man.delv.html revision 8908291ce54a924176de1e28f158ed7323472f26
d74801c0368d6d784eff276713def80ef9d56445vboxsync - Copyright (C) 2004-2014 Internet Systems Consortium, Inc. ("ISC")
d74801c0368d6d784eff276713def80ef9d56445vboxsync - Copyright (C) 2000-2003 Internet Software Consortium.
d74801c0368d6d784eff276713def80ef9d56445vboxsync - Permission to use, copy, modify, and/or distribute this software for any
d74801c0368d6d784eff276713def80ef9d56445vboxsync - purpose with or without fee is hereby granted, provided that the above
c0b6af690ad705bddfa87c643b89770a7a0aaf5avboxsync - copyright notice and this permission notice appear in all copies.
d74801c0368d6d784eff276713def80ef9d56445vboxsync - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
d74801c0368d6d784eff276713def80ef9d56445vboxsync - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
d74801c0368d6d784eff276713def80ef9d56445vboxsync - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
d74801c0368d6d784eff276713def80ef9d56445vboxsync - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
d74801c0368d6d784eff276713def80ef9d56445vboxsync - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
d74801c0368d6d784eff276713def80ef9d56445vboxsync - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
d74801c0368d6d784eff276713def80ef9d56445vboxsync - PERFORMANCE OF THIS SOFTWARE.
d74801c0368d6d784eff276713def80ef9d56445vboxsync<!-- $Id$ -->
d74801c0368d6d784eff276713def80ef9d56445vboxsync<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
d74801c0368d6d784eff276713def80ef9d56445vboxsync<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
d74801c0368d6d784eff276713def80ef9d56445vboxsync<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
d74801c0368d6d784eff276713def80ef9d56445vboxsync<link rel="up" href="Bv9ARM.ch10.html" title="Manual pages">
d74801c0368d6d784eff276713def80ef9d56445vboxsync<link rel="next" href="man.dnssec-checkds.html" title="dnssec-checkds">
d74801c0368d6d784eff276713def80ef9d56445vboxsync<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
d74801c0368d6d784eff276713def80ef9d56445vboxsync<a accesskey="p" href="man.host.html">Prev</a>�</td>
9e1a1dfa158ca0c1b95c864ea85024a459ad0024vboxsync<td width="20%" align="right">�<a accesskey="n" href="man.dnssec-checkds.html">Next</a>
d74801c0368d6d784eff276713def80ef9d56445vboxsync<a name="man.delv"></a><div class="titlepage"></div>
d55f5ac020ffc727e495eebc00ff75a022bbd27avboxsync<p>delv — DNS lookup and validation utility</p>
d55f5ac020ffc727e495eebc00ff75a022bbd27avboxsync<div class="cmdsynopsis"><p><code class="command">delv</code> [@server] [<code class="option">-4</code>] [<code class="option">-6</code>] [<code class="option">-a <em class="replaceable"><code>anchor-file</code></em></code>] [<code class="option">-b <em class="replaceable"><code>address</code></em></code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-d <em class="replaceable"><code>level</code></em></code>] [<code class="option">-i</code>] [<code class="option">-m</code>] [<code class="option">-p <em class="replaceable"><code>port#</code></em></code>] [<code class="option">-q <em class="replaceable"><code>name</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-x <em class="replaceable"><code>addr</code></em></code>] [name] [type] [class] [queryopt...]</p></div>
d55f5ac020ffc727e495eebc00ff75a022bbd27avboxsync<div class="cmdsynopsis"><p><code class="command">delv</code> [<code class="option">-h</code>]</p></div>
d55f5ac020ffc727e495eebc00ff75a022bbd27avboxsync<div class="cmdsynopsis"><p><code class="command">delv</code> [<code class="option">-v</code>]</p></div>
d55f5ac020ffc727e495eebc00ff75a022bbd27avboxsync<div class="cmdsynopsis"><p><code class="command">delv</code> [queryopt...] [query...]</p></div>
d55f5ac020ffc727e495eebc00ff75a022bbd27avboxsync<p><span><strong class="command">delv</strong></span>
9e1a1dfa158ca0c1b95c864ea85024a459ad0024vboxsync (Domain Entity Lookup & Validation) is a tool for sending
9e1a1dfa158ca0c1b95c864ea85024a459ad0024vboxsync DNS queries and validating the results, using the the same internal
c2ac210bd84591123bb8803712887e2b016cb78fvboxsync resolver and validator logic as <span><strong class="command">named</strong></span>.
