1 .\" @(#)drill.1 1.7.0 14-Jul-2004 OF;
2 .TH drill 1 "28 May 2006"
4 drill \- get (debug) information out of DNS(SEC)
22 \fBdrill\fR is a tool to designed to get all sorts of information out of the
23 DNS. It is specificly designed to be used with DNSSEC.
25 The name \fBdrill\fR is a pun on \fBdig\fR. With \fBdrill\fR you should be able
26 get even more information than with \fBdig\fR.
28 If no arguments are given class defaults to 'IN' and type to 'A'. The
29 server(s) specified in /etc/resolv.conf are used to query against.
37 Send to query to this server. If not specified use the nameservers from
38 \fI/etc/resolv.conf\fR.
42 Ask for this RR type. If type is not given on the command line it defaults
43 to 'A'. Except when doing to reverse lookup when it defaults to 'PTR'.
47 Use this class when querying.
50 \fBdrill mx miek.nl\fR
51 Show the MX records of the domain miek.nl
54 \fBdrill -S jelte.nlnetlabs.nl\fR
55 Chase any signatures in the jelte.nlnetlab.nl domain. This option is
56 only available when ldns has been compiled with openssl-support.
59 \fBdrill -TD www.example.com\fR
60 Do a DNSSEC (-D) trace (-T) from the rootservers down to www.example.com.
61 This option only works when ldns has been compiled with openssl support.
64 \fBdrill -s dnskey jelte.nlnetlabs.nl\fR
65 Show the DNSKEY record(s) for jelte.nlnetlabs.nl. For each found DNSKEY
66 record also print the DS record.
72 Enable DNSSEC in the query. When querying for DNSSEC types (DNSKEY, RRSIG,
73 DS and NSEC) this is \fInot\fR automaticly enabled.
77 Trace \fIname\fR from the root down. When using this option the @server and
78 the type arguments are not used.
82 Chase the signature(s) of 'name' to a known key or as high up in
86 \fB\-I \fIIPv4 or IPv6 address\fR
87 Source address to query from. The source address has to be present
88 on an interface of the host running drill.
92 Be more verbose. Set level to 5 to see the actual query that is sent.
96 Quiet mode, this overrules -V.
100 Read the query from a file. The query must be dumped with -w.
104 read the answer from the file instead from the network. This aids
105 in debugging and can be used to check if a query on disk is valid.
106 If the file contains binary data it is assumed to be a query in
111 Write an answer packet to file.
115 Write the query packet to file.
119 Show drill's version.
123 Show a short help message.
129 Stay on ip4. Only send queries to ip4 enabled nameservers.
133 Stay on ip6. Only send queries to ip6 enabled nameservers.
137 Use the resolver structure's fallback mechanism if the answer
138 is truncated (TC=1). If a truncated packet is received and this
139 option is set, drill will first send a new query with EDNS0
142 If the EDNS0 buffer size was already set to 512+ bytes, or the
143 above retry also results in a truncated answer, the resolver
144 structure will fall back to TCP.
148 Use size as the buffer size in the EDNS0 pseudo RR.
152 Use file instead of /etc/resolv.conf for nameserver configuration.
156 When tracing (-T), start from this domain instead of the root.
160 Use TCP/IP when querying a server
164 Use this file to read a (trusted) key from. When this options is
165 given \fBdrill\fR tries to validate the current answer with this
166 key. No chasing is done. When \fBdrill\fR is doing a secure trace, this
167 key will be used as trust anchor. Can contain a DNSKEY or a DS record.
169 Alternatively, when DNSSEC enabled tracing (\fB-TD\fR) or signature
170 chasing (\fB-S\fR), if \fB-k\fR is not specified, and a default trust anchor
171 (/etc/unbound/root.key) exists and contains a valid DNSKEY or DS record,
172 it will be used as the trust anchor.
175 \fB\-o \fImnemonic\fR
176 Use this option to set or unset specific header bits. A bit is
177 set by using the bit mnemonic in CAPITAL letters. A bit is unset when
178 the mnemonic is given in lowercase. The following mnemonics are
179 understood by \fBdrill\fR:
181 QR, qr: set, unset QueRy (default: on)
182 AA, aa: set, unset Authoritative Answer (default: off)
183 TC, tc: set, unset TrunCated (default: off)
184 RD, rd: set, unset Recursion Desired (default: on)
185 CD, cd: set, unset Checking Disabled (default: off)
186 RA, ra: set, unset Recursion Available (default: off)
187 AD, ad: set, unset Authenticated Data (default: off)
189 Thus: \fB-o CD\fR, will enable Checking Disabled, which instructs the
190 cache to not validate the answers it gives out.
194 Use this port instead of the default of 53.
198 When tracing (-T), use file as a root servers hint file.
202 When encountering a DNSKEY print the equivalent DS also.
206 Use UDP when querying a server. This is the default.
210 write the answer to a file. The file will contain a hexadecimal dump
211 of the query. This can be used in conjunction with -f.
215 Do a reverse loopup. The type argument is not used, it is preset to PTR.
218 \fB\-y \fI<name:key[:algo]>\fR
219 specify named base64 tsig key, and optional an algorithm (defaults to hmac-md5.sig-alg.reg.int)
223 don't randomize the nameserver list before sending queries.
226 The exit status is 0 if the looked up answer is secure and trusted,
228 The exit status is not 0 if the looked up answer is untrusted or bogus,
229 or an error occurred while performing the lookup.
233 /etc/unbound/root.key
234 The file from which trusted keys are loaded when no \fB-k\fR option is given.
240 Jelte Jansen and Miek Gieben. Both of NLnet Labs.
243 Report bugs to <ldns-team@nlnetlabs.nl>.
248 Copyright (c) 2004-2008 NLnet Labs.
249 Licensed under the revised BSD license. There is NO warranty; not even for MERCHANTABILITY or
250 FITNESS FOR A PARTICULAR PURPOSE.
253 \fBdig\fR(1), \fIRFC403{3,4,5}\fR.