2025-05-20 06:20:20 -04:00
|
|
|
.\" Man page generated from reStructuredText.
|
|
|
|
|
.
|
|
|
|
|
.
|
|
|
|
|
.nr rst2man-indent-level 0
|
|
|
|
|
.
|
|
|
|
|
.de1 rstReportMargin
|
|
|
|
|
\\$1 \\n[an-margin]
|
|
|
|
|
level \\n[rst2man-indent-level]
|
|
|
|
|
level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
|
|
|
|
|
-
|
|
|
|
|
\\n[rst2man-indent0]
|
|
|
|
|
\\n[rst2man-indent1]
|
|
|
|
|
\\n[rst2man-indent2]
|
|
|
|
|
..
|
|
|
|
|
.de1 INDENT
|
|
|
|
|
.\" .rstReportMargin pre:
|
|
|
|
|
. RS \\$1
|
|
|
|
|
. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
|
|
|
|
|
. nr rst2man-indent-level +1
|
|
|
|
|
.\" .rstReportMargin post:
|
|
|
|
|
..
|
|
|
|
|
.de UNINDENT
|
|
|
|
|
. RE
|
|
|
|
|
.\" indent \\n[an-margin]
|
|
|
|
|
.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
|
|
|
|
|
.nr rst2man-indent-level -1
|
|
|
|
|
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
|
|
|
|
|
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
|
|
|
|
|
..
|
|
|
|
|
.TH "UNBOUND-HOST" "1" "@date@" "@version@" "Unbound"
|
|
|
|
|
.SH NAME
|
|
|
|
|
unbound-host \- Unbound @version@ DNS lookup utility.
|
|
|
|
|
.SH SYNOPSIS
|
|
|
|
|
.sp
|
|
|
|
|
\fBunbound\-host\fP [\fB\-C configfile\fP] [\fB\-vdhr46D\fP] [\fB\-c class\fP]
|
|
|
|
|
[\fB\-t type\fP] [\fB\-y key\fP] [\fB\-f keyfile\fP] [\fB\-F namedkeyfile\fP] hostname
|
|
|
|
|
.SH DESCRIPTION
|
|
|
|
|
.sp
|
|
|
|
|
\fBunbound\-host\fP uses the Unbound validating resolver to query for the hostname
|
|
|
|
|
and display results.
|
|
|
|
|
With the \fI\%\-v\fP option it displays validation status: secure, insecure,
|
|
|
|
|
bogus (security failure).
|
|
|
|
|
.sp
|
|
|
|
|
By default it reads no configuration file whatsoever.
|
|
|
|
|
It attempts to reach the internet root servers.
|
|
|
|
|
With \fI\%\-C\fP an unbound config file and with \fI\%\-r\fP \fBresolv.conf\fP
|
|
|
|
|
can be read.
|
|
|
|
|
.sp
|
2007-12-07 04:03:29 -05:00
|
|
|
The available options are:
|
2025-05-20 06:20:20 -04:00
|
|
|
.INDENT 0.0
|
2008-01-10 10:46:55 -05:00
|
|
|
.TP
|
2025-05-20 06:20:20 -04:00
|
|
|
.B hostname
|
2007-12-07 04:03:29 -05:00
|
|
|
This name is resolved (looked up in the DNS).
|
|
|
|
|
If a IPv4 or IPv6 address is given, a reverse lookup is performed.
|
2025-05-20 06:20:20 -04:00
|
|
|
.UNINDENT
|
|
|
|
|
.INDENT 0.0
|
2008-01-10 10:46:55 -05:00
|
|
|
.TP
|
|
|
|
|
.B \-h
|
2007-12-07 04:03:29 -05:00
|
|
|
Show the version and commandline option help.
|
2025-05-20 06:20:20 -04:00
|
|
|
.UNINDENT
|
|
|
|
|
.INDENT 0.0
|
2008-01-10 10:46:55 -05:00
|
|
|
.TP
|
|
|
|
|
.B \-v
|
2007-12-07 04:03:29 -05:00
|
|
|
Enable verbose output and it shows validation results, on every line.
|
2025-05-20 06:20:20 -04:00
|
|
|
Secure means that the NXDOMAIN (no such domain name), nodata (no such
|
|
|
|
|
data) or positive data response validated correctly with one of the
|
|
|
|
|
keys.
