DELV(1)                              BIND 9                             DELV(1)



NAME
       delv - DNS lookup and validation utility

SYNOPSIS
       delv [@server] [ [-4] | [-6] ] [-a anchor-file] [-b address] [-c class]
            [-d level] [-i] [-m] [-p port#] [-q name] [-t type] [-x addr] [name]
            [type] [class] [queryopt...]

       delv [-h]

       delv [-v]

       delv [queryopt...] [query...]

DESCRIPTION
       delv is a tool for sending DNS queries and validating the results, using
       the same internal resolver and validator logic as named.

       delv sends to a specified name server all queries needed to fetch and
       validate the requested data; this includes the original requested query,
       subsequent queries to follow CNAME or DNAME chains, and queries for
       DNSKEY and DS records to establish a chain of trust for DNSSEC
       validation. It does not perform iterative resolution, but simulates the
       behavior of a name server configured for DNSSEC validating and
       forwarding.

       By default, responses are validated using the built-in DNSSEC trust
       anchor for the root zone ("."). Records returned by delv are either
       fully validated or were not signed. If validation fails, an explanation
       of the failure is included in the output; the validation process can be
       traced in detail. Because delv does not rely on an external server to
       carry out validation, it can be used to check the validity of DNS
       responses in environments where local name servers may not be
       trustworthy.

       Unless it is told to query a specific name server, delv tries each of
       the servers listed in /etc/resolv.conf. If no usable server addresses
       are found, delv sends queries to the localhost addresses (127.0.0.1 for
       IPv4, ::1 for IPv6).

       When no command-line arguments or options are given, delv performs an
       NS query for "." (the root zone).

SIMPLE USAGE
       A typical invocation of delv looks like:

          delv @server name type

       where:

       server is the name or IP address of the name server to query. This can
              be an IPv4 address in dotted-decimal notation or an IPv6 address
              in colon-delimited notation. When the supplied server argument is
              a hostname, delv resolves that name before querying that name
              server (note, however, that this initial lookup is not validated
              by DNSSEC).

              If no server argument is provided, delv consults /etc/resolv.conf;
              if an address is found there, it queries the name server at that
              address. If either of the -4 or -6 options is in use, then only
              addresses for the corresponding transport are tried. If no usable
              addresses are found, delv sends queries to the localhost
              addresses (127.0.0.1 for IPv4, ::1 for IPv6).

       name   is the domain name to be looked up.

       type   indicates what type of query is required - ANY, A, MX, etc. type
              can be any valid query type. If no type argument is supplied,
              delv performs a lookup for an A record.

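       The server selection rules described above (the @server argument,
       /etc/resolv.conf, -4/-6 filtering, and the localhost fallback) are
       reimplemented below in Python as an added example so they can be checked
       against a constructed resolv.conf. This is not code from delv or BIND 9;
       the file contents are made up, and the case where @server is a hostname
       that delv first resolves is left out (an address is assumed).

```python
"""Added example (not part of the delv man page or BIND 9): emulate how delv
chooses which name servers to try, following the man page's description."""
import ipaddress

# Constructed sample; not a real system file. The last line is deliberately
# unusable so the filtering step has something to skip.
SAMPLE_RESOLV_CONF = """\
# constructed sample resolv.conf
search example.test
nameserver 192.0.2.53
nameserver 2001:db8::53
nameserver not-an-address
"""

LOCALHOST = {4: "127.0.0.1", 6: "::1"}


def nameservers_from_resolv_conf(text):
    """Return the usable 'nameserver' addresses from resolv.conf text, in file order."""
    servers = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                servers.append(ipaddress.ip_address(parts[1]))
            except ValueError:
                continue  # only literal addresses are usable here; skip junk
    return servers


def choose_servers(explicit=None, resolv_conf="", only_family=None):
    """Return the list of server addresses (as strings) delv would try.

    explicit     the @server argument, assumed here to be an IP address literal
    resolv_conf  text of /etc/resolv.conf
    only_family  4 or 6 when -4 or -6 is in use, otherwise None
    """
    if explicit:
        # An explicit @server is the only server queried.
        return [explicit]
    candidates = nameservers_from_resolv_conf(resolv_conf)
    if only_family:
        # -4 / -6: only addresses of the corresponding transport are tried.
        candidates = [ip for ip in candidates if ip.version == only_family]
    if candidates:
        return [str(ip) for ip in candidates]
    # No usable address: fall back to localhost on the permitted families.
    families = [only_family] if only_family else [4, 6]
    return [LOCALHOST[f] for f in families]


if __name__ == "__main__":
    print(choose_servers(resolv_conf=SAMPLE_RESOLV_CONF))
    print(choose_servers(resolv_conf=SAMPLE_RESOLV_CONF, only_family=6))
    print(choose_servers(resolv_conf="", only_family=4))
```

       The fallback branch is the one worth noting when delv appears to query
       an unexpected server: a resolv.conf whose nameserver lines are all
       unusable, or all of the wrong address family for the -4/-6 flag given,
       silently sends the queries to 127.0.0.1 or ::1.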
OPTIONS
       -a anchor-file
              This option specifies a file from which to read an alternate
              DNSSEC root zone trust anchor.

              By default, keys that do not match the root zone name (.) are
              ignored. If an alternate key name is desired, it can be specified
              using the +root option.

              Note: When reading trust anchors, delv treats trust-anchors,
              initial-key, and static-key identically. That is, for a managed
              key, it is the initial key that is trusted; RFC 5011 key
              management is not supported. delv does not consult the
              managed-keys database maintained by named. This means that if the
              default key built in to delv is revoked, delv must be updated to
              a newer version in order to continue validating.

       -b address
              This option sets the source IP address of the query to address.
              This must be a valid address on one of the host's network
              interfaces, or 0.0.0.0, or ::. An optional source port may be
              specified by appending #<port>.

       -c class
              This option sets the query class for the requested data.
              Currently, only class "IN" is supported in delv and any other
              value is ignored.

       -d level
              This option sets the systemwide debug level to level. The allowed
              range is from 0 to 99. The default is 0 (no debugging). Debugging
              traces from delv become more verbose as the debug level
              increases. See the +mtrace, +rtrace, and +vtrace options below
              for additional debugging details.

       -h     This option displays the delv help usage output and exits.

       -i     This option sets insecure mode, which disables internal DNSSEC
              validation. (Note, however, that this does not set the CD bit on
              upstream queries. If the server being queried is performing
              DNSSEC validation, then it does not return invalid data; this can
              cause delv to time out. When it is necessary to examine invalid
              data to debug a DNSSEC problem, use dig +cd.)

       -m     This option enables memory usage debugging.

       -p port#
              This option specifies a destination port to use for queries,
              instead of the standard DNS port number 53. This option is used
              with a name server that has been configured to listen for queries
              on a non-standard port number.

       -q name
              This option sets the query name to name. While the query name can
              be specified without using the -q option, it is sometimes
              necessary to disambiguate names from types or classes (for
              example, when looking up the name "ns", which could be
              misinterpreted as the type NS, or "ch", which could be
              misinterpreted as class CH).

       -t type
              This option sets the query type to type, which can be any valid
              query type supported in BIND 9 except for zone transfer types
              AXFR and IXFR. As with -q, this is useful to distinguish
              query-name types or classes when they are ambiguous. It is
              sometimes necessary to disambiguate names from types.

              The default query type is "A", unless the -x option is supplied
              to indicate a reverse lookup, in which case it is "PTR".

       -v     This option prints the delv version and exits.

       -x addr
              This option performs a reverse lookup, mapping an address to a
              name. addr is an IPv4 address in dotted-decimal notation, or a
              colon-delimited IPv6 address. When -x is used, there is no need
              to provide the name or type arguments; delv automatically
              performs a lookup for a name like 11.12.13.10.in-addr.arpa and
              sets the query type to PTR. IPv6 addresses are looked up using
              nibble format under the IP6.ARPA domain.

       -4     This option forces delv to only use IPv4.

       -6     This option forces delv to only use IPv6.

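       The name derivation performed by -x (octets reversed under in-addr.arpa
       for IPv4, all 32 hex nibbles reversed under ip6.arpa for IPv6) is shown
       below as an added Python example. It is not delv's own code; the
       equivalent_args function is a hypothetical helper that expresses -x in
       terms of the -q and -t options described above.

```python
"""Added example (not part of the delv man page or BIND 9): build the PTR
query name that `delv -x addr` derives from an address, by hand rather than
via ipaddress.reverse_pointer, so the nibble layout is visible."""
import ipaddress


def reverse_name(addr):
    """Return the owner name delv would query for `-x addr`.

    IPv4: 10.13.12.11 -> 11.12.13.10.in-addr.arpa
    IPv6: the full (exploded) address as 32 hex nibbles, reversed, one
          label per nibble, under ip6.arpa (lower-case, as printed by delv).
    Raises ValueError for anything that is not a valid IP address literal,
    which is also the case delv rejects rather than guessing a name.
    """
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        octets = str(ip).split(".")
        return ".".join(reversed(octets)) + ".in-addr.arpa"
    # exploded form restores leading zeros and the "::" run, e.g.
    # 2001:db8::1 -> 2001:0db8:0000:0000:0000:0000:0000:0001
    nibbles = ip.exploded.replace(":", "")
    return ".".join(reversed(nibbles)) + ".ip6.arpa"


def equivalent_args(addr):
    """Hypothetical helper: the explicit -q/-t arguments that -x addr stands for."""
    return ["-q", reverse_name(addr), "-t", "PTR"]


if __name__ == "__main__":
    for a in ("10.13.12.11", "2001:db8::1"):
        print(a, "->", " ".join(equivalent_args(a)))
```

       A mistyped IPv6 address that is still a valid literal (for example a
       dropped group) produces a perfectly well-formed but wrong ip6.arpa name,
       so when a reverse lookup returns NXDOMAIN it is worth printing the
       derived name before assuming the PTR record is missing.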
QUERY OPTIONS
       delv provides a number of query options which affect the way results
       are displayed, and in some cases the way lookups are performed.

       Each query option is identified by a keyword preceded by a plus sign
       (+). Some keywords set or reset an option. These may be preceded by the
       string no to negate the meaning of that keyword. Other keywords assign
       values to options like the timeout interval. They have the form
       +keyword=value. The query options are:

       +cdflag, +nocdflag
              This option controls whether to set the CD (checking disabled)
              bit in queries sent by delv. This may be useful when
              troubleshooting DNSSEC problems from behind a validating
              resolver. A validating resolver blocks invalid responses, making
              it difficult to retrieve them for analysis. Setting the CD flag
              on queries causes the resolver to return invalid responses, which
              delv can then validate internally and report the errors in
              detail.

       +class, +noclass
              This option controls whether to display the CLASS when printing a
              record. The default is to display the CLASS.

       +hint=FILE, +nohint
              This option specifies a filename from which to load root hints;
              this will be used to find the root name servers when name server
              mode (delv +ns) is in use. If the option is not specified,
              built-in root hints will be used.

       +ns, +nons
              This option toggles name server mode. When this option is in use,
              the delv process instantiates a full recursive resolver, and uses
              that to look up the requested query name and type. Turning on
              this option also activates +mtrace, +strace and +rtrace, so that
              every iterative query will be logged, including the full response
              messages from each authoritative server. These logged messages
              will be written to stdout rather than stderr as usual, so that
              the full trace can be captured more easily.

              This is intended to be similar to the behavior of dig +trace, but
              because it uses the same code as named, it much more accurately
              replicates the behavior of a recursive name server with a cold
              cache that is processing a recursive query.

       +qmin[=MODE], +noqmin
              When used with +ns, this option enables QNAME minimization mode.
              Valid options of MODE are relaxed and strict. By default, QNAME
              minimization is disabled. If +qmin is specified but MODE is
              omitted, then relaxed mode will be used.

       +ttl, +nottl
              This option controls whether to display the TTL when printing a
              record. The default is to display the TTL.

       +rtrace, +nortrace
              This option toggles resolver fetch logging. This reports the name
              and type of each query sent by delv in the process of carrying
              out the resolution and validation process, including the original
              query and all subsequent queries to follow CNAMEs and to
              establish a chain of trust for DNSSEC validation.

              This is equivalent to setting the debug level to 1 in the
              "resolver" logging category. Setting the systemwide debug level
              to 1 using the -d option produces the same output, but affects
              other logging categories as well.

       +mtrace, +nomtrace
              This option toggles logging of messages received. This produces a
              detailed dump of the responses received by delv in the process of
              carrying out the resolution and validation process.

              This is equivalent to setting the debug level to 10 for the
              "packets" module of the "resolver" logging category. Setting the
              systemwide debug level to 10 using the -d option produces the
              same output, but affects other logging categories as well.

       +strace, +nostrace
              This option toggles logging of messages sent. This produces a
              detailed dump of the queries sent by delv in the process of
              carrying out the resolution and validation process. Turning on
              this option also activates +mtrace.

              This is equivalent to setting the debug level to 11 for the
              "packets" module of the "resolver" logging category. Setting the
              systemwide debug level to 11 using the -d option produces the
              same output, but affects other logging categories as well.

       +vtrace, +novtrace
              This option toggles validation logging. This shows the internal
              process of the validator as it determines whether an answer is
              validly signed, unsigned, or invalid.

              This is equivalent to setting the debug level to 3 for the
              "validator" module of the "dnssec" logging category. Setting the
              systemwide debug level to 3 using the -d option produces the same
              output, but affects other logging categories as well.

       +short, +noshort
              This option toggles between verbose and terse answers. The
              default is to print the answer in a verbose form.

       +comments, +nocomments
              This option toggles the display of comment lines in the output.
              The default is to print comments.

       +rrcomments, +norrcomments
              This option toggles the display of per-record comments in the
              output (for example, human-readable key information about DNSKEY
              records). The default is to print per-record comments.

       +crypto, +nocrypto
              This option toggles the display of cryptographic fields in DNSSEC
              records. The contents of these fields are unnecessary to debug
              most DNSSEC validation failures and removing them makes it easier
              to see the common failures. The default is to display the fields.
              When omitted, they are replaced by the string [omitted] or, in
              the DNSKEY case, the key ID is displayed as the replacement, e.g.
              [ key id = value ].

       +trust, +notrust
              This option controls whether to display the trust level when
              printing a record. The default is to display the trust level.

       +split[=W], +nosplit
              This option splits long hex- or base64-formatted fields in
              resource records into chunks of W characters (where W is rounded
              up to the nearest multiple of 4). +nosplit or +split=0 causes
              fields not to be split at all. The default is 56 characters, or
              44 characters when multiline mode is active.

       +all, +noall
              This option sets or clears the display options +comments,
              +rrcomments, and +trust as a group.

       +multiline, +nomultiline
              This option prints long records (such as RRSIG, DNSKEY, and SOA
              records) in a verbose multi-line format with human-readable
              comments. The default is to print each record on a single line,
              to facilitate machine parsing of the delv output.

       +dnssec, +nodnssec
              This option indicates whether to display RRSIG records in the
              delv output. The default is to do so. Note that (unlike in dig)
              this does not control whether to request DNSSEC records or to
              validate them. DNSSEC records are always requested, and
              validation always occurs unless suppressed by the use of -i or
              +noroot.

       +root[=ROOT], +noroot
              This option indicates whether to perform conventional DNSSEC
              validation, and if so, specifies the name of a trust anchor. The
              default is to validate using a trust anchor of "." (the root
              zone), for which there is a built-in key. If specifying a
              different trust anchor, then -a must be used to specify a file
              containing the key.

       +tcp, +notcp
              This option controls whether to use TCP when sending queries. The
              default is to use UDP unless a truncated response has been
              received.

       +unknownformat, +nounknownformat
              This option prints all RDATA in unknown RR-type presentation
              format (RFC 3597). The default is to print RDATA for known types
              in the type's presentation format.

       +yaml, +noyaml
              This option prints response data in YAML format.

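       The trust-anchor file read by -a, the key ID that +nocrypto prints in
       place of the key, the chunking done by +split=W, and the RFC 3597 form
       printed by +unknownformat are brought together in the added Python
       example below. This is not code from delv or BIND 9: the anchor file and
       the key material in it are constructed (the base64 strings are a few
       bytes, not real keys), the key tag follows RFC 4034 Appendix B, and the
       record layout approximates delv's single-line output rather than
       reproducing it byte for byte.

```python
"""Added example (not part of the delv man page or BIND 9): parse a
trust-anchors file of the kind passed to `delv -a`, compute the DNSSEC key
tag that `+nocrypto` shows as `[ key id = value ]`, and render a DNSKEY
record under the +nocrypto, +split=W and +unknownformat display options."""
import base64
import re
import struct

# Constructed sample anchor file in BIND's trust-anchors syntax. The keys are
# NOT real: "AQIDBA==" is the bytes 01 02 03 04, "BQYHCA==" is 05 06 07 08.
SAMPLE_ANCHOR_FILE = """\
trust-anchors {
    . initial-key 257 3 8 "AQIDBA==";
    example.test. static-key 256 3 13 "BQYHCA==";
};
"""

# One entry: <name> (initial-key|static-key) flags protocol algorithm "base64";
# delv treats initial-key and static-key identically (see -a), so we do too.
_ANCHOR_RE = re.compile(
    r'(?P<name>\S+)\s+(?P<kind>initial-key|static-key)\s+'
    r'(?P<flags>\d+)\s+(?P<proto>\d+)\s+(?P<alg>\d+)\s+'
    r'"(?P<key>[^"]*)"\s*;'
)


def parse_anchor_file(text, root_only=True):
    """Return (name, flags, protocol, algorithm, key_bytes) tuples.

    As with delv's default, anchors whose name is not "." are ignored unless
    root_only is False (the +root=NAME option selects a different name)."""
    anchors = []
    for m in _ANCHOR_RE.finditer(text):
        name = m.group("name")
        if root_only and name != ".":
            continue
        key = base64.b64decode("".join(m.group("key").split()))
        anchors.append((name, int(m.group("flags")), int(m.group("proto")),
                        int(m.group("alg")), key))
    return anchors


def dnskey_rdata(flags, proto, alg, key):
    """Wire-format DNSKEY RDATA: flags(2) protocol(1) algorithm(1) public key."""
    return struct.pack("!HBB", flags, proto, alg) + key


def key_tag(rdata):
    """RFC 4034 Appendix B key tag, the 'key id' delv prints under +nocrypto."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def split_field(text, width=56):
    """Emulate +split=W: W is rounded up to a multiple of 4; 0 disables splitting."""
    if width <= 0:
        return text
    width = (width + 3) // 4 * 4
    return " ".join(text[i:i + width] for i in range(0, len(text), width))


def unknown_format(rdata):
    """RFC 3597 presentation format used by +unknownformat: backslash-# len hex."""
    return "\\# %d %s" % (len(rdata), rdata.hex())


def render_dnskey(name, flags, proto, alg, key, ttl=3600,
                  crypto=True, split=56, unknown=False):
    """Render one DNSKEY record roughly as delv would under the given options."""
    rdata = dnskey_rdata(flags, proto, alg, key)
    if unknown:
        rdata_text = unknown_format(rdata)
    elif crypto:
        b64 = base64.b64encode(key).decode()
        rdata_text = "%d %d %d %s" % (flags, proto, alg, split_field(b64, split))
    else:
        rdata_text = "%d %d %d [ key id = %d ]" % (flags, proto, alg, key_tag(rdata))
    return "%s\t%d\tIN\tDNSKEY\t%s" % (name, ttl, rdata_text)


if __name__ == "__main__":
    for name, flags, proto, alg, key in parse_anchor_file(SAMPLE_ANCHOR_FILE):
        print(render_dnskey(name, flags, proto, alg, key))
        print(render_dnskey(name, flags, proto, alg, key, crypto=False))
        print(render_dnskey(name, flags, proto, alg, key, unknown=True))
```

       The key tag is the value to compare when a validation trace reports that
       no DNSKEY matched a DS or RRSIG: computing it from the anchor file
       independently of delv confirms whether the file really holds the key
       the operator believes it does.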
FILES
       /etc/resolv.conf

SEE ALSO
       dig(1), named(8), RFC 4034, RFC 4035, RFC 4431, RFC 5074, RFC 5155.

AUTHOR
       Internet Systems Consortium

COPYRIGHT
       2023, Internet Systems Consortium




9.19.18                                                                DELV(1)