Linux and UNIX Man Pages

Linux & Unix Commands - Search Man Pages

unbound-host(1) [centos man page]

unbound-host(1) 						  unbound 1.4.20						   unbound-host(1)

NAME
unbound-host - unbound DNS lookup utility SYNOPSIS
unbound-host [-vdhr46] [-c class] [-t type] hostname [-y key] [-f keyfile] [-F namedkeyfile] [-C configfile] DESCRIPTION
Unbound-host uses the unbound validating resolver to query for the hostname and display results. With the -v option it displays validation status: secure, insecure, bogus (security failure). By default it reads no configuration file whatsoever. It attempts to reach the internet root servers. With -C an unbound config file and with -r resolv.conf can be read. The available options are: hostname This name is resolved (looked up in the DNS). If a IPv4 or IPv6 address is given, a reverse lookup is performed. -h Show the version and commandline option help. -v Enable verbose output and it shows validation results, on every line. Secure means that the NXDOMAIN (no such domain name), nodata (no such data) or positive data response validated correctly with one of the keys. Insecure means that that domain name has no security set up for it. Bogus (security failure) means that the response failed one or more checks, it is likely wrong, outdated, tampered with, or broken. -d Enable debug output to stderr. One -d shows what the resolver and validator are doing and may tell you what is going on. More times, -d -d, gives a lot of output, with every packet sent and received. -c class Specify the class to lookup for, the default is IN the internet class. -t type Specify the type of data to lookup. The default looks for IPv4, IPv6 and mail handler data, or domain name pointers for reverse queries. -y key Specify a public key to use as trust anchor. This is the base for a chain of trust that is built up from the trust anchor to the response, in order to validate the response message. Can be given as a DS or DNSKEY record. For example -y "example.com DS 31560 5 1 1CFED84787E6E19CCF9372C1187325972FE546CD". -f keyfile Reads keys from a file. Every line has a DS or DNSKEY record, in the format as for -y. The zone file format, the same as dig and drill produce. -F namedkeyfile Reads keys from a BIND-style named.conf file. Only the trusted-key {}; entries are read. -C configfile Uses the specified unbound.conf to prime libunbound(3). -r Read /etc/resolv.conf, and use the forward DNS servers from there (those could have been set by DHCP). More info in resolv.conf(5). Breaks validation if those servers do not support DNSSEC. -4 Use solely the IPv4 network for sending packets. -6 Use solely the IPv6 network for sending packets. EXAMPLES
Some examples of use. The keys shown below are fakes, thus a security failure is encountered. $ unbound-host www.example.com $ unbound-host -v -y "example.com DS 31560 5 1 1CFED84787E6E19CCF9372C1187325972FE546CD" www.example.com $ unbound-host -v -y "example.com DS 31560 5 1 1CFED84787E6E19CCF9372C1187325972FE546CD" 192.0.2.153 EXIT CODE
The unbound-host program exits with status code 1 on error, 0 on no error. The data may not be available on exit code 0, exit code 1 means the lookup encountered a fatal error. SEE ALSO
unbound.conf(5), unbound(8). NLnet Labs Mar 21, 2013 unbound-host(1)

Check Out this Related Man Page

ldns-verifyzone(1)					      General Commands Manual						ldns-verifyzone(1)

NAME
ldns-verify-zone - read a DNSSEC signed zone and verify it. SYNOPSIS
ldns-verify-zone ZONEFILE DESCRIPTION
ldns-verify-zone reads a DNS zone file and verifies it. RRSIG resource records are checked against the DNSKEY set at the zone apex. Each name is checked for an NSEC(3), if appropriate. OPTIONS
-h Show usage and exit -a Apex only, check only the zone apex -e period Signatures may not expire within this period. Default no period is used. -i period Signatures must have been valid at least this long. Default signatures should just be valid now. -k file A file that contains a trusted DNSKEY or DS rr. This option may be given more than once. Alternatively, if -k is not specified, and a default trust anchor (/var/lib/unbound/root.key) exists and contains a valid DNSKEY or DS record, it will be used as the trust anchor. -p [0-100] Only check this percentage of the zone. Which names to check is determined randomly. Defaults to 100. -S Chase signature(s) to a known key. The network may be accessed to validate the zone's DNSKEYs. (implies -k) -t YYYYMMDDhhmmss | [+|-]offset Set the validation time either by an absolute time value or as an offset in seconds from the current time. -v Show the version and exit -V number Set the verbosity level (default 3): 0: Be silent 1: Print result, and any errors 2: Same as 1 for now 3: Print result, any errors, and the names that are being checked 4: Same as 3 for now 5: Print the zone after it has been read, the result, any errors, and the names that are being checked periods are given in ISO 8601 duration format: P[n]Y[n]M[n]DT[n]H[n]M[n]S If no file is given standard input is read. FILES
/var/lib/unbound/root.key The file from which trusted keys are loaded for signature chasing, when no -k option is given. SEE ALSO
unbound-anchor(8) AUTHOR
Written by the ldns team as an example for ldns usage. REPORTING BUGS
Report bugs to <ldns-team@nlnetlabs.nl>. COPYRIGHT
Copyright (C) 2008 NLnet Labs. This is free software. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PUR- POSE. 27 May 2008 ldns-verifyzone(1)
Man Page