9e1a1dfa158ca0c1b95c864ea85024a459ad0024vboxsync <span><strong class="command">delv</strong></span> will send to a specified name server all
9e1a1dfa158ca0c1b95c864ea85024a459ad0024vboxsync queries needed to fetch and validate the requested data; this
9e1a1dfa158ca0c1b95c864ea85024a459ad0024vboxsync includes the original requested query, subsequent queries to follow
6c02d3ecb460395509b367a77c4b70ee673ba5ccvboxsync CNAME or DNAME chains, and queries for DNSKEY, DS and DLV records
9e1a1dfa158ca0c1b95c864ea85024a459ad0024vboxsync to establish a chain of trust for DNSSEC validation.
9e1a1dfa158ca0c1b95c864ea85024a459ad0024vboxsync It does not perform iterative resolution, but simulates the
6c02d3ecb460395509b367a77c4b70ee673ba5ccvboxsync behavior of a name server configured for DNSSEC validating and
9e1a1dfa158ca0c1b95c864ea85024a459ad0024vboxsync forwarding.
9e1a1dfa158ca0c1b95c864ea85024a459ad0024vboxsync By default, responses are validated using built-in DNSSEC trust
9e1a1dfa158ca0c1b95c864ea85024a459ad0024vboxsync anchors for the root zone (".") and for the ISC DNSSEC lookaside
6c02d3ecb460395509b367a77c4b70ee673ba5ccvboxsync validation zone ("dlv.isc.org"). Records returned by
9e1a1dfa158ca0c1b95c864ea85024a459ad0024vboxsync <span><strong class="command">delv</strong></span> are either fully validated or
9e1a1dfa158ca0c1b95c864ea85024a459ad0024vboxsync were not signed. If validation fails, an explanation of
6c02d3ecb460395509b367a77c4b70ee673ba5ccvboxsync the failure is included in the output; the validation process
9e1a1dfa158ca0c1b95c864ea85024a459ad0024vboxsync can be traced in detail. Because <span><strong class="command">delv</strong></span> does
9e1a1dfa158ca0c1b95c864ea85024a459ad0024vboxsync not rely on an external server to carry out validation, it can
6c02d3ecb460395509b367a77c4b70ee673ba5ccvboxsync be used to check the validity of DNS responses in environments
9e1a1dfa158ca0c1b95c864ea85024a459ad0024vboxsync where local name servers may not be trustworthy.
9e1a1dfa158ca0c1b95c864ea85024a459ad0024vboxsync Unless it is told to query a specific name server,
9e1a1dfa158ca0c1b95c864ea85024a459ad0024vboxsync <span><strong class="command">delv</strong></span> will try each of the servers listed in
9e1a1dfa158ca0c1b95c864ea85024a459ad0024vboxsync <code class="filename">/etc/resolv.conf</code>. If no usable server
9e1a1dfa158ca0c1b95c864ea85024a459ad0024vboxsync addresses are found, <span><strong class="command">delv</strong></span> will send
9e1a1dfa158ca0c1b95c864ea85024a459ad0024vboxsync queries to the localhost addresses (127.0.0.1 for IPv4, ::1
9e1a1dfa158ca0c1b95c864ea85024a459ad0024vboxsync When no command line arguments or options are given,
9e1a1dfa158ca0c1b95c864ea85024a459ad0024vboxsync <span><strong class="command">delv</strong></span> will perform an NS query for "."
9e1a1dfa158ca0c1b95c864ea85024a459ad0024vboxsync (the root zone).
