1unbound-host(1) unbound 1.6.6 unbound-host(1)
2
6 unbound-host - unbound DNS lookup utility
7
9 unbound-host [-vdhr46D] [-c class] [-t type] hostname [-y key] [-f key‐
10 file] [-F namedkeyfile] [-C configfile]
11
13 Unbound-host uses the unbound validating resolver to query for the
14 hostname and display results. With the -v option it displays validation
15 status: secure, insecure, bogus (security failure).
16 By default it reads no configuration file whatsoever. It attempts to
18 reach the internet root servers. With -C an unbound config file and
19 with -r resolv.conf can be read.
20 The available options are:
22 hostname
24 This name is resolved (looked up in the DNS). If a IPv4 or IPv6
25 address is given, a reverse lookup is performed.
26 -h Show the version and commandline option help.
28 -v Enable verbose output and it shows validation results, on every
30 line. Secure means that the NXDOMAIN (no such domain name),
31 nodata (no such data) or positive data response validated cor‐
32 rectly with one of the keys. Insecure means that that domain
33 name has no security set up for it. Bogus (security failure)
34 means that the response failed one or more checks, it is likely
35 wrong, outdated, tampered with, or broken.
36 -d Enable debug output to stderr. One -d shows what the resolver
38 and validator are doing and may tell you what is going on. More
39 times, -d -d, gives a lot of output, with every packet sent and
40 received.
41 -c class
43 Specify the class to lookup for, the default is IN the internet
44 class.
45 -t type
47 Specify the type of data to lookup. The default looks for IPv4,
48 IPv6 and mail handler data, or domain name pointers for reverse
49 queries.
50 -y key Specify a public key to use as trust anchor. This is the base
52 for a chain of trust that is built up from the trust anchor to
53 the response, in order to validate the response message. Can be
54 given as a DS or DNSKEY record. For example -y "example.com DS
55 31560 5 1 1CFED84787E6E19CCF9372C1187325972FE546CD".
56 -D Enables DNSSEC validation. Reads the root anchor from the
58 default configured root anchor at the default location,
59 /var/lib/unbound/root.key.
60 -f keyfile
62 Reads keys from a file. Every line has a DS or DNSKEY record, in
63 the format as for -y. The zone file format, the same as dig and
64 drill produce.
65 -F namedkeyfile
67 Reads keys from a BIND-style named.conf file. Only the
68 trusted-key {}; entries are read.
69 -C configfile
71 Uses the specified unbound.conf to prime libunbound(3).
72 -r Read /etc/resolv.conf, and use the forward DNS servers from
74 there (those could have been set by DHCP). More info in
75 resolv.conf(5). Breaks validation if those servers do not sup‐
76 port DNSSEC.
77 -4 Use solely the IPv4 network for sending packets.
79 -6 Use solely the IPv6 network for sending packets.
81
83 Some examples of use. The keys shown below are fakes, thus a security
84 failure is encountered.
85 $ unbound-host www.example.com
87 $ unbound-host -v -y "example.com DS 31560 5 1
89 1CFED84787E6E19CCF9372C1187325972FE546CD" www.example.com
90 $ unbound-host -v -y "example.com DS 31560 5 1
92 1CFED84787E6E19CCF9372C1187325972FE546CD" 192.0.2.153
93
95 The unbound-host program exits with status code 1 on error, 0 on no
96 error. The data may not be available on exit code 0, exit code 1 means
97 the lookup encountered a fatal error.
98
100 unbound.conf(5), unbound(8).
101NLnet Labs Sep 18, 2017 unbound-host(1)