Provided by: dnsviz_0.9.3-1_all 

NAME
dnsviz-grok - assess diagnostic DNS queries
SYNOPSIS
dnsviz grok [ options ] [ domain_name... ]
DESCRIPTION
Process the results of diagnostic DNS queries previously performed, e.g., using dnsviz-probe(1), to
assess the health of the associated DNS deployments for one or more domain names specified. The results
of this processing are serialized into JSON format for further programmatic diagnostics or alerts.
The source of the diagnostic query input is either a file specified with -r or standard input.
Domain names to be processed may be passed either as command-line arguments, in a file (using the -f
option), or simply implied using the diagnostic query input. The last of these is the preferred (and
simplest) method, except in cases where the input contains diagnostic queries for multiple domain
names, only a subset of which are to be processed.
If -f is not used and no domain names are supplied on the command line, then the domain names to be
processed are extracted from the diagnostic query input. If the -f option is used, then names may not be
specified on the command line.
The domain names passed as input are fully-qualified domain names, such as example.com, www.example.com,
_443._tcp.example.com, 1.2.0.192.in-addr.arpa, or 8.b.d.0.1.0.0.2.ip6.arpa. Because it is implied that
specified domain names are fully qualified, no trailing dot is necessary.
OPTIONS
-f, --names-file filename
Read names from a file (one name per line), instead of from the command line.
If this option is used, then names may not be specified on the command line.
-r, --input-file filename
Read diagnostic query input from the specified file, instead of from standard input.
-t, --trusted-keys-file filename
Use trusted keys from the specified file when processing diagnostic queries. This overrides the
default behavior of using the installed keys for the root zone.
The format of this file is master zone file format and should contain DNSKEY records that
correspond to one or more trusted keys for one or more DNS zones.
This option may be used multiple times on the command line.
-a, --algorithms alg[,alg...]
Support only the DNSSEC algorithms specified. If this option is used, any algorithms not
specified will appear as "unsupported." The status of any RRSIG records corresponding to
unsupported algorithms will be unknown. Additionally, when a zone has only DS records with
unsupported algorithms, the zone is treated as "insecure", assuming the DS records are properly
authenticated.
-d, --digest-algorithms digest_alg[,digest_alg...]
Support only the DNSSEC digest algorithms specified. If this option is used, any digest
algorithms not specified will appear as "unsupported." The status of any DS records corresponding
to unsupported digest algorithms will be unknown. Additionally, when a zone has only DS records
with unsupported digest algorithms, the zone is treated as "insecure", assuming the DS records are
properly authenticated.
-b, --validate-prohibited-algs
Validate algorithms for which validation is otherwise prohibited. Current DNSSEC specification
prohibits validators from validating older, weaker algorithms associated with DNSKEY and DS
records (see RFC 8624). If this option is used, then a warning will still be issued for DNSSEC
records that use these older algorithms, but the code will still assess their cryptographic
status, rather than ignoring them.
-C, --enforce-cookies
Enforce DNS cookies strictly. Require a server to return a "BADCOOKIE" response when a query
contains a COOKIE option with no server cookie or with an invalid server cookie.
-P, --allow-private
Allow private IP addresses for authoritative DNS servers. By default, if the IP address
corresponding to an authoritative server is in IP address space designated as "private", it is
flagged as an error. However, there are some cases where this is allowed. For example, if the
diagnostic queries are issued to servers in an experimental environment, this might be
permissible.
-o, --output-file filename
Write the output to the specified file instead of to standard output, which is the default.
-c, --minimize-output
Format JSON output minimally instead of "pretty" (i.e., with indentation and newlines).
-l, --log-level level
Display only information at the specified log priority or higher. Valid values (in increasing
order of priority) are: "error", "warning", "info", and "debug". The default is "debug".
-h, --help
Display the usage and exit.
EXIT CODES
The exit codes are:
0 Program terminated normally.
1 Incorrect usage.
2 Required package dependencies were not found.
3 There was an error processing the input or saving the output.
4 Program execution was interrupted, or an unknown error occurred.
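The wrapper below is an added example, not part of the DNSViz distribution. It runs dnsviz grok over saved dnsviz-probe(1) output for a scheduled check, refuses to combine -f with command-line names, and acts on the exit codes listed above. The helper names grok_status and run_grok, the file names in the usage comment, and the choice to delete the report after a failed run are assumptions of this example.

```shell
#!/bin/sh
# Added example: wrap `dnsviz grok` for a scheduled DNSSEC health check.
# grok_status and run_grok are hypothetical helper names.

# Translate a grok exit status (EXIT CODES section) into a label for alerting.
grok_status() {
    case $1 in
        0) echo ok ;;
        1) echo usage ;;
        2) echo missing-dependency ;;
        3) echo io-error ;;
        4) echo interrupted-or-unknown ;;
        *) echo unexpected ;;
    esac
}

# run_grok INPUT OUTPUT NAMES_FILE [name...]
# INPUT is saved dnsviz-probe(1) output. Pass "" as NAMES_FILE to take names
# from the arguments, or from INPUT itself when no names are given.
run_grok() {
    input=$1; output=$2; names_file=$3
    shift 3
    # -f and command-line names are mutually exclusive; fail before calling grok.
    if [ -n "$names_file" ] && [ "$#" -gt 0 ]; then
        echo "run_grok: give names with -f or as arguments, not both" >&2
        return 1
    fi
    if [ -n "$names_file" ]; then
        set -- -f "$names_file"
    fi
    rc=0
    # -l warning sets the log priority threshold; -c writes minimized JSON.
    dnsviz grok -r "$input" -o "$output" -l warning -c "$@" || rc=$?
    # Assumption of this example: drop the report after a failed run so a later
    # alerting step cannot read a partial file as a clean result.
    [ "$rc" -eq 0 ] || rm -f "$output"
    grok_status "$rc"
    return "$rc"
}

# Stand-alone use: sh grok-check.sh probe.json report.json "" example.com
if [ "$#" -ge 3 ]; then
    run_grok "$@"
fi
```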
SEE ALSO
dnsviz(1), dnsviz-probe(1), dnsviz-graph(1), dnsviz-print(1), dnsviz-query(1)
0.9.3 11 Mar 2021 dnsviz-grok(1)