9e1a1dfa158ca0c1b95c864ea85024a459ad0024vboxsync A typical invocation of <span><strong class="command">delv</strong></span> looks like:
d27bf03c13c7a5707386600ef9b0bbb82fb3420dvboxsync<pre class="programlisting"> delv @server name type </pre>
9e1a1dfa158ca0c1b95c864ea85024a459ad0024vboxsync<dt><span class="term"><code class="constant">server</code></span></dt>
9e1a1dfa158ca0c1b95c864ea85024a459ad0024vboxsync is the name or IP address of the name server to query. This
9e1a1dfa158ca0c1b95c864ea85024a459ad0024vboxsync can be an IPv4 address in dotted-decimal notation or an IPv6
6c02d3ecb460395509b367a77c4b70ee673ba5ccvboxsync address in colon-delimited notation. When the supplied
9e1a1dfa158ca0c1b95c864ea85024a459ad0024vboxsync <em class="parameter"><code>server</code></em> argument is a hostname,
9e1a1dfa158ca0c1b95c864ea85024a459ad0024vboxsync <span><strong class="command">delv</strong></span> resolves that name before
9e1a1dfa158ca0c1b95c864ea85024a459ad0024vboxsync querying that name server (note, however, that this
9e1a1dfa158ca0c1b95c864ea85024a459ad0024vboxsync initial lookup is <span class="emphasis"><em>not</em></span> validated
9e1a1dfa158ca0c1b95c864ea85024a459ad0024vboxsync by DNSSEC).
9e1a1dfa158ca0c1b95c864ea85024a459ad0024vboxsync If no <em class="parameter"><code>server</code></em> argument is
9e1a1dfa158ca0c1b95c864ea85024a459ad0024vboxsync provided, <span><strong class="command">delv</strong></span> consults
9e1a1dfa158ca0c1b95c864ea85024a459ad0024vboxsync <code class="filename">/etc/resolv.conf</code>; if an
9e1a1dfa158ca0c1b95c864ea85024a459ad0024vboxsync address is found there, it queries the name server at
9e1a1dfa158ca0c1b95c864ea85024a459ad0024vboxsync that address. If either of the <code class="option">-4</code> or
9e1a1dfa158ca0c1b95c864ea85024a459ad0024vboxsync <code class="option">-6</code> options are in use, then
9e1a1dfa158ca0c1b95c864ea85024a459ad0024vboxsync only addresses for the corresponding transport
9e1a1dfa158ca0c1b95c864ea85024a459ad0024vboxsync will be tried. If no usable addresses are found,
9e1a1dfa158ca0c1b95c864ea85024a459ad0024vboxsync <span><strong class="command">delv</strong></span> will send queries to
9e1a1dfa158ca0c1b95c864ea85024a459ad0024vboxsync the localhost addresses (127.0.0.1 for IPv4,
9e1a1dfa158ca0c1b95c864ea85024a459ad0024vboxsync ::1 for IPv6).
9e1a1dfa158ca0c1b95c864ea85024a459ad0024vboxsync<dt><span class="term"><code class="constant">name</code></span></dt>
d74801c0368d6d784eff276713def80ef9d56445vboxsync is the domain name to be looked up.
d74801c0368d6d784eff276713def80ef9d56445vboxsync<dt><span class="term"><code class="constant">type</code></span></dt>
d74801c0368d6d784eff276713def80ef9d56445vboxsync indicates what type of query is required —
d74801c0368d6d784eff276713def80ef9d56445vboxsync ANY, A, MX, etc.
d74801c0368d6d784eff276713def80ef9d56445vboxsync <em class="parameter"><code>type</code></em> can be any valid query
d74801c0368d6d784eff276713def80ef9d56445vboxsync type. If no
d74801c0368d6d784eff276713def80ef9d56445vboxsync <em class="parameter"><code>type</code></em> argument is supplied,
d74801c0368d6d784eff276713def80ef9d56445vboxsync <span><strong class="command">delv</strong></span> will perform a lookup for an
d74801c0368d6d784eff276713def80ef9d56445vboxsync<dt><span class="term">-a <em class="replaceable"><code>anchor-file</code></em></span></dt>
d74801c0368d6d784eff276713def80ef9d56445vboxsync Specifies a file from which to read DNSSEC trust anchors.
