dnsviz-print(1) User Commands dnsviz-print(1)
dnsviz-print - print the assessment of diagnostic DNS queries
dnsviz print [ options ] [ domain_name... ]
Process the results of diagnostic DNS queries previously performed,
e.g., using dnsviz-probe(1), to assess the health of the associated
DNS deployments for one or more domain names specified. The results
of this processing are presented in textual output.
The source of the diagnostic query input is either a file specified
with -r or standard input.
Domain names to be processed may be passed either as command-line
arguments, in a file (using the -f option), or simply implied using
the diagnostic query input. The latter is the preferred methodology
(and the simplest) and is useful, except in cases where the input
contains diagnostic queries for multiple domain names, only a subset
of which are to be processed.
If -f is not used and no domain names are supplied on the command
line, then the domain names to be processed are extracted from the
diagnostic query input. If the -f option is used, then names may not
be specified on the command line.
The domain names passed as input are fully-qualified domain names,
such as example.com, www.example.com, _443._tcp.example.com,
1.2.0.192.in-addr.arpa, or 8.b.d.0.1.0.0.2.ip6.arpa. Because it is
implied that specified domain names are fully qualified, no trailing
dot is necessary.
The output is appropriate for terminal or text file output, using
colors (where supported by the terminal) and symbols to designate
status and errors in a loosely-defined textual format.
-f, --names-file filename
Read names from a file (one name per line), instead of from
command line.
If this option is used, then names may not be specified on the
command line.
-r, --input-file filename
Read diagnostic query input from the specified file, instead
of from standard input.
-t, --trusted-keys-file filename
Use trusted keys from the specified file when processing
diagnostic queries. This overrides the default behavior of
using the installed keys for the root zone.
The format of this file is master zone file format and should
contain DNSKEY records that correspond to one more trusted
keys for one or more DNS zones.
This option may be used multiple times on the command line.
-S, --show-colors
Use terminal colors even if output is not a TTY or colors are
not supported. Normally dnsviz-print(1) detects terminal
capabilities and uses colors only where supported. This
option overrides this detection and always includes terminal
colors in the output.
-a, --algorithms alg[,alg...]
Support only the DNSSEC algorithms specified. If this option
is used, any algorithms not specified will appear as
"unsupported." The status of any RRSIG records corresponding
to unsupported algorithms will be unknown. Additionally, when
a zone has only DS records with unsupported algorithms, the
zone is treated as "insecure", assuming the DS records are
properly authenticated.
-d, --digest-algorithms digest_alg[,digest_alg...]
Support only the DNSSEC digest algorithms specified. If this
option is used, any digest algorithms not specified will
appear as "unsupported." The status of any DS records
corresponding to unsupported digest algorithms will be
unknown. Additionally, when a zone has only DS records with
unsupported digest algorithms, the zone is treated as
"insecure", assuming the DS records are properly
authenticated.
--ignore-rfc8624
Ignore errors associated with RFC 8624, DNSSEC algorithm
implementation requirements. RFC 8624 designates some DNSSEC
signing algorithms and some DS digest algorithms as prohibited
("MUST NOT") or not recommended for validation and/or signing.
If this option is used, then no warnings will be issued, and
the code will still assess their cryptographic status, rather
than ignoring them.
--ignore-rfc9276
Ignore errors associated with RFC 9276, NSEC3 parameter
settings. RFC 9276 specifies that if NSEC3 is used, the
iterations count must be 0 and the salt length must be 0. If
this option is used, then no warnings will be issued for NSEC3
records that violate this specification.
-C, --enforce-cookies
Enforce DNS cookies strictly. Require a server to return a
"BADCOOKIE" response when a query contains a COOKIE option
with no server cookie or with an invalid server cookie.
-P, --allow-private
Allow private IP addresses for authoritative DNS servers. By
default, if the IP address corresponding to an authoritative
server is in IP address space designated as "private", it is
flagged as an error. However, there are some cases where this
is allowed. For example, if the diagnostic queries are issued
to servers in an experimental environment, this might be
permissible.
--trust-cdnskey-cds
Trust all CDNSKEY and CDS records, even if they are not
"signed with a key that is represented in both the current
DNSKEY and DS RRsets" (RFC 7344). This is allowed if "the
Parent uses the CDS or CDNSKEY RRset for initial enrollment;
in that case, the Parent validates the CDS/CDNSKEY through
some other means" (RFC 7344). Because there is no way for
DNSViz to discover the out-of-band means with which the parent
might have validated the CDNSKEY and/or CDS records, this
trust is signaled with the use of the --trust-cdnskey-cds
command-line option.
