1DELV(1)                              BIND9                             DELV(1)
2
3
4

NAME

6       delv - DNS lookup and validation utility
7

SYNOPSIS

9       delv [@server] [[-4] | [-6]] [-a anchor-file] [-b address] [-c class]
10            [-d level] [-i] [-m] [-p port#] [-q name] [-t type] [-x addr]
11            [name] [type] [class] [queryopt...]
12
13       delv [-h]
14
15       delv [-v]
16
17       delv [queryopt...] [query...]
18

DESCRIPTION

20       delv is a tool for sending DNS queries and validating the results,
21       using the same internal resolver and validator logic as named.
22
23       delv will send to a specified name server all queries needed to fetch
24       and validate the requested data; this includes the original requested
25       query, subsequent queries to follow CNAME or DNAME chains, and queries
26       for DNSKEY, DS and DLV records to establish a chain of trust for DNSSEC
27       validation. It does not perform iterative resolution, but simulates the
28       behavior of a name server configured for DNSSEC validating and
29       forwarding.
30
31       By default, responses are validated using built-in DNSSEC trust anchor
32       for the root zone ("."). Records returned by delv are either fully
33       validated or were not signed. If validation fails, an explanation of
34       the failure is included in the output; the validation process can be
35       traced in detail. Because delv does not rely on an external server to
36       carry out validation, it can be used to check the validity of DNS
37       responses in environments where local name servers may not be
38       trustworthy.
39
40       Unless it is told to query a specific name server, delv will try each
41       of the servers listed in /etc/resolv.conf. If no usable server
42       addresses are found, delv will send queries to the localhost addresses
43       (127.0.0.1 for IPv4, ::1 for IPv6).
44
45       When no command line arguments or options are given, delv will perform
46       an NS query for "." (the root zone).
47

SIMPLE USAGE

49       A typical invocation of delv looks like:
50
51            delv @server name type
52
53       where:
54
55       server
56           is the name or IP address of the name server to query. This can be
57           an IPv4 address in dotted-decimal notation or an IPv6 address in
58           colon-delimited notation. When the supplied server argument is a
59           hostname, delv resolves that name before querying that name server
60           (note, however, that this initial lookup is not validated by
61           DNSSEC).
62
63           If no server argument is provided, delv consults /etc/resolv.conf;
64           if an address is found there, it queries the name server at that
65           address. If either of the -4 or -6 options are in use, then only
66           addresses for the corresponding transport will be tried. If no
67           usable addresses are found, delv will send queries to the localhost
68           addresses (127.0.0.1 for IPv4, ::1 for IPv6).
69
70       name
71           is the domain name to be looked up.
72
73       type
74           indicates what type of query is required — ANY, A, MX, etc.  type
75           can be any valid query type. If no type argument is supplied, delv
76           will perform a lookup for an A record.
77

