Delv
Surely you remember the old nursery rhyme that begins with "One, two, buckle my shoe." You might have forgotten that its sixth verse is "Eleven, twelve, dig and delve." How many nursery rhymes have their own Wikipedia page?
BIND 9.10 contains a new debugging tool that is a successor to dig. So, of course, we had to name it delv. It works very much like dig, but it understands DNSSEC better.
delv checks the DNSSEC validation chain using the same code that is used by the BIND 9 DNS server itself. Compared to dig +sigchase, delv is much closer to what really happens inside a DNS server.
Like all BIND tools, delv is fully documented in Appendix B of the BIND ARM. In general, you should use delv the same way you have been using dig. But delv is not an enhanced version of dig; it is an entirely new program. So here are a few tips.
delv FQDN
If you just say delv name, and name is in a signed zone, delv will report "fully validated" and give you the RRSIG as part of the answer.
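A way to turn that status line into a check you can script, as an added example that is not from the original article or from ISC. The function names and sample outputs are constructed for illustration, and the "unsigned answer" and "resolution failed" lines are delv status lines assumed here; only "fully validated" appears on this page.

```shell
#!/bin/sh
# Classify delv output read on stdin by its validation status lines.
# Prints one of: secure, insecure, failed, unknown.
# A mixed answer (some RRsets validated, some not) is reported as
# "insecure" so that a partly unsigned chain never reads as secure.
classify_delv() {
    awk '
        /^;; resolution failed/      { failed = 1 }
        /^; (.*, )?fully validated/  { secure = 1 }
        /^; (.*, )?unsigned answer/  { insecure = 1 }
        END {
            if (failed)        print "failed"
            else if (insecure) print "insecure"
            else if (secure)   print "secure"
            else               print "unknown"
        }'
}

# Run delv for one name and print "<name> <status>".
# Needs delv (BIND 9.10 or later) and a working resolver, so it is
# defined here but not called by the offline demo below.
check_name() {
    printf '%s %s\n' "$1" "$(delv "$1" 2>&1 | classify_delv)"
}

# Constructed sample outputs (not captured from a real run;
# addresses are documentation ranges, signature data is elided).
SAMPLE_SECURE='; fully validated
example.org. 3600 IN A 192.0.2.10
example.org. 3600 IN RRSIG A 13 2 3600 (signature elided)'
SAMPLE_UNSIGNED='; unsigned answer
example.net. 3600 IN A 192.0.2.20'
SAMPLE_NEGATIVE='; negative response, fully validated
; example.org. 3600 IN NSEC (data elided)'
SAMPLE_FAILED=';; resolution failed: SERVFAIL'

# Offline demo over the constructed samples.
for sample in "$SAMPLE_SECURE" "$SAMPLE_UNSIGNED" \
              "$SAMPLE_NEGATIVE" "$SAMPLE_FAILED"; do
    printf '%s\n' "$sample" | classify_delv
done
```

In a monitoring job, call check_name for each zone you sign and alert on anything other than "secure".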
delv +multi
DNSSEC-related records are often very long. To make its output more readable, delv has a +multi option that formats large records into multiline reports that are readable in a standard 80-column text window. Men and Mice has provided this example of the use of +multi:
Like dig, delv is fully compatible with IPv6:
delv +multi +rtrace
The command delv +rtrace prints the extra DNS lookups that delv needs to make while validating the reply to a query. This example is from Men and Mice:
delv +multi +vtrace
The +vtrace option shows the entire DNSSEC chain of validation. This example is again from Men and Mice: