man.delve.html revision 27963ad22062efe8eac2beed51ff70d8f0b35900
<!--
 - Copyright (C) 2004-2014 Internet Systems Consortium, Inc. ("ISC")
 - Copyright (C) 2000-2003 Internet Software Consortium.
 -
 - Permission to use, copy, modify, and/or distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 -
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
-->
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<a name="man.delve"></a><div class="titlepage"></div>
<p>delve — DNS lookup and validation utility</p>
<div class="cmdsynopsis"><p><code class="command">delve</code> [@server] [<code class="option">-4</code>] [<code class="option">-6</code>] [<code class="option">-a <em class="replaceable"><code>anchor-file</code></em></code>] [<code class="option">-b <em class="replaceable"><code>address</code></em></code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-d <em class="replaceable"><code>level</code></em></code>] [<code class="option">-i</code>] [<code class="option">-m</code>] [<code class="option">-p <em class="replaceable"><code>port#</code></em></code>] [<code class="option">-q <em class="replaceable"><code>name</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-x <em class="replaceable"><code>addr</code></em></code>] [name] [type] [class] [queryopt...]</p></div>
<div class="cmdsynopsis"><p><code class="command">delve</code> [<code class="option">-h</code>]</p></div>
<div class="cmdsynopsis"><p><code class="command">delve</code> [<code class="option">-v</code>]</p></div>
<div class="cmdsynopsis"><p><code class="command">delve</code> [queryopt...] [query...]</p></div>
<p><span><strong class="command">delve</strong></span>
(Domain Entity Lookup & Validation Engine) is a tool for sending
DNS queries and validating the results, using the same internal
resolver and validator logic as <span><strong class="command">named</strong></span>.</p>
<p><span><strong class="command">delve</strong></span> will send to a specified name server all
queries needed to fetch and validate the requested data; this
includes the original requested query, subsequent queries to follow
CNAME or DNAME chains, and queries for DNSKEY, DS and DLV records
to establish a chain of trust for DNSSEC validation.
It does not perform iterative resolution, but simulates the
behavior of a name server configured for DNSSEC validating and
forwarding.</p>
<p>By default, responses are validated using built-in DNSSEC trust
anchors for the root zone (".") and for the ISC DNSSEC lookaside
validation zone ("dlv.isc.org"). Records returned by
<span><strong class="command">delve</strong></span> are either fully validated or
were not signed. If validation fails, an explanation of
the failure is included in the output; the validation process
can be traced in detail. Because <span><strong class="command">delve</strong></span> does
not rely on an external server to carry out validation, it can
be used to check the validity of DNS responses in environments
where local name servers may not be trustworthy.</p>
<p>Unless it is told to query a specific name server,
<span><strong class="command">delve</strong></span> will try each of the servers listed in
<code class="filename">/etc/resolv.conf</code>. If no usable server
addresses are found, <span><strong class="command">delve</strong></span> will send
queries to the localhost addresses (127.0.0.1 for IPv4, ::1
for IPv6).</p>
<p>When no command line arguments or options are given,
<span><strong class="command">delve</strong></span> will perform an NS query for "."
(the root zone).</p>
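<p>The server-selection order described above, together with the <code class="option">-4</code>/<code class="option">-6</code> restriction given under the <code class="constant">server</code> argument, modelled as an added Python example (not code from BIND). The function name and the sample addresses are constructed for illustration.</p>

```python
import ipaddress

# Fallback addresses named in the text when resolv.conf yields nothing usable.
LOCALHOST = {4: "127.0.0.1", 6: "::1"}

# Constructed sample resolv.conf content (documentation address ranges).
SAMPLE_RESOLV_CONF = """\
# constructed sample
search example.test
nameserver 192.0.2.53
nameserver 2001:db8::53
nameserver not-an-address
"""


def candidate_servers(resolv_conf_text, only_family=None):
    """Return the addresses that would be tried, in order.

    only_family is 4 or 6 to model -4 / -6, or None for no restriction.
    This models the documented behaviour; it is not delve's own code.
    """
    found = []
    for raw in resolv_conf_text.splitlines():
        # Drop trailing comments, then split "nameserver <address>".
        fields = raw.split("#", 1)[0].split(";", 1)[0].split()
        if len(fields) < 2 or fields[0] != "nameserver":
            continue
        try:
            # Ignore an IPv6 scope id ("%eth0") when classifying the address.
            addr = ipaddress.ip_address(fields[1].split("%", 1)[0])
        except ValueError:
            continue  # not a usable address
        if only_family in (None, addr.version):
            found.append(fields[1])
    if found:
        return found
    # Nothing usable for the selected transport: fall back to localhost.
    families = [only_family] if only_family else [4, 6]
    return [LOCALHOST[f] for f in families]
```

<p>A host whose <code class="filename">/etc/resolv.conf</code> lists only IPv4 servers therefore sends <code class="option">-6</code> queries to ::1, which is worth knowing before reading a timeout as a validation problem.</p>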
<p>A typical invocation of <span><strong class="command">delve</strong></span> looks like:</p>
<pre class="programlisting"> delve @server name type </pre>
<dt><span class="term"><code class="constant">server</code></span></dt>
<p>is the name or IP address of the name server to query. This
can be an IPv4 address in dotted-decimal notation or an IPv6
address in colon-delimited notation. When the supplied
<em class="parameter"><code>server</code></em> argument is a hostname,
<span><strong class="command">delve</strong></span> resolves that name before
querying that name server (note, however, that this
initial lookup is <span class="emphasis"><em>not</em></span> validated
by DNSSEC).</p>
<p>If no <em class="parameter"><code>server</code></em> argument is
provided, <span><strong class="command">delve</strong></span> consults
<code class="filename">/etc/resolv.conf</code>; if an
address is found there, it queries the name server at
that address. If either of the <code class="option">-4</code> or
<code class="option">-6</code> options is in use, then
only addresses for the corresponding transport
will be tried. If no usable addresses are found,
<span><strong class="command">delve</strong></span> will send queries to
the localhost addresses (127.0.0.1 for IPv4,
::1 for IPv6).</p>
<dt><span class="term"><code class="constant">name</code></span></dt>
<p>is the domain name to be looked up.</p>
<dt><span class="term"><code class="constant">type</code></span></dt>
<p>indicates what type of query is required —
ANY, A, MX, etc.
<em class="parameter"><code>type</code></em> can be any valid query
type. If no
<em class="parameter"><code>type</code></em> argument is supplied,
<span><strong class="command">delve</strong></span> will perform a lookup for an</p>
<dt><span class="term">-a <em class="replaceable"><code>anchor-file</code></em></span></dt>
<p>Specifies a file from which to read DNSSEC trust anchors.
The default is <code class="filename">/etc/bind.keys</code>, which
is included with <acronym class="acronym">BIND</acronym> 9 and contains
trust anchors for the root zone (".") and for the ISC
DNSSEC lookaside validation zone ("dlv.isc.org").</p>
<p>Keys that do not match the root or DLV trust-anchor
names are ignored; these key names can be overridden</p>
<p>Note: When reading the trust anchor file,
<span><strong class="command">delve</strong></span> treats <code class="option">managed-keys</code>
statements and <code class="option">trusted-keys</code> statements
identically. That is, for a managed key, it is the
<span class="emphasis"><em>initial</em></span> key that is trusted; RFC 5011
key management is not supported. <span><strong class="command">delve</strong></span>
will not consult the managed-keys database maintained by
<span><strong class="command">named</strong></span>. This means that if either of the
keys in <code class="filename">/etc/bind.keys</code> is revoked
and rolled over, it will be necessary to update
<code class="filename">/etc/bind.keys</code> to use DNSSEC
validation in <span><strong class="command">delve</strong></span>.</p>
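<p>An added example, not part of BIND: a Python model of the anchor-file handling described for <code class="option">-a</code>. It reads <code class="option">managed-keys</code> and <code class="option">trusted-keys</code> statements identically, drops names other than the root and dlv.isc.org, and computes each key's RFC 4034 key tag so that an anchor left stale by a rollover can be compared against the zone's current DNSKEY. Function names and the sample key material are constructed.</p>

```python
import base64
import re
import struct

ACCEPTED = {".", "dlv.isc.org"}  # the two anchor names the text says are honoured

# Constructed sample in named.conf syntax; the key data is NOT real key material.
SAMPLE = '''
managed-keys {
    # initial key, data wrapped across two lines
    . initial-key 257 3 8 "AQ
        ID";
    example.test. initial-key 257 3 8 "AQID";
};
trusted-keys {
    "dlv.isc.org." 257 3 8 "//8=";  // base64 itself may contain "//"
};
'''

COMMENT_OR_STRING = re.compile(r'"[^"]*"|#[^\n]*|//[^\n]*|/\*.*?\*/', re.S)
STATEMENT = re.compile(r"\b(?:managed-keys|trusted-keys)\s*\{(.*?)\}\s*;", re.S)
# "initial-key" is optional, so both statement kinds parse the same way.
ENTRY = re.compile(
    r'"?([^\s"]+)"?\s+(?:initial-key\s+)?(\d+)\s+(\d+)\s+(\d+)\s+"([^"]*)"\s*;')


def key_tag(flags, proto, alg, key):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (not for algorithm 1)."""
    rdata = struct.pack("!HBB", flags, proto, alg) + key
    acc = sum((b << 8) if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (acc + (acc >> 16)) & 0xFFFF


def load_anchors(text):
    """Return [(name, flags, algorithm, key_tag)] for anchors that pass the name filter."""
    # Strip comments but keep quoted strings intact, so "//" in key data survives.
    text = COMMENT_OR_STRING.sub(
        lambda m: m.group(0) if m.group(0)[0] == '"' else " ", text)
    anchors = []
    for body in STATEMENT.findall(text):
        for name, flags, proto, alg, b64 in ENTRY.findall(body):
            name = name.lower().rstrip(".") or "."
            if name not in ACCEPTED:
                continue  # any other key name is ignored
            key = base64.b64decode("".join(b64.split()))
            anchors.append((name, int(flags), int(alg),
                            key_tag(int(flags), int(proto), int(alg), key)))
    return anchors
```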
<dt><span class="term">-b <em class="replaceable"><code>address</code></em></span></dt>
<p>Sets the source IP address of the query to
<em class="parameter"><code>address</code></em>. This must be a valid address
on one of the host's network interfaces or "0.0.0.0" or "::".
An optional source port may be specified by appending
"#<port>"</p>
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
<p>Sets the query class for the requested data. Currently,
only class "IN" is supported in <span><strong class="command">delve</strong></span>
and any other value is ignored.</p>
<dt><span class="term">-d <em class="replaceable"><code>level</code></em></span></dt>
<p>Set the systemwide debug level to <code class="option">level</code>.
The allowed range is from 0 to 99.
The default is 0 (no debugging).
Debugging traces from <span><strong class="command">delve</strong></span> become
more verbose as the debug level increases.
See the <code class="option">+mtrace</code>, <code class="option">+rtrace</code>,
and <code class="option">+vtrace</code> options below for additional
debugging details.</p>
<dt><span class="term">-h</span></dt>
<p>Display the <span><strong class="command">delve</strong></span> help usage output and exit.</p>
<dt><span class="term">-i</span></dt>
<p>Insecure mode. This disables internal DNSSEC validation.
(Note, however, this does not set the CD bit on upstream</p>
using nibble format under the IP6.ARPA domain.
e.g. "[ key id = value ]".
a trust anchor of "dlv.isc.org", for which there is a