OPTIONS

79       -a anchor-file
80           Specifies a file from which to read DNSSEC trust anchors. The
81           default is /etc/bind.keys, which is included with BIND 9 and
82           contains one or more trust anchors for the root zone (".").
83
84           Keys that do not match the root zone name are ignored. An alternate
85           key name can be specified using the +root=NAME options. DNSSEC
86           Lookaside Validation can also be turned on by using the +dlv=NAME
87           to specify the name of a zone containing DLV records.
88
89           Note: When reading the trust anchor file, delv treats managed-keys
90           statements and trusted-keys statements identically. That is, for a
91           managed key, it is the initial key that is trusted; RFC 5011 key
92           management is not supported.  delv will not consult the
93           managed-keys database maintained by named. This means that if
94           either of the keys in /etc/bind.keys is revoked and rolled over, it
95           will be necessary to update /etc/bind.keys to use DNSSEC validation
96           in delv.
97
98       -b address
99           Sets the source IP address of the query to address. This must be a
100           valid address on one of the host's network interfaces or "0.0.0.0"
101           or "::". An optional source port may be specified by appending
102           "#<port>"
103
104       -c class
105           Sets the query class for the requested data. Currently, only class
106           "IN" is supported in delv and any other value is ignored.
107
108       -d level
109           Set the systemwide debug level to level. The allowed range is from
110           0 to 99. The default is 0 (no debugging). Debugging traces from
111           delv become more verbose as the debug level increases. See the
112           +mtrace, +rtrace, and +vtrace options below for additional
113           debugging details.
114
115       -h
116           Display the delv help usage output and exit.
117
118       -i
119           Insecure mode. This disables internal DNSSEC validation. (Note,
120           however, this does not set the CD bit on upstream queries. If the
121           server being queried is performing DNSSEC validation, then it will
122           not return invalid data; this can cause delv to time out. When it
123           is necessary to examine invalid data to debug a DNSSEC problem, use
124           dig +cd.)
125
126       -m
127           Enables memory usage debugging.
128
129       -p port#
130           Specifies a destination port to use for queries instead of the
131           standard DNS port number 53. This option would be used with a name
132           server that has been configured to listen for queries on a
133           non-standard port number.
134
135       -q name
136           Sets the query name to name. While the query name can be specified
137           without using the -q, it is sometimes necessary to disambiguate
138           names from types or classes (for example, when looking up the name
139           "ns", which could be misinterpreted as the type NS, or "ch", which
140           could be misinterpreted as class CH).
141
142       -t type
143           Sets the query type to type, which can be any valid query type
144           supported in BIND 9 except for zone transfer types AXFR and IXFR.
145           As with -q, this is useful to distinguish query name type or class
146           when they are ambiguous. it is sometimes necessary to disambiguate
147           names from types.
148
149           The default query type is "A", unless the -x option is supplied to
150           indicate a reverse lookup, in which case it is "PTR".
151
152       -v
153           Print the delv version and exit.
154
155       -x addr
156           Performs a reverse lookup, mapping an addresses to a name.  addr is
157           an IPv4 address in dotted-decimal notation, or a colon-delimited
158           IPv6 address. When -x is used, there is no need to provide the name
159           or type arguments.  delv automatically performs a lookup for a name
160           like 11.12.13.10.in-addr.arpa and sets the query type to PTR. IPv6
161           addresses are looked up using nibble format under the IP6.ARPA
162           domain.
163
164       -4
165           Forces delv to only use IPv4.
166
167       -6
168           Forces delv to only use IPv6.
169

