dnsviz-grok(1) General Commands Manual dnsviz-grok(1)

NAME
       dnsviz-grok - assess diagnostic DNS queries

SYNOPSIS
       dnsviz grok [ options ] [ domain_name... ]

DESCRIPTION
       Process the results of diagnostic DNS queries previously performed,
       e.g., using dnsviz-probe(1), to assess the health of the associated DNS
       deployments for one or more domain names specified. The results of
       this processing are serialized into JSON format for further
       programmatic diagnostics or alerts.

       The source of the diagnostic query input is either a file specified
       with -r or standard input.

       Domain names to be processed may be passed either as command-line
       arguments, in a file (using the -f option), or simply implied using the
       diagnostic query input. The latter is the preferred methodology (and
       the simplest) and is useful, except in cases where the input contains
       diagnostic queries for multiple domain names, only a subset of which
       are to be processed.

       If -f is not used and no domain names are supplied on the command line,
       then the domain names to be processed are extracted from the diagnostic
       query input. If the -f option is used, then names may not be specified
       on the command line.

       The domain names passed as input are fully-qualified domain names, such
       as example.com, www.example.com, _443._tcp.example.com,
       1.2.0.192.in-addr.arpa, or 8.b.d.0.1.0.0.2.ip6.arpa. Because it is
       implied that specified domain names are fully qualified, no trailing
       dot is necessary.
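       The JSON that dnsviz grok writes is intended for further programmatic
       diagnostics. The following is an added example, not part of dnsviz or
       of this manual, that walks such output and turns every status other
       than SECURE/INSECURE/VALID and every entry of an "errors" or "warnings"
       list into an alert line, filtered by a level in the spirit of -l. The
       sample input is constructed, and its nesting and field names are
       assumptions about the shape of grok output, not copied from a real run.

```python
from __future__ import annotations
import json
from typing import Any, Iterator

# Constructed sample shaped like `dnsviz grok` JSON: top-level keys are
# domain names; nested objects carry "status", "warnings" and "errors".
# Nesting and field names are assumptions, not output of a real run.
SAMPLE_GROK_JSON = """{
  "example.com": {
    "status": "SECURE",
    "queries": {
      "example.com/IN/A": {"answer": [{"status": "SECURE", "errors": [],
        "warnings": [{"code": "X", "description": "constructed warning"}]}]},
      "example.com/IN/MX": {"answer": [{"status": "UNKNOWN"}]}
    }
  },
  "bad.example": {
    "status": "BOGUS",
    "delegation": {"status": "BOGUS",
      "errors": [{"code": "MISSING_RRSIG", "description": "constructed error"}]}
  }
}"""

HEALTHY = {"SECURE", "INSECURE", "VALID"}   # statuses that need no alert
LEVELS = {"error": 0, "warning": 1}         # lower number = higher priority

def walk(node: Any, path: str = "") -> Iterator[tuple[str, str, str]]:
    """Yield (severity, json_path, message) for every finding in the tree."""
    if isinstance(node, dict):
        status = node.get("status")
        if isinstance(status, str) and status not in HEALTHY:
            # BOGUS is a validation failure; anything else (e.g. UNKNOWN from -a/-d) is a warning
            sev = "error" if status == "BOGUS" else "warning"
            yield (sev, path, f"status {status}")
        for key in ("errors", "warnings"):
            for item in node.get(key) or []:
                msg = item.get("description", item.get("code")) if isinstance(item, dict) else str(item)
                yield (key[:-1], path, msg)
        for key, child in node.items():
            if key not in ("status", "errors", "warnings"):
                yield from walk(child, f"{path}/{key}" if path else key)
    elif isinstance(node, list):
        for i, child in enumerate(node):
            yield from walk(child, f"{path}[{i}]")

def assess(grok_json: str, level: str = "warning") -> list[str]:
    """Return alert lines at or above `level` from grok's JSON output."""
    return [f"{sev.upper():7} {path}: {msg}"
            for sev, path, msg in walk(json.loads(grok_json))
            if LEVELS[sev] <= LEVELS[level]]
```

       Feed it the file written with -o (or the JSON read from standard
       output) and route the returned lines to whatever alerting you use.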

OPTIONS
       -f, --names-file filename
              Read names from a file (one name per line), instead of from the
              command line.

              If this option is used, then names may not be specified on the
              command line.

       -r, --input-file filename
              Read diagnostic query input from the specified file, instead of
              from standard input.

       -t, --trusted-keys-file filename
              Use trusted keys from the specified file when processing
              diagnostic queries. This overrides the default behavior of using
              the installed keys for the root zone.

              The format of this file is master zone file format and should
              contain DNSKEY records that correspond to one or more trusted
              keys for one or more DNS zones.

              This option may be used multiple times on the command line.

       -a, --algorithms alg[,alg...]
              Support only the DNSSEC algorithms specified. If this option is
              used, any algorithms not specified will appear as "unsupported."
              The status of any RRSIG records corresponding to unsupported
              algorithms will be unknown. Additionally, when a zone has only
              DS records with unsupported algorithms, the zone is treated as
              "insecure", assuming the DS records are properly authenticated.

       -d, --digest-algorithms digest_alg[,digest_alg...]
              Support only the DNSSEC digest algorithms specified. If this
              option is used, any digest algorithms not specified will appear
              as "unsupported." The status of any DS records corresponding to
              unsupported digest algorithms will be unknown. Additionally,
              when a zone has only DS records with unsupported digest
              algorithms, the zone is treated as "insecure", assuming the DS
              records are properly authenticated.

       -b, --validate-prohibited-algs
              Validate algorithms for which validation is otherwise
              prohibited. The current DNSSEC specification prohibits
              validators from validating older, weaker algorithms associated
              with DNSKEY and DS records (see RFC 8624). If this option is
              used, then a warning will still be issued for DNSSEC records
              that use these older algorithms, but the code will still assess
              their cryptographic status, rather than ignoring them.

       -C, --enforce-cookies
              Enforce DNS cookies strictly. Require a server to return a
              "BADCOOKIE" response when a query contains a COOKIE option with
              no server cookie or with an invalid server cookie.

       -P, --allow-private
              Allow private IP addresses for authoritative DNS servers. By
              default, if the IP address corresponding to an authoritative
              server is in IP address space designated as "private", it is
              flagged as an error. However, there are some cases where this
              is allowed. For example, if the diagnostic queries are issued
              to servers in an experimental environment, this might be
              permissible.

       -o, --output-file filename
              Write the output to the specified file instead of to standard
              output, which is the default.

       -c, --minimize-output
              Format JSON output minimally instead of "pretty" (i.e., with
              indentation and newlines).

       -l, --log-level level
              Display only information at the specified log priority or
              higher. Valid values (in increasing order of priority) are:
              "error", "warning", "info", and "debug". The default is
              "debug".

       -h, --help
              Display the usage and exit.

EXIT CODES
       The exit codes are:

       0      Program terminated normally.

       1      Incorrect usage.

       2      Required package dependencies were not found.

       3      There was an error processing the input or saving the output.

       4      Program execution was interrupted, or an unknown error occurred.

SEE ALSO
       dnsviz(1), dnsviz-probe(1), dnsviz-graph(1), dnsviz-print(1),
       dnsviz-query(1)



0.9.4 27 Sep 2021 dnsviz-grok(1)