Bug 1578128 - [RFE] Provide delv functionality
Summary: [RFE] Provide delv functionality
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: bind
Version: 7.5
Hardware: Unspecified
OS: Linux
Target Milestone: rc
: ---
Assignee: Petr Menšík
QA Contact: Petr Sklenar
Marie Dolezelova
URL: https://ftp.isc.org/isc/bind9/cur/9.1...
Depends On: bind911_rebase_el7
Blocks: 1663257 1630905 1630913
TreeView+ depends on / blocked
Reported: 2018-05-14 20:37 UTC by Tom Sorensen
Modified: 2019-08-06 12:40 UTC (History)
8 users (show)

Fixed In Version: bind-9.11.4-1.P2.el7
Doc Type: Enhancement
Doc Text:
Feature: A new tool called `delv` (domain entity lookup and validation) has been added. The tools is similar to `dig`, but includes also full DNS Security Extensions (DNSSEC) validation. Reason: dig +sigchase does not use the same logic as named daemon and is not officially supported. `delv` tool uses exactly the same validation algorithm as `named` daemon. Result: DNSSEC verification issues are much easier analyzed in a separate tool. Verification against different servers is much simpler now.
Clone Of:
Last Closed: 2019-08-06 12:39:40 UTC
Target Upstream Version:

Attachments (Terms of Use)

System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2019:2057 None None None 2019-08-06 12:40:09 UTC

Description Tom Sorensen 2018-05-14 20:37:14 UTC
Description of problem:
Customer is requesting that BIND be upgraded to a newer version in RHEL7 so that they can take advantage of DNS enhancements relying upon it.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Try to run "delv"

Actual results:
Command not found

Expected results:
Command should run and return proper results when given proper arguments.

Additional info:

Comment 9 Petr Menšík 2018-08-20 10:52:29 UTC
We have no delv command yet in RHEL 7, but there are some tools that could help with DNSSEC verification failures. Unlike delve, they do not have exactly the same algorithm of names verification as BIND. Most of common DNSSEC errors can be debugged with them easier than dig +sigchase.

- drill -S <domain> (from ldns package)
- unbound-host -vrD <domain> (from unbound package)

I think they are useful alternatives to missing delv, especially the first one.

Comment 16 Petr Menšík 2019-02-27 17:48:56 UTC
Commit provided in rebase bug, just providing fixed-in version.

Note, upstream does not support dig +sigchase anymore, delv is recommended replacement. Failures in +sigchase mode are unsupported by upstream, sigchase support was removed in more recent versions altogether.

Comment 25 errata-xmlrpc 2019-08-06 12:39:40 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.