dnsviz-print(1)             General Commands Manual            dnsviz-print(1)


NAME

       dnsviz-print - print the assessment of diagnostic DNS queries


SYNOPSIS

       dnsviz print [ options ] [ domain_name... ]


DESCRIPTION

       Process  the  results  of  diagnostic DNS queries previously performed,
       e.g., using dnsviz-probe(1), to assess the health of the associated DNS
       deployments  for  one  or  more domain names specified.  The results of
       this processing are presented in textual output.

       The source of the diagnostic query input is  either  a  file  specified
       with -r or standard input.

       Domain names to be processed may be passed either as command-line argu‐
       ments, in a file (using the -f option), or simply implied using the di‐
       agnostic query input.  The latter is the simplest and preferred method,
       except where the input contains diagnostic queries for multiple  domain
       names and only a subset of them is to be processed.

       If -f is not used and no domain names are supplied on the command line,
       then the domain names to be processed are extracted from the diagnostic
       query input.  If the -f option is used, then names may not be specified
       on the command line.

       The domain names passed as input are fully-qualified domain names, such
       as example.com, www.example.com,  _443._tcp.example.com,  1.2.0.192.in-
       addr.arpa,  or  8.b.d.0.1.0.0.2.ip6.arpa.   Because  it is implied that
       specified domain names are fully qualified, no trailing dot  is  neces‐
       sary.

       The  output is appropriate for terminal or text file output, using col‐
       ors (where supported by the terminal) and symbols to  designate  status
       and errors in a loosely-defined textual format.


OPTIONS

       -f, --names-file filename
              Read names from a file (one name per line), instead of from com‐
              mand line.

              If this option is used, then names may not be specified  on  the
              command line.

       -r, --input-file filename
              Read  diagnostic query input from the specified file, instead of
              from standard input.

       -t, --trusted-keys-file filename
              Use trusted keys from the specified file when  processing  diag‐
              nostic  queries.   This  overrides the default behavior of using
              the installed keys for the root zone.

              The format of this file is master zone file  format  and  should
              contain  DNSKEY  records  that correspond to one or more trusted
              keys for one or more DNS zones.

              This option may be used multiple times on the command line.

       -a, --algorithms alg[,alg...]
              Support only the DNSSEC algorithms specified.  If this option is
              used, any algorithms not specified will appear as "unsupported."
              The status of any RRSIG records corresponding to unsupported al‐
              gorithms will be unknown.  Additionally, when a zone has only DS
              records with unsupported algorithms, the zone is treated as "in‐
              secure", assuming the DS records are properly authenticated.

       -d, --digest-algorithms digest_alg[,digest_alg...]
              Support  only  the  DNSSEC digest algorithms specified.  If this
              option is used, any digest algorithms not specified will  appear
              as "unsupported."  The status of any DS records corresponding to
              unsupported digest algorithms will  be  unknown.   Additionally,
              when  a  zone  has only DS records with unsupported digest algo‐
              rithms, the zone is  treated  as  "insecure",  assuming  the  DS
              records are properly authenticated.

       -b, --validate-prohibited-algs
              Validate  algorithms  for  which validation is otherwise prohib‐
              ited.  The current DNSSEC specification prohibits validators from
              validating  older,  weaker  algorithms  associated  with  DNSKEY
              and DS records (see RFC 8624).  If this option is used, a  warn‐
              ing will still be issued for DNSSEC records that use these older
              algorithms, but their cryptographic status  will  be  assessed
              rather than ignored.

       -C, --enforce-cookies
              Enforce DNS cookies strictly.   Require  a  server  to  return  a
              "BADCOOKIE" response when a query contains a COOKIE option  with
              no server cookie or with an invalid server cookie.

       -P, --allow-private
              Allow  private  IP  addresses for authoritative DNS servers.  By
              default, if the IP address  corresponding  to  an  authoritative
              server  is  in  IP  address space designated as "private", it is
              flagged as an error.  However, there are some cases  where  this
              is  allowed.   For example, if the diagnostic queries are issued
              to servers in an experimental environment, this might be permis‐
              sible.

       -R, --rr-types type[,type...]
              Process  queries  of only the specified type(s) (e.g., A, AAAA).
              The default is to process all types queried as part of the diag‐
              nostic input.

       -O, --derive-filename
              Save the output to a file, whose name is derived from the domain
              name.

              If this option is used when the diagnostic queries  of  multiple
              domain  names  are  being  processed, a file will be created for
              each domain name processed.

       -o, --output-file filename
              Write the output to the specified file instead  of  to  standard
              output, which is the default.

              If  this  option is used when the diagnostic queries of multiple
              domain names are being processed, a single file (the one  speci‐
              fied)  will be created, which will contain the collective output
              for all domain names processed.


       -h     Display the usage and exit.



OUTPUT

       The following is an example of the output:

       . [.]
       [.]  DNSKEY: 8/1518/256 [.], 8/19036/257 [.]
       [.]    RRSIG: ./8/19036 (2015-08-20 - 2015-09-03) [.]
       com [.] [.]
       [.]  DS: 8/30909/2 [.]
       [.]    RRSIG: ./8/1518 (2015-08-26 - 2015-09-05) [.]
       [.]  DNSKEY: 8/30909/257 [.], 8/35864/256 [.]
       [.]    RRSIG: com/8/30909 (2015-08-24 - 2015-08-31) [.]
       example.com [.] [.]
       [.]  DS: 8/31406/1 [.], 8/31406/2 [.], 8/31589/1  [-],  8/31589/2  [-],
       8/43547/1 [-], 8/43547/2 [-]
       [.]    RRSIG: com/8/35864 (2015-08-24 - 2015-08-31) [.]
       [.]  DNSKEY: 8/54108/256 [.], 8/31406/257 [.], 8/63870/256 [.]
       [.]    RRSIG: example.com/8/31406 (2015-08-24 - 2015-09-14) [.]
       www.example.com
       [.]  A: 192.0.2.1
       [.]    RRSIG: example.com/8/31406 (2015-08-24 - 2015-09-14) [.]
       non-existent.example.com
       [.]  A: NXDOMAIN
       [.]     SOA: sns.dns.icann.org. noc.dns.icann.org. 2015082401 7200 3600
       1209600 3600
       [.]      RRSIG: example.com/8/54108 (2015-08-24 - 2015-09-14) [.]
       [.]    PROOF:  [.]
       [.]      NSEC: example.com. www.example.com. A NS SOA  TXT  AAAA  RRSIG
       NSEC DNSKEY
       [.]        RRSIG: example.com/8/54108 (2015-08-21 - 2015-09-11) [.]

162
   Domain Names
       The  output  above is divided into several sections, each corresponding
       to the domain name that starts the section (e.g.,  example.com).   Fol‐
       lowing  the  headers  of names that correspond to zones are two sets of
       characters, each within brackets.  The characters within the first  set
       of  brackets  represent  the status of the zone.  The characters within
       the second set of brackets represent the status of the delegation (note
       that  this  second  set of bracketed characters will not be present for
       the root zone).

       The first character within each set of brackets is one of  the  follow‐
       ing:


       .      secure zone or delegation

       -      insecure zone or delegation

       !      bogus zone or delegation

       ?      lame or incomplete delegation


       If  there  is a second character within the brackets, it represents the
       following:


       !      errors are present

       ?      warnings are present


       For example, an insecure delegation with warnings  is  represented  as:
       [-?]  And a secure delegation with no errors is shown as: [.]


   Query Responses
       The  lines  in  each  section, below the header, represent responses to
       queries for that name from one or more servers.  The bracketed  charac‐
       ters  at the far left of each line represent the status of the response
       or response component on the rest of the line.  The first character  in
       the brackets represents the authentication status:


       .      secure

       -      insecure

       !      bogus


       If  there  is a second character within the brackets, it represents the
       following:


       !      errors are present

       ?      warnings are present


       For example, an insecure status with warnings is represented  as:  [-?]
       And a secure status with no errors is shown as: [.]

       The status of the response is followed by the type corresponding to the
       query or response.  For example, "A" means that data  following  is  in
       response to a query of type A (IPv4 address) for the name of the corre‐
       sponding section.  When the response is positive (i.e., there  is  data
       in  the  answer  section), the corresponding data is shown on the right
       (with some exceptions) as a comma-separated set of records  within  the
       RRset.   DNSKEY,  DS,  and  RRSIG records show an abbreviated format of
       their records, as follows:


       DNSKEY:
              <algorithm number>/<key tag>/<flags>

              Example: 8/35864/256

       DS:    <algorithm number>/<key tag>/<digest type>

              Example: 8/30909/2

       RRSIG: <signer>/<algorithm number>/<key tag>  (<inception>  -  <expira‐
              tion>)

              Example: com/8/35864 (2015-08-24 - 2015-08-31)


       Following  each  record  within  a  DNSKEY,  DS, or RRSIG response is a
       bracketed set of characters, the first of which represents validity:


       .      valid


       -      indeterminate


       !      invalid/expired/premature


       ?      indeterminate due to unknown algorithm


       If there is a second character within the brackets, it  represents  the
       following:


       !      errors are present

       ?      warnings are present


       For example, a DNSKEY with warnings is shown as: [.?]  A DS correspond‐
       ing to a non-existent DNSKEY is represented as: [-].

       RRSIGs are shown below the RRset they cover, indented from the RRset.


   Negative Responses
       If a response is negative, then the appropriate "NODATA" or  "NXDOMAIN"
       text is shown adjacent to the type queried, e.g., "A: NXDOMAIN".  If
       there was an SOA record and/or NSEC(3) proof, then they are listed  be‐
       low, indented from the query type.

       The  NSEC  or  NSEC3  records (and their RRSIGs) comprising a proof are
       grouped by indentation under the title "PROOF" which is itself indented
       under the negative response line.  Following "PROOF" is a bracketed set
       of characters with the same meaning as those used for DS,  DNSKEY,  and
       RRSIG.


   Errors and Warnings
       Textual  errors  and  warnings are listed below the response components
       with which the issues are associated.  Each error or warning is  listed
       on  its  own line and prefaced with "E:" or "W:", signifying whether it
       is an error or warning, respectively.


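   Parsing the Output
       The following Python program is an added example and is  not  part  of
       dnsviz.   It  parses a report in the format described above into struc‐
       tured data: zone and delegation status from the headers, authentication
       status  from  the response lines, validity of each abbreviated DNSKEY,
       DS, RRSIG and PROOF record, and any E:/W: lines, and  then  lists  ev‐
       erything  that  is not secure or valid.  The embedded sample input cop‐
       ies the example.com and non-existent.example.com sections from the OUT‐
       PUT  example  above  (wrapped  lines rejoined); the insecure.example
       section, its address and its warning text are constructed.  The  file
       name parse_print.py is assumed.

```python
"""Parse the report written by ``dnsviz print`` into structured data.  Added example, not part of
dnsviz: it implements the OUTPUT conventions above (a bracketed status glyph plus optional error/
warning glyph, whose meaning depends on the level it annotates) and the abbreviated record notation."""
import re
import sys

ZONE_STATUS = {".": "secure", "-": "insecure", "!": "bogus", "?": "lame or incomplete"}
AUTH_STATUS = {".": "secure", "-": "insecure", "!": "bogus"}
RECORD_VALIDITY = {".": "valid", "-": "indeterminate", "!": "invalid/expired/premature",
                   "?": "indeterminate (unknown algorithm)"}
FLAGS = {"!": "errors", "?": "warnings"}            # optional second glyph, e.g. [-?]

BR = r"\[([.\-!?])([!?])?\]"                          # one bracketed status, e.g. [.] or [!?]
HEADER_RE = re.compile(r"^(\S+)(?:\s+" + BR + r")?(?:\s+" + BR + r")?\s*$")  # name [zone] [delegation]
RESPONSE_RE = re.compile(r"^" + BR + r"\s+([A-Z0-9]+):\s+(.*?)\s*$")         # [status]  TYPE: data
RECORD_RE = re.compile(r"(\S+)(?:\s+\((\S+) - (\S+)\))?\s+" + BR)            # fields (incep - exp) [v]
ISSUE_RE = re.compile(r"^\s*([EW]):\s+(.*\S)\s*$")                          # E: ... / W: ...


def decode(table, glyph, flag):
    """('-', '?') -> ('insecure', 'warnings'); (None, None) when no brackets were present."""
    return (table.get(glyph), FLAGS.get(flag)) if glyph else (None, None)


def parse(text):
    """One dict per domain-name header, each with its response lines nested underneath."""
    sections, cur = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = RESPONSE_RE.match(line)
        if m and cur is not None:
            st, fl, rrtype, rest = m.groups()
            resp = {"type": rrtype, "status": decode(AUTH_STATUS, st, fl), "data": "", "records": [], "issues": []}
            if rrtype in ("DNSKEY", "DS", "RRSIG"):
                resp["records"] = [{"fields": f, "status": decode(RECORD_VALIDITY, v, vfl),
                                    "inception": inc or None, "expiration": exp or None}
                                   for f, inc, exp, v, vfl in RECORD_RE.findall(rest)]
            elif rrtype == "PROOF" and re.fullmatch(BR, rest):
                resp["records"] = [{"fields": "proof", "status": decode(RECORD_VALIDITY, *re.fullmatch(BR, rest).groups())}]
            else:
                resp["data"] = rest                   # RDATA, or NXDOMAIN / NODATA for negative answers
            cur["responses"].append(resp)
            continue
        m = ISSUE_RE.match(line)
        if m and cur is not None and cur["responses"]:
            cur["responses"][-1]["issues"].append(f"{m.group(1)}: {m.group(2)}")
            continue
        m = HEADER_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised line: {line!r}")
        name, zs, zf, ds, df = m.groups()           # root and non-zone names carry no delegation status
        cur = {"name": name, "zone": decode(ZONE_STATUS, zs, zf),
               "delegation": decode(ZONE_STATUS, ds, df), "responses": []}
        sections.append(cur)
    return sections


def describe_dnskey(abbrev):
    """Expand "<alg>/<key tag>/<flags>"; flag bit 1 is SEP (RFC 4034), so 257 is a KSK and 256 a ZSK."""
    alg, tag, flags = (int(x) for x in abbrev.split("/"))
    return {"algorithm": alg, "key_tag": tag, "flags": flags, "role": "KSK" if flags & 1 else "ZSK"}


def problems(sections):
    """Everything that is not secure/valid, plus every E:/W: line, one string each."""
    def fmt(status):
        return status[0] + (f" ({status[1]})" if status[1] else "")
    out = []
    for s in sections:
        for what in ("zone", "delegation"):
            st, fl = s[what]
            if (st is not None and st != "secure") or fl:
                out.append(f"{s['name']}: {what} {fmt(s[what])}")
        for resp in s["responses"]:
            if resp["status"] != ("secure", None):
                out.append(f"{s['name']}: {resp['type']} response {fmt(resp['status'])}")
            out += [f"{s['name']}: {resp['type']} {r['fields']} {fmt(r['status'])}"
                    for r in resp["records"] if r["status"] != ("valid", None)]
            out += [f"{s['name']}: {resp['type']} {i}" for i in resp["issues"]]
    return out


# Constructed sample: the first two sections are copied from this man page's OUTPUT example
# (wrapped lines rejoined); the last is made up to show an insecure zone with a warning.
SAMPLE = """\
example.com [.] [.]
[.]  DS: 8/31406/1 [.], 8/31406/2 [.], 8/31589/1 [-], 8/31589/2 [-], 8/43547/1 [-], 8/43547/2 [-]
[.]    RRSIG: com/8/35864 (2015-08-24 - 2015-08-31) [.]
[.]  DNSKEY: 8/54108/256 [.], 8/31406/257 [.], 8/63870/256 [.]
[.]    RRSIG: example.com/8/31406 (2015-08-24 - 2015-09-14) [.]
non-existent.example.com
[.]  A: NXDOMAIN
[.]    PROOF:  [.]
insecure.example [-?] [-]
[-]  A: 198.51.100.7
       W: constructed example warning
"""

if __name__ == "__main__":                          # python3 parse_print.py [report.txt]
    report = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for p in problems(parse(report)):
        print(p)
```

       Feed it a saved report ("dnsviz probe example.com | dnsviz print  -o
       report.txt",  then  "python3  parse_print.py  report.txt").  On the
       sample above it reports the four example.com DS records shown as [-]:
       a DS the parent publishes for which no DNSKEY was seen in the child.
       Validation still succeeds while another DS (here 8/31406)  matches  a
       published key, but such DS records are worth raising, since a DS left
       behind after a key rollover is a common finding.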
EXIT CODES

       The exit codes are:

       0      Program terminated normally.

       1      Incorrect usage.

       2      Required package dependencies were not found.

       3      There was an error processing the input or saving the output.

       4      Program execution was interrupted, or an unknown error occurred.


SEE ALSO

       dnsviz(1), dnsviz-probe(1),  dnsviz-grok(1),  dnsviz-graph(1),  dnsviz-
       query(1)



0.9.3                             11 Mar 2021                  dnsviz-print(1)