--multi-signer
Don't issue errors for missing KSKs with DS RRs. Typically an
error is issued if a given DNSKEY is not found in the DNSKEY
RRset returned by one or more servers. If --multi-signer is
specified, then no error is issued, in the case that 1) the
DNSKEY is not signing any non-DNSKEY RRsets (i.e., is a zone-
signing key or ZSK) and 2) the DNSKEY corresponds to a DS
record in the parent. This corresponds to the Model 2 use
case in RFC 8901.
-R, --rr-types type[,type...]
Process queries of only the specified type(s) (e.g., A, AAAA).
The default is to process all types queried as part of the
diagnostic input.
-O, --derive-filename
Save the output to a file, whose name is derived from the
domain name.
If this option is used when the diagnostic queries of multiple
domain names are being processed, a file will be created for
each domain name processed.
-o, --output-file filename
Write the output to the specified file instead of to standard
output, which is the default.
If this option is used when the diagnostic queries of multiple
domain name are being processed, a single file (the one
specified) will be created, which will contain the collective
output for all domain names processed.
-h Display the usage and exit.
The following is an example of the output:
. [.]
[.] DNSKEY: 8/1518/256 [.], 8/19036/257 [.]
[.] RRSIG: ./8/19036 (2015-08-20 - 2015-09-03) [.]
com [.] [.]
[.] DS: 8/30909/2 [.]
[.] RRSIG: ./8/1518 (2015-08-26 - 2015-09-05) [.]
[.] DNSKEY: 8/30909/257 [.], 8/35864/256 [.]
[.] RRSIG: com/8/30909 (2015-08-24 - 2015-08-31) [.]
example.com [.] [.]
[.] DS: 8/31406/1 [.], 8/31406/2 [.], 8/31589/1 [-], 8/31589/2 [-],
8/43547/1 [-], 8/43547/2 [-]
[.] RRSIG: com/8/35864 (2015-08-24 - 2015-08-31) [.]
[.] DNSKEY: 8/54108/256 [.], 8/31406/257 [.], 8/63870/256 [.]
[.] RRSIG: example.com/8/31406 (2015-08-24 - 2015-09-14) [.]
www.example.com
[.] A: 192.0.2.1
[.] RRSIG: example.com/8/31406 (2015-08-24 - 2015-09-14) [.]
non-existent.example.com
[.] A: NXDOMAIN
[.] SOA: sns.dns.icann.org. noc.dns.icann.org. 2015082401 7200
3600 1209600 3600
[.] RRSIG: example.com/8/54108 (2015-08-24 - 2015-09-14) [.]
[.] PROOF: [.]
[.] NSEC: example.com. www.example.com. A NS SOA TXT AAAA RRSIG
NSEC DNSKEY
[.] RRSIG: example.com/8/54108 (2015-08-21 - 2015-09-11) [.]
The output above is divided into several sections, each corresponding
to the domain name that starts the section (e.g., example.com).
Following the headers of names that correspond to zones are two sets
of characters, each within brackets. The characters within the first
set of brackets represent the status of the zone. The characters
within the second set of brackets represent the status of the
delegation (note that this second set of bracketed characters will
not be present for the root zone).
The first character within each set of brackets is one of the
following:
. secure zone or delegation
- insecure zone or delegation
! bogus zone or delegation
? lame or incomplete delegation
If there is a second character within the brackets, it represents the
following:
! errors are present
? warnings are present
For example, an insecure delegation with warnings is represented as:
[-?] And a secure delegation with no errors is shown as: [.]
The lines in each section, below the header, represent responses to
queries for that name from one or more servers. The bracketed
characters at the far left of each line represent the status of the
response or response component on the rest of the line. The first
character in the brackets represents the authentication status:
. secure
- insecure
! bogus
If there is a second character within the brackets, it represents the
following:
! errors are present
? warnings are present
For example, an insecure status with warnings is represented as: [-?]
And a secure status with no errors is shown as: [.]
