DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.16.tuxcare.els4 <<>>
Where:  domain is in the Domain Name System
        q-class is one of (in,hs,ch,...) [default: in]
        q-type is one of (a,any,mx,ns,soa,hinfo,axfr,txt,...) [default:a]
                (Use ixfr=version for type ixfr)
        q-opt is one of:
                -4 (use IPv4 query transport only)
                -6 (use IPv6 query transport only)
                -b address[#port] (bind to source address/port)
                -c class (specify query class)
                -f filename (batch mode)
                -i (use IP6.INT for IPv6 reverse lookups)
                -k keyfile (specify tsig key file)
                -m (enable memory usage debugging)
                -p port (specify port number)
                -q name (specify query name)
                -t type (specify query type)
                -u (display times in usec instead of msec)
                -x dot-notation (shortcut for reverse lookups)
                -y [hmac:]name:key (specify named base64 tsig key)
        d-opt is of the form +keyword[=value], where keyword is:
                +[no]aaflag (Set AA flag in query (+[no]aaflag))
                +[no]aaonly (Set AA flag in query (+[no]aaflag))
                +[no]additional (Control display of additional section)
                +[no]adflag (Set AD flag in query (default on))
                +[no]all (Set or clear all display flags)
                +[no]answer (Control display of answer section)
                +[no]authority (Control display of authority section)
                +[no]badcookie (Retry BADCOOKIE responses)
                +[no]besteffort (Try to parse even illegal messages)
                +bufsize=### (Set EDNS0 Max UDP packet size)
                +[no]cdflag (Set checking disabled flag in query)
                +[no]class (Control display of class in records)
                +[no]cmd (Control display of command line)
                +[no]comments (Control display of comment lines)
                +[no]cookie (Add a COOKIE option to the request)
                +[no]crypto (Control display of cryptographic fields in records)
                +[no]defname (Use search list (+[no]search))
                +[no]dnssec (Request DNSSEC records)
                +domain=### (Set default domainname)
                +[no]dscp[=###] (Set the DSCP value to ### [0..63])
                +[no]edns[=###] (Set EDNS version) [0]
                +ednsflags=### (Set EDNS flag bits)
                +[no]ednsnegotiation (Set EDNS version negotiation)
                +ednsopt=###[:value] (Send specified EDNS option)
                +noednsopt (Clear list of +ednsopt options)
                +[no]expire (Request time to expire)
                +[no]fail (Don't try next server on SERVFAIL)
                +[no]header-only (Send query without a question section)
                +[no]identify (ID responders in short answers)
                +[no]idnin (Parse IDN names)
                +[no]idnout (Convert IDN response)
                +[no]ignore (Don't revert to TCP for TC responses.)
                +[no]keepopen (Keep the TCP socket open between queries)
                +[no]mapped (Allow mapped IPv4 over IPv6)
                +[no]multiline (Print records in an expanded format)
                +ndots=### (Set search NDOTS value)
                +[no]nsid (Request Name Server ID)
                +[no]nssearch (Search all authoritative nameservers)
                +[no]onesoa (AXFR prints only one soa record)
                +[no]opcode=### (Set the opcode of the request)
                +[no]qr (Print question before sending)
                +[no]question (Control display of question section)
                +[no]rdflag (Recursive mode (+[no]recurse))
                +[no]recurse (Recursive mode (+[no]rdflag))
                +retry=### (Set number of UDP retries) [2]
                +[no]rrcomments (Control display of per-record comments)
                +[no]search (Set whether to use searchlist)
                +[no]short (Display nothing except short form of answer)
                +[no]showsearch (Search with intermediate results)
                +[no]sigchase (Chase DNSSEC signatures)
                +[no]split=## (Split hex/base64 fields into chunks)
                +[no]stats (Control display of statistics)
                +subnet=addr (Set edns-client-subnet option)
                +[no]tcp (TCP mode (+[no]vc))
                +timeout=### (Set query timeout) [5]
                +[no]topdown (Do +sigchase in top-down mode)
                +[no]trace (Trace delegation down from root [+dnssec])
                +trusted-key=#### (Trusted Key to use with +sigchase)
                +tries=### (Set number of UDP attempts) [3]
                +[no]ttlid (Control display of ttls in records)
                +[no]ttlunits (Display TTLs in human-readable units)
                +[no]unknownformat (Print RDATA in RFC 3597 "unknown" format)
                +[no]vc (TCP mode (+[no]tcp))
                +[no]zflag (Set Z flag in query)
        global d-opts and servers (before host name) affect all queries.
        local d-opts and servers (after host name) affect only that lookup.
