Skip site navigation (1)Skip section navigation (2)

FreeBSD Manual Pages


home | help
dnsviz-print(1)		    General Commands Manual	       dnsviz-print(1)

       dnsviz-print - print the	assessment of diagnostic DNS queries

       dnsviz print [ options ]	[ domain_name... ]

       Process	the  results  of  diagnostic DNS queries previously performed,
       e.g., using dnsviz-probe(1), to assess the health of the	associated DNS
       deployments  for	 one  or  more domain names specified.	The results of
       this processing are presented in	textual	output.

       The source of the diagnostic query input	is  either  a  file  specified
       with -r or standard input.

       Domain names to be processed may	be passed either as command-line argu-
       ments, in a file	(using the -f option), or simply implied using the di-
       agnostic	query input.  The latter is the	preferred methodology (and the
       simplest) and is	useful,	except in cases	where the input	contains diag-
       nostic queries for multiple domain names, only a	subset of which	are to
       be processed.

       If -f is	not used and no	domain names are supplied on the command line,
       then the	domain names to	be processed are extracted from	the diagnostic
       query input.  If	the -f option is used, then names may not be specified
       on the command line.

       The domain names	passed as input	are fully-qualified domain names, such
       as,,,,  or   Because  it is implied that
       specified domain	names are fully	qualified, no trailing dot  is	neces-

       The  output is appropriate for terminal or text file output, using col-
       ors (where supported by the terminal) and symbols to  designate	status
       and errors in a loosely-defined textual format.

       -f filename
	      Read names from a	file (one name per line), instead of from com-
	      mand line.

	      If this option is	used, then names may not be specified  on  the
	      command line.

       -r filename
	      Read  diagnostic query input from	the specified file, instead of
	      from standard input.

       -t filename
	      Specify a	file that contains trusted keys	for  processing	 diag-
	      nostic  queries.	 This  overrides the default behavior of using
	      the built-in keys	for the	root zone.

	      The format of this file is master	zone file  format  and	should
	      contain  DNSKEY records that correspond to one more trusted keys
	      for one or more DNS zones.

	      This option may be used multiple times on	the command line.

       -R type[,type...]
	      Process queries of only the specified type(s) (e.g.,  A,	AAAA).
	      The default is to	process	all types queried as part of the diag-
	      nostic input.

       -O     Save the output to a file, whose name is derived from the	domain

	      If  this	option is used when the	diagnostic queries of multiple
	      domain names are being processed,	a file	will  be  created  for
	      each domain name processed.

       -o filename
	      Write  the  output  to the specified file	instead	of to standard
	      output, which is the default.

	      If this option is	used when the diagnostic queries  of  multiple
	      domain  name  are	being processed, a single file (the one	speci-
	      fied) will be created, which will	contain	the collective	output
	      for all domain names processed.

       -h     Display the usage	and exit.

       The following is	an example of the output:

       . [.]
       [.]  DNSKEY: 8/1518/256 [.], 8/19036/257	[.]
       [.]    RRSIG: ./8/19036 (2015-08-20 - 2015-09-03) [.]
       com [.] [.]
       [.]  DS:	8/30909/2 [.]
       [.]    RRSIG: ./8/1518 (2015-08-26 - 2015-09-05)	[.]
       [.]  DNSKEY: 8/30909/257	[.], 8/35864/256 [.]
       [.]    RRSIG: com/8/30909 (2015-08-24 - 2015-08-31) [.] [.] [.]
       [.]   DS:  8/31406/1  [.], 8/31406/2 [.], 8/31589/1 [-],	8/31589/2 [-],
       8/43547/1 [-], 8/43547/2	[-]
       [.]    RRSIG: com/8/35864 (2015-08-24 - 2015-08-31) [.]
       [.]  DNSKEY: 8/54108/256	[.], 8/31406/257 [.], 8/63870/256 [.]
       [.]    RRSIG: (2015-08-24 - 2015-09-14) [.]
       [.]  A:
       [.]    RRSIG: (2015-08-24 - 2015-09-14) [.]
       [.]  A: NXDOMAIN
       [.]    SOA: 2015082401 7200  3600
       1209600 3600
       [.]	RRSIG: (2015-08-24 - 2015-09-14) [.]
       [.]    PROOF:  [.]
       [.]	  RRSIG: (2015-08-21 - 2015-09-11) [.]

