NAME

       dnsviz-grok - assess diagnostic DNS queries

SYNOPSIS

       dnsviz grok [ options ] [ domain_name... ]

DESCRIPTION

       Process  the  results  of diagnostic DNS queries previously performed, e.g., using dnsviz-
       probe(1), to assess the health of the associated DNS deployments for one  or  more  domain
       names  specified.   The  results  of  this  processing are serialized into JSON format for
       further programmatic diagnostics or alerts.

       The source of the diagnostic query input is either a file specified with  -r  or  standard
       input.

       Domain  names  to  be  processed may be passed either as command-line arguments, in a file
       (using the -f option), or simply implied using the diagnostic query input.  The latter  is
       the  preferred  methodology  (and  the  simplest) and is useful, except in cases where the
       input contains diagnostic queries for multiple domain names, only a subset of which are to
       be processed.

       If  -f  is  not used and no domain names are supplied on the command line, then the domain
       names to be processed are extracted from the diagnostic query input.  If the -f option  is
       used, then names may not be specified on the command line.

       The  domain  names  passed as input are fully-qualified domain names, such as example.com,
       www.example.com,         _443._tcp.example.com,         1.2.0.192.in-addr.arpa,         or
       8.b.d.0.1.0.0.2.ip6.arpa.   Because  it  is  implied that specified domain names are fully
       qualified, no trailing dot is necessary.

OPTIONS

       -f, --names-file filename
              Read names from a file (one name per line), instead of from command line.

              If this option is used, then names may not be specified on the command line.

       -r, --input-file filename
              Read diagnostic query input from the  specified  file,  instead  of  from  standard
              input.

       -t, --trusted-keys-file filename
              Use  trusted keys from the specified file when processing diagnostic queries.  This
              overrides the default behavior of using the installed keys for the root zone.

              The format of this file is master  zone  file  format  and  should  contain  DNSKEY
              records that correspond to one more trusted keys for one or more DNS zones.

              This option may be used multiple times on the command line.

       -a, --algorithms alg[,alg...]
              Support  only  the  DNSSEC  algorithms  specified.   If  this  option  is used, any
              algorithms not specified will appear as "unsupported."  The  status  of  any  RRSIG
              records  corresponding  to  unsupported  algorithms will be unknown.  Additionally,
              when a zone has only DS records with unsupported algorithms, the zone is treated as
              "insecure", assuming the DS records are properly authenticated.

       -d, --digest-algorithms digest_alg[,digest_alg...]
              Support  only  the DNSSEC digest algorithms specified.  If this option is used, any
              digest algorithms not specified will appear as "unsupported."  The status of any DS
              records   corresponding   to   unsupported   digest  algorithms  will  be  unknown.
              Additionally, when a zone has only DS records with unsupported  digest  algorithms,
              the   zone  is  treated  as  "insecure",  assuming  the  DS  records  are  properly
              authenticated.

       -b, --validate-prohibited-algs
              Validate algorithms for which validation is otherwise prohibited.   Current  DNSSEC
              specification   prohibits  validators  from  validating  older,  weaker  algorithms
              associated with DNSKEY and DS records (see RFC 8624).  If this option is used, then
              a  warning  will  be  still  be  issued  for  DNSSEC  records  that use these older
              algorithms, but the code will still assess their cryptographic status, rather  than
              ignoring them.

       -C, --enforce-cookies
              Enforce  DNS  cookies  strictly.  Require a server to return a "BADCOOKIE" response
              when a query contains a COOKIE option with no server  cookie  or  with  an  invalid
              server cookie.

       -P, --allow-private
              Allow  private  IP  addresses for authoritative DNS servers.  By default, if the IP
              address corresponding to an authoritative server is in IP address space  designated
              as  "private", it is flagged as an error.  However, there are some cases where this
              is allowed.  For example, if the diagnostic queries are issued  to  servers  in  an
              experimental environment, this might be permissible.

       -o, --output-file filename
              Write  the output to the specified file instead of to standard output, which is the
              default.

       -c, --minimize-output
              Format JSON output minimally  instead  of  "pretty"  (i.e.,  with  indentation  and
              newlines).

       -l, --log-level level
              Display only information at the specified log priority or higher.  Valid values (in
              increasing order of priority) are: "error", "warning", "info",  and  "debug".   The
              default is "debug".

       -h, --help
              Display the usage and exit.

EXIT CODES

       The exit codes are:

       0      Program terminated normally.

       1      Incorrect usage.

       2      Required package dependencies were not found.

       3      There was an error processing the input or saving the output.

       4      Program execution was interrupted, or an unknown error occurred.

SEE ALSO

       dnsviz(1), dnsviz-probe(1), dnsviz-graph(1), dnsviz-print(1), dnsviz-query(1)