The status of the response is followed by the type corresponding to
the query or response. For example, "A" means that data following is
in response to a query of type A (IPv4 address) for the name of the
corresponding section. When the response is positive (i.e., there is
data in the answer section), the corresponding data is shown on the
right (with some exceptions) as a comma-separated set of records
within the RRset. DNSKEY, DS, and RRSIG records show an abbreviated
format of their records, as follows:
DNSKEY:
<algorithm number>/<key tag>/<flags>
Example: 8/35864/256
DS: <algorithm number>/<key tag>/<digest type>
Example: 8/30909/2
RRSIG: <signer>/<algorithm number>/<key tag> (<inception> -
<expiration>)
Example: com/8/35864 (2015-08-24 - 2015-08-31)
Following each record within a DNSKEY, DS, or RRSIG response is a
bracketed set of characters, the first of which represents validity:
. valid
- indeterminate
! invalid/expired/premature
? indeterminate due to unknown algorithm
If there is a second character within the brackets, it represents the
following:
! errors are present
? warnings are present
For example, a DNSKEY with warnings is shown as: [.?] A DS
corresponding to a non-existent DNSKEY is represented as: [-].
RRSIGs are shown below the RRset they cover, indented from the RRset.
If a response is negative, then the appropriate "NODATA" or
"NXDOMAIN" text is shown adjacent the type queried, e.g., "A:
NXDOMAIN". If there was an SOA record and/or NSEC(3) proof, then
they are listed below, indented from the query type.
The NSEC or NSEC3 records (and their RRSIGs) comprising a proof are
grouped by indentation under the title "PROOF" which is itself
indented under the negative response line. Following "PROOF" is a
bracketed set of characters with the same meaning as those used for
DS, DNSKEY, and RRSIG.
Textual errors and warnings are listed below the response components
with which the issues are associated. Each error or warning is
listed on its own line and prefaced with "E:" or "W:", signifying
whether it is an error or warning, respectively.
The exit codes are:
0 Program terminated normally.
1 Incorrect usage.
2 Required package dependencies were not found.
3 There was an error processing the input or saving the output.
4 Program execution was interrupted, or an unknown error
occurred.
dnsviz(1), dnsviz-probe(1), dnsviz-grok(1), dnsviz-graph(1),
dnsviz-query(1)
0.11.1 21 April 2025 dnsviz-print(1)
NAME
dnsviz-print - print the assessment of diagnostic DNS queries
SYNOPSIS
dnsviz print [ options ] [ domain_name... ]
DESCRIPTION
Process the results of diagnostic DNS queries previously performed,
e.g., using dnsviz-probe(1), to assess the health of the associated
DNS deployments for one or more domain names specified. The results
of this processing are presented in textual output.
The source of the diagnostic query input is either a file specified
with -r or standard input.
Domain names to be processed may be passed either as command-line
arguments, in a file (using the -f option), or simply implied using
the diagnostic query input. The latter is the preferred methodology
(and the simplest) and is useful, except in cases where the input
contains diagnostic queries for multiple domain names, only a subset
of which are to be processed.
If -f is not used and no domain names are supplied on the command
line, then the domain names to be processed are extracted from the
diagnostic query input. If the -f option is used, then names may not
be specified on the command line.
The domain names passed as input are fully-qualified domain names,
such as example.com, www.example.com, _443._tcp.example.com,
1.2.0.192.in-addr.arpa, or 8.b.d.0.1.0.0.2.ip6.arpa. Because it is
implied that specified domain names are fully qualified, no trailing
dot is necessary.
The output is appropriate for terminal or text file output, using
colors (where supported by the terminal) and symbols to designate
status and errors in a loosely-defined textual format.
OPTIONS
-f, --names-file filename
Read names from a file (one name per line), instead of from
command line.
If this option is used, then names may not be specified on the
command line.
-r, --input-file filename
Read diagnostic query input from the specified file, instead
of from standard input.
-t, --trusted-keys-file filename
Use trusted keys from the specified file when processing
diagnostic queries. This overrides the default behavior of
using the installed keys for the root zone.
The format of this file is master zone file format and should
contain DNSKEY records that correspond to one more trusted
keys for one or more DNS zones.
This option may be used multiple times on the command line.
-S, --show-colors
Use terminal colors even if output is not a TTY or colors are
not supported. Normally dnsviz-print(1) detects terminal
capabilities and uses colors only where supported. This
option overrides this detection and always includes terminal
colors in the output.
-a, --algorithms alg[,alg...]
