND Version 9.11</
p>