d74801c0368d6d784eff276713def80ef9d56445vboxsync The default is <code class="filename">/etc/bind.keys</code>, which
d74801c0368d6d784eff276713def80ef9d56445vboxsync is included with <acronym class="acronym">BIND</acronym> 9 and contains
d74801c0368d6d784eff276713def80ef9d56445vboxsync trust anchors for the root zone (".") and for the ISC
d74801c0368d6d784eff276713def80ef9d56445vboxsync DNSSEC lookaside validation zone ("dlv.isc.org").
d74801c0368d6d784eff276713def80ef9d56445vboxsync Keys that do not match the root or DLV trust-anchor
d74801c0368d6d784eff276713def80ef9d56445vboxsync names are ignored; these key names can be overridden
d74801c0368d6d784eff276713def80ef9d56445vboxsync Note: When reading the trust anchor file,
d74801c0368d6d784eff276713def80ef9d56445vboxsync <span><strong class="command">delv</strong></span> treats <code class="option">managed-keys</code>
d74801c0368d6d784eff276713def80ef9d56445vboxsync statements and <code class="option">trusted-keys</code> statements
d74801c0368d6d784eff276713def80ef9d56445vboxsync identically. That is, for a managed key, it is the
d74801c0368d6d784eff276713def80ef9d56445vboxsync <span class="emphasis"><em>initial</em></span> key that is trusted; RFC 5011
d74801c0368d6d784eff276713def80ef9d56445vboxsync key management is not supported. <span><strong class="command">delv</strong></span>
d74801c0368d6d784eff276713def80ef9d56445vboxsync will not consult the managed-keys database maintained by
d74801c0368d6d784eff276713def80ef9d56445vboxsync <span><strong class="command">named</strong></span>. This means that if either of the
ad27e1d5e48ca41245120c331cc88b50464813cevboxsync keys in <code class="filename">/etc/bind.keys</code> is revoked
6c02d3ecb460395509b367a77c4b70ee673ba5ccvboxsync and rolled over, it will be necessary to update
6c02d3ecb460395509b367a77c4b70ee673ba5ccvboxsync <code class="filename">/etc/bind.keys</code> to use DNSSEC
22197ad5dba8323699e719b622fff028e69b9d54vboxsync validation in <span><strong class="command">delv</strong></span>.
22197ad5dba8323699e719b622fff028e69b9d54vboxsync<dt><span class="term">-b <em class="replaceable"><code>address</code></em></span></dt>
6c02d3ecb460395509b367a77c4b70ee673ba5ccvboxsync Sets the source IP address of the query to
6c02d3ecb460395509b367a77c4b70ee673ba5ccvboxsync <em class="parameter"><code>address</code></em>. This must be a valid address
6c02d3ecb460395509b367a77c4b70ee673ba5ccvboxsync on one of the host's network interfaces or "0.0.0.0" or "::".
6c02d3ecb460395509b367a77c4b70ee673ba5ccvboxsync An optional source port may be specified by appending
6c02d3ecb460395509b367a77c4b70ee673ba5ccvboxsync "#<port>"
6c02d3ecb460395509b367a77c4b70ee673ba5ccvboxsync<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
22197ad5dba8323699e719b622fff028e69b9d54vboxsync Sets the query class for the requested data. Currently,
22197ad5dba8323699e719b622fff028e69b9d54vboxsync only class "IN" is supported in <span><strong class="command">delv</strong></span>
22197ad5dba8323699e719b622fff028e69b9d54vboxsync and any other value is ignored.
22197ad5dba8323699e719b622fff028e69b9d54vboxsync<dt><span class="term">-d <em class="replaceable"><code>level</code></em></span></dt>
bf41c93d79f641bebdb44218b5d5a8c8eb8a63afvboxsync Set the systemwide debug level to <code class="option">level</code>.
6c02d3ecb460395509b367a77c4b70ee673ba5ccvboxsync The allowed range is from 0 to 99.
6c02d3ecb460395509b367a77c4b70ee673ba5ccvboxsync The default is 0 (no debugging).