|
2007-12-07 04:03:29 -05:00
|
|
|
Insecure means that that domain name has no security set up for it.
|
2025-05-20 06:20:20 -04:00
|
|
|
Bogus (security failure) means that the response failed one or more
|
|
|
|
|
checks, it is likely wrong, outdated, tampered with, or broken.
|
|
|
|
|
.UNINDENT
|
|
|
|
|
.INDENT 0.0
|
2008-01-10 10:46:55 -05:00
|
|
|
.TP
|
|
|
|
|
.B \-d
|
2025-05-20 06:20:20 -04:00
|
|
|
Enable debug output to stderr.
|
|
|
|
|
One \fI\%\-d\fP shows what the resolver and validator are doing and may
|
|
|
|
|
tell you what is going on.
|
|
|
|
|
More times, \fI\%\-d\fP \fI\%\-d\fP, gives a lot of output, with every
|
|
|
|
|
packet sent and received.
|
|
|
|
|
.UNINDENT
|
|
|
|
|
.INDENT 0.0
|
2008-01-10 10:46:55 -05:00
|
|
|
.TP
|
2025-05-20 06:20:20 -04:00
|
|
|
.B \-c <class>
|
|
|
|
|
Specify the class to lookup for, the default is IN the internet
|
|
|
|
|
class.
|
|
|
|
|
.UNINDENT
|
|
|
|
|
.INDENT 0.0
|
2008-01-10 10:46:55 -05:00
|
|
|
.TP
|
2025-05-20 06:20:20 -04:00
|
|
|
.B \-t <type>
|
|
|
|
|
Specify the type of data to lookup.
|
|
|
|
|
The default looks for IPv4, IPv6 and mail handler data, or domain name
|
|
|
|
|
pointers for reverse queries.
|
|
|
|
|
.UNINDENT
|
|
|
|
|
.INDENT 0.0
|
2008-01-10 10:46:55 -05:00
|
|
|
.TP
|
2025-05-20 06:20:20 -04:00
|
|
|
.B \-y <key>
|
|
|
|
|
Specify a public key to use as trust anchor.
|
|
|
|
|
This is the base for a chain of trust that is built up from the trust
|
|
|
|
|
anchor to the response, in order to validate the response message.
|
|
|
|
|
Can be given as a DS or DNSKEY record.
|
|
|
|
|
For example:
|
|
|
|
|
.INDENT 7.0
|
|
|
|
|
.INDENT 3.5
|
|
|
|
|
.sp
|
|
|
|
|
.nf
|
|
|
|
|
.ft C
|
|
|
|
|
\-y \(dqexample.com DS 31560 5 1 1CFED84787E6E19CCF9372C1187325972FE546CD\(dq
|
|
|
|
|
.ft P
|
|
|
|
|
.fi
|
|
|
|
|
.UNINDENT
|
|
|
|
|
.UNINDENT
|
|
|
|
|
.UNINDENT
|
|
|
|
|
.INDENT 0.0
|
2008-01-10 10:46:55 -05:00
|
|
|
.TP
|
2014-05-23 03:30:02 -04:00
|
|
|
.B \-D
|
2025-05-20 06:20:20 -04:00
|
|
|
Enables DNSSEC validation.
|
|
|
|
|
Reads the root anchor from the default configured root anchor at the
|
|
|
|
|
default location, \fB@UNBOUND_ROOTKEY_FILE@\fP\&.
|
|
|
|
|
.UNINDENT
|
|
|
|
|
.INDENT 0.0
|
2014-05-23 03:30:02 -04:00
|
|
|
.TP
|
2025-05-20 06:20:20 -04:00
|
|
|
.B \-f <keyfile>
|
|
|
|
|
Reads keys from a file.
|
|
|
|
|
Every line has a DS or DNSKEY record, in the format as for \fI\%\-y\fP\&.
|
|
|
|
|
The zone file format, the same as \fBdig\fP and \fBdrill\fP produce.
|
|
|
|
|
.UNINDENT
|
|
|
|
|
.INDENT 0.0
|
2008-01-10 10:46:55 -05:00
|
|
|
.TP
|
2025-05-20 06:20:20 -04:00
|
|
|
.B \-F <namedkeyfile>
|
|
|
|
|
Reads keys from a BIND\-style \fBnamed.conf\fP file.
