DELV(1)                             BIND 9                             DELV(1)

NAME
       delv - DNS lookup and validation utility

SYNOPSIS
       delv [@server] [ [-4] | [-6] ] [-a anchor-file] [-b address] [-c class]
       [-d level] [-i] [-m] [-p port#] [-q name] [-t type] [-x addr] [name]
       [type] [class] [queryopt...]

       delv [-h]

       delv [-v]

       delv [queryopt...] [query...]

DESCRIPTION
       delv is a tool for sending DNS queries and validating the results,
       using the same internal resolver and validator logic as named.

       delv sends to a specified name server all queries needed to fetch and
       validate the requested data; this includes the original requested
       query, subsequent queries to follow CNAME or DNAME chains, and queries
       for DNSKEY and DS records to establish a chain of trust for DNSSEC
       validation. It does not perform iterative resolution, but simulates
       the behavior of a name server configured for DNSSEC validating and
       forwarding.

       By default, responses are validated using the built-in DNSSEC trust
       anchor for the root zone ("."). Records returned by delv are either
       fully validated or were not signed. If validation fails, an
       explanation of the failure is included in the output; the validation
       process can be traced in detail. Because delv does not rely on an
       external server to carry out validation, it can be used to check the
       validity of DNS responses in environments where local name servers may
       not be trustworthy.

       Unless it is told to query a specific name server, delv tries each of
       the servers listed in /etc/resolv.conf. If no usable server addresses
       are found, delv sends queries to the localhost addresses (127.0.0.1 for
       IPv4, ::1 for IPv6).

       When no command-line arguments or options are given, delv performs an
       NS query for "." (the root zone).

SIMPLE USAGE
       A typical invocation of delv looks like:

          delv @server name type

       where:

       server is the name or IP address of the name server to query. This can
              be an IPv4 address in dotted-decimal notation or an IPv6 address
              in colon-delimited notation. When the supplied server argument
              is a hostname, delv resolves that name before querying that name
              server (note, however, that this initial lookup is not validated
              by DNSSEC).

              If no server argument is provided, delv consults
              /etc/resolv.conf; if an address is found there, it queries the
              name server at that address. If either of the -4 or -6 options
              is in use, then only addresses for the corresponding transport
              are tried. If no usable addresses are found, delv sends queries
              to the localhost addresses (127.0.0.1 for IPv4, ::1 for IPv6).

       name   is the domain name to be looked up.

       type   indicates what type of query is required - ANY, A, MX, etc.
              type can be any valid query type. If no type argument is
              supplied, delv performs a lookup for an A record.
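
       The following wrapper is an example added to this page, not part of
       BIND 9. It runs delv as shown above and turns the trust comment on the
       answer ("; fully validated", "; unsigned answer", or a ";; resolution
       failed" line) into a word and an exit status, so that a script can
       insist on a validated answer rather than merely a received one. The
       sample outputs are constructed, not captured from a real server.

```shell
#!/bin/sh
# Added example, not part of BIND 9: classify delv output by its trust comment so
# scripts can require a DNSSEC-validated answer. Assumes delv's default +trust
# output (single-line records preceded by a "; ..." trust comment).

# Read delv output on stdin, print one word and return:
#   0 validated -> a "; ... fully validated" comment (positive or negative answer)
#   1 unsigned  -> a "; unsigned answer" comment (no chain of trust to the zone)
#   2 failed    -> a ";; resolution failed" line (lookup or validation failed)
#   3 unknown   -> none of the above (e.g. +notrust was given)
classify_delv() {
    awk '
        /^; .*fully validated/   { validated++ }
        /^; unsigned answer/     { unsigned++ }
        /^;; resolution failed/  { failed++ }
        END {
            if (failed)    { print "failed";    exit 2 }
            if (unsigned)  { print "unsigned";  exit 1 }
            if (validated) { print "validated"; exit 0 }
            print "unknown"; exit 3
        }'
}

# Query SERVER for NAME (type defaults to A) and classify the result.
# Assumes delv is on PATH; +nocrypto shortens the output without affecting
# validation.
validate_name() {   # usage: validate_name SERVER NAME [TYPE]
    delv "@$1" +nocrypto "$2" "${3:-A}" 2>&1 | classify_delv
}

# Constructed sample outputs shaped like delv's comment lines, so the classifier
# can be exercised offline. Addresses are from the documentation ranges.
SAMPLE_SIGNED='; fully validated
example.com.  3600 IN A     192.0.2.1
example.com.  3600 IN RRSIG A 13 2 3600 20240301000000 20240201000000 12345 example.com. [omitted]'
SAMPLE_UNSIGNED='; unsigned answer
example.net.  300 IN A 198.51.100.7'
SAMPLE_FAILED=';; validating example.org/A: no valid signature found
;; resolution failed: no valid RRSIG'

printf '%s\n' "$SAMPLE_SIGNED" | classify_delv   # prints "validated"
```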

OPTIONS
       -a anchor-file
              This option specifies a file from which to read DNSSEC trust
              anchors. The default is /etc/bind.keys, which is included with
              BIND 9 and contains one or more trust anchors for the root zone
              (".").

              Keys that do not match the root zone name are ignored. An
              alternate key name can be specified using the +root option.

              Note: When reading the trust anchor file, delv treats
              trust-anchors, initial-key, and static-key identically. That
              is, for a managed key, it is the initial key that is trusted;
              RFC 5011 key management is not supported. delv does not consult
              the managed-keys database maintained by named, which means that
              if either of the keys in /etc/bind.keys is revoked and rolled
              over, /etc/bind.keys must be updated to use DNSSEC validation
              in delv.

       -b address
              This option sets the source IP address of the query to address.
              This must be a valid address on one of the host's network
              interfaces, or 0.0.0.0, or ::. An optional source port may be
              specified by appending #<port>.

       -c class
              This option sets the query class for the requested data.
              Currently, only class "IN" is supported in delv and any other
              value is ignored.

       -d level
              This option sets the systemwide debug level to level. The
              allowed range is from 0 to 99. The default is 0 (no debugging).
              Debugging traces from delv become more verbose as the debug
              level increases. See the +mtrace, +rtrace, and +vtrace options
              below for additional debugging details.

       -h     This option displays the delv help usage output and exits.

       -i     This option sets insecure mode, which disables internal DNSSEC
              validation. (Note, however, that this does not set the CD bit
              on upstream queries. If the server being queried is performing
              DNSSEC validation, then it does not return invalid data; this
              can cause delv to time out. When it is necessary to examine
              invalid data to debug a DNSSEC problem, use dig +cd.)

       -m     This option enables memory usage debugging.

       -p port#
              This option specifies a destination port to use for queries,
              instead of the standard DNS port number 53. This option is used
              with a name server that has been configured to listen for
              queries on a non-standard port number.

       -q name
              This option sets the query name to name. While the query name
              can be specified without using the -q option, it is sometimes
              necessary to disambiguate names from types or classes (for
              example, when looking up the name "ns", which could be
              misinterpreted as the type NS, or "ch", which could be
              misinterpreted as class CH).

       -t type
              This option sets the query type to type, which can be any valid
              query type supported in BIND 9 except for the zone transfer
              types AXFR and IXFR. As with -q, this is useful to distinguish
              a query name from a type or class when the bare argument would
              be ambiguous.

              The default query type is "A", unless the -x option is supplied
              to indicate a reverse lookup, in which case it is "PTR".

       -v     This option prints the delv version and exits.

       -x addr
              This option performs a reverse lookup, mapping an address to a
              name. addr is an IPv4 address in dotted-decimal notation, or a
              colon-delimited IPv6 address. When -x is used, there is no need
              to provide the name or type arguments; delv automatically
              performs a lookup for a name like 11.12.13.10.in-addr.arpa and
              sets the query type to PTR. IPv6 addresses are looked up using
              nibble format under the IP6.ARPA domain.

       -4     This option forces delv to only use IPv4.

       -6     This option forces delv to only use IPv6.

QUERY OPTIONS
       delv provides a number of query options which affect the way results
       are displayed, and in some cases the way lookups are performed.

       Each query option is identified by a keyword preceded by a plus sign
       (+). Some keywords set or reset an option. These may be preceded by
       the string no to negate the meaning of that keyword. Other keywords
       assign values to options like the timeout interval. They have the form
       +keyword=value. The query options are:

       +cdflag, +nocdflag
              This option controls whether to set the CD (checking disabled)
              bit in queries sent by delv. This may be useful when
              troubleshooting DNSSEC problems from behind a validating
              resolver. A validating resolver blocks invalid responses,
              making it difficult to retrieve them for analysis. Setting the
              CD flag on queries causes the resolver to return invalid
              responses, which delv can then validate internally and report
              the errors in detail.

       +class, +noclass
              This option controls whether to display the CLASS when printing
              a record. The default is to display the CLASS.

       +ttl, +nottl
              This option controls whether to display the TTL when printing a
              record. The default is to display the TTL.

       +rtrace, +nortrace
              This option toggles resolver fetch logging. This reports the
              name and type of each query sent by delv in the process of
              carrying out the resolution and validation process, including
              the original query and all subsequent queries to follow CNAMEs
              and to establish a chain of trust for DNSSEC validation.

              This is equivalent to setting the debug level to 1 in the
              "resolver" logging category. Setting the systemwide debug level
              to 1 using the -d option produces the same output, but affects
              other logging categories as well.

       +mtrace, +nomtrace
              This option toggles message logging. This produces a detailed
              dump of the responses received by delv in the process of
              carrying out the resolution and validation process.

              This is equivalent to setting the debug level to 10 for the
              "packets" module of the "resolver" logging category. Setting
              the systemwide debug level to 10 using the -d option produces
              the same output, but affects other logging categories as well.

       +vtrace, +novtrace
              This option toggles validation logging. This shows the internal
              process of the validator as it determines whether an answer is
              validly signed, unsigned, or invalid.

              This is equivalent to setting the debug level to 3 for the
              "validator" module of the "dnssec" logging category. Setting
              the systemwide debug level to 3 using the -d option produces
              the same output, but affects other logging categories as well.

       +short, +noshort
              This option toggles between verbose and terse answers. The
              default is to print the answer in a verbose form.

       +comments, +nocomments
              This option toggles the display of comment lines in the output.
              The default is to print comments.

       +rrcomments, +norrcomments
              This option toggles the display of per-record comments in the
              output (for example, human-readable key information about
              DNSKEY records). The default is to print per-record comments.

       +crypto, +nocrypto
              This option toggles the display of cryptographic fields in
              DNSSEC records. The contents of these fields are unnecessary to
              debug most DNSSEC validation failures and removing them makes
              it easier to see the common failures. The default is to display
              the fields. When omitted, they are replaced by the string
              [omitted] or, in the DNSKEY case, the key ID is displayed as
              the replacement, e.g. [ key id = value ].

       +trust, +notrust
              This option controls whether to display the trust level when
              printing a record. The default is to display the trust level.

       +split[=W], +nosplit
              This option splits long hex- or base64-formatted fields in
              resource records into chunks of W characters (where W is
              rounded up to the nearest multiple of 4). +nosplit or +split=0
              causes fields not to be split at all. The default is 56
              characters, or 44 characters when multiline mode is active.

       +all, +noall
              This option sets or clears the display options +comments,
              +rrcomments, and +trust as a group.

       +multiline, +nomultiline
              This option prints long records (such as RRSIG, DNSKEY, and SOA
              records) in a verbose multi-line format with human-readable
              comments. The default is to print each record on a single line,
              to facilitate machine parsing of the delv output.

       +dnssec, +nodnssec
              This option indicates whether to display RRSIG records in the
              delv output. The default is to do so. Note that (unlike in dig)
              this does not control whether to request DNSSEC records or to
              validate them. DNSSEC records are always requested, and
              validation always occurs unless suppressed by the use of -i or
              +noroot.

       +root[=ROOT], +noroot
              This option indicates whether to perform conventional DNSSEC
              validation, and if so, specifies the name of a trust anchor.
              The default is to validate using a trust anchor of "." (the
              root zone), for which there is a built-in key. If specifying a
              different trust anchor, then -a must be used to specify a file
              containing the key.

       +tcp, +notcp
              This option controls whether to use TCP when sending queries.
              The default is to use UDP unless a truncated response has been
              received.

       +unknownformat, +nounknownformat
              This option prints all RDATA in unknown RR-type presentation
              format (RFC 3597). The default is to print RDATA for known
              types in the type's presentation format.

       +yaml, +noyaml
              This option prints response data in YAML format.
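
       The following script is an example added to this page, not BIND's own
       code, and covers the -a and +root options together: it turns the KSK
       DNSKEY record of a private zone into a trust-anchor file in the syntax
       delv reads from /etc/bind.keys, for use as "delv -a FILE +root=ZONE".
       The DNSKEY lines and key material are constructed placeholders; the
       real key should be obtained out of band (for example from the zone's
       operator), since a DNSKEY fetched from the server under test proves
       nothing about that server.

```shell
#!/bin/sh
# Added example, not part of BIND 9: build a trust-anchor file for a private zone
# so that "delv -a FILE +root=ZONE" validates against that zone's own KSK instead
# of the root. delv accepts the named.conf trust-anchors syntax used in
# /etc/bind.keys and treats static-key and initial-key alike.

# Read DNSKEY records in presentation format on stdin (single-line form, as
# printed by delv or dig) and emit a trust-anchors statement containing only the
# KSKs (flags 257). Trailing "; KSK; alg = ..." comments are ignored and +split
# chunks of the key are joined back together. Returns 1 if no KSK was found.
dnskey_to_anchor() {
    awk 'BEGIN { print "trust-anchors {" }
         $3 == "IN" && $4 == "DNSKEY" && $5 == "257" {
             key = ""
             for (i = 8; i <= NF; i++) {
                 if ($i ~ /^;/) break
                 key = key $i
             }
             printf "    %s static-key %s %s %s \"%s\";\n", $1, $5, $6, $7, key
             found++
         }
         END { print "};"; if (!found) exit 1 }'
}

# Validate NAME in ZONE against ANCHORFILE, querying SERVER. Assumes delv on PATH.
validate_with_anchor() {   # usage: validate_with_anchor SERVER ZONE NAME ANCHORFILE
    delv "@$1" -a "$4" "+root=$2" "$3" A
}

# Constructed DNSKEY lines (placeholder key material, not real keys), in the
# form delv prints with +rrcomments; the ZSK (flags 256) must be left out.
SAMPLE_DNSKEYS='; fully validated
example.internal. 3600 IN DNSKEY 256 3 13 ConstructedZskPlaceholder== ; ZSK; alg = ECDSAP256SHA256 ; key id = 11111
example.internal. 3600 IN DNSKEY 257 3 13 ConstructedKsk Placeholder== ; KSK; alg = ECDSAP256SHA256 ; key id = 22222'

# Print the anchor statement; redirect to a file and pass it to delv -a.
printf '%s\n' "$SAMPLE_DNSKEYS" | dnskey_to_anchor
```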

FILES
       /etc/bind.keys

       /etc/resolv.conf

SEE ALSO
       dig(1), named(8), RFC 4034, RFC 4035, RFC 4431, RFC 5074, RFC 5155.

AUTHOR
       Internet Systems Consortium

COPYRIGHT
       2023, Internet Systems Consortium

9.18.11                                                                DELV(1)