..
    WHEN EDITING MAKE SURE EACH SENTENCE STARTS ON A NEW LINE

..
    IT HELPS RENDERERS TO DO THE RIGHT THING WRT SPACE

..
    IT HELPS PEOPLE DIFFING THE CHANGES

.. program:: unbound-host

unbound-host(1)
===============

Synopsis
--------

**unbound-host** [``-C configfile``] [``-vdhr46D``] [``-c class``]
[``-t type``] [``-y key``] [``-f keyfile``] [``-F namedkeyfile``] hostname

Description
-----------

``unbound-host`` uses the Unbound validating resolver to query for the hostname
and display results.
With the :option:`-v` option it displays validation status: secure, insecure,
bogus (security failure).

By default it reads no configuration file whatsoever.
It attempts to reach the internet root servers.
With :option:`-C` an unbound config file and with :option:`-r` ``resolv.conf``
can be read.

The available options are:

.. option:: hostname

       This name is resolved (looked up in the DNS).
       If an IPv4 or IPv6 address is given, a reverse lookup is performed.

.. option:: -h

       Show the version and commandline option help.

.. option:: -v

       Enable verbose output, which shows the validation result on every line.
       Secure means that the NXDOMAIN (no such domain name), nodata (no such
       data) or positive data response validated correctly with one of the
       keys.
       Insecure means that the domain name has no security set up for it.
       Bogus (security failure) means that the response failed one or more
       checks; it is likely wrong, outdated, tampered with, or broken.

.. option:: -d

       Enable debug output to stderr.
       One :option:`-d` shows what the resolver and validator are doing and may
       tell you what is going on.
       More times, :option:`-d` :option:`-d`, gives a lot of output, with every
       packet sent and received.

.. option:: -c <class>

       Specify the class to look up; the default is IN, the internet
       class.

.. option:: -t <type>

       Specify the type of data to look up.
       The default looks for IPv4, IPv6 and mail handler data, or domain name
       pointers for reverse queries.

.. option:: -y <key>

       Specify a public key to use as trust anchor.
       This is the base for a chain of trust that is built up from the trust
       anchor to the response, in order to validate the response message.
       Can be given as a DS or DNSKEY record.
       For example:

       .. code-block:: text

            -y "example.com DS 31560 5 1 1CFED84787E6E19CCF9372C1187325972FE546CD"

.. option:: -D

       Enables DNSSEC validation.
       Reads the root anchor from the default configured root anchor at the
       default location, :file:`@UNBOUND_ROOTKEY_FILE@`.

.. option:: -f <keyfile>

       Reads keys from a file.
       Every line has a DS or DNSKEY record, in the same format as for :option:`-y`.
       This is the zone file format, the same as ``dig`` and ``drill`` produce.

.. option:: -F <namedkeyfile>

       Reads keys from a BIND-style :file:`named.conf` file.
       Only the ``trusted-key {};`` entries are read.

.. option:: -C <configfile>

       Uses the specified unbound.conf to prime :doc:`libunbound(3)</manpages/libunbound>`.
       Pass it as first argument if you want to override some options from the
       config file with further arguments on the commandline.

.. option:: -r

       Read :file:`/etc/resolv.conf`, and use the forward DNS servers from
       there (those could have been set by DHCP).
       More info in *resolv.conf(5)*.
       Breaks validation if those servers do not support DNSSEC.

.. option:: -4

       Use solely the IPv4 network for sending packets.

.. option:: -6

       Use solely the IPv6 network for sending packets.

Examples
--------

Some examples of use.
The keys shown below are fakes, thus a security failure is encountered.

.. code-block:: text

       $ unbound-host www.example.com

       $ unbound-host -v -y "example.com DS 31560 5 1 1CFED84787E6E19CCF9372C1187325972FE546CD" www.example.com

       $ unbound-host -v -y "example.com DS 31560 5 1 1CFED84787E6E19CCF9372C1187325972FE546CD" 192.0.2.153

Exit Code
---------

The ``unbound-host`` program exits with status code 1 on error, 0 on no error.
Exit code 0 does not guarantee that the data is available.
Exit code 1 means the lookup encountered a fatal error.
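
Because exit code 0 says nothing about validation, a script that depends on DNSSEC has to read the status that :option:`-v` prints on every line; the following is an added example, not part of the Unbound distribution, that fails closed unless every answer line is secure.
It assumes each :option:`-v` line ends with a parenthesised status naming one of the states described above; the function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample output (assumed -v line format; addresses are documentation ranges).
SAMPLE_SECURE='www.example.com has address 192.0.2.10 (secure)
www.example.com has IPv6 address 2001:db8::10 (secure)'
SAMPLE_MIXED='www.example.com has address 192.0.2.10 (secure)
www.example.com has no mail handler record (insecure)'
SAMPLE_BOGUS='www.example.com has address 192.0.2.10 (secure)
www.example.com has address 192.0.2.11 (BOGUS (security failure))'

# classify_validation: read `unbound-host -v` output on stdin and print the
# worst status seen: secure, insecure, bogus, or unknown (no status found).
classify_validation() {
    awk '
        BEGIN { worst = 0 }
        {
            line = tolower($0)
            if (line ~ /\(bogus/)           rank = 3
            else if (line ~ /\(insecure\)/) rank = 2
            else if (line ~ /\(secure\)/)   rank = 1
            else next                       # line carries no status
            if (rank > worst) worst = rank
        }
        END {
            if (worst == 3)      print "bogus"
            else if (worst == 2) print "insecure"
            else if (worst == 1) print "secure"
            else                 print "unknown"
        }'
}

# require_secure: succeed only if every status-bearing line was secure.
# Empty or unrecognised output counts as failure (fail closed).
require_secure() {
    [ "$(classify_validation)" = "secure" ]
}

# lookup_secure HOST: hypothetical wrapper around the real tool.
# -D enables validation with the default root anchor, -v prints the status.
# Returns 2 on a fatal lookup error (exit code 1 from unbound-host),
# 1 when the answer is not fully secure, 0 otherwise.
lookup_secure() {
    out=$(unbound-host -D -v "$1") || return 2
    printf '%s\n' "$out" | require_secure
}
```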

See Also
--------

:doc:`unbound.conf(5)</manpages/unbound.conf>`,
:doc:`unbound(8)</manpages/unbound>`.
