Provided by: dnsviz_0.8.0-1.1_all bug


       dnsviz-print - print the assessment of diagnostic DNS queries


       dnsviz print [ options ] [ domain_name... ]


       Process  the  results  of diagnostic DNS queries previously performed, e.g., using dnsviz-
       probe(1), to assess the health of the associated DNS deployments for one  or  more  domain
       names specified.  The results of this processing are presented in textual output.

       The  source  of  the diagnostic query input is either a file specified with -r or standard

       Domain names to be processed may be passed either as command-line  arguments,  in  a  file
       (using  the -f option), or simply implied using the diagnostic query input.  The latter is
       the preferred methodology (and the simplest) and is useful,  except  in  cases  where  the
       input contains diagnostic queries for multiple domain names, only a subset of which are to
       be processed.

       If -f is not used and no domain names are supplied on the command line,  then  the  domain
       names  to be processed are extracted from the diagnostic query input.  If the -f option is
       used, then names may not be specified on the command line.

       The domain names passed as input are fully-qualified domain names,  such  as,,,,         or  Because it is implied that specified  domain  names  are  fully
       qualified, no trailing dot is necessary.

       The  output is appropriate for terminal or text file output, using colors (where supported
       by the terminal) and symbols to designate status and errors in a  loosely-defined  textual


       -f filename
              Read names from a file (one name per line), instead of from command line.

              If this option is used, then names may not be specified on the command line.

       -r filename
              Read  diagnostic  query  input  from  the  specified file, instead of from standard

       -t filename
              Use trusted keys from the specified file when processing diagnostic queries.   This
              overrides the default behavior of using the installed keys for the root zone.

              The  format  of  this  file  is  master  zone file format and should contain DNSKEY
              records that correspond to one more trusted keys for one or more DNS zones.

              This option may be used multiple times on the command line.

       -C     Enforce DNS cookies strictly. Require a server to  return  a  "BADCOOKIE"  response
              when  a  query  contains  a  COOKIE option with no server cookie or with an invalid
              server cookie.

       -R type[,type...]
              Process queries of only the specified type(s) (e.g., A, AAAA).  The default  is  to
              process all types queried as part of the diagnostic input.

       -O     Save the output to a file, whose name is derived from the domain name.

              If  this  option  is  used when the diagnostic queries of multiple domain names are
              being processed, a file will be created for each domain name processed.

       -o filename
              Write the output to the specified file instead of to standard output, which is  the

              If  this  option  is  used  when the diagnostic queries of multiple domain name are
              being processed, a single file (the one specified)  will  be  created,  which  will
              contain the collective output for all domain names processed.

       -h     Display the usage and exit.


       The following is an example of the output:

       . [.]
       [.]  DNSKEY: 8/1518/256 [.], 8/19036/257 [.]
       [.]    RRSIG: ./8/19036 (2015-08-20 - 2015-09-03) [.]
       com [.] [.]
       [.]  DS: 8/30909/2 [.]
       [.]    RRSIG: ./8/1518 (2015-08-26 - 2015-09-05) [.]
       [.]  DNSKEY: 8/30909/257 [.], 8/35864/256 [.]
       [.]    RRSIG: com/8/30909 (2015-08-24 - 2015-08-31) [.] [.] [.]
       [.]   DS:  8/31406/1  [.],  8/31406/2  [.],  8/31589/1  [-], 8/31589/2 [-], 8/43547/1 [-],
       8/43547/2 [-]
       [.]    RRSIG: com/8/35864 (2015-08-24 - 2015-08-31) [.]
       [.]  DNSKEY: 8/54108/256 [.], 8/31406/257 [.], 8/63870/256 [.]
       [.]    RRSIG: (2015-08-24 - 2015-09-14) [.]
       [.]  A:
       [.]    RRSIG: (2015-08-24 - 2015-09-14) [.]
       [.]  A: NXDOMAIN
       [.]    SOA: 2015082401 7200 3600 1209600 3600
       [.]      RRSIG: (2015-08-24 - 2015-09-14) [.]
       [.]    PROOF:  [.]
       [.]        RRSIG: (2015-08-21 - 2015-09-11) [.]

