KDIG(1)                            Knot DNS                            KDIG(1)

NAME

       kdig - Advanced DNS lookup utility

SYNOPSIS

       kdig [common-settings] [query [settings]]...

       kdig -h

DESCRIPTION

       This utility sends one or more DNS queries to a nameserver. Each query
       can have individual settings, or settings can be specified globally via
       common-settings, which must precede the query specification.

   Parameters
       query  name | -q name | -x address | -G tapfile

       common-settings, settings
              [query_class] [query_type] [@server]... [options]

       name   Is a domain name that is to be looked up.

       server Is a domain name or an IPv4 or IPv6 address of the nameserver to
              send a query to. An additional port can be specified using
              address:port ([address]:port for an IPv6 address), address@port,
              or address#port notation. If no server is specified, the servers
              from /etc/resolv.conf are used.

       If no arguments are provided, kdig sends an NS query for the root zone.

   Query classes
       A query_class can be either a DNS class name (IN, CH) or the generic
       class specification CLASSXXXXX where XXXXX is the corresponding decimal
       class number. The default query class is IN.

   Query types
       A query_type can be either a DNS resource record type (A, AAAA, NS,
       SOA, DNSKEY, ANY, etc.) or one of the following:

       TYPEXXXXX
              Generic query type specification where XXXXX is the corresponding
              decimal type number.

       AXFR   Full zone transfer request.

       IXFR=serial
              Incremental zone transfer request for the specified SOA serial
              number (i.e. all zone updates since the specified zone version
              are to be returned).

       NOTIFY=serial
              Notify message with a SOA serial hint specified.

       NOTIFY Notify message with a SOA serial hint unspecified.

       The default query type is A.

   Options
       -4     Use the IPv4 protocol only.

       -6     Use the IPv6 protocol only.

       -b address
              Set the source IP address of the query to address. The address
              must be a valid address of a local interface, or :: or 0.0.0.0.
              An optional port can be specified in the same format as the
              server value.

       -c class
              An explicit query_class specification. See possible values
              above.

       -d     Enable debug messages.

       -h, --help
              Print the program help.

       -k keyfile
              Use the TSIG key stored in the file keyfile to authenticate the
              request. The file must contain the key in the same format as
              accepted by the -y option.

       -p port
              Set the nameserver port number or service name to send a query
              to. The default port is 53.

       -q name
              Set the query name. An explicit variant of the name
              specification. If no name is provided, an empty question section
              is set.

       -t type
              An explicit query_type specification. See possible values above.

       -V, --version
              Print the program version.

       -x address
              Send a reverse (PTR) query for the IPv4 or IPv6 address. The
              correct name, class and type are set automatically.

       -y [alg:]name:key
              Use the TSIG key named name to authenticate the request. The alg
              part specifies the algorithm (the default is hmac-sha256) and
              key specifies the shared secret encoded in Base64.

       -E tapfile
              Export a dnstap trace of the query and response messages
              received to the file tapfile.

       -G tapfile
              Generate message output from a previously saved dnstap file
              tapfile.

       +[no]multiline
              Wrap long records onto multiple lines to improve human
              readability.

       +[no]short
              Show record data only.

       +[no]generic
              Use the generic representation format when printing resource
              record types and data.

       +[no]crypto
              Display the DNSSEC key and signature values in Base64, instead
              of omitting them.

       +[no]aaflag
              Set the AA flag.

       +[no]tcflag
              Set the TC flag.

       +[no]rdflag
              Set the RD flag.

       +[no]recurse
              Same as +[no]rdflag.

       +[no]raflag
              Set the RA flag.

       +[no]zflag
              Set the zero flag bit.

       +[no]adflag
              Set the AD flag.

       +[no]cdflag
              Set the CD flag.

       +[no]dnssec
              Set the DO flag.

       +[no]all
              Show all packet sections.

       +[no]qr
              Show the query packet.

       +[no]header
              Show the packet header.

       +[no]comments
              Show commented section names.

       +[no]opt
              Show the EDNS pseudosection.

       +[no]question
              Show the question section.

       +[no]answer
              Show the answer section.

       +[no]authority
              Show the authority section.

       +[no]additional
              Show the additional section.

       +[no]tsig
              Show the TSIG pseudosection.

       +[no]stats
              Show trailing packet statistics.

       +[no]class
              Show the DNS class.

       +[no]ttl
              Show the TTL value.

       +[no]tcp
              Use the TCP protocol (default is UDP for a standard query and
              TCP for AXFR/IXFR).

       +[no]fastopen
              Use TCP Fast Open (default with TCP).

       +[no]ignore
              Don't fall back to TCP automatically if a truncated reply is
              received.

       +[no]tls
              Use TLS with the Opportunistic privacy profile (RFC 7858,
              Section 4.1).

       +[no]tls-ca[=FILE]
              Use TLS with certificate validation. Certification authority
              certificates are loaded from the specified PEM file (default is
              the system certificate store if no argument is provided). Can be
              specified multiple times. If the +tls-hostname option is not
              provided, the name of the target server (if specified) is used
              for strict authentication.

       +[no]tls-pin=BASE64
              Use TLS with the Out-of-Band key-pinned privacy profile (RFC
              7858, Section 4.2). The PIN must be a Base64 encoded SHA-256
              hash of the X.509 SubjectPublicKeyInfo. Can be specified
              multiple times.

       +[no]tls-hostname=STR
              Use TLS with a remote server hostname check.

       +[no]tls-sni=STR
              Use TLS with a Server Name Indication.

       +[no]tls-keyfile=FILE
              Use TLS with a client keyfile.

       +[no]tls-certfile=FILE
              Use TLS with a client certfile.

       +[no]tls-ocsp-stapling[=H]
              Use TLS with a valid stapled OCSP response for the server
              certificate (%u or specify hours). OCSP responses older than the
              specified period are considered invalid.

       +[no]nsid
              Request the nameserver identifier (NSID).

       +[no]bufsize=B
              Set the EDNS buffer size in bytes (default is 512 bytes).

       +[no]padding[=B]
              Use the EDNS(0) padding option to pad queries, optionally to a
              specific size. The default is to pad queries with a sensible
              amount when using +tls, and not to pad at all when queries are
              sent without TLS. With no argument (i.e., just +padding) pad
              every query with a sensible amount regardless of the use of TLS.
              With +nopadding, never pad.

       +[no]alignment[=B]
              Align the query to a B-byte block boundary using the EDNS(0)
              padding option (default is no alignment; 128 bytes if the option
              is given without an argument).

       +[no]subnet=SUBN
              Set the EDNS(0) client subnet SUBN=addr/prefix.

       +[no]edns[=N]
              Use EDNS version N (default is 0).

       +[no]timeout=T
              Set the wait-for-reply interval in seconds (default is 5
              seconds). This timeout applies to each query attempt. An attempt
              to set T to less than 1 will result in a query timeout of 1
              second being applied.

       +[no]retry=N
              Set the number (>=0) of UDP retries (default is 2). This doesn't
              apply to AXFR/IXFR.

       +[no]cookie=HEX
              Attach an EDNS(0) cookie to the query.

       +[no]badcookie
              Repeat a query with the correct cookie.

       +[no]ednsopt[=CODE[:HEX]]
              Send a custom EDNS option. CODE is the EDNS option code in
              decimal, HEX is an optional hex encoded string to use as the
              EDNS option value. This argument can be used multiple times.
              +noednsopt clears all EDNS options specified by +ednsopt.

       +noidn Disable the IDN transformation to ASCII and vice versa. IDN
              support depends on libidn availability at build time. If used
              in common-settings, all IDN transformations are disabled. If
              used in the individual query settings, transformation from
              ASCII is disabled on output for the particular query. Note that
              IDN transformation does not preserve domain name letter case.


NOTES

       Options -k and -y cannot be used simultaneously.

       The dnssec-keygen keyfile format is not supported. Use keymgr(8)
       instead.


EXIT VALUES

       An exit status of 0 means successful operation. Any other exit status
       indicates an error.


EXAMPLES

       1. Get A records for example.com:

             $ kdig example.com A

       2. Perform AXFR for zone example.com from the server 192.0.2.1:

             $ kdig example.com -t AXFR @192.0.2.1

       3. Get A records for example.com from 192.0.2.1 and reverse lookup for
          address 2001:DB8::1 from 192.0.2.2. Both using the TCP protocol:

             $ kdig +tcp example.com -t A @192.0.2.1 -x 2001:DB8::1 @192.0.2.2

       4. Get SOA record for example.com, use TLS, use system certificates,
          check for specified hostname, check for certificate pin, and print
          additional debug info:

             $ kdig -d @185.49.141.38 +tls-ca +tls-host=getdnsapi.net \
               +tls-pin=foxZRnIh9gZpWnl+zEiKa0EJ2rdCGroMWm02gaxSc9S= soa example.com

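       The pin used in example 4 and the key file read by -k are inputs the
       operator has to prepare before kdig can use them. The following shell
       script is an added illustration and is not part of the kdig manual or
       of the Knot DNS project: it derives a +tls-pin value from a server
       certificate (Base64 of the SHA-256 hash of the DER-encoded
       SubjectPublicKeyInfo, as the option description specifies), writes a
       TSIG key file in the [alg:]name:key format accepted by -y and -k, and
       assembles the strictly authenticated DNS-over-TLS argument list from
       +tls-ca, +tls-hostname and +tls-pin. The certificate, key name,
       hostname resolver.example and server 192.0.2.1 are constructed
       placeholders; only openssl is required and nothing touches the
       network. The certificate the pin is computed from must be obtained
       out of band from the resolver operator, since a pin taken from the
       live connection would only verify that connection against itself.

```shell
#!/bin/sh
# Added example, not part of the kdig manual: prepare the credentials that
# kdig's -k/-y and +tls-pin options consume, entirely offline with openssl.
set -eu

# Write a TSIG key file in the [alg:]name:key format accepted by -y and -k.
# The shared secret is freshly generated random bytes, Base64 encoded.
# Usage: make_tsig_keyfile <path> <key-name> [algorithm] [secret-bytes]
make_tsig_keyfile() {
    path=$1; name=$2; alg=${3:-hmac-sha256}; nbytes=${4:-32}
    secret=$(openssl rand -base64 "$nbytes" | tr -d '\n')
    # The file holds a shared secret: create it readable by the owner only.
    ( umask 077; printf '%s:%s:%s\n' "$alg" "$name" "$secret" > "$path" )
}

# Print the value for +tls-pin: Base64(SHA-256(DER SubjectPublicKeyInfo))
# of the PEM certificate given as $1 (obtained out of band, not from the
# connection the pin is meant to verify).
spki_pin() {
    openssl x509 -in "$1" -noout -pubkey \
      | openssl pkey -pubin -outform DER \
      | openssl dgst -sha256 -binary \
      | openssl base64 -A
}

# Assemble the kdig arguments for a strictly authenticated DNS-over-TLS
# query: CA validation, hostname check and the out-of-band key pin together.
# Usage: dot_query_args <server> <hostname> <pin> <qname> [qtype]
dot_query_args() {
    server=$1; hostname=$2; pin=$3; qname=$4; qtype=${5:-A}
    printf '@%s +tls-ca +tls-hostname=%s +tls-pin=%s %s %s' \
        "$server" "$hostname" "$pin" "$qname" "$qtype"
}

# End-to-end demonstration with a throwaway self-signed certificate standing
# in for the resolver's real certificate (constructed input, generated here).
demo() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj '/CN=resolver.example' \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null
    pin=$(spki_pin "$dir/cert.pem")
    make_tsig_keyfile "$dir/tsig.key" example-key
    echo "tls pin:  $pin"
    echo "tsig key: $(cat "$dir/tsig.key")"
    echo "kdig $(dot_query_args 192.0.2.1 resolver.example "$pin" example.com SOA)"
    rm -rf "$dir"
}

# Uncomment to run the demonstration:
# demo
```

       The pin printed by spki_pin is 44 characters long (32 hash bytes in
       Base64), which is also a quick sanity check on any pin received from
       an operator before it is passed to +tls-pin.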

FILES

       /etc/resolv.conf


SEE ALSO

       khost(1), knsupdate(1), keymgr(8).


AUTHOR

       CZ.NIC Labs <https://www.knot-dns.cz>

       Copyright 2010–2020, CZ.NIC, z.s.p.o.




2.9.3                             2020-03-03                           KDIG(1)