1DELV(1) BIND9 DELV(1)
2
3
4
6 delv - DNS lookup and validation utility
7
9 delv [@server] [[-4] | [-6]] [-a anchor-file] [-b address] [-c class]
10 [-d level] [-i] [-m] [-p port#] [-q name] [-t type] [-x addr]
11 [name] [type] [class] [queryopt...]
12
13 delv [-h]
14
15 delv [-v]
16
17 delv [queryopt...] [query...]
18
20 delv is a tool for sending DNS queries and validating the results,
21 using the same internal resolver and validator logic as named.
22
23 delv will send to a specified name server all queries needed to fetch
24 and validate the requested data; this includes the original requested
25 query, subsequent queries to follow CNAME or DNAME chains, and queries
26 for DNSKEY, DS and DLV records to establish a chain of trust for DNSSEC
27 validation. It does not perform iterative resolution, but simulates the
28 behavior of a name server configured for DNSSEC validating and
29 forwarding.
30
31 By default, responses are validated using built-in DNSSEC trust anchor
32 for the root zone ("."). Records returned by delv are either fully
33 validated or were not signed. If validation fails, an explanation of
34 the failure is included in the output; the validation process can be
35 traced in detail. Because delv does not rely on an external server to
36 carry out validation, it can be used to check the validity of DNS
37 responses in environments where local name servers may not be
38 trustworthy.
39
40 Unless it is told to query a specific name server, delv will try each
41 of the servers listed in /etc/resolv.conf. If no usable server
42 addresses are found, delv will send queries to the localhost addresses
43 (127.0.0.1 for IPv4, ::1 for IPv6).
44
45 When no command line arguments or options are given, delv will perform
46 an NS query for "." (the root zone).
47
49 A typical invocation of delv looks like:
50
51 delv @server name type
52
53 where:
54
55 server
56 is the name or IP address of the name server to query. This can be
57 an IPv4 address in dotted-decimal notation or an IPv6 address in
58 colon-delimited notation. When the supplied server argument is a
59 hostname, delv resolves that name before querying that name server
60 (note, however, that this initial lookup is not validated by
61 DNSSEC).
62
63 If no server argument is provided, delv consults /etc/resolv.conf;
64 if an address is found there, it queries the name server at that
65 address. If either of the -4 or -6 options are in use, then only
66 addresses for the corresponding transport will be tried. If no
67 usable addresses are found, delv will send queries to the localhost
68 addresses (127.0.0.1 for IPv4, ::1 for IPv6).
69
70 name
71 is the domain name to be looked up.
72
73 type
74 indicates what type of query is required — ANY, A, MX, etc. type
75 can be any valid query type. If no type argument is supplied, delv
76 will perform a lookup for an A record.
77
79 -a anchor-file
80 Specifies a file from which to read DNSSEC trust anchors. The
81 default is /etc/bind.keys, which is included with BIND 9 and
82 contains one or more trust anchors for the root zone (".").
83
84 Keys that do not match the root zone name are ignored. An alternate
85 key name can be specified using the +root=NAME options. DNSSEC
86 Lookaside Validation can also be turned on by using the +dlv=NAME
87 to specify the name of a zone containing DLV records.
88
89 Note: When reading the trust anchor file, delv treats managed-keys
90 statements and trusted-keys statements identically. That is, for a
91 managed key, it is the initial key that is trusted; RFC 5011 key
92 management is not supported. delv will not consult the
93 managed-keys database maintained by named. This means that if
94 either of the keys in /etc/bind.keys is revoked and rolled over, it
95 will be necessary to update /etc/bind.keys to use DNSSEC validation
96 in delv.
97
98 -b address
99 Sets the source IP address of the query to address. This must be a
100 valid address on one of the host's network interfaces or "0.0.0.0"
101 or "::". An optional source port may be specified by appending
102 "#<port>"
103
104 -c class
105 Sets the query class for the requested data. Currently, only class
106 "IN" is supported in delv and any other value is ignored.
