KDIG(1)                            Knot DNS                            KDIG(1)

NAME

       kdig - Advanced DNS lookup utility

SYNOPSIS

       kdig [common-settings] [query [settings]]...

       kdig -h

DESCRIPTION

       This utility sends one or more DNS queries to a nameserver. Each query
       can have individual settings, or settings can be specified globally via
       common-settings, which must precede the query specification.

   Parameters
       query  name | -q name | -x address | -G tapfile

       common-settings, settings
              [query_class] [query_type] [@server]... [options]

       name   Is a domain name that is to be looked up.

       server Is a domain name or an IPv4 or IPv6 address of the nameserver to
              send a query to. An additional port can be specified using
              address:port ([address]:port for IPv6 address), address@port, or
              address#port notation. If no server is specified, the servers
              from /etc/resolv.conf are used.

       If no arguments are provided, kdig sends an NS query for the root zone.

   Query classes
       A query_class can be either a DNS class name (IN, CH) or generic class
       specification CLASSXXXXX where XXXXX is a corresponding decimal class
       number. The default query class is IN.

   Query types
       A query_type can be either a DNS resource record type (A, AAAA, NS,
       SOA, DNSKEY, ANY, etc.) or one of the following:

       TYPEXXXXX
              Generic query type specification where XXXXX is a corresponding
              decimal type number.

       AXFR   Full zone transfer request.

       IXFR=serial
              Incremental zone transfer request for specified starting SOA
              serial number.

       NOTIFY=serial
              Notify message with a SOA serial hint specified.

       NOTIFY Notify message with a SOA serial hint unspecified.

       The default query type is A.

   Options
       -4     Use the IPv4 protocol only.

       -6     Use the IPv6 protocol only.

       -b address
              Set the source IP address of the query to address. The address
              must be a valid address for a local interface or :: or 0.0.0.0.
              An optional port can be specified in the same format as the
              server value.

       -c class
              An explicit query_class specification. See possible values
              above.

       -d     Enable debug messages.

       -h, --help
              Print the program help.

       -k keyfile
              Use the TSIG key stored in a file keyfile to authenticate the
              request. The file must contain the key in the same format as
              accepted by the -y option.

       -p port
              Set the nameserver port number or service name to send a query
              to. The default port is 53.

       -q name
              Set the query name. An explicit variant of name specification.
              If no name is provided, an empty question section is set.

       -t type
              An explicit query_type specification. See possible values above.

       -V, --version
              Print the program version.

       -x address
              Send a reverse (PTR) query for IPv4 or IPv6 address. The correct
              name, class and type are set automatically.

       -y [alg:]name:key
              Use the TSIG key named name to authenticate the request. The alg
              part specifies the algorithm (the default is hmac-sha256) and
              key specifies the shared secret encoded in Base64.

       -E tapfile
              Export a dnstap trace of the query and response messages
              received to the file tapfile.

       -G tapfile
              Generate message output from a previously saved dnstap file
              tapfile.

       +[no]multiline
              Wrap long records to more lines and improve human readability.

       +[no]short
              Show record data only.

       +[no]generic
              Use the generic representation format when printing resource
              record types and data.

       +[no]crypto
              Display the DNSSEC keys and signatures values in base64, instead
              of omitting them.

       +[no]aaflag
              Set the AA flag.

       +[no]tcflag
              Set the TC flag.

       +[no]rdflag
              Set the RD flag.

       +[no]recurse
              Same as +[no]rdflag.

       +[no]raflag
              Set the RA flag.

       +[no]zflag
              Set the zero flag bit.

       +[no]adflag
              Set the AD flag.

       +[no]cdflag
              Set the CD flag.

       +[no]dnssec
              Set the DO flag.

       +[no]all
              Show all packet sections.

       +[no]qr
              Show the query packet.

       +[no]header
              Show the packet header.

       +[no]comments
              Show commented section names.

       +[no]opt
              Show the EDNS pseudosection.

       +[no]question
              Show the question section.

       +[no]answer
              Show the answer section.

       +[no]authority
              Show the authority section.

       +[no]additional
              Show the additional section.

       +[no]tsig
              Show the TSIG pseudosection.

       +[no]stats
              Show trailing packet statistics.

       +[no]class
              Show the DNS class.

       +[no]ttl
              Show the TTL value.

       +[no]tcp
              Use the TCP protocol (default is UDP for standard query and TCP
              for AXFR/IXFR).

       +[no]fastopen
              Use TCP Fast Open (default with TCP).

       +[no]ignore
              Don't use TCP automatically if a truncated reply is received.

       +[no]tls
              Use TLS with the Opportunistic privacy profile (RFC
              7858#section-4.1).

       +[no]tls-ca[=FILE]
              Use TLS with certificate validation. Certification authority
              certificates are loaded from the specified PEM file (default is
              system certificate storage if no argument is provided). Can be
              specified multiple times. If the +tls-hostname option is not
              provided, the name of the target server (if specified) is used
              for strict authentication.

       +[no]tls-pin=BASE64
              Use TLS with the Out-of-Band key-pinned privacy profile (RFC
              7858#section-4.2). The PIN must be a Base64 encoded SHA-256
              hash of the X.509 SubjectPublicKeyInfo. Can be specified
              multiple times.

       +[no]tls-hostname=STR
              Use TLS with a remote server hostname check.

       +[no]tls-sni=STR
              Use TLS with a Server Name Indication.

       +[no]tls-keyfile=FILE
              Use TLS with a client keyfile.

       +[no]tls-certfile=FILE
              Use TLS with a client certfile.

       +[no]tls-ocsp-stapling[=H]
              Use TLS with a valid stapled OCSP response for the server
              certificate (%u or specify hours). OCSP responses older than the
              specified period are considered invalid.

       +[no]nsid
              Request the nameserver identifier (NSID).

       +[no]bufsize=B
              Set EDNS buffer size in bytes (default is 512 bytes).

       +[no]padding[=B]
              Use EDNS(0) padding option to pad queries, optionally to a
              specific size. The default is to pad queries with a sensible
              amount when using +tls, and not to pad at all when queries are
              sent without TLS. With no argument (i.e., just +padding) pad
              every query with a sensible amount regardless of the use of TLS.
              With +nopadding, never pad.

       +[no]alignment[=B]
              Align the query to B-byte-block message using the EDNS(0)
              padding option (default is no or 128 if no argument is
              specified).

       +[no]subnet=SUBN
              Set EDNS(0) client subnet SUBN=addr/prefix.

       +[no]edns[=N]
              Use EDNS version (default is 0).

       +[no]timeout=T
              Set the wait-for-reply interval in seconds (default is 5
              seconds). This timeout applies to each query attempt. An attempt
              to set T to less than 1 will result in a query timeout of 1
              second being applied.

       +[no]retry=N
              Set the number (>=0) of UDP retries (default is 2). This doesn't
              apply to AXFR/IXFR.

       +[no]cookie=HEX
              Attach EDNS(0) cookie to the query.

       +[no]badcookie
              Repeat a query with the correct cookie.

       +[no]ednsopt[=CODE[:HEX]]
              Send custom EDNS option. The CODE is EDNS option code in
              decimal, HEX is an optional hex encoded string to use as EDNS
              option value. This argument can be used multiple times.
              +noednsopt clears all EDNS options specified by +ednsopt.

       +noidn Disable the IDN transformation to ASCII and vice versa. IDN
              support depends on libidn availability during project building!
              If used in common-settings, all IDN transformations are
              disabled. If used in the individual query settings,
              transformation from ASCII is disabled on output for the
              particular query. Note that IDN transformation does not preserve
              domain name letter case.

NOTES

       Options -k and -y cannot be used simultaneously.

       Dnssec-keygen keyfile format is not supported. Use keymgr(8) instead.

EXIT VALUES

       Exit status of 0 means successful operation. Any other exit status
       indicates an error.

EXAMPLES

       1. Get A records for example.com:

             $ kdig example.com A

       2. Perform AXFR for zone example.com from the server 192.0.2.1:

             $ kdig example.com -t AXFR @192.0.2.1

       3. Get A records for example.com from 192.0.2.1 and reverse lookup for
          address 2001:DB8::1 from 192.0.2.2. Both using the TCP protocol:

             $ kdig +tcp example.com -t A @192.0.2.1 -x 2001:DB8::1 @192.0.2.2

       4. Get SOA record for example.com, use TLS, use system certificates,
          check for specified hostname, check for certificate pin, and print
          additional debug info:

             $ kdig -d @185.49.141.38 +tls-ca +tls-host=getdnsapi.net \
               +tls-pin=foxZRnIh9gZpWnl+zEiKa0EJ2rdCGroMWm02gaxSc9S= soa example.com
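
       The +tls-pin value described under Options and used in example 4 is
       the Base64 SHA-256 of the certificate's SubjectPublicKeyInfo. The
       following is an added example, not part of the kdig manual or the
       Knot DNS code: it extracts that element from a DER certificate and
       computes the pin. Function names and the certificate-shaped sample
       bytes are constructed for illustration; input is assumed to be DER,
       not PEM.

```python
import base64
import hashlib

def read_tlv(buf, pos):
    """Parse one DER element at pos; return (tag, value_start, element_end)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, hdr = buf[pos], buf[pos + 1], 2
    if length & 0x80:                        # long form: low bits = count of length bytes
        n = length & 0x7F
        if not 1 <= n <= 4:
            raise ValueError("unsupported DER length")
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        hdr += n
    end = pos + hdr + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos + hdr, end

def spki_from_cert(der):
    """Return the raw SubjectPublicKeyInfo element of a DER X.509 certificate."""
    tag, pos, _ = read_tlv(der, 0)           # Certificate ::= SEQUENCE
    tag2, pos, tbs_end = read_tlv(der, pos)  # tbsCertificate ::= SEQUENCE
    if tag != 0x30 or tag2 != 0x30:
        raise ValueError("not an X.509 certificate")
    tag, _, nxt = read_tlv(der, pos)
    if tag == 0xA0:                          # optional [0] EXPLICIT version
        pos = nxt
    for _ in range(5):                       # serial, signature alg, issuer, validity, subject
        _, _, pos = read_tlv(der, pos)
    tag, _, end = read_tlv(der, pos)
    if tag != 0x30 or end > tbs_end:
        raise ValueError("SubjectPublicKeyInfo not found")
    return der[pos:end]                      # the pin covers header and value of the element

def tls_pin(der):
    """Base64 of SHA-256 over the SPKI: the value +tls-pin expects."""
    return base64.b64encode(hashlib.sha256(spki_from_cert(der)).digest()).decode()

# Constructed sample: a certificate-shaped DER blob (not a real, signed certificate).
def _tlv(tag, body):
    size = bytes([len(body)]) if len(body) < 0x80 else bytes([0x81, len(body)])
    return bytes([tag]) + size + body        # sufficient for bodies under 256 bytes

ALG = _tlv(0x30, bytes.fromhex("06032b6570"))               # AlgorithmIdentifier, Ed25519 OID
SAMPLE_SPKI = _tlv(0x30, ALG + _tlv(0x03, b"\x00" + bytes(range(32))))
_TBS = _tlv(0x30, _tlv(0xA0, b"\x02\x01\x02") + b"\x02\x01\x01" + ALG
            + b"\x30\x00" * 3 + SAMPLE_SPKI)
SAMPLE_CERT = _tlv(0x30, _TBS + ALG + _tlv(0x03, b"\x00" + bytes(64)))

if __name__ == "__main__":
    print("+tls-pin=" + tls_pin(SAMPLE_CERT))
```

       Because the pin covers only the public key, it stays valid across
       certificate renewals that reuse the key and must be updated when the
       server's key is rotated.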

FILES

       /etc/resolv.conf

SEE ALSO

       khost(1), knsupdate(1), keymgr(8).

AUTHOR

       CZ.NIC Labs <https://www.knot-dns.cz>

       Copyright 2010–2019, CZ.NIC, z.s.p.o.

2.9.2                             2019-12-12                           KDIG(1)