1DELV(1)                             BIND 9                             DELV(1)
2
3
4

NAME

6       delv - DNS lookup and validation utility
7

SYNOPSIS

9       delv [@server] [ [-4] | [-6] ] [-a anchor-file] [-b address] [-c class]
10       [-d level] [-i] [-m] [-p port#] [-q name] [-t type]  [-x  addr]  [name]
11       [type] [class] [queryopt...]
12
13       delv [-h]
14
15       delv [-v]
16
17       delv [queryopt...] [query...]
18

DESCRIPTION

20       delv  is a tool for sending DNS queries and validating the results, us‐
21       ing the same internal resolver and validator logic as named.
22
23       delv sends to a specified name server all queries needed to  fetch  and
24       validate  the  requested  data;  this  includes  the original requested
25       query, subsequent queries to follow CNAME or DNAME chains, queries  for
26       DNSKEY, and DS records to establish a chain of trust for DNSSEC valida‐
27       tion. It does not perform iterative resolution, but simulates  the  be‐
28       havior  of  a name server configured for DNSSEC validating and forward‐
29       ing.
30
31       By default, responses are validated using the built-in DNSSEC trust an‐
32       chor for the root zone ("."). Records returned by delv are either fully
33       validated or were not signed. If validation fails,  an  explanation  of
34       the  failure  is  included in the output; the validation process can be
35       traced in detail. Because delv does not rely on an external  server  to
36       carry  out  validation, it can be used to check the validity of DNS re‐
37       sponses in environments where local name servers may not  be  trustwor‐
38       thy.
39
40       Unless  it  is told to query a specific name server, delv tries each of
41       the servers listed in /etc/resolv.conf. If no usable  server  addresses
42       are found, delv sends queries to the localhost addresses (127.0.0.1 for
43       IPv4, ::1 for IPv6).
44
45       When no command-line arguments or options are given, delv  performs  an
46       NS query for "." (the root zone).
47

SIMPLE USAGE

49       A typical invocation of delv looks like:
50
51          delv @server name type
52
53       where:
54
55       server is  the name or IP address of the name server to query. This can
56              be an IPv4 address in dotted-decimal notation or an IPv6 address
57              in  colon-delimited  notation. When the supplied server argument
58              is a hostname, delv resolves that name before querying that name
59              server (note, however, that this initial lookup is not validated
60              by DNSSEC).
61
62              If no  server  argument  is  provided,  delv  consults  /etc/re‐
63              solv.conf;  if  an  address  is found there, it queries the name
64              server at that address. If either of the -4 or -6 options is  in
65              use,  then  only  addresses  for the corresponding transport are
66              tried. If no usable addresses are found, delv sends  queries  to
67              the localhost addresses (127.0.0.1 for IPv4, ::1 for IPv6).
68
69       name   is the domain name to be looked up.
70
71       type   indicates  what  type  of  query  is required - ANY, A, MX, etc.
72              type can be any valid query type. If no type  argument  is  sup‐
73              plied, delv performs a lookup for an A record.
74

