From ac0c2378cac7039afb8c717ca9038b1f70681ff3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20=C5=A0pa=C4=8Dek?= Date: Mon, 25 Apr 2022 18:12:17 +0200 Subject: [PATCH] Add hyperlinks to dig/mdig/delv +options --- bin/delv/delv.rst | 12 ++--- bin/dig/dig.rst | 74 +++++++++++++++------------- bin/tools/mdig.rst | 6 +-- doc/dnssec-guide/troubleshooting.rst | 6 +-- doc/dnssec-guide/validation.rst | 6 +-- doc/man/delv.1in | 12 ++--- doc/man/dig.1in | 73 ++++++++++++++------------- doc/man/mdig.1in | 6 +-- 8 files changed, 102 insertions(+), 93 deletions(-) diff --git a/bin/delv/delv.rst b/bin/delv/delv.rst index 5fe6f32287..bf6cce1e8f 100644 --- a/bin/delv/delv.rst +++ b/bin/delv/delv.rst @@ -107,7 +107,7 @@ Options or more trust anchors for the root zone ("."). Keys that do not match the root zone name are ignored. An alternate - key name can be specified using the ``+root=NAME`` options. + key name can be specified using the :option:`+root` option. Note: When reading the trust anchor file, :program:`delv` treats ``trust-anchors``, ``initial-key``, and ``static-key`` identically. That is, for a managed key, @@ -134,7 +134,7 @@ Options This option sets the systemwide debug level to ``level``. The allowed range is from 0 to 99. The default is 0 (no debugging). Debugging traces from :program:`delv` become more verbose as the debug level increases. See the - ``+mtrace``, ``+rtrace``, and ``+vtrace`` options below for + :option:`+mtrace`, :option:`+rtrace`, and :option:`+vtrace` options below for additional debugging details. .. option:: -h @@ -148,7 +148,7 @@ Options server being queried is performing DNSSEC validation, then it does not return invalid data; this can cause :program:`delv` to time out. When it is necessary to examine invalid data to debug a DNSSEC problem, use - ``dig +cd``.) + :option:`dig +cd`.) .. option:: -m 
@@ -309,8 +309,8 @@ assign values to options like the timeout interval. They have the form .. option:: +all, +noall - This option sets or clears the display options ``+[no]comments``, - ``+[no]rrcomments``, and ``+[no]trust`` as a group. + This option sets or clears the display options :option:`+comments`, + :option:`+rrcomments`, and :option:`+trust` as a group. .. option:: +multiline, +nomultiline @@ -326,7 +326,7 @@ assign values to options like the timeout interval. They have the form *not* control whether to request DNSSEC records or to validate them. DNSSEC records are always requested, and validation always occurs unless suppressed by the use of :option:`-i` or - ``+noroot``. + :option:`+noroot`. .. option:: +root[=ROOT], +noroot diff --git a/bin/dig/dig.rst b/bin/dig/dig.rst index c2111a5201..a5bfb86556 100644 --- a/bin/dig/dig.rst +++ b/bin/dig/dig.rst @@ -224,8 +224,8 @@ Each query option is identified by a keyword preceded by a plus sign the string ``no`` to negate the meaning of that keyword. Other keywords assign values to options, like the timeout interval. They have the form ``+keyword=value``. Keywords may be abbreviated, provided the -abbreviation is unambiguous; for example, ``+cd`` is equivalent to -``+cdflag``. The query options are: +abbreviation is unambiguous; for example, :option:`+cd` is equivalent to +:option:`+cdflag`. The query options are: .. option:: +aaflag, +noaaflag @@ -280,7 +280,7 @@ abbreviation is unambiguous; for example, ``+cd`` is equivalent to ``B`` bytes. The maximum and minimum sizes of this buffer are 65535 and 0, respectively. ``+bufsize`` restores the default buffer size. -.. option:: +cdflag, +nocdflag +.. option:: +cd, +cdflag, +nocdflag This option sets [or does not set] the CD (checking disabled) bit in the query. This requests the server to not perform DNSSEC validation of responses. 
@@ -304,7 +304,7 @@ abbreviation is unambiguous; for example, ``+cd`` is equivalent to Other types of comments in the output are not affected by this option, but can be controlled using other command-line switches. These include - ``+[no]cmd``, ``+[no]question``, ``+[no]stats``, and ``+[no]rrcomments``. + :option:`+cmd`, :option:`+question`, :option:`+stats`, and :option:`+rrcomments`. .. option:: +cookie=####, +nocookie @@ -312,7 +312,7 @@ abbreviation is unambiguous; for example, ``+cd`` is equivalent to from a previous response allows the server to identify a previous client. The default is ``+cookie``. - ``+cookie`` is also set when ``+trace`` is set to better emulate the + ``+cookie`` is also set when :option:`+trace` is set to better emulate the default queries from a nameserver. .. option:: +crypto, +nocrypto @@ -326,13 +326,14 @@ abbreviation is unambiguous; for example, ``+cd`` is equivalent to .. option:: +defname, +nodefname - This option, which is deprecated, is treated as a synonym for ``+[no]search``. + This option, which is deprecated, is treated as a synonym for + :option:`+search`, :option:`+nosearch`. .. option:: +dns64prefix, +nodns64prefix Lookup IPV4ONLY.ARPA AAAA and print any DNS64 prefixes found. -.. option:: +dnssec, +nodnssec +.. option:: +dnssec, +do, +nodnssec, +nodo This option requests that DNSSEC records be sent by setting the DNSSEC OK (DO) bit in the OPT record in the additional section of the query. @@ -341,7 +342,7 @@ abbreviation is unambiguous; for example, ``+cd`` is equivalent to This option sets the search list to contain the single domain ``somename``, as if specified in a ``domain`` directive in ``/etc/resolv.conf``, and - enables search list processing as if the ``+search`` option were + enables search list processing as if the :option:`+search` option were given. .. option:: +dscp=value 
@@ -403,31 +404,31 @@ abbreviation is unambiguous; for example, ``+cd`` is equivalent to .. option:: +https-get[=value], +nohttps-get - Similar to ``+https``, except that the HTTP GET request mode is used + Similar to :option:`+https`, except that the HTTP GET request mode is used when sending the query. .. option:: +https-post[=value], +nohttps-post - Same as ``+https``. + Same as :option:`+https`. .. option:: +http-plain[=value], +nohttp-plain - Similar to ``+https``, except that HTTP queries will be sent over a + Similar to :option:`+https`, except that HTTP queries will be sent over a non-encrypted channel. When this option is in use, the port number defaults to 80 and the HTTP request mode is POST. .. option:: +http-plain-get[=value], +nohttp-plain-get - Similar to ``+http-plain``, except that the HTTP request mode is GET. + Similar to :option:`+http-plain`, except that the HTTP request mode is GET. .. option:: +http-plain-post[=value], +nohttp-plain-post - Same as ``+http-plain``. + Same as :option:`+http-plain`. .. option:: +identify, +noidentify This option shows [or does not show] the IP address and port number that - supplied the answer, when the ``+short`` option is enabled. If short + supplied the answer, when the :option:`+short` option is enabled. If short form answers are requested, the default is not to show the source address and port number of the server that provided the answer. @@ -478,7 +479,7 @@ abbreviation is unambiguous; for example, ``+cd`` is equivalent to statement is present. Names with fewer dots are interpreted as relative names, and are searched for in the domains listed in the ``search`` or ``domain`` directive in ``/etc/resolv.conf`` if - ``+search`` is set. + :option:`+search` is set. .. option:: +nsid, +nonsid 
@@ -533,19 +534,19 @@ abbreviation is unambiguous; for example, ``+cd`` is equivalent to .. option:: +rdflag, +nordflag - This option is a synonym for ``+[no]recurse``. + This option is a synonym for :option:`+recurse`, :option:`+norecurse`. .. option:: +recurse, +norecurse This option toggles the setting of the RD (recursion desired) bit in the query. This bit is set by default, which means :program:`dig` normally sends recursive queries. Recursion is automatically disabled when the - ``+nssearch`` or ``+trace`` query option is used. + :option:`+nssearch` or :option:`+trace` query option is used. .. option:: +retry=T This option sets the number of times to retry UDP and TCP queries to server to ``T`` - instead of the default, 2. Unlike ``+tries``, this does not include + instead of the default, 2. Unlike :option:`+tries`, this does not include the initial query. .. option:: +rrcomments, +norrcomments @@ -561,7 +562,7 @@ abbreviation is unambiguous; for example, ``+cd`` is equivalent to default. ``ndots`` from ``resolv.conf`` (default 1), which may be overridden by - ``+ndots``, determines whether the name is treated as relative + :option:`+ndots`, determines whether the name is treated as relative and hence whether a search is eventually performed. .. option:: +short, +noshort 
@@ -632,27 +633,30 @@ abbreviation is unambiguous; for example, ``+cd`` is equivalent to name servers. When this option is in use, the port number defaults to 853. -``+[no]tls-ca[=file-name]`` +.. option:: +tls-ca[=file-name], +notls-ca + This option enables remote server TLS certificate validation for DNS transports, relying on TLS. Certificate authorities certificates are loaded from the specified PEM file (``file-name``). If the file is not specified, the default certificates from the global certificates store are used. -``+[no]tls-certfile=file-name`` and ``+[no]tls-keyfile=file-name`` +.. option:: +tls-certfile=file-name, +tls-keyfile=file-name, +notls-certfile, +notls-keyfile + These options set the state of certificate-based client authentication for DNS transports, relying on TLS. Both certificate chain file and private key file are expected to be in PEM format. Both options must be specified at the same time. -``+[no]tls-hostname=hostname`` - This option makes ``dig`` use the provided hostname during remote +.. option:: +tls-hostname=hostname, +notls-hostname + + This option makes :program:`dig` use the provided hostname during remote server TLS certificate verification. Otherwise, the DNS server name - is used. This option has no effect if ``+tls-ca`` is not specified. + is used. This option has no effect if :option:`+tls-ca` is not specified. .. option:: +topdown, +notopdown - This feature is related to ``dig +sigchase``, which is obsolete and + This feature is related to :option:`dig +sigchase`, which is obsolete and has been removed. Use :iscman:`delv` instead. .. option:: +trace, +notrace 
@@ -667,7 +671,7 @@ abbreviation is unambiguous; for example, ``+cd`` is equivalent to If ``@server`` is also specified, it affects only the initial query for the root zone name servers. - ``+dnssec`` is also set when ``+trace`` is set, to better emulate the + :option:`+dnssec` is also set when :option:`+trace` is set, to better emulate the default queries from a name server. .. option:: +tries=T @@ -678,7 +682,7 @@ abbreviation is unambiguous; for example, ``+cd`` is equivalent to .. option:: +trusted-key=#### - This option formerly specified trusted keys for use with ``dig +sigchase``. This + This option formerly specified trusted keys for use with :option:`dig +sigchase`. This feature is now obsolete and has been removed; use :iscman:`delv` instead. .. option:: +ttlid, +nottlid @@ -689,7 +693,7 @@ abbreviation is unambiguous; for example, ``+cd`` is equivalent to This option displays [or does not display] the TTL in friendly human-readable time units of ``s``, ``m``, ``h``, ``d``, and ``w``, representing seconds, minutes, - hours, days, and weeks. This implies ``+ttlid``. + hours, days, and weeks. This implies :option:`+ttlid`. .. option:: +unknownformat, +nounknownformat @@ -700,12 +704,12 @@ abbreviation is unambiguous; for example, ``+cd`` is equivalent to .. option:: +vc, +novc This option uses [or does not use] TCP when querying name servers. This alternate - syntax to ``+[no]tcp`` is provided for backwards compatibility. The + syntax to :option:`+tcp` is provided for backwards compatibility. The ``vc`` stands for "virtual circuit." .. option:: +yaml, +noyaml - When enabled, this option prints the responses (and, if ``+qr`` is in use, also the + When enabled, this option prints the responses (and, if :option:`+qr` is in use, also the outgoing queries) in a detailed YAML format. .. option:: +zflag, +nozflag 
@@ -730,8 +734,8 @@ query. A global set of query options, which should be applied to all queries, can also be supplied. These global query options must precede the first tuple of name, class, type, options, flags, and query options supplied -on the command line. Any global query options (except ``+[no]cmd`` and -``+[no]short`` options) can be overridden by a query-specific set of +on the command line. Any global query options (except :option:`+cmd` and +:option:`+short` options) can be overridden by a query-specific set of query options. For example: :: @@ -741,8 +745,8 @@ query options. For example: shows how :program:`dig` can be used from the command line to make three lookups: an ANY query for ``www.isc.org``, a reverse lookup of 127.0.0.1, and a query for the NS records of ``isc.org``. A global query option of -``+qr`` is applied, so that :program:`dig` shows the initial query it made for -each lookup. The final query has a local query option of ``+noqr`` which +:option:`+qr` is applied, so that :program:`dig` shows the initial query it made for +each lookup. The final query has a local query option of :option:`+qr` which means that :program:`dig` does not print the initial query when it looks up the NS records for ``isc.org``. @@ -754,7 +758,7 @@ support, it can accept and display non-ASCII domain names. :program:`dig` appropriately converts character encoding of a domain name before sending a request to a DNS server or displaying a reply from the server. To turn off IDN support, use the parameters -``+noidnin`` and ``+noidnout``, or define the ``IDN_DISABLE`` environment +:option:`+idnin` and :option:`+idnout`, or define the ``IDN_DISABLE`` environment variable. Return Codes diff --git a/bin/tools/mdig.rst b/bin/tools/mdig.rst index 054984905b..27d34f3164 100644 --- a/bin/tools/mdig.rst +++ b/bin/tools/mdig.rst 
@@ -216,7 +216,7 @@ The global query options are: .. option:: +vc, +novc This option uses [or does not use] TCP when querying name servers. This alternate - syntax to ``+[no]tcp`` is provided for backwards compatibility. The + syntax to :option:`+tcp` is provided for backwards compatibility. The ``vc`` stands for "virtual circuit". Local Options @@ -249,7 +249,7 @@ The local query options are: .. option:: +aaflag, +noaaflag - This is a synonym for ``+[no]aaonly``. + This is a synonym for :option:`+aaonly`, :option:`+noaaonly`. .. option:: +aaonly, +noaaonly @@ -325,7 +325,7 @@ The local query options are: .. option:: +retry=T This sets the number of times to retry UDP queries to server to ``T`` - instead of the default, 2. Unlike ``+tries``, this does not include + instead of the default, 2. Unlike :option:`+tries`, this does not include the initial query. .. option:: +subnet=addr[/prefix-length], +nosubnet diff --git a/doc/dnssec-guide/troubleshooting.rst b/doc/dnssec-guide/troubleshooting.rst index b865a06f26..8d91f36a79 100644 --- a/doc/dnssec-guide/troubleshooting.rst +++ b/doc/dnssec-guide/troubleshooting.rst @@ -100,7 +100,7 @@ Visible DNSSEC Validation Symptoms After determining the query path, it is necessary to determine whether the problem is actually related to DNSSEC -validation. You can use the ``+cd`` flag in :iscman:`dig` to disable +validation. You can use the :option:`dig +cd` flag to disable validation, as described in :ref:`how_do_i_know_validation_problem`. 
@@ -318,9 +318,9 @@ shortened for ease of display): Next, we query for the DNSKEY and RRSIG of ``example.net`` to see if there's anything wrong. Since we are having trouble validating, we -can use the ``+cd`` option to temporarily disable checking and return +can use the :option:`dig +cd` option to temporarily disable checking and return results, even though they do not pass the validation tests. The -``+multiline`` option tells :iscman:`dig` to print the type, algorithm type, +:option:`dig +multiline` option causes :iscman:`dig` to print the type, algorithm type, and key id for DNSKEY records. Again, some long strings are shortened for ease of display: diff --git a/doc/dnssec-guide/validation.rst b/doc/dnssec-guide/validation.rst index d02b359d52..d4a0dfcead 100644 --- a/doc/dnssec-guide/validation.rst +++ b/doc/dnssec-guide/validation.rst @@ -324,10 +324,10 @@ How Do I Know I Have a Validation Problem? Since all DNSSEC validation failures result in a general ``SERVFAIL`` message, how do we know if it was really a validation error? -Fortunately, there is a flag in :iscman:`dig`, (``+cd``, for "checking +Fortunately, there is a flag in :iscman:`dig`, ("CD" for "checking disabled") which tells the server to disable DNSSEC validation. If you receive a ``SERVFAIL`` message, re-run the query a second time -and set the ``+cd`` flag. If the query succeeds with ``+cd``, but +and set the :option:`dig +cd` flag. If the query succeeds with :option:`dig +cd`, but ends in ``SERVFAIL`` without it, you know you are dealing with a validation problem. So using the previous example of ``www.dnssec-failed.org`` and with DNSSEC validation enabled in the 
@@ -748,7 +748,7 @@ larger packets over UDP. To support EDNS, both the DNS server and the network need to be properly prepared to support the larger packet sizes and multiple fragments. -This is important for DNSSEC, since the ``+do`` bit that signals +This is important for DNSSEC, since the :option:`dig +do` bit that signals DNSSEC-awareness is carried within EDNS, and DNSSEC responses are larger than traditional DNS ones. If DNS servers and the network environment cannot support large UDP packets, it will cause retransmission over TCP, or the diff --git a/doc/man/delv.1in b/doc/man/delv.1in index c62c990218..71b1fad341 100644 --- a/doc/man/delv.1in +++ b/doc/man/delv.1in @@ -121,7 +121,7 @@ is \fB@sysconfdir@/bind.keys\fP, which is included with BIND 9 and contains one or more trust anchors for the root zone ("."). .sp Keys that do not match the root zone name are ignored. An alternate -key name can be specified using the \fB+root=NAME\fP options. +key name can be specified using the \fI\%+root\fP option. .sp Note: When reading the trust anchor file, \fBdelv\fP treats \fBtrust\-anchors\fP, \fBinitial\-key\fP, and \fBstatic\-key\fP identically. That is, for a managed key, @@ -151,7 +151,7 @@ This option sets the query class for the requested data. Currently, only class This option sets the systemwide debug level to \fBlevel\fP\&. The allowed range is from 0 to 99. The default is 0 (no debugging). Debugging traces from \fBdelv\fP become more verbose as the debug level increases. See the -\fB+mtrace\fP, \fB+rtrace\fP, and \fB+vtrace\fP options below for +\fI\%+mtrace\fP, \fI\%+rtrace\fP, and \fI\%+vtrace\fP options below for additional debugging details. .UNINDENT .INDENT 0.0 
@@ -167,7 +167,7 @@ however, that this does not set the CD bit on upstream queries. If the server being queried is performing DNSSEC validation, then it does not return invalid data; this can cause \fBdelv\fP to time out. When it is necessary to examine invalid data to debug a DNSSEC problem, use -\fBdig +cd\fP\&.) +\fI\%dig +cd\fP\&.) .UNINDENT .INDENT 0.0 .TP @@ -347,8 +347,8 @@ multiline mode is active. .INDENT 0.0 .TP .B +all, +noall -This option sets or clears the display options \fB+[no]comments\fP, -\fB+[no]rrcomments\fP, and \fB+[no]trust\fP as a group. +This option sets or clears the display options \fI\%+comments\fP, +\fI\%+rrcomments\fP, and \fI\%+trust\fP as a group. .UNINDENT .INDENT 0.0 .TP @@ -366,7 +366,7 @@ The default is to do so. Note that (unlike in \fI\%dig\fP) this does \fInot\fP control whether to request DNSSEC records or to validate them. DNSSEC records are always requested, and validation always occurs unless suppressed by the use of \fI\%\-i\fP or -\fB+noroot\fP\&. +\fI\%+noroot\fP\&. .UNINDENT .INDENT 0.0 .TP diff --git a/doc/man/dig.1in b/doc/man/dig.1in index db86a1b2b9..d5f42ed852 100644 --- a/doc/man/dig.1in +++ b/doc/man/dig.1in @@ -258,8 +258,8 @@ Each query option is identified by a keyword preceded by a plus sign the string \fBno\fP to negate the meaning of that keyword. Other keywords assign values to options, like the timeout interval. They have the form \fB+keyword=value\fP\&. Keywords may be abbreviated, provided the -abbreviation is unambiguous; for example, \fB+cd\fP is equivalent to -\fB+cdflag\fP\&. The query options are: +abbreviation is unambiguous; for example, \fI\%+cd\fP is equivalent to +\fI\%+cdflag\fP\&. The query options are: .INDENT 0.0 .TP .B +aaflag, +noaaflag 
@@ -325,7 +325,7 @@ This option sets the UDP message buffer size advertised using EDNS0 to .UNINDENT .INDENT 0.0 .TP -.B +cdflag, +nocdflag +.B +cd, +cdflag, +nocdflag This option sets [or does not set] the CD (checking disabled) bit in the query. This requests the server to not perform DNSSEC validation of responses. .UNINDENT @@ -351,7 +351,7 @@ the response section. The default is to print these comments. .sp Other types of comments in the output are not affected by this option, but can be controlled using other command\-line switches. These include -\fB+[no]cmd\fP, \fB+[no]question\fP, \fB+[no]stats\fP, and \fB+[no]rrcomments\fP\&. +\fI\%+cmd\fP, \fI\%+question\fP, \fI\%+stats\fP, and \fI\%+rrcomments\fP\&. .UNINDENT .INDENT 0.0 .TP @@ -360,7 +360,7 @@ This option sends [or does not send] a COOKIE EDNS option, with an optional valu from a previous response allows the server to identify a previous client. The default is \fB+cookie\fP\&. .sp -\fB+cookie\fP is also set when \fB+trace\fP is set to better emulate the +\fB+cookie\fP is also set when \fI\%+trace\fP is set to better emulate the default queries from a nameserver. .UNINDENT .INDENT 0.0 @@ -376,7 +376,8 @@ key ID is displayed as the replacement, e.g. \fB[ key id = value ]\fP\&. .INDENT 0.0 .TP .B +defname, +nodefname -This option, which is deprecated, is treated as a synonym for \fB+[no]search\fP\&. +This option, which is deprecated, is treated as a synonym for +\fI\%+search\fP, \fI\%+nosearch\fP\&. .UNINDENT .INDENT 0.0 .TP @@ -385,7 +386,7 @@ Lookup IPV4ONLY.ARPA AAAA and print any DNS64 prefixes found. .UNINDENT .INDENT 0.0 .TP -.B +dnssec, +nodnssec +.B +dnssec, +do, +nodnssec, +nodo This option requests that DNSSEC records be sent by setting the DNSSEC OK (DO) bit in the OPT record in the additional section of the query. .UNINDENT 
@@ -394,7 +395,7 @@ the OPT record in the additional section of the query. .B +domain=somename This option sets the search list to contain the single domain \fBsomename\fP, as if specified in a \fBdomain\fP directive in \fB/etc/resolv.conf\fP, and -enables search list processing as if the \fB+search\fP option were +enables search list processing as if the \fI\%+search\fP option were given. .UNINDENT .INDENT 0.0 @@ -466,36 +467,36 @@ query URI; the default is \fB/dns\-query\fP\&. So, for example, \fBdig .INDENT 0.0 .TP .B +https\-get[=value], +nohttps\-get -Similar to \fB+https\fP, except that the HTTP GET request mode is used +Similar to \fI\%+https\fP, except that the HTTP GET request mode is used when sending the query. .UNINDENT .INDENT 0.0 .TP .B +https\-post[=value], +nohttps\-post -Same as \fB+https\fP\&. +Same as \fI\%+https\fP\&. .UNINDENT .INDENT 0.0 .TP .B +http\-plain[=value], +nohttp\-plain -Similar to \fB+https\fP, except that HTTP queries will be sent over a +Similar to \fI\%+https\fP, except that HTTP queries will be sent over a non\-encrypted channel. When this option is in use, the port number defaults to 80 and the HTTP request mode is POST. .UNINDENT .INDENT 0.0 .TP .B +http\-plain\-get[=value], +nohttp\-plain\-get -Similar to \fB+http\-plain\fP, except that the HTTP request mode is GET. +Similar to \fI\%+http\-plain\fP, except that the HTTP request mode is GET. .UNINDENT .INDENT 0.0 .TP .B +http\-plain\-post[=value], +nohttp\-plain\-post -Same as \fB+http\-plain\fP\&. +Same as \fI\%+http\-plain\fP\&. .UNINDENT .INDENT 0.0 .TP .B +identify, +noidentify This option shows [or does not show] the IP address and port number that -supplied the answer, when the \fB+short\fP option is enabled. If short +supplied the answer, when the \fI\%+short\fP option is enabled. If short form answers are requested, the default is not to show the source address and port number of the server that provided the answer. .UNINDENT 
@@ -553,7 +554,7 @@ the \fBndots\fP statement in \fB/etc/resolv.conf\fP, or 1 if no \fBndots\fP statement is present. Names with fewer dots are interpreted as relative names, and are searched for in the domains listed in the \fBsearch\fP or \fBdomain\fP directive in \fB/etc/resolv.conf\fP if -\fB+search\fP is set. +\fI\%+search\fP is set. .UNINDENT .INDENT 0.0 .TP @@ -618,7 +619,7 @@ QUERY. .INDENT 0.0 .TP .B +rdflag, +nordflag -This option is a synonym for \fB+[no]recurse\fP\&. +This option is a synonym for \fI\%+recurse\fP, \fI\%+norecurse\fP\&. .UNINDENT .INDENT 0.0 .TP @@ -626,13 +627,13 @@ This option is a synonym for \fB+[no]recurse\fP\&. This option toggles the setting of the RD (recursion desired) bit in the query. This bit is set by default, which means \fBdig\fP normally sends recursive queries. Recursion is automatically disabled when the -\fB+nssearch\fP or \fB+trace\fP query option is used. +\fI\%+nssearch\fP or \fI\%+trace\fP query option is used. .UNINDENT .INDENT 0.0 .TP .B +retry=T This option sets the number of times to retry UDP and TCP queries to server to \fBT\fP -instead of the default, 2. Unlike \fB+tries\fP, this does not include +instead of the default, 2. Unlike \fI\%+tries\fP, this does not include the initial query. .UNINDENT .INDENT 0.0 @@ -650,7 +651,7 @@ directive in \fBresolv.conf\fP, if any. The search list is not used by default. .sp \fBndots\fP from \fBresolv.conf\fP (default 1), which may be overridden by -\fB+ndots\fP, determines whether the name is treated as relative +\fI\%+ndots\fP, determines whether the name is treated as relative and hence whether a search is eventually performed. .UNINDENT .INDENT 0.0 
@@ -734,28 +735,32 @@ to 853. .UNINDENT .INDENT 0.0 .TP -.B \fB+[no]tls\-ca[=file\-name]\fP +.B +tls\-ca[=file\-name], +notls\-ca This option enables remote server TLS certificate validation for DNS transports, relying on TLS. Certificate authorities certificates are loaded from the specified PEM file (\fBfile\-name\fP). If the file is not specified, the default certificates from the global certificates store are used. +.UNINDENT +.INDENT 0.0 .TP -.B \fB+[no]tls\-certfile=file\-name\fP and \fB+[no]tls\-keyfile=file\-name\fP +.B +tls\-certfile=file\-name, +tls\-keyfile=file\-name, +notls\-certfile, +notls\-keyfile These options set the state of certificate\-based client authentication for DNS transports, relying on TLS. Both certificate chain file and private key file are expected to be in PEM format. Both options must be specified at the same time. +.UNINDENT +.INDENT 0.0 .TP -.B \fB+[no]tls\-hostname=hostname\fP +.B +tls\-hostname=hostname, +notls\-hostname This option makes \fBdig\fP use the provided hostname during remote server TLS certificate verification. Otherwise, the DNS server name -is used. This option has no effect if \fB+tls\-ca\fP is not specified. +is used. This option has no effect if \fI\%+tls\-ca\fP is not specified. .UNINDENT .INDENT 0.0 .TP .B +topdown, +notopdown -This feature is related to \fBdig +sigchase\fP, which is obsolete and +This feature is related to \fI\%dig +sigchase\fP, which is obsolete and has been removed. Use \fI\%delv\fP instead. .UNINDENT .INDENT 0.0 @@ -771,7 +776,7 @@ lookup. If \fB@server\fP is also specified, it affects only the initial query for the root zone name servers. .sp -\fB+dnssec\fP is also set when \fB+trace\fP is set, to better emulate the +\fI\%+dnssec\fP is also set when \fI\%+trace\fP is set, to better emulate the default queries from a name server. .UNINDENT .INDENT 0.0 
@@ -784,7 +789,7 @@ the number of tries is silently rounded up to 1. .INDENT 0.0 .TP .B +trusted\-key=#### -This option formerly specified trusted keys for use with \fBdig +sigchase\fP\&. This +This option formerly specified trusted keys for use with \fI\%dig +sigchase\fP\&. This feature is now obsolete and has been removed; use \fI\%delv\fP instead. .UNINDENT .INDENT 0.0 @@ -797,7 +802,7 @@ This option displays [or does not display] the TTL when printing the record. .B +ttlunits, +nottlunits This option displays [or does not display] the TTL in friendly human\-readable time units of \fBs\fP, \fBm\fP, \fBh\fP, \fBd\fP, and \fBw\fP, representing seconds, minutes, -hours, days, and weeks. This implies \fB+ttlid\fP\&. +hours, days, and weeks. This implies \fI\%+ttlid\fP\&. .UNINDENT .INDENT 0.0 .TP @@ -810,13 +815,13 @@ presentation format. .TP .B +vc, +novc This option uses [or does not use] TCP when querying name servers. This alternate -syntax to \fB+[no]tcp\fP is provided for backwards compatibility. The +syntax to \fI\%+tcp\fP is provided for backwards compatibility. The \fBvc\fP stands for "virtual circuit." .UNINDENT .INDENT 0.0 .TP .B +yaml, +noyaml -When enabled, this option prints the responses (and, if \fB+qr\fP is in use, also the +When enabled, this option prints the responses (and, if \fI\%+qr\fP is in use, also the outgoing queries) in a detailed YAML format. .UNINDENT .INDENT 0.0 @@ -841,8 +846,8 @@ query. A global set of query options, which should be applied to all queries, can also be supplied. These global query options must precede the first tuple of name, class, type, options, flags, and query options supplied -on the command line. Any global query options (except \fB+[no]cmd\fP and -\fB+[no]short\fP options) can be overridden by a query\-specific set of +on the command line. Any global query options (except \fI\%+cmd\fP and +\fI\%+short\fP options) can be overridden by a query\-specific set of query options. For example: .INDENT 0.0 .INDENT 3.5 
@@ -858,8 +863,8 @@ dig +qr www.isc.org any \-x 127.0.0.1 isc.org ns +noqr shows how \fBdig\fP can be used from the command line to make three lookups: an ANY query for \fBwww.isc.org\fP, a reverse lookup of 127.0.0.1, and a query for the NS records of \fBisc.org\fP\&. A global query option of -\fB+qr\fP is applied, so that \fBdig\fP shows the initial query it made for -each lookup. The final query has a local query option of \fB+noqr\fP which +\fI\%+qr\fP is applied, so that \fBdig\fP shows the initial query it made for +each lookup. The final query has a local query option of \fI\%+qr\fP which means that \fBdig\fP does not print the initial query when it looks up the NS records for \fBisc.org\fP\&. .SH IDN SUPPORT @@ -869,7 +874,7 @@ support, it can accept and display non\-ASCII domain names. \fBdig\fP appropriately converts character encoding of a domain name before sending a request to a DNS server or displaying a reply from the server. To turn off IDN support, use the parameters -\fB+noidnin\fP and \fB+noidnout\fP, or define the \fBIDN_DISABLE\fP environment +\fI\%+idnin\fP and \fI\%+idnout\fP, or define the \fBIDN_DISABLE\fP environment variable. .SH RETURN CODES .sp diff --git a/doc/man/mdig.1in b/doc/man/mdig.1in index 9b27e6cb10..0f7794e5c9 100644 --- a/doc/man/mdig.1in +++ b/doc/man/mdig.1in @@ -248,7 +248,7 @@ hours, days, and weeks. This implies +ttlid. .TP .B +vc, +novc This option uses [or does not use] TCP when querying name servers. This alternate -syntax to \fB+[no]tcp\fP is provided for backwards compatibility. The +syntax to \fI\%+tcp\fP is provided for backwards compatibility. The \fBvc\fP stands for "virtual circuit". .UNINDENT .SH LOCAL OPTIONS @@ -283,7 +283,7 @@ The local query options are: .INDENT 0.0 .TP .B +aaflag, +noaaflag -This is a synonym for \fB+[no]aaonly\fP\&. +This is a synonym for \fI\%+aaonly\fP, \fI\%+noaaonly\fP\&. .UNINDENT .INDENT 0.0 .TP 
@@ -372,7 +372,7 @@ recursive queries. .TP .B +retry=T This sets the number of times to retry UDP queries to server to \fBT\fP -instead of the default, 2. Unlike \fB+tries\fP, this does not include +instead of the default, 2. Unlike \fI\%+tries\fP, this does not include the initial query. .UNINDENT .INDENT 0.0
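
Review bot: In bin/dig/dig.rst at `@@ -741,8 +745,8`, the local option in the worked example changed from ``+noqr`` to :option:`+qr`, which inverts the sentence. It now reads "The final query has a local query option of +qr which means that dig does not print the initial query", while the example command still ends in `isc.org ns +noqr`. Keep the negated name in the link, either :option:`+noqr` if the `+qr` directive declares it, or :option:`+noqr <+qr>` with an explicit title. The generated doc/man/dig.1in hunk at `@@ -858,8 +863,8` carries the same error (`\fI\%+qr\fP`) and needs regenerating after the fix.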
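
Review bot: In bin/dig/dig.rst at `@@ -754,7 +758,7`, "To turn off IDN support, use the parameters :option:`+idnin` and :option:`+idnout`" now names the options that enable IDN processing; the removed line had ``+noidnin`` and ``+noidnout``. The link text must stay negated, for example :option:`+noidnin <+idnin>` and :option:`+noidnout <+idnout>`, or the plain :option:`+noidnin` form if the directives list the negated names. The same substitution appears in doc/man/dig.1in at `@@ -869,7 +874,7`.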
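
Review bot: In doc/dnssec-guide/validation.rst at `@@ -324,10 +324,10`, the first mention of the flag lost its option name: "there is a flag in :iscman:`dig`, ("CD" for "checking disabled")" no longer tells the reader what to type, and it leaves a stray comma before the parenthesis. Since this is the paragraph that introduces the SERVFAIL triage step, suggest "there is a flag in :iscman:`dig` (:option:`dig +cd`, for "checking disabled")" so the option is named and linked where it is first explained.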
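
Review bot: In doc/dnssec-guide/validation.rst at `@@ -748,7 +748,7`, "the :option:`dig +do` bit that signals DNSSEC-awareness is carried within EDNS" presents a dig command-line option as if it were the protocol bit. The dig.rst text in this same patch describes the option as "setting the DNSSEC OK (DO) bit in the OPT record", so the sentence reads more accurately as "the DO bit (set by :option:`dig +do`) that signals DNSSEC-awareness", keeping the link without conflating the two.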
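
Review bot: In bin/dig/dig.rst at `@@ -280,7 +280,7`, the directive becomes `.. option:: +cd, +cdflag, +nocdflag`, adding the short positive form but not ``+nocd``, whereas the `+dnssec` directive a few hunks later is extended symmetrically to `+dnssec, +do, +nodnssec, +nodo`. Add ``+nocd`` here (and in the matching `.B` line of doc/man/dig.1in at `@@ -325,7 +325,7`) so both abbreviations are declared and linkable the same way.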
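
Review bot: In bin/delv/delv.rst at `@@ -309,8 +309,8`, replacing ``+[no]comments``, ``+[no]rrcomments`` and ``+[no]trust`` with links to the positive names only drops the information that `+noall` clears the negated forms; the same happens for ``+[no]tcp``, ``+[no]cmd`` and ``+[no]short`` in the dig.rst and mdig.rst hunks. Other hunks in this patch handle the `[no]` pair by linking both names (":option:`+search`, :option:`+nosearch`", ":option:`+recurse`, :option:`+norecurse`"), and `@@ -326,7 +326,7` links :option:`+noroot` directly, so the negated targets evidently resolve. Use the two-link form consistently wherever the original text had `+[no]`.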
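
Review bot: In bin/dig/dig.rst at `@@ -632,27 +633,30` and `@@ -678,7 +682,7`, :option:`dig +sigchase` links to an option that the same sentences describe as "obsolete and has been removed". Unless dig.rst still carries an `.. option:: +sigchase` entry, this reference has no target and should stay a literal (``dig +sigchase``); please confirm the docs build emits no unresolved-reference warning for it.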