Support only the DNSSEC algorithms specified. If this option
is used, any algorithms not specified will appear as
"unsupported." The status of any RRSIG records corresponding
to unsupported algorithms will be unknown. Additionally, when
a zone has only DS records with unsupported algorithms, the
zone is treated as "insecure", assuming the DS records are
properly authenticated.
-d, --digest-algorithms digest_alg[,digest_alg...]
Support only the DNSSEC digest algorithms specified. If this
option is used, any digest algorithms not specified will
appear as "unsupported." The status of any DS records
corresponding to unsupported digest algorithms will be
unknown. Additionally, when a zone has only DS records with
unsupported digest algorithms, the zone is treated as
"insecure", assuming the DS records are properly
authenticated.
--ignore-rfc8624
Ignore errors associated with RFC 8624, DNSSEC algorithm
implementation requirements. RFC 8624 designates some DNSSEC
signing algorithms and some DS digest algorithms as prohibited
("MUST NOT") or not recommended for validation and/or signing.
If this option is used, then no warnings will be issued, and
the code will still assess their cryptographic status, rather
than ignoring them.
--ignore-rfc9276
Ignore errors associated with RFC 9276, NSEC3 parameter
settings. RFC 9276 specifies that if NSEC3 is used, the
iterations count must be 0 and the salt length must be 0. If
this option is used, then no warnings will be issued for NSEC3
records that violate this specification.
-C, --enforce-cookies
Enforce DNS cookies strictly. Require a server to return a
"BADCOOKIE" response when a query contains a COOKIE option
with no server cookie or with an invalid server cookie.
-P, --allow-private
Allow private IP addresses for authoritative DNS servers. By
default, if the IP address corresponding to an authoritative
server is in IP address space designated as "private", it is
flagged as an error. However, there are some cases where this
is allowed. For example, if the diagnostic queries are issued
to servers in an experimental environment, this might be
permissible.
--trust-cdnskey-cds
Trust all CDNSKEY and CDS records, even if they are not
"signed with a key that is represented in both the current
DNSKEY and DS RRsets" (RFC 7344). This is allowed if "the
Parent uses the CDS or CDNSKEY RRset for initial enrollment;
in that case, the Parent validates the CDS/CDNSKEY through
some other means" (RFC 7344). Because there is no way for
DNSViz to discover the out-of-band means with which the parent
might have validated the CDNSKEY and/or CDS records, this
trust is signaled with the use of the --trust-cdnskey-cds
command-line option.
--multi-signer
Don't issue errors for missing KSKs with DS RRs. Typically an
error is issued if a given DNSKEY is not found in the DNSKEY
RRset returned by one or more servers. If --multi-signer is
specified, then no error is issued, in the case that 1) the
DNSKEY is not signing any non-DNSKEY RRsets (i.e., is a zone-
signing key or ZSK) and 2) the DNSKEY corresponds to a DS
record in the parent. This corresponds to the Model 2 use
case in RFC 8901.
-R, --rr-types type[,type...]
Process queries of only the specified type(s) (e.g., A, AAAA).
The default is to process all types queried as part of the
diagnostic input.
-O, --derive-filename
Save the output to a file, whose name is derived from the
domain name.
If this option is used when the diagnostic queries of multiple
domain names are being processed, a file will be created for
each domain name processed.
-o, --output-file filename
Write the output to the specified file instead of to standard
output, which is the default.
If this option is used when the diagnostic queries of multiple
domain name are being processed, a single file (the one
specified) will be created, which will contain the collective
output for all domain names processed.
-h Display the usage and exit.
OUTPUT
The following is an example of the output:
. [.]
[.] DNSKEY: 8/1518/256 [.], 8/19036/257 [.]
[.] RRSIG: ./8/19036 (2015-08-20 - 2015-09-03) [.]
com [.] [.]
[.] DS: 8/30909/2 [.]
[.] RRSIG: ./8/1518 (2015-08-26 - 2015-09-05) [.]
[.] DNSKEY: 8/30909/257 [.], 8/35864/256 [.]
[.] RRSIG: com/8/30909 (2015-08-24 - 2015-08-31) [.]
example.com [.] [.]
[.] DS: 8/31406/1 [.], 8/31406/2 [.], 8/31589/1 [-], 8/31589/2 [-],
8/43547/1 [-], 8/43547/2 [-]
[.] RRSIG: com/8/35864 (2015-08-24 - 2015-08-31) [.]
[.] DNSKEY: 8/54108/256 [.], 8/31406/257 [.], 8/63870/256 [.]
