Provided by: dnsviz_0.6.6-1_all 
NAME
dnsviz-print - print the assessment of diagnostic DNS queries
SYNOPSIS
dnsviz print [ options ] [ domain_name... ]
DESCRIPTION
Process the results of diagnostic DNS queries previously performed, e.g., using dnsviz-
probe(1), to assess the health of the associated DNS deployments for one or more domain
names specified. The results of this processing are presented in textual output.
The source of the diagnostic query input is either a file specified with -r or standard
input.
Domain names to be processed may be passed either as command-line arguments, in a file
(using the -f option), or simply implied using the diagnostic query input. The latter is
the preferred methodology (and the simplest) and is useful, except in cases where the
input contains diagnostic queries for multiple domain names, only a subset of which are to
be processed.
If -f is not used and no domain names are supplied on the command line, then the domain
names to be processed are extracted from the diagnostic query input. If the -f option is
used, then names may not be specified on the command line.
The domain names passed as input are fully-qualified domain names, such as example.com,
www.example.com, _443._tcp.example.com, 1.2.0.192.in-addr.arpa, or
8.b.d.0.1.0.0.2.ip6.arpa. Because it is implied that specified domain names are fully
qualified, no trailing dot is necessary.
The output is appropriate for terminal or text file output, using colors (where supported
by the terminal) and symbols to designate status and errors in a loosely-defined textual
format.
OPTIONS
-f filename
Read names from a file (one name per line), instead of from command line.
If this option is used, then names may not be specified on the command line.
-r filename
Read diagnostic query input from the specified file, instead of from standard
input.
-t filename
Specify a file that contains trusted keys for processing diagnostic queries. This
overrides the default behavior of using the built-in keys for the root zone.
The format of this file is master zone file format and should contain DNSKEY
records that correspond to one more trusted keys for one or more DNS zones.
This option may be used multiple times on the command line.
-R type[,type...]
Process queries of only the specified type(s) (e.g., A, AAAA). The default is to
process all types queried as part of the diagnostic input.
-O Save the output to a file, whose name is derived from the domain name.
If this option is used when the diagnostic queries of multiple domain names are
being processed, a file will be created for each domain name processed.
-o filename
Write the output to the specified file instead of to standard output, which is the
default.
If this option is used when the diagnostic queries of multiple domain name are
being processed, a single file (the one specified) will be created, which will
contain the collective output for all domain names processed.
-h Display the usage and exit.
OUTPUT
The following is an example of the output:
. [.]
[.] DNSKEY: 8/1518/256 [.], 8/19036/257 [.]
[.] RRSIG: ./8/19036 (2015-08-20 - 2015-09-03) [.]
com [.] [.]
[.] DS: 8/30909/2 [.]
[.] RRSIG: ./8/1518 (2015-08-26 - 2015-09-05) [.]
[.] DNSKEY: 8/30909/257 [.], 8/35864/256 [.]
[.] RRSIG: com/8/30909 (2015-08-24 - 2015-08-31) [.]
example.com [.] [.]
[.] DS: 8/31406/1 [.], 8/31406/2 [.], 8/31589/1 [-], 8/31589/2 [-], 8/43547/1 [-],
8/43547/2 [-]
[.] RRSIG: com/8/35864 (2015-08-24 - 2015-08-31) [.]
[.] DNSKEY: 8/54108/256 [.], 8/31406/257 [.], 8/63870/256 [.]
[.] RRSIG: example.com/8/31406 (2015-08-24 - 2015-09-14) [.]
www.example.com
[.] A: 192.0.2.1
[.] RRSIG: example.com/8/31406 (2015-08-24 - 2015-09-14) [.]
non-existent.example.com
[.] A: NXDOMAIN
[.] SOA: sns.dns.icann.org. noc.dns.icann.org. 2015082401 7200 3600 1209600 3600
[.] RRSIG: example.com/8/54108 (2015-08-24 - 2015-09-14) [.]
[.] PROOF: [.]
[.] NSEC: example.com. www.example.com. A NS SOA TXT AAAA RRSIG NSEC DNSKEY
[.] RRSIG: example.com/8/54108 (2015-08-21 - 2015-09-11) [.]
Domain Names
The output above is divided into several sections, each corresponding to the domain name
that starts the section (e.g., example.com). Following the headers of names that
correspond to zones are two sets of characters, each within brackets. The characters
within the first set of brackets represent the status of the zone. The characters within
the second set of brackets represent the status of the delegation (note that this second
set of bracketed characters will not be present for the root zone).
The first character within each set of brackets is one of the following:
. secure zone or delegation
- insecure zone or delegation
! bogus zone or delegation
? lame or incomplete delegation
If there is a second character within the brackets, it represents the following:
! errors are present
? warnings are present
For example, an insecure delegation with warnings is represented as: [-?] And a secure
delegation with no errors is shown as: [.]
Query Responses
The lines in each section, below the header, represent responses to queries for that name
from one or more servers. The bracketed characters at the far left of each line represent
the status of the response or response component on the rest of the line. The first
character in the brackets represents the authentication status:
. secure
- insecure
! bogus
If there is a second character within the brackets, it represents the following:
! errors are present
? warnings are present
For example, an insecure status with warnings is represented as: [-?] And a secure status
with no errors is shown as: [.]
The status of the response is followed by the type corresponding to the query or response.
For example, "A" means that data following is in response to a query of type A (IPv4
address) for the name of the corresponding section. When the response is positive (i.e.,
there is data in the answer section), the corresponding data is shown on the right (with
some exceptions) as a comma-separated set of records within the RRset. DNSKEY, DS, and
RRSIG records show an abbreviated format of their records, as follows:
DNSKEY:
<algorithm number>/<key tag>/<flags>
Example: 8/35864/256
DS: <algorithm number>/<key tag>/<digest type>
Example: 8/30909/2
RRSIG: <signer>/<algorithm number>/<key tag> (<inception> - <expiration>)
Example: com/8/35864 (2015-08-24 - 2015-08-31)
Following each record within a DNSKEY, DS, or RRSIG response is a bracketed set of
characters, the first of which represents validity:
. valid
- indeterminate
! invalid/expired/premature
? indeterminate due to unknown algorithm
If there is a second character within the brackets, it represents the following:
! errors are present
? warnings are present
For example, a DNSKEY with warnings is shown as: [.?] A DS corresponding to a non-
existent DNSKEY is represented as: [-].
RRSIGs are shown below the RRset they cover, indented from the RRset.
Negative Responses
If a response is negative, then the appropriate "NODATA" or "NXDOMAIN" text is shown
adjacent the type queried, e.g., "A: NXDOMDAIN". If there was an SOA record and/or
NSEC(3) proof, then they are listed below, indented from the query type.
The NSEC or NSEC3 records (and their RRSIGs) comprising a proof are grouped by indentation
under the title "PROOF" which is itself indented under the negative response line.
Following "PROOF" is a bracketed set of characters with the same meaning as those used for
DS, DNSKEY, and RRSIG.
Errors and Warnings
Textual errors and warnings are listed below the response components with which the issues
are associated. Each error or warning is listed on its own line and prefaced with "E:" or
"W:", signifying whether it is an error or warning, respectively.
EXIT CODES
The exit codes are:
0 Program terminated normally.
1 Incorrect usage.
2 Required package dependencies were not found.
3 There was an error processing the input or saving the output.
4 Program execution was interrupted, or an unknown error ocurred.
SEE ALSO
dnsviz(1), dnsviz-probe(1), dnsviz-grok(1), dnsviz-graph(1), dnsviz-query(1)