version 1.3, 2019/02/24 20:01:26 |
version 1.4, 2020/05/24 19:46:11 |
|
|
.\" $NetBSD$ |
.\" $NetBSD$ |
.\" |
.\" |
.\" Copyright (C) 2014-2019 Internet Systems Consortium, Inc. ("ISC") |
.\" Copyright (C) 2014-2020 Internet Systems Consortium, Inc. ("ISC") |
.\" |
.\" |
.\" This Source Code Form is subject to the terms of the Mozilla Public |
.\" This Source Code Form is subject to the terms of the Mozilla Public |
.\" License, v. 2.0. If a copy of the MPL was not distributed with this |
.\" License, v. 2.0. If a copy of the MPL was not distributed with this |
Line 55 is a tool for sending DNS queries and va |
|
Line 55 is a tool for sending DNS queries and va |
|
\fBnamed\fR\&. |
\fBnamed\fR\&. |
.PP |
.PP |
\fBdelv\fR |
\fBdelv\fR |
will send to a specified name server all queries needed to fetch and validate the requested data; this includes the original requested query, subsequent queries to follow CNAME or DNAME chains, and queries for DNSKEY, DS and DLV records to establish a chain of trust for DNSSEC validation\&. It does not perform iterative resolution, but simulates the behavior of a name server configured for DNSSEC validating and forwarding\&. |
will send to a specified name server all queries needed to fetch and validate the requested data; this includes the original requested query, subsequent queries to follow CNAME or DNAME chains, and queries for DNSKEY and DS records to establish a chain of trust for DNSSEC validation\&. It does not perform iterative resolution, but simulates the behavior of a name server configured for DNSSEC validating and forwarding\&. |
.PP |
.PP |
By default, responses are validated using built\-in DNSSEC trust anchor for the root zone ("\&.")\&. Records returned by |
By default, responses are validated using built\-in DNSSEC trust anchor for the root zone ("\&.")\&. Records returned by |
\fBdelv\fR |
\fBdelv\fR |
|
|
.sp |
.sp |
Keys that do not match the root zone name are ignored\&. An alternate key name can be specified using the |
Keys that do not match the root zone name are ignored\&. An alternate key name can be specified using the |
\fB+root=NAME\fR |
\fB+root=NAME\fR |
options\&. DNSSEC Lookaside Validation can also be turned on by using the |
options\&. |
\fB+dlv=NAME\fR |
|
to specify the name of a zone containing DLV records\&. |
|
.sp |
.sp |
Note: When reading the trust anchor file, |
Note: When reading the trust anchor file, |
\fBdelv\fR |
\fBdelv\fR |
treats |
treats |
\fBmanaged\-keys\fR |
\fBtrust\-anchors\fR\fBinitial\-key\fR |
statements and |
and |
\fBtrusted\-keys\fR |
\fBstatic\-key\fR |
statements identically\&. That is, for a managed key, it is the |
entries identically\&. That is, even if a key is configured with |
\fIinitial\fR |
\fBinitial\-key\fR, indicating that it is meant to be used only as an initializing key for RFC 5011 key maintenance, it is still treated by |
key that is trusted; RFC 5011 key management is not supported\&. |
\fBdelv\fR |
|
as if it had been configured as a |
|
\fBstatic\-key\fR\&. |
\fBdelv\fR |
\fBdelv\fR |
will not consult the managed\-keys database maintained by |
does not consult the managed keys database maintained by |
\fBnamed\fR\&. This means that if either of the keys in |
\fBnamed\fR\&. This means that if either of the keys in |
/etc/bind\&.keys |
/etc/bind\&.keys |
is revoked and rolled over, it will be necessary to update |
is revoked and rolled over, it will be necessary to update |
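Review bot: In the rewritten trust-anchor note, the two bold runs are written back to back as `\fBtrust\-anchors\fR\fBinitial\-key\fR`, which as shown would render as "trust-anchorsinitial-key". Put a space or a line break between them so the statement name and the keyword read separately. In the same hunk, removing the `+dlv=NAME` sentence leaves "using the `+root=NAME` options" naming a single option, so "options" should become "option".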
Line 392 output\&. The default is to do so\&. Not |
|
Line 392 output\&. The default is to do so\&. Not |
|
control whether to request DNSSEC records or whether to validate them\&. DNSSEC records are always requested, and validation will always occur unless suppressed by the use of |
control whether to request DNSSEC records or whether to validate them\&. DNSSEC records are always requested, and validation will always occur unless suppressed by the use of |
\fB\-i\fR |
\fB\-i\fR |
or |
or |
\fB+noroot\fR |
\fB+noroot\fR\&. |
and |
|
\fB+nodlv\fR\&. |
|
.RE |
.RE |
.PP |
.PP |
\fB+[no]root[=ROOT]\fR |
\fB+[no]root[=ROOT]\fR |
.RS 4 |
.RS 4 |
Indicates whether to perform conventional (non\-lookaside) DNSSEC validation, and if so, specifies the name of a trust anchor\&. The default is to validate using a trust anchor of "\&." (the root zone), for which there is a built\-in key\&. If specifying a different trust anchor, then |
Indicates whether to perform conventional DNSSEC validation, and if so, specifies the name of a trust anchor\&. The default is to validate using a trust anchor of "\&." (the root zone), for which there is a built\-in key\&. If specifying a different trust anchor, then |
\fB\-a\fR |
\fB\-a\fR |
must be used to specify a file containing the key\&. |
must be used to specify a file containing the key\&. |
.RE |
.RE |
.PP |
.PP |
\fB+[no]dlv[=DLV]\fR |
|
.RS 4 |
|
Indicates whether to perform DNSSEC lookaside validation, and if so, specifies the name of the DLV trust anchor\&. The |
|
\fB\-a\fR |
|
option must also be used to specify a file containing the DLV key\&. |
|
.RE |
|
.PP |
|
\fB+[no]tcp\fR |
\fB+[no]tcp\fR |
.RS 4 |
.RS 4 |
Controls whether to use TCP when sending queries\&. The default is to use UDP unless a truncated response has been received\&. |
Controls whether to use TCP when sending queries\&. The default is to use UDP unless a truncated response has been received\&. |
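Review bot: The `+[no]dlv[=DLV]` entry and the `+nodlv` reference are dropped, but nothing in the page says what delv does if the option is still passed. Add one line stating that lookaside validation is no longer supported and whether `+dlv=NAME` is now rejected or ignored. Operators whose validation scripts still pass it need to know if a result could come back validated against a different trust anchor than the one they asked for.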
Line 420 Controls whether to use TCP when sending |
|
Line 411 Controls whether to use TCP when sending |
|
.RS 4 |
.RS 4 |
Print all RDATA in unknown RR type presentation format (RFC 3597)\&. The default is to print RDATA for known types in the type\*(Aqs presentation format\&. |
Print all RDATA in unknown RR type presentation format (RFC 3597)\&. The default is to print RDATA for known types in the type\*(Aqs presentation format\&. |
.RE |
.RE |
|
.PP |
|
\fB+[no]yaml\fR |
|
.RS 4 |
|
Print response data in YAML format\&. |
|
.RE |
.SH "FILES" |
.SH "FILES" |
.PP |
.PP |
/etc/bind\&.keys |
/etc/bind\&.keys |
|
|
\fBInternet Systems Consortium, Inc\&.\fR |
\fBInternet Systems Consortium, Inc\&.\fR |
.SH "COPYRIGHT" |
.SH "COPYRIGHT" |
.br |
.br |
Copyright \(co 2014-2019 Internet Systems Consortium, Inc. ("ISC") |
Copyright \(co 2014-2020 Internet Systems Consortium, Inc. ("ISC") |
.br |
.br |
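Review bot: The new `+[no]yaml` entry says only "Print response data in YAML format" and does not state the default, unlike the neighbouring `+[no]tcp` and unknown-format entries, which both do. Add a "The default is ..." sentence in the same style so readers can tell which output format they get without the option.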