   Domain Names
       The output above	is divided into	several	sections,  each	 corresponding
       to  the	domain name that starts	the section (e.g.,  Fol-
       lowing the headers of names that	correspond to zones are	 two  sets  of
       characters,  each within	brackets.  The characters within the first set
       of brackets represent the status	of the zone.   The  characters	within
       the second set of brackets represent the	status of the delegation (note
       that this second	set of bracketed characters will not  be  present  for
       the root	zone).

       The  first  character within each set of	brackets is one	of the follow-

       .      secure zone or delegation

       -      insecure zone or delegation

       !      bogus zone or delegation

       ?      lame or incomplete delegation

       If there	is a second character within the brackets, it  represents  the

       !      errors are present

       ?      warnings are present

       For  example,  an  insecure delegation with warnings is represented as:
       [-?]  And a secure delegation with no errors is shown as: [.]

   Query Responses
       The lines in each section, below	the  header,  represent	 responses  to
       queries	for that name from one or more servers.	 The bracketed charac-
       ters at the far left of each line represent the status of the  response
       or  response component on the rest of the line.	The first character in
       the brackets represents the authentication status:

       .      secure

       -      insecure

       !      bogus

       If there	is a second character within the brackets, it  represents  the

       !      errors are present

       ?      warnings are present

       For  example,  an insecure status with warnings is represented as: [-?]
       And a secure status with	no errors is shown as: [.]

       The status of the response is followed by the type corresponding	to the
       query  or  response.   For example, "A" means that data following is in
       response	to a query of type A (IPv4 address) for	the name of the	corre-
       sponding	 section.   When the response is positive (i.e., there is data
       in the answer section), the corresponding data is shown	on  the	 right
       (with  some  exceptions)	as a comma-separated set of records within the
       RRset.  DNSKEY, DS, and RRSIG records show  an  abbreviated  format  of
       their records, as follows:

	      <algorithm number>/<key tag>/<flags>

	      Example: 8/35864/256

       DS:    <algorithm number>/<key tag>/<digest type>

	      Example: 8/30909/2

       RRSIG: <signer>/<algorithm  number>/<key	 tag>  (<inception> - <expira-

	      Example: com/8/35864 (2015-08-24 - 2015-08-31)

       Following each record within a DNSKEY,  DS,  or	RRSIG  response	 is  a
       bracketed set of	characters, the	first of which represents validity:

       .      valid

       -      indeterminate

       !      invalid/expired/premature

       ?      indeterminate due	to unknown algorithm

       If  there  is a second character	within the brackets, it	represents the

       !      errors are present

       ?      warnings are present

       For example, a DNSKEY with warnings is shown as:	[.?]  A	DS correspond-
       ing to a	non-existent DNSKEY is represented as: [-].

       RRSIGs are shown	below the RRset	they cover, indented from the RRset.

   Negative Responses
       If  a response is negative, then	the appropriate	"NODATA" or "NXDOMAIN"
       text is shown adjacent the type	queried,  e.g.,	 "A:  NXDOMDAIN".   If
       there  was an SOA record	and/or NSEC(3) proof, then they	are listed be-
       low, indented from the query type.

       The NSEC	or NSEC3 records (and their RRSIGs)  comprising	 a  proof  are
       grouped by indentation under the	title "PROOF" which is itself indented
       under the negative response line.  Following "PROOF" is a bracketed set
       of  characters  with the	same meaning as	those used for DS, DNSKEY, and

   Errors and Warnings
       Textual errors and warnings are listed below  the  response  components
       with  which the issues are associated.  Each error or warning is	listed
       on its own line and prefaced with "E:" or "W:", signifying  whether  it
       is an error or warning, respectively.

       The exit	codes are:

       0      Program terminated normally.

       1      Incorrect	usage.

       2      Required package dependencies were not found.

       3      There was	an error processing the	input or saving	the output.

       4      Program execution	was interrupted, or an unknown error ocurred.

       dnsviz(1),  dnsviz-probe(1),  dnsviz-grok(1),  dnsviz-graph(1), dnsviz-

0.6.5				  18 Nov 2016		       dnsviz-print(1)


Want to link to this manual page? Use this URL:

home | help