Provided by: dnsviz_0.11.0-1_all

NAME

       dnsviz-grok - assess diagnostic DNS queries

SYNOPSIS

       dnsviz grok [ options ] [ domain_name... ]

DESCRIPTION

       Process the results of diagnostic DNS queries previously performed, e.g., using dnsviz-probe(1), to
       assess the health of the DNS deployments associated with one or more specified domain names.  The
       results of this processing are serialized into JSON format for further programmatic diagnostics or
       alerts.

       The source of the diagnostic query input is either a file specified with -r or standard input.

       Domain names to be processed may be passed either as command-line arguments, in a file (using the -f
       option), or simply implied by the diagnostic query input.  The latter is the simplest and preferred
       method, and is sufficient except when the input contains diagnostic queries for multiple domain
       names, only a subset of which are to be processed.

       If -f is not used and no domain names are supplied on the command line,  then  the  domain  names  to  be
       processed are extracted from the diagnostic query input.  If the -f option is used, then names may not be
       specified on the command line.

       The  domain names passed as input are fully-qualified domain names, such as example.com, www.example.com,
       _443._tcp.example.com, 1.2.0.192.in-addr.arpa, or 8.b.d.0.1.0.0.2.ip6.arpa.  Because it is  implied  that
       specified domain names are fully qualified, no trailing dot is necessary.
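
       The JSON that grok writes is intended for "further programmatic diagnostics or alerts".  The
       following Python script is an added example and is not part of dnsviz: it walks a grok result,
       collects every entry of the "errors" and "warnings" lists wherever they occur in the tree, prints
       one alert line per finding and returns an exit status usable by a monitoring check.  The embedded
       sample JSON is constructed; its shape (an object keyed by domain name, with "errors" and "warnings"
       lists whose entries carry "code", "description" and optionally "servers") is an assumption to be
       checked against real grok output, and the error codes in it are made up for illustration.  The
       probe | grok command line in the docstring is how the real input would be produced.

```python
#!/usr/bin/env python3
"""Turn dnsviz-grok(1) JSON into alert lines and a monitoring exit status.

Added example, not part of dnsviz.  Produce the input first, e.g.:
    dnsviz probe -A example.com | dnsviz grok -l warning -o grok.json
then run:  python3 grok_alerts.py grok.json [IGNORED_CODE ...]
"""
import json
import sys

# Constructed sample in the shape this script ASSUMES: an object keyed by domain
# name, with "errors"/"warnings" lists at arbitrary depth whose entries carry
# "code", "description" and optionally "servers".  Codes and descriptions are
# made up for illustration; compare against output from your own `dnsviz grok`.
SAMPLE_GROK_JSON = """
{
  "example.com": {
    "status": "NOERROR",
    "zone": {
      "dnskey": [
        {"id": 12345, "flags": 257, "algorithm": 8,
         "errors": [
           {"code": "DNSKEY_MISSING_FROM_SERVERS",
            "description": "The DNSKEY was not returned by 192.0.2.2",
            "servers": ["192.0.2.2"]}
         ]}
      ],
      "nsec3": [
        {"iterations": 10, "salt": "abcd",
         "warnings": [
           {"code": "NSEC3_ITERATIONS_NONZERO",
            "description": "RFC 9276 requires an NSEC3 iterations count of 0"}
         ]}
      ]
    },
    "queries": {
      "example.com/IN/A": {"status": "SECURE", "errors": [], "warnings": []}
    }
  }
}
"""

SEVERITY_KEYS = ("errors", "warnings")


def load_grok(path=None):
    """Parse a grok JSON file, or the embedded constructed sample when path is None."""
    if path is None:
        return json.loads(SAMPLE_GROK_JSON)
    with open(path) as f:
        return json.load(f)


def walk(node, path=()):
    """Yield (severity_key, path, entry) for each entry of an errors/warnings list."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key in SEVERITY_KEYS and isinstance(value, list):
                for entry in value:
                    if isinstance(entry, dict):
                        yield key, path, entry
            else:
                yield from walk(value, path + (key,))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from walk(item, path + (str(i),))


def collect_alerts(grok, ignore_codes=frozenset()):
    """Return alert dicts, errors before warnings, then by name and location.

    ignore_codes drops findings after the fact, much like grok's own
    --ignore-rfc9276 / --ignore-rfc8624 suppress them at analysis time.
    """
    alerts = []
    for name, analysis in grok.items():
        for severity_key, path, entry in walk(analysis):
            code = entry.get("code", "UNKNOWN")
            if code in ignore_codes:
                continue
            alerts.append({
                "severity": "ERROR" if severity_key == "errors" else "WARNING",
                "name": name,
                "where": "/".join(path) or "(top)",
                "code": code,
                "description": entry.get("description", ""),
                "servers": list(entry.get("servers", [])),
            })
    alerts.sort(key=lambda a: (a["severity"] != "ERROR", a["name"], a["where"]))
    return alerts


def exit_status(alerts):
    """Constructed convention: 2 if any error, 1 if only warnings, 0 if clean."""
    if any(a["severity"] == "ERROR" for a in alerts):
        return 2
    return 1 if alerts else 0


def format_alert(a):
    """One line per finding, with the offending servers when grok recorded them."""
    servers = " servers=" + ",".join(a["servers"]) if a["servers"] else ""
    return f'{a["severity"]} {a["name"]} [{a["where"]}] {a["code"]}: {a["description"]}{servers}'


def main(argv):
    grok = load_grok(argv[1] if len(argv) > 1 else None)
    alerts = collect_alerts(grok, frozenset(argv[2:]))
    for a in alerts:
        print(format_alert(a))
    return exit_status(alerts)


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

       Because -l decides what grok serializes, a file produced with -l warning contains no "info" or
       "debug" material for the walker to find; run grok with the default level if you want the full tree
       and filter on the consumer side instead.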

OPTIONS

       -f, --names-file filename
              Read names from a file (one name per line), instead of from command line.

              If this option is used, then names may not be specified on the command line.

       -r, --input-file filename
              Read diagnostic query input from the specified file, instead of from standard input.

       -t, --trusted-keys-file filename
              Use  trusted  keys from the specified file when processing diagnostic queries.  This overrides the
              default behavior of using the installed keys for the root zone.

              The format of this file is master zone file format, and it should contain DNSKEY records that
              correspond to one or more trusted keys for one or more DNS zones.

              This option may be used multiple times on the command line.

       -a, --algorithms alg[,alg...]
              Support  only  the  DNSSEC  algorithms  specified.   If  this  option  is used, any algorithms not
              specified will appear as  "unsupported."   The  status  of  any  RRSIG  records  corresponding  to
              unsupported  algorithms  will  be  unknown.   Additionally,  when  a zone has only DS records with
              unsupported algorithms, the zone is treated as "insecure", assuming the DS  records  are  properly
              authenticated.

       -d, --digest-algorithms digest_alg[,digest_alg...]
              Support  only  the  DNSSEC  digest  algorithms  specified.   If  this  option  is used, any digest
              algorithms not specified will appear as "unsupported."  The status of any DS records corresponding
              to unsupported digest algorithms will be unknown.  Additionally, when a zone has only  DS  records
              with unsupported digest algorithms, the zone is treated as "insecure", assuming the DS records are
              properly authenticated.

       --ignore-rfc8624
              Ignore errors associated with RFC 8624, DNSSEC algorithm implementation requirements.  RFC 8624
              designates some DNSSEC signing algorithms and some DS digest algorithms as prohibited ("MUST NOT")
              or not recommended for validation and/or signing.  If this option is used, then no warnings will
              be issued for such algorithms, and DNSViz will still assess the cryptographic status of records
              that use them rather than ignoring those records.

       --ignore-rfc9276
              Ignore  errors  associated  with  RFC  9276, NSEC3 parameter settings.  RFC 9276 specifies that if
              NSEC3 is used, the iterations count must be 0 and the salt length must be 0.  If  this  option  is
              used, then no warnings will be issued for NSEC3 records that violate this specification.

       -C, --enforce-cookies
              Enforce  DNS  cookies  strictly.  Require  a  server to return a "BADCOOKIE" response when a query
              contains a COOKIE option with no server cookie or with an invalid server cookie.

       -P, --allow-private
              Allow private IP addresses  for  authoritative  DNS  servers.   By  default,  if  the  IP  address
              corresponding  to  an  authoritative  server is in IP address space designated as "private", it is
              flagged as an error.  However, there are some cases where this is allowed.  For  example,  if  the
              diagnostic  queries  are  issued  to  servers  in  an  experimental  environment,  this  might  be
              permissible.

       --trust-cdnskey-cds
              Trust all CDNSKEY and CDS records, even if they are not "signed with a key that is represented  in
              both the current DNSKEY and DS RRsets" (RFC 7344).  This is allowed if "the Parent uses the CDS or
              CDNSKEY  RRset  for initial enrollment; in that case, the Parent validates the CDS/CDNSKEY through
              some other means" (RFC 7344).  Because there is no way for  DNSViz  to  discover  the  out-of-band
              means  with  which  the  parent might have validated the CDNSKEY and/or CDS records, this trust is
              signaled with the use of the --trust-cdnskey-cds command-line option.

       --multi-signer
              Don't issue errors for KSKs that have a DS RR in the parent but are missing from some servers.
              Typically an error is issued if a given DNSKEY is not found in the DNSKEY RRset returned by one
              or more servers.  If --multi-signer is specified, then no error is issued in the case that 1) the
              DNSKEY is not signing any non-DNSKEY RRsets (i.e., is a key-signing key or KSK) and 2) the DNSKEY
              corresponds to a DS record in the parent.  This corresponds to the Model 2 use case in RFC 8901,
              in which each signing provider publishes its own KSK and the parent carries a DS for each.

       -o, --output-file filename
              Write the output to the specified file instead of to standard output, which is the default.

       -c, --minimize-output
              Format JSON output minimally instead of "pretty" (i.e., with indentation and newlines).

       -l, --log-level level
              Include in the output only information at the specified log priority or higher.  Valid values
              (from highest to lowest priority) are: "error", "warning", "info", and "debug".  The default is
              "debug", which includes everything.

       -h, --help
              Display the usage and exit.

EXIT CODES

       The exit codes are:

       0      Program terminated normally.

       1      Incorrect usage.

       2      Required package dependencies were not found.

       3      There was an error processing the input or saving the output.

       4      Program execution was interrupted, or an unknown error occurred.

SEE ALSO

       dnsviz(1), dnsviz-probe(1), dnsviz-graph(1), dnsviz-print(1), dnsviz-query(1)

0.11.0                                          26 September 2024                                 dnsviz-grok(1)