ISO8859-1w& 4%Sy*    K '9Qf"y(!+ /4,dJX "w!"%#%$%&/'&N(!u)*++, -!.!#/E0)c1+23 4 567892:/K; {<&=$>6?3@;<AFxB C0D9E)7FCaGCH9I>#J/bK/L&MQNE;O/PJQKR' HS< pT U1 V W1!X(!LY=!uZ6![&!\"]5"(^$"^_"`P"aF"bK#3c&#d:#e2#fA$g3$VhN$i;$jm%k2%lQ%m7&n-&@o.&npI&qP&r '8s'Yt 'tuF'v"'w'Invalid option: +%s ;; Warning, extra class option ;; Warning, ignoring invalid class %s ;; Warning, extra type option ;; Warning, ignoring invalid type %s Invalid IP address %s Invalid option: -%s ;; Warning, ixfr requires a serial number ;; Warning, extra type option ;; Warning, extra class option Usage: dig [@global-server] [domain] [q-type] [q-class] {q-opt} {global-d-opt} host [@local-server] {local-d-opt} [ host [@local-server] {local-d-opt} [...]] Use "dig -h" (or "dig -h | more") for complete list of options Where: domain is in the Domain Name System q-class is one of (in,hs,ch,...) [default: in] q-type is one of (a,any,mx,ns,soa,hinfo,axfr,txt,...) [default:a] (Use ixfr=version for type ixfr) q-opt is one of: -x dot-notation (shortcut for in-addr lookups) -i (IP6.INT reverse IPv6 lookups) -f filename (batch mode) -b address[#port] (bind to source address/port) -p port (specify port number) -q name (specify query name) -t type (specify query type) -c class (specify query class) -k keyfile (specify tsig key file) -y [hmac:]name:key (specify named base64 tsig key) -4 (use IPv4 query transport only) -6 (use IPv6 query transport only) d-opt is of the form +keyword[=value], where keyword is: +[no]vc (TCP mode) +[no]tcp (TCP mode, alternate syntax) +time=### (Set query timeout) [5] +tries=### (Set number of UDP attempts) [3] +retry=### (Set number of UDP retries) [2] +domain=### (Set default domainname) +bufsize=### (Set EDNS0 Max UDP packet size) +ndots=### (Set NDOTS value) +edns=### (Set EDNS version) +[no]search (Set whether to use searchlist) +[no]showsearch (Search with intermediate results) +[no]defname (Ditto) +[no]recurse (Recursive mode) +[no]ignore (Don't revert to TCP for TC responses.) +[no]fail (Don't try next server on SERVFAIL) +[no]besteffort (Try to parse even illegal messages) +[no]aaonly (Set AA flag in query) +[no]adflag (Set AD flag in query) +[no]cdflag (Set CD flag in query) +[no]cl (Control display of class in records) +[no]cmd (Control display of command line) +[no]comments (Control display of comment lines) +[no]question (Control display of question) +[no]answer (Control display of answer) +[no]authority (Control display of authority) +[no]additional (Control display of additional) +[no]stats (Control display of statistics) +[no]short (Disable everything except short form of answer) +[no]ttlid (Control display of ttls in records) +[no]all (Set or clear all display flags) +[no]qr (Print question before sending) +[no]nssearch (Search all authoritative nameservers) +[no]identify (ID responders in short answers) +[no]trace (Trace delegation down from root) +[no]dnssec (Request DNSSEC records) %s '%s' must be numeric%s '%s' out of rangeinvalid address %sCouldn't open specified batch fileWarning, ignoring invalid TSIG algorithmcouldn't get address for '%s': %sWARNING -- Some TSIG could not be validatedWARNING -- TSIG key was not used WARNING: recursion requested but not availableWARNING: Messages has %u extra byte%s at endcan't find IPv4 networkingWarning: invalid type: %sWarning: invalid class: %scan't find IPv4 networking +[no]sigchase (Chase DNSSEC signatures) +trusted-key=#### (Trusted Key when chasing DNSSEC sigs) +[no]topdown (Do DNSSEC validation top down mode) +[no]multiline (Print records in an expanded format) global d-opts and servers (before host name) affect all queries. local d-opts and servers (after host name) affect only that lookup. -h (print help and exit) -v (print version and exit) Couldn't read key from %s: %s Memory allocation failure in %s:%dToo many lookupscan't find