1dnsviz-print(1) General Commands Manual dnsviz-print(1)
2
3
4
6 dnsviz-print - print the assessment of diagnostic DNS queries
7
9 dnsviz print [ options ] [ domain_name... ]
10
12 Process the results of diagnostic DNS queries previously performed,
13 e.g., using dnsviz-probe(1), to assess the health of the associated DNS
14 deployments for one or more domain names specified. The results of
15 this processing are presented in textual output.
16
17 The source of the diagnostic query input is either a file specified
18 with -r or standard input.
19
20 Domain names to be processed may be passed either as command-line argu‐
21 ments, in a file (using the -f option), or simply implied using the di‐
22 agnostic query input. The latter is the preferred methodology (and the
23 simplest) and is useful, except in cases where the input contains diag‐
24 nostic queries for multiple domain names, only a subset of which are to
25 be processed.
26
27 If -f is not used and no domain names are supplied on the command line,
28 then the domain names to be processed are extracted from the diagnostic
29 query input. If the -f option is used, then names may not be specified
30 on the command line.
31
32 The domain names passed as input are fully-qualified domain names, such
33 as example.com, www.example.com, _443._tcp.example.com, 1.2.0.192.in-
34 addr.arpa, or 8.b.d.0.1.0.0.2.ip6.arpa. Because it is implied that
35 specified domain names are fully qualified, no trailing dot is neces‐
36 sary.
37
38 The output is appropriate for terminal or text file output, using col‐
39 ors (where supported by the terminal) and symbols to designate status
40 and errors in a loosely-defined textual format.
41
42
44 -f, --names-file filename
45 Read names from a file (one name per line), instead of from com‐
46 mand line.
47
48 If this option is used, then names may not be specified on the
49 command line.
50
51 -r, --input-file filename
52 Read diagnostic query input from the specified file, instead of
53 from standard input.
54
55 -t, --trusted-keys-file filename
56 Use trusted keys from the specified file when processing diag‐
57 nostic queries. This overrides the default behavior of using
58 the installed keys for the root zone.
59
60 The format of this file is master zone file format and should
61 contain DNSKEY records that correspond to one more trusted keys
62 for one or more DNS zones.
63
64 This option may be used multiple times on the command line.
65
66 -a, --algorithms alg[,alg...]
67 Support only the DNSSEC algorithms specified. If this option is
68 used, any algorithms not specified will appear as "unsupported."
69 The status of any RRSIG records corresponding to unsupported al‐
70 gorithms will be unknown. Additionally, when a zone has only DS
71 records with unsupported algorithms, the zone is treated as "in‐
72 secure", assuming the DS records are properly authenticated.
73
74 -d, --digest-algorithms digest_alg[,digest_alg...]
75 Support only the DNSSEC digest algorithms specified. If this
76 option is used, any digest algorithms not specified will appear
77 as "unsupported." The status of any DS records corresponding to
78 unsupported digest algorithms will be unknown. Additionally,
79 when a zone has only DS records with unsupported digest algo‐
80 rithms, the zone is treated as "insecure", assuming the DS
81 records are properly authenticated.
82
83 -b, --validate-prohibited-algs
84 Validate algorithms for which validation is otherwise prohib‐
85 ited. Current DNSSEC specification prohibits validators from
86 validating older, weaker algorithms associated with DNSKEY and
87 DS records (see RFC 8624). If this option is used, then a warn‐
88 ing will be still be issued for DNSSEC records that use these
89 older algorithms, but the code will still assess their crypto‐
90 graphic status, rather than ignoring them.
91
92 -C, --enforce-cookies
93 Enforce DNS cookies strictly. Require a server to return a "BAD‐
94 COOKIE" response when a query contains a COOKIE option with no
95 server cookie or with an invalid server cookie.
96
97 -P, --allow-private
98 Allow private IP addresses for authoritative DNS servers. By
99 default, if the IP address corresponding to an authoritative
100 server is in IP address space designated as "private", it is
101 flagged as an error. However, there are some cases where this
102 is allowed. For example, if the diagnostic queries are issued
103 to servers in an experimental environment, this might be permis‐
104 sible.
105
106 -R, --rr-types type[,type...]
107 Process queries of only the specified type(s) (e.g., A, AAAA).
108 The default is to process all types queried as part of the diag‐
109 nostic input.
110
111 -O, --derive-filename
112 Save the output to a file, whose name is derived from the domain
113 name.
114
115 If this option is used when the diagnostic queries of multiple
116 domain names are being processed, a file will be created for
117 each domain name processed.
118
119 -o, --output-file filename
120 Write the output to the specified file instead of to standard
121 output, which is the default.
122
123 If this option is used when the diagnostic queries of multiple
124 domain name are being processed, a single file (the one speci‐
125 fied) will be created, which will contain the collective output
126 for all domain names processed.
127
128
129 -h Display the usage and exit.
130
131
133 The following is an example of the output:
134
135 . [.]
136 [.] DNSKEY: 8/1518/256 [.], 8/19036/257 [.]
137 [.] RRSIG: ./8/19036 (2015-08-20 - 2015-09-03) [.]
138 com [.] [.]
139 [.] DS: 8/30909/2 [.]
140 [.] RRSIG: ./8/1518 (2015-08-26 - 2015-09-05) [.]
141 [.] DNSKEY: 8/30909/257 [.], 8/35864/256 [.]
142 [.] RRSIG: com/8/30909 (2015-08-24 - 2015-08-31) [.]
143 example.com [.] [.]