107
108 -d level
109 Set the systemwide debug level to level. The allowed range is from
110 0 to 99. The default is 0 (no debugging). Debugging traces from
111 delv become more verbose as the debug level increases. See the
112 +mtrace, +rtrace, and +vtrace options below for additional
113 debugging details.
114
115 -h
116 Display the delv help usage output and exit.
117
118 -i
119 Insecure mode. This disables internal DNSSEC validation. (Note,
120 however, this does not set the CD bit on upstream queries. If the
121 server being queried is performing DNSSEC validation, then it will
122 not return invalid data; this can cause delv to time out. When it
123 is necessary to examine invalid data to debug a DNSSEC problem, use
124 dig +cd.)
125
126 -m
127 Enables memory usage debugging.
128
129 -p port#
130 Specifies a destination port to use for queries instead of the
131 standard DNS port number 53. This option would be used with a name
132 server that has been configured to listen for queries on a
133 non-standard port number.
134
135 -q name
136 Sets the query name to name. While the query name can be specified
137 without using the -q, it is sometimes necessary to disambiguate
138 names from types or classes (for example, when looking up the name
139 "ns", which could be misinterpreted as the type NS, or "ch", which
140 could be misinterpreted as class CH).
141
142 -t type
143 Sets the query type to type, which can be any valid query type
144 supported in BIND 9 except for zone transfer types AXFR and IXFR.
145 As with -q, this is useful to distinguish query name type or class
146 when they are ambiguous. it is sometimes necessary to disambiguate
147 names from types.
148
149 The default query type is "A", unless the -x option is supplied to
150 indicate a reverse lookup, in which case it is "PTR".
151
152 -v
153 Print the delv version and exit.
154
155 -x addr
156 Performs a reverse lookup, mapping an addresses to a name. addr is
157 an IPv4 address in dotted-decimal notation, or a colon-delimited
158 IPv6 address. When -x is used, there is no need to provide the name
159 or type arguments. delv automatically performs a lookup for a name
160 like 11.12.13.10.in-addr.arpa and sets the query type to PTR. IPv6
161 addresses are looked up using nibble format under the IP6.ARPA
162 domain.
163
164 -4
165 Forces delv to only use IPv4.
166
167 -6
168 Forces delv to only use IPv6.
169
171 delv provides a number of query options which affect the way results
172 are displayed, and in some cases the way lookups are performed.
173
174 Each query option is identified by a keyword preceded by a plus sign
175 (+). Some keywords set or reset an option. These may be preceded by the
176 string no to negate the meaning of that keyword. Other keywords assign
177 values to options like the timeout interval. They have the form
178 +keyword=value. The query options are:
179
180 +[no]cdflag
181 Controls whether to set the CD (checking disabled) bit in queries
182 sent by delv. This may be useful when troubleshooting DNSSEC
183 problems from behind a validating resolver. A validating resolver
184 will block invalid responses, making it difficult to retrieve them
185 for analysis. Setting the CD flag on queries will cause the
186 resolver to return invalid responses, which delv can then validate
187 internally and report the errors in detail.
188
189 +[no]class
190 Controls whether to display the CLASS when printing a record. The
191 default is to display the CLASS.
192
193 +[no]ttl
194 Controls whether to display the TTL when printing a record. The
195 default is to display the TTL.
196
197 +[no]rtrace
198 Toggle resolver fetch logging. This reports the name and type of
199 each query sent by delv in the process of carrying out the
200 resolution and validation process: this includes including the
201 original query and all subsequent queries to follow CNAMEs and to
202 establish a chain of trust for DNSSEC validation.
203
204 This is equivalent to setting the debug level to 1 in the
205 "resolver" logging category. Setting the systemwide debug level to
206 1 using the -d option will product the same output (but will affect
207 other logging categories as well).
