DIG command ";; +sigchase option is deprecated;; +trusted-key option is deprecated" on Linux

Why dig command says This feature is related to dig +sigchase, which is obsolete and has been removed. when I am following the How to test and validate DNSSEC using dig command line tutorial?

My command:

dig +sigchase +trusted-key=./keys google.com. A @ | less
;; +sigchase option is deprecated;; +trusted-key option is deprecated
; <> DiG 9.16.1-Ubuntu <> +sigchase +trusted-key google.com. A @
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30856
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

; EDNS: version: 0, flags:; udp: 512
;google.com.                    IN      A

google.com.             300     IN      A

;; Query time: 80 msec
;; WHEN: Thu Oct 14 11:24:42 IST 2021
;; MSG SIZE  rcvd: 55

See +sigchase option is deprecated;; +trusted-key option is deprecated. So how do I do it using dig?

Those command line features are now obsolete and has been removed from the dig command. Instead, use delv command. I will update my page later when I am free.

What is a delv command on Linux or Unix?

The delv is a command-line tool for sending DNS queries and validating the results, using the same internal resolver and validator logic as named.

The delv command will send to a specified name server all queries needed to fetch and validate the requested data; this includes the original requested query, subsequent queries to follow CNAME or DNAME chains, and queries for DNSKEY and DS records to establish a chain of trust for DNSSEC validation. It does not perform iterative resolution, but simulates the behavior of a name server configured for DNSSEC validating and forwarding.

By default, responses are validated using built-in DNSSEC trust anchor for the root zone ("."). Records returned by delv are either fully validated or were not signed. If validation fails, an explanation of the failure is included in the output; the validation process can be traced in detail. Because delv does not rely on an external server to carry out validation, it can be used to check the validity of DNS responses in environments where local name servers may not be trustworthy.


delv @dns-server name type


  1. server - The name or IP address of the name server to query. This can be an IPv4 address in dotted decimal notation (e.g. @ or an IPv6 address in colon-delimited notation. If no server argument is provided, delv consults /etc/resolv.conf file
  2. name - Is the domain name to be looked up such as google.com
  3. type - Indicates what type of query is required - ANY, A, MX, AAAA, TXT etc. Type can be any valid dns query type. If no type argument is supplied, delv will perform a lookup for an A record.



delv cyberciti.biz
delv  @ cyberciti.biz
delv  @ cyberciti.biz MX
delv  @ cyberciti.biz TXT
delv  @ google.co.in
delv  yahoo.com

Do read delv man page:

man delv
1 Like

I see. delv is so easy to use. I love it.

Linux sysadmin blog - Linux/Unix Howtos and Tutorials - Linux bash shell scripting wiki