NAME¶
unbound-host - unbound DNS lookup utility
SYNOPSIS¶
unbound-host [
-vdhr46] [
-c class] [
-t
type]
hostname [
-y key] [
-f keyfile]
[
-F namedkeyfile] [
-C configfile]
DESCRIPTION¶
Unbound-host uses the unbound validating resolver to query for the
hostname and display results. With the
-v option it displays validation
status: secure, insecure, bogus (security failure).
By default it reads no configuration file whatsoever. It attempts to reach the
internet root servers. With
-C an unbound config file and with
-r resolv.conf can be read.
The available options are:
- hostname
- This name is resolved (looked up in the DNS). If a IPv4 or
IPv6 address is given, a reverse lookup is performed.
- -h
- Show the version and commandline option help.
- -v
- Enable verbose output and it shows validation results, on
every line. Secure means that the NXDOMAIN (no such domain name), nodata
(no such data) or positive data response validated correctly with one of
the keys. Insecure means that that domain name has no security set up for
it. Bogus (security failure) means that the response failed one or more
checks, it is likely wrong, outdated, tampered with, or broken.
- -d
- Enable debug output to stderr. One -d shows what the
resolver and validator are doing and may tell you what is going on. More
times, -d -d, gives a lot of output, with every packet sent and
received.
- -c class
- Specify the class to lookup for, the default is IN the
internet class.
- -t type
- Specify the type of data to lookup. The default looks for
IPv4, IPv6 and mail handler data, or domain name pointers for reverse
queries.
- -y key
- Specify a public key to use as trust anchor. This is the
base for a chain of trust that is built up from the trust anchor to the
response, in order to validate the response message. Can be given as a DS
or DNSKEY record. For example -y "example.com DS 31560 5 1
1CFED84787E6E19CCF9372C1187325972FE546CD".
- -f keyfile
- Reads keys from a file. Every line has a DS or DNSKEY
record, in the format as for -y. The zone file format, the same as dig and
drill produce.
- -F namedkeyfile
- Reads keys from a BIND-style named.conf file. Only the
trusted-key {}; entries are read.
- -C configfile
- Uses the specified unbound.conf to prime
libunbound(3).
- -r
- Read /etc/resolv.conf, and use the forward DNS servers from
there (those could have been set by DHCP). More info in
resolv.conf(5). Breaks validation if those servers do not support
DNSSEC.
- -4
- Use solely the IPv4 network for sending packets.
- -6
- Use solely the IPv6 network for sending packets.
EXAMPLES¶
Some examples of use. The keys shown below are fakes, thus a security failure is
encountered.
$ unbound-host www.example.com
$ unbound-host -v -y "example.com DS 31560 5 1
1CFED84787E6E19CCF9372C1187325972FE546CD" www.example.com
$ unbound-host -v -y "example.com DS 31560 5 1
1CFED84787E6E19CCF9372C1187325972FE546CD" 192.0.2.153
EXIT CODE¶
The unbound-host program exits with status code 1 on error, 0 on no error. The
data may not be available on exit code 0, exit code 1 means the lookup
encountered a fatal error.
SEE ALSO¶
unbound.conf(5),
unbound(8).