either v4 or v6 networking'%s' is not in legal name syntax (%s)memory allocation failure'%s' is not a legal name (%s)Couldn't find server '%s': %s)Couldn't find server '%s' (h_errno=%d)couldn't get address for '%s': %smemory allocation failureadd_nameserver failedNo trusted key,+sigchase option is disabled BAD REFERRALcouldn't get address for '%s': %sidn api initialization failed: %sError in the queried type: %d Launch a query to find a RRset of type get_trusted_key(): trusted key not found %sNo trusted keyns name: %sns name: with nameservers: ERROR :is not a subdomain of:FAILEDNS RRset is missing to continue validation: FAILEDOk, find a Trusted Key in the DNSKEY RRset: %d VERIFYINGOops: impossible to build new DS rdataOK a DS valids a DNSKEY in the RRsetNow verify that this DNSKEY validates the DNSKEY RRset This DS is NOT the DS for the chasing KEY: FAILEDno response but there is a delegation in authority section:no response and no delegation in authority section but a reference to:NO ANSWERS: DNSKEY is missing to continue validation: FAILEDRRSIG of DNSKEY is missing to continue validation: FAILEDchain of trust can't be validated: FAILED RRset is missing to continue validation SHOULD NOT APPEND: FAILED RRSIG is missing to continue validation SHOULD NOT APPEND: FAILEDWe are in a Grand Father Problem: See 2.2.1 in RFC 3568 and we try to continue chain of trust validation of the zone:NSset is missing to continue validation: FAILEDDSset is missing to continue validation: FAILEDImpossible to verify the DSset: FAILED Impossible to verify the non-existence,the NSEC RRset can't be validated: FAILED Impossible to verify the NSEC RR to prove the non-existence : FAILED Impossible to verify the non-existence: FAILEDOK the query doesn't have response butwe have validate this fact : SUCCESSRRsig of RRset is missing to continue validation SHOULD NOT APPEND: FAILEDImpossible to verify the RRset : FAILEDFINISH : we have validate the DNSSEC chain of trust: SUCCESSNo Answers: Validation FAILED RRSIG is missing for continue validation: FAILEDRRSIG of the RRset to chase: DNSKEY is missing to continue validation: FAILEDDNSKEYset that signs the RRset to chase:RRSIG for DNSKEY is missing to continue validation : FAILED RRSIG of the DNSKEYset that signs the RRset to chase: WARNING There is no DS for the zone: DSset of the DNSKEYset WARNING : NO RRSIG DS : RRSIG DS should come with DS RRSIG of the DSset of the DNSKEYsetNo trusted keys presentImpossible to verify the Non-existence,the NSEC RRset can't be validated: FAILEDNo Answers and impossible to prove the unsecurity : Validation FAILEDAn NSEC prove the non-existence of a answers,Now we want validate this NSECWE HAVE MATERIAL, WE NOW DO VALIDATIONNo DNSKEY is valid to check the RRSIG of the RRset: FAILEDOK We found DNSKEY (or more) to validate the RRsetOk this DNSKEY is a Trusted Key, DNSSEC validation is ok: SUCCESSNow, we are going to validate this DNSKEY by the DSthe DNSKEY isn't trusted-key and there isn't DS to validate the DNSKEY: FAILED ERROR no DS validates a DNSKEY in the DNSKEY RRset: FAILED OK this DNSKEY (validated by the DS) validates the RRset of the DNSKEYs, thus the DNSKEY validates the RRset Now, we want to validate the DS : recursive call nothing in authority section : impossible to validate the non-existence : FAILEDThere is a NSEC for this zone in the AUTHORITY section:OK the NSEC said that the type doesn't exist OK the NSEC said that the type doesn't exist We want to prove the non-existance of a type of rdata %d or of the zone: nothing in authority section : impossible to validate the non-existence : FAILEDWe have a NSEC for this zone :OKprove_nx: ERROR type existprove_nx: OK type does not existthere is no NSEC for this zone: validating that the zone doesn't existmemory allocation failure in %s:%dlwres_context_create failed