[.] RRSIG: example.com/8/31406 (2015-08-24 - 2015-09-14) [.]
www.example.com
[.] A: 192.0.2.1
[.] RRSIG: example.com/8/31406 (2015-08-24 - 2015-09-14) [.]
non-existent.example.com
[.] A: NXDOMAIN
[.] SOA: sns.dns.icann.org. noc.dns.icann.org. 2015082401 7200
3600 1209600 3600
[.] RRSIG: example.com/8/54108 (2015-08-24 - 2015-09-14) [.]
[.] PROOF: [.]
[.] NSEC: example.com. www.example.com. A NS SOA TXT AAAA RRSIG
NSEC DNSKEY
[.] RRSIG: example.com/8/54108 (2015-08-21 - 2015-09-11) [.]
Domain Names
The output above is divided into several sections, each corresponding
to the domain name that starts the section (e.g., example.com).
Following the headers of names that correspond to zones are two sets
of characters, each within brackets. The characters within the first
set of brackets represent the status of the zone. The characters
within the second set of brackets represent the status of the
delegation (note that this second set of bracketed characters will
not be present for the root zone).
The first character within each set of brackets is one of the
following:
. secure zone or delegation
- insecure zone or delegation
! bogus zone or delegation
? lame or incomplete delegation
If there is a second character within the brackets, it represents the
following:
! errors are present
? warnings are present
For example, an insecure delegation with warnings is represented as:
[-?] And a secure delegation with no errors is shown as: [.]
Query Responses
The lines in each section, below the header, represent responses to
queries for that name from one or more servers. The bracketed
characters at the far left of each line represent the status of the
response or response component on the rest of the line. The first
character in the brackets represents the authentication status:
. secure
- insecure
! bogus
If there is a second character within the brackets, it represents the
following:
! errors are present
? warnings are present
For example, an insecure status with warnings is represented as: [-?]
And a secure status with no errors is shown as: [.]
The status of the response is followed by the type corresponding to
the query or response. For example, "A" means that data following is
in response to a query of type A (IPv4 address) for the name of the
corresponding section. When the response is positive (i.e., there is
data in the answer section), the corresponding data is shown on the
right (with some exceptions) as a comma-separated set of records
within the RRset. DNSKEY, DS, and RRSIG records show an abbreviated
format of their records, as follows:
DNSKEY:
<algorithm number>/<key tag>/<flags>
Example: 8/35864/256
DS: <algorithm number>/<key tag>/<digest type>
Example: 8/30909/2
RRSIG: <signer>/<algorithm number>/<key tag> (<inception> -
<expiration>)
Example: com/8/35864 (2015-08-24 - 2015-08-31)
Following each record within a DNSKEY, DS, or RRSIG response is a
bracketed set of characters, the first of which represents validity:
. valid
- indeterminate
! invalid/expired/premature
? indeterminate due to unknown algorithm
If there is a second character within the brackets, it represents the
following:
! errors are present
? warnings are present
For example, a DNSKEY with warnings is shown as: [.?] A DS
corresponding to a non-existent DNSKEY is represented as: [-].
RRSIGs are shown below the RRset they cover, indented from the RRset.
Negative Responses
If a response is negative, then the appropriate "NODATA" or
"NXDOMAIN" text is shown adjacent the type queried, e.g., "A:
NXDOMAIN". If there was an SOA record and/or NSEC(3) proof, then
they are listed below, indented from the query type.
The NSEC or NSEC3 records (and their RRSIGs) comprising a proof are
grouped by indentation under the title "PROOF" which is itself
indented under the negative response line. Following "PROOF" is a
bracketed set of characters with the same meaning as those used for
DS, DNSKEY, and RRSIG.
Errors and Warnings
Textual errors and warnings are listed below the response components
with which the issues are associated. Each error or warning is
listed on its own line and prefaced with "E:" or "W:", signifying
whether it is an error or warning, respectively.
EXIT CODES
The exit codes are:
0 Program terminated normally.
1 Incorrect usage.
2 Required package dependencies were not found.
3 There was an error processing the input or saving the output.
4 Program execution was interrupted, or an unknown error
occurred.
SEE ALSO
dnsviz(1), dnsviz-probe(1), dnsviz-grok(1), dnsviz-graph(1),
dnsviz-query(1)
0.11.1 21 April 2025 dnsviz-print(1)