208
209 +[no]mtrace
210 Toggle message logging. This produces a detailed dump of the
211 responses received by delv in the process of carrying out the
212 resolution and validation process.
213
214 This is equivalent to setting the debug level to 10 for the
215 "packets" module of the "resolver" logging category. Setting the
216 systemwide debug level to 10 using the -d option will produce the
217 same output (but will affect other logging categories as well).
218
219 +[no]vtrace
220 Toggle validation logging. This shows the internal process of the
221 validator as it determines whether an answer is validly signed,
222 unsigned, or invalid.
223
224 This is equivalent to setting the debug level to 3 for the
225 "validator" module of the "dnssec" logging category. Setting the
226 systemwide debug level to 3 using the -d option will produce the
227 same output (but will affect other logging categories as well).
228
229 +[no]short
230 Provide a terse answer. The default is to print the answer in a
231 verbose form.
232
233 +[no]comments
234 Toggle the display of comment lines in the output. The default is
235 to print comments.
236
237 +[no]rrcomments
238 Toggle the display of per-record comments in the output (for
239 example, human-readable key information about DNSKEY records). The
240 default is to print per-record comments.
241
242 +[no]crypto
243 Toggle the display of cryptographic fields in DNSSEC records. The
244 contents of these field are unnecessary to debug most DNSSEC
245 validation failures and removing them makes it easier to see the
246 common failures. The default is to display the fields. When omitted
247 they are replaced by the string "[omitted]" or in the DNSKEY case
248 the key id is displayed as the replacement, e.g. "[ key id = value
249 ]".
250
251 +[no]trust
252 Controls whether to display the trust level when printing a record.
253 The default is to display the trust level.
254
255 +[no]split[=W]
256 Split long hex- or base64-formatted fields in resource records into
257 chunks of W characters (where W is rounded up to the nearest
258 multiple of 4). +nosplit or +split=0 causes fields not to be split
259 at all. The default is 56 characters, or 44 characters when
260 multiline mode is active.
261
262 +[no]all
263 Set or clear the display options +[no]comments, +[no]rrcomments,
264 and +[no]trust as a group.
265
266 +[no]multiline
267 Print long records (such as RRSIG, DNSKEY, and SOA records) in a
268 verbose multi-line format with human-readable comments. The default
269 is to print each record on a single line, to facilitate machine
270 parsing of the delv output.
271
272 +[no]dnssec
273 Indicates whether to display RRSIG records in the delv output. The
274 default is to do so. Note that (unlike in dig) this does not
275 control whether to request DNSSEC records or whether to validate
276 them. DNSSEC records are always requested, and validation will
277 always occur unless suppressed by the use of -i or +noroot and
278 +nodlv.
279
280 +[no]root[=ROOT]
281 Indicates whether to perform conventional (non-lookaside) DNSSEC
282 validation, and if so, specifies the name of a trust anchor. The
283 default is to validate using a trust anchor of "." (the root zone),
284 for which there is a built-in key. If specifying a different trust
285 anchor, then -a must be used to specify a file containing the key.
286
287 +[no]dlv[=DLV]
288 Indicates whether to perform DNSSEC lookaside validation, and if
289 so, specifies the name of the DLV trust anchor. The -a option must
290 also be used to specify a file containing the DLV key.
291
292 +[no]tcp
293 Controls whether to use TCP when sending queries. The default is to
294 use UDP unless a truncated response has been received.
295
296 +[no]unknownformat
297 Print all RDATA in unknown RR type presentation format (RFC 3597).
298 The default is to print RDATA for known types in the type's
299 presentation format.
300
302 /etc/bind.keys
303
304 /etc/resolv.conf
305
307 dig(1), named(8), RFC4034, RFC4035, RFC4431, RFC5074, RFC5155.
308
310 Internet Systems Consortium, Inc.
311
313 Copyright © 2014-2021 Internet Systems Consortium, Inc. ("ISC")
314
315
316
317ISC 2014-04-23 DELV(1)