        -h (print help and exit)
        -v (print version and exit)

DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.16.tuxcare.els4
;; Warning, extra class option
;; Warning, ignoring invalid class %s
;; Warning, extra type option
;; Warning, ignoring invalid type %s
couldn't get address for '%s': %s: skipping lookup
ednsopt no code point specified
;; Warning, split must be a multiple of 4; adjusting to %u
;; Warning, ixfr requires a serial number
couldn't open specified batch file
;; WARNING: .local is reserved for Multicast DNS
;; You are currently testing what happens when an mDNS query is leaked to DNS
;; ->>HEADER<<- opcode: %s, status: %s, id: %u
; QUERY: %u, ANSWER: %u, AUTHORITY: %u, ADDITIONAL: %u
;; WARNING: recursion requested but not available
;; WARNING: EDNS query returned status %s - retry with '%s+noedns'
;; WARNING: Message has %u extra byte%s at end
Query time: %ld msec
;; SERVER: %s(%s)
;; WHEN: %s
;; MSG SIZE rcvd: %u
can't find IPv4 networking
can't find IPv6 networking
Couldn't parse port number
invalid address %s
looking up %s
ixfr=
Couldn't parse serial number
Invalid IP address %s
Invalid option: -%s
no valid addresses for '%s'
;; Invalid option %s %s
;; Sending:
;; Got answer:
;; flags: qr aa tc rd ra ad cd; MBZ: 0x4 in %llu us. in %llu ms.
only one of -4 and -6 allowed
IQUERY STATUS RESERVED3 NOTIFY UPDATE RESERVED6 RESERVED7 RESERVED8 RESERVED9 RESERVED10 RESERVED11 RESERVED12 RESERVED13 RESERVED14 RESERVED15
Warning: Client COOKIE mismatch
;; Warning: COOKIE bad token (too short)
couldn't get address for '%s': %s
invalid prefix length in '%s': %s
;; Warning, ignoring invalid TSIG algorithm %s
key must have algorithm and secret
;; Couldn't create key %s: bad algorithm
Couldn't read key from %s: %s
unable to generate cookie secret
can't find either v4 or v6 networking
convert textname to IDN encoding
convert origin to IDN encoding
'%s' is not in legal name syntax (%s)
couldn't get address for '%s': %s
Error in the queried type: %d
Launch a query to find a RRset of type
No trusted key, +sigchase option is disabled
isn't a subdomain of any Trusted Keys: +sigchase option is disabled
;; Skipping server %s, incompatible address family
;; Skipping mapped address '%s'
;; Connection to %s(%s) for %s failed: %s.
