DIG command ";; +sigchase option is deprecated;; +trusted-key option is deprecated" on Linux

Why does the dig command say "This feature is related to dig +sigchase, which is obsolete and has been removed." when I am following the https://www.cyberciti.biz/faq/unix-linux-test-and-validate-dnssec-using-dig-command-line/ tutorial?

My command:

dig +sigchase +trusted-key=./keys google.com. A @8.8.8.8 | less
;; +sigchase option is deprecated;; +trusted-key option is deprecated
; <<>> DiG 9.16.1-Ubuntu <<>> +sigchase +trusted-key google.com. A @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30856
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;google.com.                    IN      A

;; ANSWER SECTION:
google.com.             300     IN      A       142.250.192.110

;; Query time: 80 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Thu Oct 14 11:24:42 IST 2021
;; MSG SIZE  rcvd: 55

See ";; +sigchase option is deprecated;; +trusted-key option is deprecated". So how do I do it using dig?

Those command-line features are now obsolete and have been removed from the dig command. Instead, use the delv command. I will update my page later when I am free.

What is a delv command on Linux or Unix?

The delv is a command-line tool for sending DNS queries and validating the results, using the same internal resolver and validator logic as named.

The delv command will send to a specified name server all queries needed to fetch and validate the requested data; this includes the original requested query, subsequent queries to follow CNAME or DNAME chains, and queries for DNSKEY and DS records to establish a chain of trust for DNSSEC validation. It does not perform iterative resolution, but simulates the behavior of a name server configured for DNSSEC validating and forwarding.

By default, responses are validated using built-in DNSSEC trust anchor for the root zone (“.”). Records returned by delv are either fully validated or were not signed. If validation fails, an explanation of the failure is included in the output; the validation process can be traced in detail. Because delv does not rely on an external server to carry out validation, it can be used to check the validity of DNS responses in environments where local name servers may not be trustworthy.

Syntax

delv @dns-server name type

where:

  1. server - The name or IP address of the name server to query. This can be an IPv4 address in dotted decimal notation (e.g. @8.8.8.8) or an IPv6 address in colon-delimited notation. If no server argument is provided, delv consults the /etc/resolv.conf file.
  2. name - The domain name to be looked up, such as google.com.
  3. type - Indicates what type of query is required - ANY, A, MX, AAAA, TXT, etc. Type can be any valid DNS query type. If no type argument is supplied, delv will perform a lookup for an A record.

Examples

Try:

delv cyberciti.biz
delv @1.1.1.1 cyberciti.biz
delv @1.1.1.1 cyberciti.biz MX
delv @1.1.1.1 cyberciti.biz TXT
delv @1.1.1.1 google.co.in
delv  yahoo.com

Do read delv man page:

man delv

See updated FAQ:

https://www.cyberciti.biz/faq/unix-linux-test-and-validate-dnssec-using-dig-command-line/

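As an added illustration (not from the original thread and not part of ISC's delv), here is a small POSIX shell helper that classifies captured delv output by the marker line delv prints at the top of its answer: "; fully validated", "; unsigned answer", or ";; resolution failed: ..." when the chain of trust cannot be established. The sample outputs embedded below are constructed for the demonstration, not captured from real queries; the live check only runs when delv is installed.

```shell
#!/bin/sh
# Classify the output of one delv run into a one-word verdict.
# delv prefixes a validated answer with "; fully validated"
# (or "; negative response, fully validated"), an answer from an
# unsigned zone with "; unsigned answer", and a failed validation
# ends with ";; resolution failed: <reason>".
classify_delv_output() {
    # $1: the complete text produced by delv
    case "$1" in
        *"fully validated"*)        echo validated ;;
        *"; unsigned answer"*)      echo unsigned ;;
        *";; resolution failed"*)   echo failed ;;
        *)                          echo unknown ;;
    esac
}

# Query a resolver with delv and classify the result; prints
# "unknown" when delv is not installed so the script stays offline-safe.
check_live() {
    # $1: server (e.g. 1.1.1.1), $2: name, $3: record type
    command -v delv >/dev/null 2>&1 || { echo unknown; return 0; }
    classify_delv_output "$(delv "@$1" "$2" "$3" 2>&1)"
}

# Constructed sample outputs (documentation IPs, dummy RRSIG data),
# not captured from real queries, used to exercise the classifier.
SAMPLE_VALIDATED='; fully validated
cyberciti.biz.          3600    IN      A       192.0.2.10
cyberciti.biz.          3600    IN      RRSIG   A 13 2 3600 20211101000000 20211001000000 12345 cyberciti.biz. c29tZXNpZ25hdHVyZQ=='

SAMPLE_UNSIGNED='; unsigned answer
example.test.           300     IN      A       192.0.2.20'

SAMPLE_FAILED=';; validating example.test/A: no valid signature found
;; resolution failed: no valid RRSIG'

for sample in "$SAMPLE_VALIDATED" "$SAMPLE_UNSIGNED" "$SAMPLE_FAILED"; do
    echo "verdict: $(classify_delv_output "$sample")"
done
```

To classify a real lookup, call check_live 1.1.1.1 cyberciti.biz A and act on anything other than "validated" (for example, alert on "failed" from a zone that is known to be signed).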

I see. delv is so easy to use. I love it.

So what is the equivalent of +sigchase and +trusted-key option with delv?

I mean equivalent delv command of:

dig +sigchase +trusted-key=./keys google.com. A @8.8.8.8 | less

You no longer need that with delv. The default is to perform lookaside validation using a trust anchor of “dlv.isc.org”, for which there is a built-in key. If specifying a different name, then -a must be used to specify a file containing the DLV key. The syntax for that is:

delv -a anchor-file-name 

From the man page:

Keys that do not match the root or DLV trust-anchor names are ignored; these key names can be overridden using the +dlv=NAME or +root=NAME options.

Example:

delv @172.0.0.2 -a /tmp/your-trusted.key +root=your-example-com your-example-com. SOA +multiline