OPTIONS

76       -a anchor-file
77              This option specifies a file from which to read DNSSEC trust an‐
78              chors. The default is /etc/bind.keys,  which  is  included  with
79              BIND  9 and contains one or more trust anchors for the root zone
80              (".").
81
82              Keys that do not match the root zone name are ignored. An alter‐
83              nate key name can be specified using the +root option.
84
85              Note:  When reading the trust anchor file, delv treats trust-an‐
86              chors, initial-key, and static-key identically. That is,  for  a
87              managed key, it is the initial key that is trusted; RFC 5011 key
88              management is not supported. delv  does  not  consult  the  man‐
89              aged-keys  database maintained by named, which means that if ei‐
90              ther of the keys in /etc/bind.keys is revoked and  rolled  over,
91              /etc/bind.keys must be updated to use DNSSEC validation in delv.
92
93       -b address
94              This  option sets the source IP address of the query to address.
95              This must be a valid address on one of the host's network inter‐
96              faces,  or 0.0.0.0, or ::. An optional source port may be speci‐
97              fied by appending #<port>
98
99       -c class
100              This option sets the query class for the  requested  data.  Cur‐
101              rently, only class "IN" is supported in delv and any other value
102              is ignored.
103
104       -d level
105              This option sets the systemwide debug level to  level.  The  al‐
106              lowed  range  is  from 0 to 99. The default is 0 (no debugging).
107              Debugging traces from delv become  more  verbose  as  the  debug
108              level  increases.  See the +mtrace, +rtrace, and +vtrace options
109              below for additional debugging details.
110
111       -h     This option displays the delv help usage output and exits.
112
113       -i     This option sets insecure mode, which disables  internal  DNSSEC
114              validation. (Note, however, that this does not set the CD bit on
115              upstream queries. If the  server  being  queried  is  performing
116              DNSSEC  validation,  then  it does not return invalid data; this
117              can cause delv to time out. When it is necessary to examine  in‐
118              valid data to debug a DNSSEC problem, use dig +cd.)
119
120       -m     This option enables memory usage debugging.
121
122       -p port#
123              This option specifies a destination port to use for queries, in‐
124              stead of the standard DNS port number 53. This  option  is  used
125              with  a  name  server  that  has  been  configured to listen for
126              queries on a non-standard port number.
127
128       -q name
129              This option sets the query name to name. While  the  query  name
130              can  be  specified  without using the -q option, it is sometimes
131              necessary to disambiguate names from types or classes (for exam‐
132              ple,  when  looking  up  the name "ns", which could be misinter‐
133              preted as the type NS, or "ch", which could be misinterpreted as
134              class CH).
135
136       -t type
137              This  option sets the query type to type, which can be any valid
138              query type supported in BIND 9 except for  zone  transfer  types
139              AXFR  and  IXFR.  As  with  -q,  this  is  useful to distinguish
140              query-name types or classes when they are ambiguous. It is some‐
141              times necessary to disambiguate names from types.
142
143              The  default query type is "A", unless the -x option is supplied
144              to indicate a reverse lookup, in which case it is "PTR".
145
146       -v     This option prints the delv version and exits.
147
148       -x addr
149              This option performs a reverse lookup, mapping an address  to  a
150              name.  addr  is an IPv4 address in dotted-decimal notation, or a
151              colon-delimited IPv6 address. When -x is used, there is no  need
152              to  provide  the name or type arguments; delv automatically per‐
153              forms a lookup for a name like 11.12.13.10.in-addr.arpa and sets
154              the query type to PTR. IPv6 addresses are looked up using nibble
155              format under the IP6.ARPA domain.
156
157       -4     This option forces delv to only use IPv4.
158
159       -6     This option forces delv to only use IPv6.
160