144 [.] DS: 8/31406/1 [.], 8/31406/2 [.], 8/31589/1 [-], 8/31589/2 [-],
145 8/43547/1 [-], 8/43547/2 [-]
146 [.] RRSIG: com/8/35864 (2015-08-24 - 2015-08-31) [.]
147 [.] DNSKEY: 8/54108/256 [.], 8/31406/257 [.], 8/63870/256 [.]
148 [.] RRSIG: example.com/8/31406 (2015-08-24 - 2015-09-14) [.]
149 www.example.com
150 [.] A: 192.0.2.1
151 [.] RRSIG: example.com/8/31406 (2015-08-24 - 2015-09-14) [.]
152 non-existent.example.com
153 [.] A: NXDOMAIN
154 [.] SOA: sns.dns.icann.org. noc.dns.icann.org. 2015082401 7200 3600
155 1209600 3600
156 [.] RRSIG: example.com/8/54108 (2015-08-24 - 2015-09-14) [.]
157 [.] PROOF: [.]
158 [.] NSEC: example.com. www.example.com. A NS SOA TXT AAAA RRSIG
159 NSEC DNSKEY
160 [.] RRSIG: example.com/8/54108 (2015-08-21 - 2015-09-11) [.]
161
162
163 Domain Names
164 The output above is divided into several sections, each corresponding
165 to the domain name that starts the section (e.g., example.com). Fol‐
166 lowing the headers of names that correspond to zones are two sets of
167 characters, each within brackets. The characters within the first set
168 of brackets represent the status of the zone. The characters within
169 the second set of brackets represent the status of the delegation (note
170 that this second set of bracketed characters will not be present for
171 the root zone).
172
173 The first character within each set of brackets is one of the follow‐
174 ing:
175
176
177 . secure zone or delegation
178
179 - insecure zone or delegation
180
181 ! bogus zone or delegation
182
183 ? lame or incomplete delegation
184
185
186 If there is a second character within the brackets, it represents the
187 following:
188
189
190 ! errors are present
191
192 ? warnings are present
193
194
195 For example, an insecure delegation with warnings is represented as:
196 [-?] And a secure delegation with no errors is shown as: [.]
197
198
199 Query Responses
200 The lines in each section, below the header, represent responses to
201 queries for that name from one or more servers. The bracketed charac‐
202 ters at the far left of each line represent the status of the response
203 or response component on the rest of the line. The first character in
204 the brackets represents the authentication status:
205
206
207 . secure
208
209 - insecure
210
211 ! bogus
212
213
214 If there is a second character within the brackets, it represents the
215 following:
216
217
218 ! errors are present
219
220 ? warnings are present
221
222
223 For example, an insecure status with warnings is represented as: [-?]
224 And a secure status with no errors is shown as: [.]
225
226 The status of the response is followed by the type corresponding to the
227 query or response. For example, "A" means that data following is in
228 response to a query of type A (IPv4 address) for the name of the corre‐
229 sponding section. When the response is positive (i.e., there is data
230 in the answer section), the corresponding data is shown on the right
231 (with some exceptions) as a comma-separated set of records within the
232 RRset. DNSKEY, DS, and RRSIG records show an abbreviated format of
233 their records, as follows:
234
235
236 DNSKEY:
237 <algorithm number>/<key tag>/<flags>
238
239 Example: 8/35864/256
240
241 DS: <algorithm number>/<key tag>/<digest type>
242
243 Example: 8/30909/2
244
245 RRSIG: <signer>/<algorithm number>/<key tag> (<inception> - <expira‐
246 tion>)
247
248 Example: com/8/35864 (2015-08-24 - 2015-08-31)
249
250
251 Following each record within a DNSKEY, DS, or RRSIG response is a
252 bracketed set of characters, the first of which represents validity:
253
254
255 . valid
256
257
258 - indeterminate
259
260
261 ! invalid/expired/premature
262
263
264 ? indeterminate due to unknown algorithm
265
266
267 If there is a second character within the brackets, it represents the
268 following:
269
270
271 ! errors are present
272
273 ? warnings are present
274
275
276 For example, a DNSKEY with warnings is shown as: [.?] A DS correspond‐
277 ing to a non-existent DNSKEY is represented as: [-].
278
279 RRSIGs are shown below the RRset they cover, indented from the RRset.
280
281
282 Negative Responses
283 If a response is negative, then the appropriate "NODATA" or "NXDOMAIN"
284 text is shown adjacent the type queried, e.g., "A: NXDOMDAIN". If
285 there was an SOA record and/or NSEC(3) proof, then they are listed be‐
286 low, indented from the query type.
287
288 The NSEC or NSEC3 records (and their RRSIGs) comprising a proof are
289 grouped by indentation under the title "PROOF" which is itself indented
290 under the negative response line. Following "PROOF" is a bracketed set
291 of characters with the same meaning as those used for DS, DNSKEY, and
292 RRSIG.
293
294
295 Errors and Warnings
296 Textual errors and warnings are listed below the response components
297 with which the issues are associated. Each error or warning is listed
298 on its own line and prefaced with "E:" or "W:", signifying whether it
299 is an error or warning, respectively.
300
301
303 The exit codes are:
304
305 0 Program terminated normally.
306
307 1 Incorrect usage.
308
309 2 Required package dependencies were not found.
310
311 3 There was an error processing the input or saving the output.
312
313 4 Program execution was interrupted, or an unknown error occurred.
314
316 dnsviz(1), dnsviz-probe(1), dnsviz-grok(1), dnsviz-graph(1), dnsviz-
317 query(1)
318
319
320
3210.9.4 27 Sep 2021 dnsviz-print(1)