dnsviz-grok - assess diagnostic DNS queries

dnsviz grok [ options ] [ domain_name... ]
Process the results of diagnostic DNS queries previously
performed, e.g., using dnsviz-probe(1), to assess the health of the
associated DNS deployments for one or more domain names specified. The
results of this processing are serialized into JSON format for further
programmatic diagnostics or alerts.
The source of the diagnostic query input is either a file
specified with -r or standard input.
Domain names to be processed may be passed either as command-line
arguments, in a file (using the -f option), or simply implied by
the diagnostic query input. The latter is the preferred (and simplest)
method, except in cases where the input contains diagnostic
queries for multiple domain names, only a subset of which are to be
processed.
If -f is not used and no domain names are supplied on the
command line, then the domain names to be processed are extracted from the
diagnostic query input. If the -f option is used, then names may not
be specified on the command line.
The domain names passed as input are fully-qualified domain names,
such as example.com, www.example.com, _443._tcp.example.com,
1.2.0.192.in-addr.arpa, or 8.b.d.0.1.0.0.2.ip6.arpa. Because it is implied
that specified domain names are fully qualified, no trailing dot is
necessary.
- -f, --names-file filename
  Read names from a file (one name per line) instead of from the command line.
  If this option is used, then names may not be specified on the
  command line.
- -r, --input-file filename
  Read diagnostic query input from the specified file instead of from
  standard input.
- -t, --trusted-keys-file filename
  Use trusted keys from the specified file when processing diagnostic
  queries. This overrides the default behavior of using the installed keys
  for the root zone.
  The file is in master zone file format and should
  contain DNSKEY records that correspond to one or more trusted keys for one
  or more DNS zones.
  This option may be used multiple times on the command line.
- -a, --algorithms alg[,alg...]
  Support only the DNSSEC algorithms specified. If this option is used, any
  algorithms not specified will appear as "unsupported." The
  status of any RRSIG records corresponding to unsupported algorithms will
  be unknown. Additionally, when a zone has only DS records with unsupported
  algorithms, the zone is treated as "insecure", assuming the DS
  records are properly authenticated.
- -d, --digest-algorithms digest_alg[,digest_alg...]
  Support only the DNSSEC digest algorithms specified. If this option is
  used, any digest algorithms not specified will appear as
  "unsupported." The status of any DS records corresponding to
  unsupported digest algorithms will be unknown. Additionally, when a zone
  has only DS records with unsupported digest algorithms, the zone is
  treated as "insecure", assuming the DS records are properly
  authenticated.
- -b, --validate-prohibited-algs
  Validate algorithms for which validation is otherwise prohibited. The current
  DNSSEC specification prohibits validators from validating older, weaker
  algorithms associated with DNSKEY and DS records (see RFC 8624). If this
  option is used, a warning will still be issued for DNSSEC records
  that use these older algorithms, but the code will still assess their
  cryptographic status rather than ignoring them.
- -C, --enforce-cookies
  Enforce DNS cookies strictly. Require a server to return a
  "BADCOOKIE" response when a query contains a COOKIE option with
  no server cookie or with an invalid server cookie.
- -P, --allow-private
  Allow private IP addresses for authoritative DNS servers. By default, if
  the IP address corresponding to an authoritative server is in IP address
  space designated as "private", it is flagged as an error.
  However, there are some cases where this is allowed. For example, if the
  diagnostic queries are issued to servers in an experimental environment,
  this might be permissible.
- -o, --output-file filename
  Write the output to the specified file instead of to standard output,
  which is the default.
- -c, --minimize-output
  Format JSON output minimally instead of "pretty" (i.e., with
  indentation and newlines).
- -l, --log-level level
  Display only information at the specified log priority or higher. Valid
  values (in increasing order of priority) are: "error",
  "warning", "info", and "debug". The default
  is "debug".
- -h, --help
  Display the usage and exit.
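The -t file and the RFC 8624 prohibition described under -b both turn on the DNSKEY records a validator is handed. The following Python is an added example (not part of dnsviz) that parses a trusted-keys file in master zone file format, computes each key's key tag per RFC 4034 Appendix B, and flags algorithms whose validation RFC 8624 forbids; the sample records and the `VALIDATION_MUST_NOT` table are constructed here from those RFCs, not taken from dnsviz.

```python
import base64
from dataclasses import dataclass

# RFC 8624 section 3.1, "DNSSEC Validation" column: algorithms a validator
# MUST NOT validate. Assumption: every other algorithm number is validatable.
VALIDATION_MUST_NOT = {1: "RSAMD5", 3: "DSA", 6: "DSA-NSEC3-SHA1"}


@dataclass
class TrustedKey:
    owner: str
    flags: int
    protocol: int
    algorithm: int
    public_key: bytes

    def key_tag(self) -> int:
        """Key tag per RFC 4034 Appendix B (B.1 covers the RSA/MD5 special case)."""
        if self.algorithm == 1:  # RSAMD5: bits 16..31 from the end of the modulus
            return int.from_bytes(self.public_key[-3:-1], "big")
        rdata = (self.flags.to_bytes(2, "big")
                 + bytes([self.protocol, self.algorithm]) + self.public_key)
        ac = 0
        for i, b in enumerate(rdata):  # even offsets weigh the high byte
            ac += b << 8 if i % 2 == 0 else b
        ac += (ac >> 16) & 0xFFFF
        return ac & 0xFFFF

    def validation_prohibited(self) -> bool:
        return self.algorithm in VALIDATION_MUST_NOT


def parse_trusted_keys(text: str) -> list:
    """Parse DNSKEY records from master zone file text, one record per line."""
    keys = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # strip comments and blank lines
        if not line:
            continue
        tokens = line.split()
        owner = tokens.pop(0)
        if tokens and tokens[0].isdigit():  # optional TTL
            tokens.pop(0)
        if tokens and tokens[0].upper() == "IN":  # optional class
            tokens.pop(0)
        if len(tokens) < 5 or tokens[0].upper() != "DNSKEY":
            raise ValueError(f"not a DNSKEY record: {raw!r}")
        flags, proto, alg = (int(t) for t in tokens[1:4])
        pubkey = base64.b64decode("".join(tokens[4:]))  # base64 may span tokens
        keys.append(TrustedKey(owner, flags, proto, alg, pubkey))
    return keys


# Constructed sample trusted-keys file; the key material is not a real key.
SAMPLE = """; constructed sample, not real keys
example.        86400 IN DNSKEY 257 3 13 AQID
legacy.example. IN DNSKEY 257 3 1 AQID
"""


def report(text: str) -> list:
    """(owner, algorithm, key tag, prohibited?) for each trusted key in text."""
    return [(k.owner, k.algorithm, k.key_tag(), k.validation_prohibited())
            for k in parse_trusted_keys(text)]
```

Keys reported as prohibited are the ones grok ignores unless -b is given; a key that is merely absent from an -a list is reported as "unsupported" instead, which this check does not model.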
The exit codes are:

- 0
  Program terminated normally.
- 1
  Incorrect usage.
- 2
  Required package dependencies were not found.
- 3
  There was an error processing the input or saving the output.
- 4
  Program execution was interrupted, or an unknown error occurred.