;; communications error to %s: %s
connection timed out; no servers could be reached
;; Ok, find a Trusted Key in the DNSKEY RRset: %d key
;; OK a DS valids a DNSKEY in the RRset
;; Now verify that this DNSKEY validates the DNSKEY RRset
;; This DS is NOT the DS for the chasing KEY: FAILED
Launch a query to find a RRset of type
;; NS RRset is missing to continue validation: FAILED
;; No Answers: Validation FAILED
;; RRSIG is missing for continue validation: FAILED
;; RRSIG of the RRset to chase:
;; DNSKEY is missing to continue validation: FAILED
;; DNSKEYset that signs the RRset to chase:
;; RRSIG for DNSKEY is missing to continue validation : FAILED
RRSIG of the DNSKEYset that signs the RRset to chase:
;; WARNING There is no DS for the zone:
;; WARNING : NO RRSIG DS : RRSIG DS should come with DS
;; RRSIG of the DSset of the DNSKEYset
;; nothing in authority section : impossible to validate the non-existence : FAILED
There is a NSEC for this zone in the AUTHORITY section:
;; no RRSIG NSEC in authority section: impossible to validate the non-existence: FAILED
OK the NSEC said that the type doesn't exist
There isn't RRSIG NSEC for the zone
We want to prove the non-existence of a type of rdata %d or of the zone:
We have a NSEC for this zone : OK
prove_nx: OK type does not exist
there is no NSEC for this zone: validating that the zone doesn't exist
no answer or authority section
no response but there is a delegation in authority section:
no response and no delegation in authority section but a reference to:
;; RRSIG of DNSKEY is missing to continue validation: FAILED
chain of trust can't be validated: FAILED
;; RRset is missing to continue validation SHOULD NOT APPEND: FAILED
;; RRSIG is missing to continue validation SHOULD NOT APPEND: FAILED
;; We are in a Grand Father Problem: See 2.2.1 in RFC 3658
;; and we try to continue chain of trust validation of the zone:
;; NSset is missing to continue validation: FAILED
;; DSset is missing to continue validation: FAILED
;; Impossible to verify the DSset: FAILED
;; Impossible to verify the non-existence, the NSEC RRset can't be validated: FAILED
;; Impossible to verify the NSEC RR to prove the non-existence : FAILED
;; Impossible to verify the non-existence: FAILED
;; OK the query doesn't have response but we have validate this fact : SUCCESS
;; RRsig of RRset is missing to continue validation SHOULD NOT APPEND: FAILED
;; Impossible to verify the RRset : FAILED
;; FINISH : we have validate the DNSSEC chain of trust: SUCCESS
;; Impossible to verify the Non-existence, the NSEC RRset can't be validated: FAILED
No Answers and impossible to prove the unsecurity : Validation FAILED
An NSEC prove the non-existence of a answers, Now we want validate this NSEC
;; WE HAVE MATERIAL, WE NOW DO VALIDATION
;; No DNSKEY is valid to check the RRSIG of the RRset: FAILED
;; OK We found DNSKEY (or more) to validate the RRset
;; Ok this DNSKEY is a Trusted Key, DNSSEC validation is ok: SUCCESS
;; Now, we are going to validate this DNSKEY by the DS
;; the DNSKEY isn't trusted-key and there isn't DS to validate the DNSKEY: FAILED
;; ERROR no DS validates a DNSKEY in the DNSKEY RRset: FAILED
;; OK this DNSKEY (validated by the DS) validates the RRset of the DNSKEYs, thus the DNSKEY validates the RRset
;; Now, we want to validate the DS : recursive call
;; reply from unexpected source: %s, expected %s
;; %s: ID mismatch: expected ID %u, got %u
;; ERROR: short (< header size) message
Warning: ID mismatch: expected ID %u, got %u
;; Warning: short (< header size) message received
;; Warning: query response not set
;; Warning: Message parser reports malformed message packet.
;; Question section mismatch: got %s/%s/%s
;; BADVERS, retrying with EDNS version %u.
;; Truncated, retrying in TCP mode.
;; Got %s from %s, trying next server
;; Couldn't verify signature: %s
;; expected opt record in response
Memory allocation failure in %s:%d
; Transfer failed. Didn't start with SOA answer.
invalid %s '%s': %s
%s: out of memory
Got %s in recv cancel handler
;; communications error: %s
getting initial query
;; Got bad packet: %s
%u bytes %02x
;; BADCOOKIE, retrying%s.
after parse
got an SOA
this is the first serial %u
got up to date response
doing axfr, got second SOA
doing ixfr, got empty zone
this is the second serial %u
got a match for ixfr
done with ixfr
meaningless soa %u
NSID DAU DHU N3U ECS EXPIRE COOKIE KEEPALIVE PADDING PADCHAIN KEY-TAG DEVICEID