man.delv.html revision d95b19f839f5bad2d1c25577fd334907bd90656c
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
 - Copyright (C) 2000-2017 Internet Systems Consortium, Inc. ("ISC")
 - This Source Code Form is subject to the terms of the Mozilla Public
 - License, v. 2.0. If a copy of the MPL was not distributed with this
 - file, You can obtain one at http://mozilla.org/MPL/2.0/.
-->
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
<link rel="next" href="man.nslookup.html" title="nslookup">
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<a name="man.delv"></a><div class="titlepage"></div>
 — DNS lookup and validation utility
 [<code class="option">-a <em class="replaceable"><code>anchor-file</code></em></code>]
 [<code class="option">-b <em class="replaceable"><code>address</code></em></code>]
 [<code class="option">-c <em class="replaceable"><code>class</code></em></code>]
 [<code class="option">-d <em class="replaceable"><code>level</code></em></code>]
 [<code class="option">-p <em class="replaceable"><code>port#</code></em></code>]
 [<code class="option">-q <em class="replaceable"><code>name</code></em></code>]
 [<code class="option">-t <em class="replaceable"><code>type</code></em></code>]
 [<code class="option">-x <em class="replaceable"><code>addr</code></em></code>]
 [queryopt...]
 [queryopt...]
<p><span class="command"><strong>delv</strong></span>
is a tool for sending
DNS queries and validating the results, using the same internal
resolver and validator logic as <span class="command"><strong>named</strong></span>.
<span class="command"><strong>delv</strong></span> will send to a specified name server all
queries needed to fetch and validate the requested data; this
includes the original requested query, subsequent queries to follow
CNAME or DNAME chains, and queries for DNSKEY, DS and DLV records
to establish a chain of trust for DNSSEC validation.
It does not perform iterative resolution, but simulates the
behavior of a name server configured for DNSSEC validating and
forwarding.</p>
<p>By default, responses are validated using built-in DNSSEC trust
anchors for the root zone (".") and for the ISC DNSSEC lookaside
validation zone ("dlv.isc.org"). Records returned by
<span class="command"><strong>delv</strong></span> are either fully validated or
were not signed. If validation fails, an explanation of
the failure is included in the output; the validation process
can be traced in detail. Because <span class="command"><strong>delv</strong></span> does
not rely on an external server to carry out validation, it can
be used to check the validity of DNS responses in environments
where local name servers may not be trustworthy.</p>
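<p>The three outcomes described above (fully validated, not signed, validation failure) can be turned into a machine-readable verdict for monitoring. The script below is an added example, not part of the BIND documentation; the status-comment strings it matches are assumed from delv's usual output and are not quoted on this page, and the sample outputs are constructed.</p>

```shell
#!/bin/sh
# Added example: turn delv's status comments into a verdict for monitoring.
# The marker strings below are delv's usual status comments; this page
# does not quote them, so verify them against your BIND version.

# delv_verdict: read delv output on stdin and print one word:
#   failed    - resolution or validation failed
#   unsigned  - at least one answer had no DNSSEC protection
#   validated - every answer was fully validated
#   unknown   - no status comment recognised
delv_verdict() {
    v=unknown
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            ';; resolution failed'*) v=failed ;;
            '; '*'unsigned answer'*) [ "$v" = failed ] || v=unsigned ;;
            '; '*'fully validated'*) [ "$v" != unknown ] || v=validated ;;
        esac
    done
    printf '%s\n' "$v"
}

# check_name SERVER NAME TYPE: query through SERVER, succeed only when
# the answer was fully validated by delv itself.
check_name() {
    result=$(delv "@$1" "$2" "$3" 2>&1 | delv_verdict)
    printf '%s %s via %s: %s\n' "$2" "$3" "$1" "$result"
    [ "$result" = validated ]
}

# Constructed sample outputs (not captured from a real server).
SAMPLE_VALIDATED='; fully validated
example.org.    3600    IN    A    192.0.2.10'
SAMPLE_UNSIGNED='; unsigned answer
example.net.    300    IN    A    192.0.2.20'
SAMPLE_FAILED=';; validating example.com/A: no valid signature found
;; resolution failed: SERVFAIL'

# Run a live check only when called as: script SERVER NAME TYPE
if [ "$#" -eq 3 ]; then
    check_name "$1" "$2" "$3"
fi
```

<p>An "unsigned" verdict is not a failure, but for a zone that is expected to be signed it deserves the same attention as "failed".</p>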
<p>Unless it is told to query a specific name server,
<span class="command"><strong>delv</strong></span> will try each of the servers listed in
<code class="filename">/etc/resolv.conf</code>. If no usable server
addresses are found, <span class="command"><strong>delv</strong></span> will send
queries to the localhost addresses (127.0.0.1 for IPv4, ::1</p>
<p>When no command line arguments or options are given,
<span class="command"><strong>delv</strong></span> will perform an NS query for "."
(the root zone).</p>
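<p>Because delv forwards its queries, it matters which server it ends up talking to when no <code class="constant">@server</code> is given. The function below is an added example that models the documented selection rule (servers from <code class="filename">/etc/resolv.conf</code>, filtered by <code class="option">-4</code> or <code class="option">-6</code>, localhost as fallback); it is not delv's own code, and the resolv.conf content is constructed.</p>

```shell
#!/bin/sh
# Added example: model of the documented server selection, not delv's code.

# delv_servers [4|6]: read resolv.conf text on stdin and print, one per
# line, the addresses delv is documented to try when no @server is given.
# The argument mirrors delv's -4 / -6 options; omit it for both families.
delv_servers() {
    family=${1:-any}
    found=0
    while read -r keyword addr rest || [ -n "$keyword" ]; do
        [ "$keyword" = nameserver ] || continue
        case $addr in
            *:*) af=6 ;;          # colon-delimited: IPv6
            *.*) af=4 ;;          # dotted-decimal: IPv4
            *)   continue ;;      # not an address, skip the line
        esac
        if [ "$family" = any ] || [ "$family" = "$af" ]; then
            printf '%s\n' "$addr"
            found=1
        fi
    done
    if [ "$found" -eq 0 ]; then
        # No usable address: documented fallback to the localhost addresses.
        [ "$family" = 6 ] || printf '127.0.0.1\n'
        [ "$family" = 4 ] || printf '::1\n'
    fi
    return 0
}

# Constructed resolv.conf content using documentation address ranges.
SAMPLE_RESOLV_CONF='# constructed sample
search example.org
nameserver 192.0.2.53
nameserver 2001:db8::53'

# Show what would be queried on this host: sh script.sh 4   (or 6)
if [ -r /etc/resolv.conf ] && [ "$#" -gt 0 ]; then
    delv_servers "$1" < /etc/resolv.conf
fi
```

<p>A result of only 127.0.0.1 or ::1 on a host that runs no local resolver means the configured servers were filtered out, which is worth knowing before reading a failure as a DNSSEC problem.</p>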
<p>A typical invocation of <span class="command"><strong>delv</strong></span> looks like:</p>
<pre class="programlisting"> delv @server name type </pre>
<dt><span class="term"><code class="constant">server</code></span></dt>
is the name or IP address of the name server to query. This
can be an IPv4 address in dotted-decimal notation or an IPv6
address in colon-delimited notation. When the supplied
<em class="parameter"><code>server</code></em> argument is a hostname,
<span class="command"><strong>delv</strong></span> resolves that name before
querying that name server (note, however, that this
initial lookup is <span class="emphasis"><em>not</em></span> validated
by DNSSEC).
If no <em class="parameter"><code>server</code></em> argument is
provided, <span class="command"><strong>delv</strong></span> consults
<code class="filename">/etc/resolv.conf</code>; if an
address is found there, it queries the name server at
that address. If either of the <code class="option">-4</code> or
<code class="option">-6</code> options is in use, then
only addresses for the corresponding transport
will be tried. If no usable addresses are found,
<span class="command"><strong>delv</strong></span> will send queries to
the localhost addresses (127.0.0.1 for IPv4,
::1 for IPv6).
<dt><span class="term"><code class="constant">name</code></span></dt>
is the domain name to be looked up.
<dt><span class="term"><code class="constant">type</code></span></dt>
indicates what type of query is required —
ANY, A, MX, etc.
<em class="parameter"><code>type</code></em> can be any valid query
type. If no
<em class="parameter"><code>type</code></em> argument is supplied,
<span class="command"><strong>delv</strong></span> will perform a lookup for an
<div class="variablelist"><dl class="variablelist">
<dt><span class="term">-a <em class="replaceable"><code>anchor-file</code></em></span></dt>
Specifies a file from which to read DNSSEC trust anchors.
The default is <code class="filename">/etc/bind.keys</code>, which
is included with <acronym class="acronym">BIND</acronym> 9 and contains
trust anchors for the root zone (".") and for the ISC
DNSSEC lookaside validation zone ("dlv.isc.org").
Keys that do not match the root or DLV trust-anchor
names are ignored; these key names can be overridden
Note: When reading the trust anchor file,
<span class="command"><strong>delv</strong></span> treats <code class="option">managed-keys</code>
statements and <code class="option">trusted-keys</code> statements
identically. That is, for a managed key, it is the
<span class="emphasis"><em>initial</em></span> key that is trusted; RFC 5011
key management is not supported. <span class="command"><strong>delv</strong></span>
will not consult the managed-keys database maintained by
<span class="command"><strong>named</strong></span>. This means that if either of the
keys in <code class="filename">/etc/bind.keys</code> is revoked
and rolled over, it will be necessary to update
<code class="filename">/etc/bind.keys</code> to use DNSSEC
validation in <span class="command"><strong>delv</strong></span>.
<dt><span class="term">-b <em class="replaceable"><code>address</code></em></span></dt>
Sets the source IP address of the query to
<em class="parameter"><code>address</code></em>. This must be a valid address
on one of the host's network interfaces or "0.0.0.0" or "::".
An optional source port may be specified by appending
"#&lt;port&gt;".
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
Sets the query class for the requested data. Currently,
only class "IN" is supported in <span class="command"><strong>delv</strong></span>
and any other value is ignored.
<dt><span class="term">-d <em class="replaceable"><code>level</code></em></span></dt>
Sets the systemwide debug level to <code class="option">level</code>.
The allowed range is from 0 to 99.
The default is 0 (no debugging).
Debugging traces from <span class="command"><strong>delv</strong></span> become
more verbose as the debug level increases.
See the <code class="option">+mtrace</code>, <code class="option">+rtrace</code>,
and <code class="option">+vtrace</code> options below for additional
debugging details.
Display the <span class="command"><strong>delv</strong></span> help usage output and exit.
using nibble format under the IP6.ARPA domain.
e.g. "[ key id = value ]".
a trust anchor of "dlv.isc.org", for which there is a