Provided by: dnsviz_0.9.3-1_all bug

NAME

       dnsviz-print - print the assessment of diagnostic DNS queries

SYNOPSIS

       dnsviz print [ options ] [ domain_name... ]

DESCRIPTION

       Process  the  results  of diagnostic DNS queries previously performed, e.g., using dnsviz-
       probe(1), to assess the health of the associated DNS deployments for one  or  more  domain
       names specified.  The results of this processing are presented in textual output.

       The  source  of  the diagnostic query input is either a file specified with -r or standard
       input.

       Domain names to be processed may be passed either as command-line  arguments,  in  a  file
       (using  the -f option), or simply implied using the diagnostic query input.  The latter is
       the preferred methodology (and the simplest) and is useful,  except  in  cases  where  the
       input contains diagnostic queries for multiple domain names, only a subset of which are to
       be processed.

       If -f is not used and no domain names are supplied on the command line,  then  the  domain
       names  to be processed are extracted from the diagnostic query input.  If the -f option is
       used, then names may not be specified on the command line.

       The domain names passed as input are fully-qualified domain names,  such  as  example.com,
       www.example.com,         _443._tcp.example.com,         1.2.0.192.in-addr.arpa,         or
       8.b.d.0.1.0.0.2.ip6.arpa.  Because it is implied that specified  domain  names  are  fully
       qualified, no trailing dot is necessary.

       The  output is appropriate for terminal or text file output, using colors (where supported
       by the terminal) and symbols to designate status and errors in a  loosely-defined  textual
       format.

OPTIONS

       -f, --names-file filename
              Read names from a file (one name per line), instead of from command line.

              If this option is used, then names may not be specified on the command line.

       -r, --input-file filename
              Read  diagnostic  query  input  from  the  specified file, instead of from standard
              input.

       -t, --trusted-keys-file filename
              Use trusted keys from the specified file when processing diagnostic queries.   This
              overrides the default behavior of using the installed keys for the root zone.

              The  format  of  this  file  is  master  zone file format and should contain DNSKEY
              records that correspond to one more trusted keys for one or more DNS zones.

              This option may be used multiple times on the command line.

       -a, --algorithms alg[,alg...]
              Support only the  DNSSEC  algorithms  specified.   If  this  option  is  used,  any
              algorithms  not  specified  will  appear as "unsupported."  The status of any RRSIG
              records corresponding to unsupported algorithms  will  be  unknown.   Additionally,
              when a zone has only DS records with unsupported algorithms, the zone is treated as
              "insecure", assuming the DS records are properly authenticated.

       -d, --digest-algorithms digest_alg[,digest_alg...]
              Support only the DNSSEC digest algorithms specified.  If this option is  used,  any
              digest algorithms not specified will appear as "unsupported."  The status of any DS
              records  corresponding  to  unsupported  digest   algorithms   will   be   unknown.
              Additionally,  when  a zone has only DS records with unsupported digest algorithms,
              the  zone  is  treated  as  "insecure",  assuming  the  DS  records  are   properly
              authenticated.

       -b, --validate-prohibited-algs
              Validate  algorithms  for which validation is otherwise prohibited.  Current DNSSEC
              specification  prohibits  validators  from  validating  older,  weaker   algorithms
              associated with DNSKEY and DS records (see RFC 8624).  If this option is used, then
              a warning will be  still  be  issued  for  DNSSEC  records  that  use  these  older
              algorithms,  but the code will still assess their cryptographic status, rather than
              ignoring them.

       -C, --enforce-cookies
              Enforce DNS cookies strictly. Require a server to  return  a  "BADCOOKIE"  response
              when  a  query  contains  a  COOKIE option with no server cookie or with an invalid
              server cookie.

       -P, --allow-private
              Allow private IP addresses for authoritative DNS servers.  By default,  if  the  IP
              address  corresponding to an authoritative server is in IP address space designated
              as "private", it is flagged as an error.  However, there are some cases where  this
              is  allowed.   For  example,  if the diagnostic queries are issued to servers in an
              experimental environment, this might be permissible.

       -R, --rr-types type[,type...]
              Process queries of only the specified type(s) (e.g., A, AAAA).  The default  is  to
              process all types queried as part of the diagnostic input.

       -O, --derive-filename
              Save the output to a file, whose name is derived from the domain name.

              If  this  option  is  used when the diagnostic queries of multiple domain names are
              being processed, a file will be created for each domain name processed.

       -o, --output-file filename
              Write the output to the specified file instead of to standard output, which is  the
              default.

              If  this  option  is  used  when the diagnostic queries of multiple domain name are
              being processed, a single file (the one specified)  will  be  created,  which  will
              contain the collective output for all domain names processed.

       -h     Display the usage and exit.