|
|
|
|
|
Only the \fBtrusted\-key {};\fP entries are read.
|
|
|
|
|
.UNINDENT
|
|
|
|
|
.INDENT 0.0
|
2008-02-19 03:11:38 -05:00
|
|
|
.TP
|
2025-05-20 06:20:20 -04:00
|
|
|
.B \-C <configfile>
|
|
|
|
|
Uses the specified unbound.conf to prime \fI\%libunbound(3)\fP\&.
|
2018-06-21 08:51:14 -04:00
|
|
|
Pass it as first argument if you want to override some options from the
|
|
|
|
|
config file with further arguments on the commandline.
|
2025-05-20 06:20:20 -04:00
|
|
|
.UNINDENT
|
|
|
|
|
.INDENT 0.0
|
2008-06-02 09:14:12 -04:00
|
|
|
.TP
|
|
|
|
|
.B \-r
|
2025-05-20 06:20:20 -04:00
|
|
|
Read \fB/etc/resolv.conf\fP, and use the forward DNS servers from
|
|
|
|
|
there (those could have been set by DHCP).
|
|
|
|
|
More info in \fIresolv.conf(5)\fP\&.
|
2008-06-02 09:14:12 -04:00
|
|
|
Breaks validation if those servers do not support DNSSEC.
|
2025-05-20 06:20:20 -04:00
|
|
|
.UNINDENT
|
|
|
|
|
.INDENT 0.0
|
2009-01-16 05:38:19 -05:00
|
|
|
.TP
|
|
|
|
|
.B \-4
|
|
|
|
|
Use solely the IPv4 network for sending packets.
|
2025-05-20 06:20:20 -04:00
|
|
|
.UNINDENT
|
|
|
|
|
.INDENT 0.0
|
2009-01-16 05:38:19 -05:00
|
|
|
.TP
|
|
|
|
|
.B \-6
|
|
|
|
|
Use solely the IPv6 network for sending packets.
|
2025-05-20 06:20:20 -04:00
|
|
|
.UNINDENT
|
|
|
|
|
.SH EXAMPLES
|
|
|
|
|
.sp
|
|
|
|
|
Some examples of use.
|
|
|
|
|
The keys shown below are fakes, thus a security failure is encountered.
|
|
|
|
|
.INDENT 0.0
|
|
|
|
|
.INDENT 3.5
|
|
|
|
|
.sp
|
|
|
|
|
.nf
|
|
|
|
|
.ft C
|
2008-01-10 10:46:55 -05:00
|
|
|
$ unbound\-host www.example.com
|
2025-05-20 06:20:20 -04:00
|
|
|
|
|
|
|
|
$ unbound\-host \-v \-y \(dqexample.com DS 31560 5 1 1CFED84787E6E19CCF9372C1187325972FE546CD\(dq www.example.com
|
|
|
|
|
|
|
|
|
|
$ unbound\-host \-v \-y \(dqexample.com DS 31560 5 1 1CFED84787E6E19CCF9372C1187325972FE546CD\(dq 192.0.2.153
|
|
|
|
|
.ft P
|
|
|
|
|
.fi
|
|
|
|
|
.UNINDENT
|
|
|
|
|
.UNINDENT
|
|
|
|
|
.SH EXIT CODE
|
|
|
|
|
.sp
|
|
|
|
|
The \fBunbound\-host\fP program exits with status code 1 on error, 0 on no error.
|
|
|
|
|
The data may not be available on exit code 0, exit code 1 means the lookup
|
|
|
|
|
encountered a fatal error.
|
|
|
|
|
.SH SEE ALSO
|
|
|
|
|
.sp
|
|
|
|
|
\fI\%unbound.conf(5)\fP,
|
|
|
|
|
\fI\%unbound(8)\fP\&.
|
|
|
|
|
.SH AUTHOR
|
|
|
|
|
Unbound developers are mentioned in the CREDITS file in the distribution.
|
|
|
|
|
.SH COPYRIGHT
|
|
|
|
|
1999-2025, NLnet Labs
|
|
|
|
|
.\" Generated by docutils manpage writer.
|
|
|
|
|
.
|