6c02d3ecb460395509b367a77c4b70ee673ba5ccvboxsync Debugging traces from <span><strong class="command">delv</strong></span> become
6c02d3ecb460395509b367a77c4b70ee673ba5ccvboxsync more verbose as the debug level increases.
d74801c0368d6d784eff276713def80ef9d56445vboxsync See the <code class="option">+mtrace</code>, <code class="option">+rtrace</code>,
d74801c0368d6d784eff276713def80ef9d56445vboxsync and <code class="option">+vtrace</code> options below for additional
d74801c0368d6d784eff276713def80ef9d56445vboxsync debugging details.
d74801c0368d6d784eff276713def80ef9d56445vboxsync Display the <span><strong class="command">delv</strong></span> help usage output and exit.
d74801c0368d6d784eff276713def80ef9d56445vboxsync Insecure mode. This disables internal DNSSEC validation.
d74801c0368d6d784eff276713def80ef9d56445vboxsync (Note, however, this does not set the CD bit on upstream
6c02d3ecb460395509b367a77c4b70ee673ba5ccvboxsync queries. If the server being queried is performing DNSSEC
6c02d3ecb460395509b367a77c4b70ee673ba5ccvboxsync validation, then it will not return invalid data; this
d74801c0368d6d784eff276713def80ef9d56445vboxsync can cause <span><strong class="command">delv</strong></span> to time out. When it
d74801c0368d6d784eff276713def80ef9d56445vboxsync is necessary to examine invalid data to debug a DNSSEC
d74801c0368d6d784eff276713def80ef9d56445vboxsync problem, use <span><strong class="command">dig +cd</strong></span>.)
d74801c0368d6d784eff276713def80ef9d56445vboxsync Enables memory usage debugging.
d74801c0368d6d784eff276713def80ef9d56445vboxsync<dt><span class="term">-p <em class="replaceable"><code>port#</code></em></span></dt>
22197ad5dba8323699e719b622fff028e69b9d54vboxsync Specifies a destination port to use for queries instead of
22197ad5dba8323699e719b622fff028e69b9d54vboxsync the standard DNS port number 53. This option would be used
22197ad5dba8323699e719b622fff028e69b9d54vboxsync with a name server that has been configured to listen
22197ad5dba8323699e719b622fff028e69b9d54vboxsync for queries on a non-standard port number.
6c02d3ecb460395509b367a77c4b70ee673ba5ccvboxsync<dt><span class="term">-q <em class="replaceable"><code>name</code></em></span></dt>
ad27e1d5e48ca41245120c331cc88b50464813cevboxsync Sets the query name to <em class="parameter"><code>name</code></em>.
6c02d3ecb460395509b367a77c4b70ee673ba5ccvboxsync While the query name can be specified without using the
6c02d3ecb460395509b367a77c4b70ee673ba5ccvboxsync <code class="option">-q</code>, it is sometimes necessary to disambiguate
6c02d3ecb460395509b367a77c4b70ee673ba5ccvboxsync names from types or classes (for example, when looking up the
d74801c0368d6d784eff276713def80ef9d56445vboxsync name "ns", which could be misinterpreted as the type NS,
d74801c0368d6d784eff276713def80ef9d56445vboxsync or "ch", which could be misinterpreted as class CH).
d74801c0368d6d784eff276713def80ef9d56445vboxsync<dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
22197ad5dba8323699e719b622fff028e69b9d54vboxsync Sets the query type to <em class="parameter"><code>type</code></em>, which
22197ad5dba8323699e719b622fff028e69b9d54vboxsync can be any valid query type supported in BIND 9 except
22197ad5dba8323699e719b622fff028e69b9d54vboxsync for zone transfer types AXFR and IXFR. As with
6c02d3ecb460395509b367a77c4b70ee673ba5ccvboxsync <code class="option">-q</code>, this is useful to distinguish
22197ad5dba8323699e719b622fff028e69b9d54vboxsync query name type or class when they are ambiguous.
bf41c93d79f641bebdb44218b5d5a8c8eb8a63afvboxsync it is sometimes necessary to disambiguate names from types.