QUERY OPTIONS

162       delv provides a number of query options which affect  the  way  results
163       are displayed, and in some cases the way lookups are performed.
164
165       Each  query  option  is identified by a keyword preceded by a plus sign
166       (+). Some keywords set or reset an option. These may be preceded by the
167       string  no to negate the meaning of that keyword. Other keywords assign
168       values to options like the timeout interval. They have the  form  +key‐
169       word=value. The query options are:
170
171       +cdflag, +nocdflag
172              This  option  controls whether to set the CD (checking disabled)
173              bit in queries sent by delv.  This  may  be  useful  when  trou‐
174              bleshooting DNSSEC problems from behind a validating resolver. A
175              validating resolver blocks invalid responses, making  it  diffi‐
176              cult  to  retrieve  them  for  analysis.  Setting the CD flag on
177              queries causes the resolver to return invalid  responses,  which
178              delv  can  then validate internally and report the errors in de‐
179              tail.
180
181       +class, +noclass
182              This option controls whether to display the CLASS when  printing
183              a record. The default is to display the CLASS.
184
185       +ttl, +nottl
186              This  option controls whether to display the TTL when printing a
187              record. The default is to display the TTL.
188
189       +rtrace, +nortrace
190              This option toggles resolver fetch  logging.  This  reports  the
191              name  and type of each query sent by delv in the process of car‐
192              rying out the resolution and validation process,  including  the
193              original  query  and all subsequent queries to follow CNAMEs and
194              to establish a chain of trust for DNSSEC validation.
195
196              This is equivalent to setting the debug level to 1 in  the  "re‐
197              solver"  logging category. Setting the systemwide debug level to
198              1 using the -d option produces  the  same  output,  but  affects
199              other logging categories as well.
200
201       +mtrace, +nomtrace
202              This  option  toggles  message logging. This produces a detailed
203              dump of the responses received by delv in the process of  carry‐
204              ing out the resolution and validation process.
205
206              This  is  equivalent  to  setting  the debug level to 10 for the
207              "packets" module of the "resolver" logging category. Setting the
208              systemwide  debug  level  to 10 using the -d option produces the
209              same output, but affects other logging categories as well.
210
211       +vtrace, +novtrace
212              This option toggles validation logging. This shows the  internal
213              process  of  the validator as it determines whether an answer is
214              validly signed, unsigned, or invalid.
215
216              This is equivalent to setting the debug level to 3 for the "val‐
217              idator"  module  of  the  "dnssec" logging category. Setting the
218              systemwide debug level to 3 using the  -d  option  produces  the
219              same output, but affects other logging categories as well.
220
221       +short, +noshort
222              This  option  toggles between verbose and terse answers. The de‐
223              fault is to print the answer in a verbose form.
224
225       +comments, +nocomments
226              This option toggles the display of comment lines in the  output.
227              The default is to print comments.
228
229       +rrcomments, +norrcomments
230              This  option  toggles  the display of per-record comments in the
231              output (for example, human-readable key information about DNSKEY
232              records). The default is to print per-record comments.
233
234       +crypto, +nocrypto
235              This  option  toggles  the  display  of  cryptographic fields in
236              DNSSEC records. The contents of these fields are unnecessary  to
237              debug most DNSSEC validation failures and removing them makes it
238              easier to see the common failures. The default is to display the
239              fields.  When omitted, they are replaced by the string [omitted]
240              or, in the DNSKEY case, the key ID is displayed as the  replace‐
241              ment, e.g. [ key id = value ].
242
243       +trust, +notrust
244              This  option  controls  whether  to display the trust level when
245              printing a record.  The default is to display the trust level.
246
247       +split[=W], +nosplit
248              This option splits long hex- or base64-formatted fields  in  re‐
249              source  records  into chunks of W characters (where W is rounded
250              up to the nearest multiple of 4). +nosplit  or  +split=0  causes
251              fields  not to be split at all. The default is 56 characters, or
252              44 characters when multiline mode is active.
253
254       +all, +noall
255              This option  sets  or  clears  the  display  options  +comments,
256              +rrcomments, and +trust as a group.
257
258       +multiline, +nomultiline
259              This  option prints long records (such as RRSIG, DNSKEY, and SOA
260              records) in a verbose multi-line format with human-readable com‐
261              ments.  The default is to print each record on a single line, to
262              facilitate machine parsing of the delv output.
263
264       +dnssec, +nodnssec
265              This option indicates whether to display RRSIG  records  in  the
266              delv output.  The default is to do so. Note that (unlike in dig)
267              this does not control whether to request DNSSEC  records  or  to
268              validate  them. DNSSEC records are always requested, and valida‐
269              tion always occurs  unless  suppressed  by  the  use  of  -i  or
270              +noroot.
271
272       +root[=ROOT], +noroot
273              This  option  indicates  whether  to perform conventional DNSSEC
274              validation, and if so, specifies the name of a trust anchor. The
275              default  is  to  validate  using a trust anchor of "." (the root
276              zone), for which there is a built-in key. If specifying  a  dif‐
277              ferent trust anchor, then -a must be used to specify a file con‐
278              taining the key.
279
280       +tcp, +notcp
281              This option controls whether to use TCP  when  sending  queries.
282              The  default  is to use UDP unless a truncated response has been
283              received.
284
285       +unknownformat, +nounknownformat
286              This option prints all RDATA  in  unknown  RR-type  presentation
287              format  (RFC  3597).   The  default  is to print RDATA for known
288              types in the type's presentation format.
289
290       +yaml, +noyaml
291              This option prints response data in YAML format.
292

FILES

294       /etc/bind.keys
295
296       /etc/resolv.conf
297

SEE ALSO

299       dig(1), named(8), RFC 4034, RFC 4035, RFC 4431, RFC 5074, RFC 5155.
300

AUTHOR

302       Internet Systems Consortium
303
305       2023, Internet Systems Consortium
306
307
308
309
3109.18.11                                                                DELV(1)
Impressum