OUTPUT

       The following is an example of the output:

       . [.]
       [.]  DNSKEY: 8/1518/256 [.], 8/19036/257 [.]
       [.]    RRSIG: ./8/19036 (2015-08-20 - 2015-09-03) [.]
       com [.] [.]
       [.]  DS: 8/30909/2 [.]
       [.]    RRSIG: ./8/1518 (2015-08-26 - 2015-09-05) [.]
       [.]  DNSKEY: 8/30909/257 [.], 8/35864/256 [.]
       [.]    RRSIG: com/8/30909 (2015-08-24 - 2015-08-31) [.]
       example.com [.] [.]
       [.]   DS:  8/31406/1  [.],  8/31406/2  [.],  8/31589/1  [-], 8/31589/2 [-], 8/43547/1 [-],
       8/43547/2 [-]
       [.]    RRSIG: com/8/35864 (2015-08-24 - 2015-08-31) [.]
       [.]  DNSKEY: 8/54108/256 [.], 8/31406/257 [.], 8/63870/256 [.]
       [.]    RRSIG: example.com/8/31406 (2015-08-24 - 2015-09-14) [.]
       www.example.com
       [.]  A: 192.0.2.1
       [.]    RRSIG: example.com/8/31406 (2015-08-24 - 2015-09-14) [.]
       non-existent.example.com
       [.]  A: NXDOMAIN
       [.]    SOA: sns.dns.icann.org. noc.dns.icann.org. 2015082401 7200 3600 1209600 3600
       [.]      RRSIG: example.com/8/54108 (2015-08-24 - 2015-09-14) [.]
       [.]    PROOF:  [.]
       [.]      NSEC: example.com. www.example.com. A NS SOA TXT AAAA RRSIG NSEC DNSKEY
       [.]        RRSIG: example.com/8/54108 (2015-08-21 - 2015-09-11) [.]

   Domain Names
       The output above is divided into several sections, each corresponding to the  domain  name
       that  starts  the  section  (e.g.,  example.com).   Following  the  headers  of names that
       correspond to zones are two sets of characters,  each  within  brackets.   The  characters
       within  the first set of brackets represent the status of the zone.  The characters within
       the second set of brackets represent the status of the delegation (note that  this  second
       set of bracketed characters will not be present for the root zone).

       The first character within each set of brackets is one of the following:

       .      secure zone or delegation

       -      insecure zone or delegation

       !      bogus zone or delegation

       ?      lame or incomplete delegation

       If there is a second character within the brackets, it represents the following:

       !      errors are present

       ?      warnings are present

       For  example,  an  insecure delegation with warnings is represented as: [-?]  And a secure
       delegation with no errors is shown as: [.]

   Query Responses
       The lines in each section, below the header, represent responses to queries for that  name
       from one or more servers.  The bracketed characters at the far left of each line represent
       the status of the response or response component on the  rest  of  the  line.   The  first
       character in the brackets represents the authentication status:

       .      secure

       -      insecure

       !      bogus

       If there is a second character within the brackets, it represents the following:

       !      errors are present

       ?      warnings are present

       For example, an insecure status with warnings is represented as: [-?]  And a secure status
       with no errors is shown as: [.]

       The status of the response is followed by the type corresponding to the query or response.
       For  example,  "A"  means  that  data  following is in response to a query of type A (IPv4
       address) for the name of the corresponding section.  When the response is positive  (i.e.,
       there  is  data in the answer section), the corresponding data is shown on the right (with
       some exceptions) as a comma-separated set of records within the RRset.   DNSKEY,  DS,  and
       RRSIG records show an abbreviated format of their records, as follows:

       DNSKEY:
              <algorithm number>/<key tag>/<flags>

              Example: 8/35864/256

       DS:    <algorithm number>/<key tag>/<digest type>

              Example: 8/30909/2

       RRSIG: <signer>/<algorithm number>/<key tag> (<inception> - <expiration>)

              Example: com/8/35864 (2015-08-24 - 2015-08-31)

       Following  each  record  within  a  DNSKEY,  DS,  or  RRSIG response is a bracketed set of
       characters, the first of which represents validity:

       .      valid

       -      indeterminate

       !      invalid/expired/premature

       ?      indeterminate due to unknown algorithm

       If there is a second character within the brackets, it represents the following:

       !      errors are present

       ?      warnings are present

       For example, a DNSKEY with warnings is shown as:  [.?]   A  DS  corresponding  to  a  non-
       existent DNSKEY is represented as: [-].

       RRSIGs are shown below the RRset they cover, indented from the RRset.

   Negative Responses
       If  a  response  is  negative,  then  the appropriate "NODATA" or "NXDOMAIN" text is shown
       adjacent the type queried, e.g., "A: NXDOMDAIN".   If  there  was  an  SOA  record  and/or
       NSEC(3) proof, then they are listed below, indented from the query type.

       The NSEC or NSEC3 records (and their RRSIGs) comprising a proof are grouped by indentation
       under the title "PROOF" which  is  itself  indented  under  the  negative  response  line.
       Following "PROOF" is a bracketed set of characters with the same meaning as those used for
       DS, DNSKEY, and RRSIG.

   Errors and Warnings
       Textual errors and warnings are listed below the response components with which the issues
       are associated.  Each error or warning is listed on its own line and prefaced with "E:" or
       "W:", signifying whether it is an error or warning, respectively.

EXIT CODES

       The exit codes are:

       0      Program terminated normally.

       1      Incorrect usage.

       2      Required package dependencies were not found.

       3      There was an error processing the input or saving the output.

       4      Program execution was interrupted, or an unknown error occurred.

SEE ALSO

       dnsviz(1), dnsviz-probe(1), dnsviz-grok(1), dnsviz-graph(1), dnsviz-query(1)