6c02d3ecb460395509b367a77c4b70ee673ba5ccvboxsync The default query type is "A", unless the <code class="option">-x</code>
d74801c0368d6d784eff276713def80ef9d56445vboxsync option is supplied to indicate a reverse lookup, in which case
d74801c0368d6d784eff276713def80ef9d56445vboxsync it is "PTR".
67c641fcdf8cbce057f65e5afde4d2b4095034c0vboxsync Print the <span><strong class="command">delv</strong></span> version and exit.
67c641fcdf8cbce057f65e5afde4d2b4095034c0vboxsync<dt><span class="term">-x <em class="replaceable"><code>addr</code></em></span></dt>
67c641fcdf8cbce057f65e5afde4d2b4095034c0vboxsync Performs a reverse lookup, mapping an addresses to
67c641fcdf8cbce057f65e5afde4d2b4095034c0vboxsync a name. <em class="parameter"><code>addr</code></em> is an IPv4 address in
67c641fcdf8cbce057f65e5afde4d2b4095034c0vboxsync dotted-decimal notation, or a colon-delimited IPv6 address.
67c641fcdf8cbce057f65e5afde4d2b4095034c0vboxsync When <code class="option">-x</code> is used, there is no need to provide
67c641fcdf8cbce057f65e5afde4d2b4095034c0vboxsync the <em class="parameter"><code>name</code></em> or <em class="parameter"><code>type</code></em>
67c641fcdf8cbce057f65e5afde4d2b4095034c0vboxsync arguments. <span><strong class="command">delv</strong></span> automatically performs a
67c641fcdf8cbce057f65e5afde4d2b4095034c0vboxsync lookup for a name like <code class="literal">11.12.13.10.in-addr.arpa</code>
67c641fcdf8cbce057f65e5afde4d2b4095034c0vboxsync and sets the query type to PTR. IPv6 addresses are looked up
67c641fcdf8cbce057f65e5afde4d2b4095034c0vboxsync using nibble format under the IP6.ARPA domain.
67c641fcdf8cbce057f65e5afde4d2b4095034c0vboxsync Forces <span><strong class="command">delv</strong></span> to only use IPv4.
67c641fcdf8cbce057f65e5afde4d2b4095034c0vboxsync Forces <span><strong class="command">delv</strong></span> to only use IPv6.
67c641fcdf8cbce057f65e5afde4d2b4095034c0vboxsync<p><span><strong class="command">delv</strong></span>
22197ad5dba8323699e719b622fff028e69b9d54vboxsync provides a number of query options which affect the way results are
bf41c93d79f641bebdb44218b5d5a8c8eb8a63afvboxsync displayed, and in some cases the way lookups are performed.
67c641fcdf8cbce057f65e5afde4d2b4095034c0vboxsync Each query option is identified by a keyword preceded by a plus sign
67c641fcdf8cbce057f65e5afde4d2b4095034c0vboxsync (<code class="literal">+</code>). Some keywords set or reset an
67c641fcdf8cbce057f65e5afde4d2b4095034c0vboxsync option. These may be preceded by the string
67c641fcdf8cbce057f65e5afde4d2b4095034c0vboxsync <code class="literal">no</code> to negate the meaning of that keyword.
67c641fcdf8cbce057f65e5afde4d2b4095034c0vboxsync Other keywords assign values to options like the timeout interval.
67c641fcdf8cbce057f65e5afde4d2b4095034c0vboxsync They have the form <code class="option">+keyword=value</code>.
67c641fcdf8cbce057f65e5afde4d2b4095034c0vboxsync The query options are:
c0b6af690ad705bddfa87c643b89770a7a0aaf5avboxsync<dt><span class="term"><code class="option">+[no]cdflag</code></span></dt>
c0b6af690ad705bddfa87c643b89770a7a0aaf5avboxsync Controls whether to set the CD (checking disabled) bit in
c0b6af690ad705bddfa87c643b89770a7a0aaf5avboxsync queries sent by <span><strong class="command">delv</strong></span>. This may be useful
c0b6af690ad705bddfa87c643b89770a7a0aaf5avboxsync when troubleshooting DNSSEC problems from behind a validating
e.g. "[ key id = value ]".
a trust anchor of "dlv.isc.org", for which there is a