QUERY OPTIONS

171       delv provides a number of query options which affect the way results
172       are displayed, and in some cases the way lookups are performed.
173
174       Each query option is identified by a keyword preceded by a plus sign
175       (+). Some keywords set or reset an option. These may be preceded by the
176       string no to negate the meaning of that keyword. Other keywords assign
177       values to options like the timeout interval. They have the form
178       +keyword=value. The query options are:
179
180       +[no]cdflag
181           Controls whether to set the CD (checking disabled) bit in queries
182           sent by delv. This may be useful when troubleshooting DNSSEC
183           problems from behind a validating resolver. A validating resolver
184           will block invalid responses, making it difficult to retrieve them
185           for analysis. Setting the CD flag on queries will cause the
186           resolver to return invalid responses, which delv can then validate
187           internally and report the errors in detail.
188
189       +[no]class
190           Controls whether to display the CLASS when printing a record. The
191           default is to display the CLASS.
192
193       +[no]ttl
194           Controls whether to display the TTL when printing a record. The
195           default is to display the TTL.
196
197       +[no]rtrace
198           Toggle resolver fetch logging. This reports the name and type of
199           each query sent by delv in the process of carrying out the
200           resolution and validation process: this includes including the
201           original query and all subsequent queries to follow CNAMEs and to
202           establish a chain of trust for DNSSEC validation.
203
204           This is equivalent to setting the debug level to 1 in the
205           "resolver" logging category. Setting the systemwide debug level to
206           1 using the -d option will product the same output (but will affect
207           other logging categories as well).
208
209       +[no]mtrace
210           Toggle message logging. This produces a detailed dump of the
211           responses received by delv in the process of carrying out the
212           resolution and validation process.
213
214           This is equivalent to setting the debug level to 10 for the
215           "packets" module of the "resolver" logging category. Setting the
216           systemwide debug level to 10 using the -d option will produce the
217           same output (but will affect other logging categories as well).
218
219       +[no]vtrace
220           Toggle validation logging. This shows the internal process of the
221           validator as it determines whether an answer is validly signed,
222           unsigned, or invalid.
223
224           This is equivalent to setting the debug level to 3 for the
225           "validator" module of the "dnssec" logging category. Setting the
226           systemwide debug level to 3 using the -d option will produce the
227           same output (but will affect other logging categories as well).
228
229       +[no]short
230           Provide a terse answer. The default is to print the answer in a
231           verbose form.
232
233       +[no]comments
234           Toggle the display of comment lines in the output. The default is
235           to print comments.
236
237       +[no]rrcomments
238           Toggle the display of per-record comments in the output (for
239           example, human-readable key information about DNSKEY records). The
240           default is to print per-record comments.
241
242       +[no]crypto
243           Toggle the display of cryptographic fields in DNSSEC records. The
244           contents of these field are unnecessary to debug most DNSSEC
245           validation failures and removing them makes it easier to see the
246           common failures. The default is to display the fields. When omitted
247           they are replaced by the string "[omitted]" or in the DNSKEY case
248           the key id is displayed as the replacement, e.g. "[ key id = value
249           ]".
250
251       +[no]trust
252           Controls whether to display the trust level when printing a record.
253           The default is to display the trust level.
254
255       +[no]split[=W]
256           Split long hex- or base64-formatted fields in resource records into
257           chunks of W characters (where W is rounded up to the nearest
258           multiple of 4).  +nosplit or +split=0 causes fields not to be split
259           at all. The default is 56 characters, or 44 characters when
260           multiline mode is active.
261
262       +[no]all
263           Set or clear the display options +[no]comments, +[no]rrcomments,
264           and +[no]trust as a group.
265
266       +[no]multiline
267           Print long records (such as RRSIG, DNSKEY, and SOA records) in a
268           verbose multi-line format with human-readable comments. The default
269           is to print each record on a single line, to facilitate machine
270           parsing of the delv output.
271
272       +[no]dnssec
273           Indicates whether to display RRSIG records in the delv output. The
274           default is to do so. Note that (unlike in dig) this does not
275           control whether to request DNSSEC records or whether to validate
276           them. DNSSEC records are always requested, and validation will
277           always occur unless suppressed by the use of -i or +noroot and
278           +nodlv.
279
280       +[no]root[=ROOT]
281           Indicates whether to perform conventional (non-lookaside) DNSSEC
282           validation, and if so, specifies the name of a trust anchor. The
283           default is to validate using a trust anchor of "." (the root zone),
284           for which there is a built-in key. If specifying a different trust
285           anchor, then -a must be used to specify a file containing the key.
286
287       +[no]dlv[=DLV]
288           Indicates whether to perform DNSSEC lookaside validation, and if
289           so, specifies the name of the DLV trust anchor. The -a option must
290           also be used to specify a file containing the DLV key.
291
292       +[no]tcp
293           Controls whether to use TCP when sending queries. The default is to
294           use UDP unless a truncated response has been received.
295
296       +[no]unknownformat
297           Print all RDATA in unknown RR type presentation format (RFC 3597).
298           The default is to print RDATA for known types in the type's
299           presentation format.
300

FILES

302       /etc/bind.keys
303
304       /etc/resolv.conf
305

SEE ALSO

307       dig(1), named(8), RFC4034, RFC4035, RFC4431, RFC5074, RFC5155.
308

AUTHOR

310       Internet Systems Consortium, Inc.
311
313       Copyright © 2014-2021 Internet Systems Consortium, Inc. ("ISC")
314
315
316
317ISC                               2014-04-23                           DELV(1)
Impressum