   Domain Names
       The output above is divided into several sections, each corresponding to the  domain  name
       that  starts  the  section  (e.g.,   Following  the  headers  of names that
       correspond to zones are two sets of characters,  each  within  brackets.   The  characters
       within  the first set of brackets represent the status of the zone.  The characters within
       the second set of brackets represent the status of the delegation (note that  this  second
       set of bracketed characters will not be present for the root zone).

       The first character within each set of brackets is one of the following:

       .      secure zone or delegation

       -      insecure zone or delegation

       !      bogus zone or delegation

       ?      lame or incomplete delegation

       If there is a second character within the brackets, it represents the following:

       !      errors are present

       ?      warnings are present

       For  example,  an  insecure delegation with warnings is represented as: [-?]  And a secure
       delegation with no errors is shown as: [.]

   Query Responses
       The lines in each section, below the header, represent responses to queries for that  name
       from one or more servers.  The bracketed characters at the far left of each line represent
       the status of the response or response component on the  rest  of  the  line.   The  first
       character in the brackets represents the authentication status:

       .      secure

       -      insecure

       !      bogus

       If there is a second character within the brackets, it represents the following:

       !      errors are present

       ?      warnings are present

       For example, an insecure status with warnings is represented as: [-?]  And a secure status
       with no errors is shown as: [.]

       The status of the response is followed by the type corresponding to the query or response.
       For  example,  "A"  means  that  data  following is in response to a query of type A (IPv4
       address) for the name of the corresponding section.  When the response is positive  (i.e.,
       there  is  data in the answer section), the corresponding data is shown on the right (with
       some exceptions) as a comma-separated set of records within the RRset.   DNSKEY,  DS,  and
       RRSIG records show an abbreviated format of their records, as follows:

              <algorithm number>/<key tag>/<flags>

              Example: 8/35864/256

       DS:    <algorithm number>/<key tag>/<digest type>

              Example: 8/30909/2

       RRSIG: <signer>/<algorithm number>/<key tag> (<inception> - <expiration>)

              Example: com/8/35864 (2015-08-24 - 2015-08-31)

       Following  each  record  within  a  DNSKEY,  DS,  or  RRSIG response is a bracketed set of
       characters, the first of which represents validity:

       .      valid

       -      indeterminate

       !      invalid/expired/premature

       ?      indeterminate due to unknown algorithm

       If there is a second character within the brackets, it represents the following:

       !      errors are present

       ?      warnings are present

       For example, a DNSKEY with warnings is shown as:  [.?]   A  DS  corresponding  to  a  non-
       existent DNSKEY is represented as: [-].

       RRSIGs are shown below the RRset they cover, indented from the RRset.

   Negative Responses
       If  a  response  is  negative,  then  the appropriate "NODATA" or "NXDOMAIN" text is shown
       adjacent the type queried, e.g., "A: NXDOMDAIN".   If  there  was  an  SOA  record  and/or
       NSEC(3) proof, then they are listed below, indented from the query type.

       The NSEC or NSEC3 records (and their RRSIGs) comprising a proof are grouped by indentation
       under the title "PROOF" which  is  itself  indented  under  the  negative  response  line.
       Following "PROOF" is a bracketed set of characters with the same meaning as those used for
       DS, DNSKEY, and RRSIG.

   Errors and Warnings
       Textual errors and warnings are listed below the response components with which the issues
       are associated.  Each error or warning is listed on its own line and prefaced with "E:" or
       "W:", signifying whether it is an error or warning, respectively.


       The exit codes are:

       0      Program terminated normally.

       1      Incorrect usage.

       2      Required package dependencies were not found.

       3      There was an error processing the input or saving the output.

       4      Program execution was interrupted, or an unknown error occurred.


       dnsviz(1), dnsviz-probe(1), dnsviz-grok(1), dnsviz-graph(1), dnsviz-query(1)