"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<!--
+ SPDX-License-Identifier: LGPL-2.1+
+
This file is part of systemd.
Copyright 2016 Lennart Poettering
along with systemd; If not, see <http://www.gnu.org/licenses/>.
-->
-<refentry id="systemd-resolve"
+<refentry id="systemd-resolve" conditional='ENABLE_RESOLVE'
xmlns:xi="http://www.w3.org/2001/XInclude">
<refentryinfo>
<command>systemd-resolve</command>
<arg choice="opt" rep="repeat">OPTIONS</arg>
<command> --type=<replaceable>TYPE</replaceable></command>
- <arg choice="plain" rep="repeat"><replaceable>RRDOMAIN</replaceable></arg>
+ <arg choice="plain" rep="repeat"><replaceable>DOMAIN</replaceable></arg>
</cmdsynopsis>
<cmdsynopsis>
<replaceable>TYPE</replaceable></arg> <replaceable>DOMAIN</replaceable></arg>
</cmdsynopsis>
+ <cmdsynopsis>
+ <command>systemd-resolve</command>
+ <arg choice="opt" rep="repeat">OPTIONS</arg>
+ <command> --openpgp</command>
+ <arg choice="plain"><replaceable>USER@DOMAIN</replaceable></arg>
+ </cmdsynopsis>
+
+ <cmdsynopsis>
+ <command>systemd-resolve</command>
+ <arg choice="opt" rep="repeat">OPTIONS</arg>
+ <command> --tlsa</command>
+ <arg choice="plain"><replaceable>DOMAIN<optional>:PORT</optional></replaceable></arg>
+ </cmdsynopsis>
+
<cmdsynopsis>
<command>systemd-resolve</command>
<arg choice="opt" rep="repeat">OPTIONS</arg>
and IPv6 addresses. If the parameters specified are formatted as IPv4 or IPv6 operation the reverse operation is
done, and a hostname is retrieved for the specified addresses.</para>
- <para>The <option>--type=</option> switch may be used to specify a DNS resource record type (A, AAAA, SOA, MX, ...) in
+ <para>The program's output contains information about the protocol used for the look-up and on which network
+ interface the data was discovered. It also contains information on whether the information could be
+ authenticated. All data for which local DNSSEC validation succeeds is considered authenticated. Moreover all data
+ originating from local, trusted sources is also reported authenticated, including resolution of the local host
+ name, the <literal>localhost</literal> host name or all data from <filename>/etc/hosts</filename>.</para>
+
+ <para>The <option>--type=</option> switch may be used to specify a DNS resource record type (A, AAAA, SOA, MX, …) in
order to request a specific DNS resource record, instead of the address or reverse address lookups.
The special value <literal>help</literal> may be used to list known values.</para>
is assumed to be a domain name, that is already prefixed with an SRV type, and an SRV lookup is done (no
TXT).</para>
+ <para>The <option>--openpgp</option> switch may be used to query PGP keys stored as
+ <ulink url="https://tools.ietf.org/html/rfc7929">OPENPGPKEY</ulink> resource records.
+ When this option is specified one or more e-mail address must be specified.</para>
+
+ <para>The <option>--tlsa</option> switch maybe be used to query TLS public
+ keys stored as
+ <ulink url="https://tools.ietf.org/html/rfc6698">TLSA</ulink> resource records.
+ When this option is specified one or more domain names must be specified.</para>
+
<para>The <option>--statistics</option> switch may be used to show resolver statistics, including information about
the number of successful and failed DNSSEC validations.</para>
<listitem><para>Specifies the network protocol for the query. May be one of <literal>dns</literal>
(i.e. classic unicast DNS), <literal>llmnr</literal> (<ulink
url="https://tools.ietf.org/html/rfc4795">Link-Local Multicast Name Resolution</ulink>),
- <literal>llmr-ipv4</literal>, <literal>llmnr-ipv6</literal> (LLMNR via the indicated underlying IP
- protocols). By default the lookup is done via all protocols suitable for the lookup. If used, limits the set of
+ <literal>llmnr-ipv4</literal>, <literal>llmnr-ipv6</literal> (LLMNR via the indicated underlying IP
+ protocols), <literal>mdns</literal> (<ulink url="https://www.ietf.org/rfc/rfc6762.txt">Multicast DNS</ulink>),
+ <literal>mdns-ipv4</literal>, <literal>mdns-ipv6</literal> (MDNS via the indicated underlying IP protocols).
+ By default the lookup is done via all protocols suitable for the lookup. If used, limits the set of
protocols that may be used. Use this option multiple times to enable resolving via multiple protocols at the
same time. The setting <literal>llmnr</literal> is identical to specifying this switch once with
<literal>llmnr-ipv4</literal> and once via <literal>llmnr-ipv6</literal>. Note that this option does not force
<option>--service</option> the TXT service metadata record is resolved as well.</para></listitem>
</varlistentry>
+ <varlistentry>
+ <term><option>--openpgp</option></term>
+
+ <listitem><para>Enables OPENPGPKEY resource record resolution (see above). Specified e-mail
+ addresses are converted to the corresponding DNS domain name, and any OPENPGPKEY keys are
+ printed.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>--tlsa</option></term>
+
+ <listitem><para>Enables TLSA resource record resolution (see above).
+ A query will be performed for each of the specified names prefixed with
+ the port and family
+ (<literal>_<replaceable>port</replaceable>._<replaceable>family</replaceable>.<replaceable>domain</replaceable></literal>).
+ The port number may be specified after a colon
+ (<literal>:</literal>), otherwise <constant>443</constant> will be used
+ by default. The family may be specified as an argument after
+ <option>--tlsa</option>, otherwise <constant>tcp</constant> will be
+ used.</para></listitem>
+ </varlistentry>
+
<varlistentry>
<term><option>--cname=</option><replaceable>BOOL</replaceable></term>
logic is disabled.</para></listitem>
</varlistentry>
+ <varlistentry>
+ <term><option>--raw</option><optional>=payload|packet</optional></term>
+
+ <listitem><para>Dump the answer as binary data. If there is no argument or if the argument is
+ <literal>payload</literal>, the payload of the packet is exported. If the argument is
+ <literal>packet</literal>, the whole packet is dumped in wire format, prefixed by
+ length specified as a little-endian 64-bit number. This format allows multiple packets
+ to be dumped and unambiguously parsed.</para></listitem>
+ </varlistentry>
+
<varlistentry>
<term><option>--legend=</option><replaceable>BOOL</replaceable></term>
<listitem><para>Resets the statistics counters shown in <option>--statistics</option> to zero.</para></listitem>
</varlistentry>
+ <varlistentry>
+ <term><option>--flush-caches</option></term>
+
+ <listitem><para>Flushes all DNS resource record caches the service maintains locally. This is mostly equivalent
+ to sending the <constant>SIGUSR2</constant> to the <command>systemd-resolved</command>
+ service.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>--reset-server-features</option></term>
+
+ <listitem><para>Flushes all feature level information the resolver learnt about specific servers, and ensures
+ that the server feature probing logic is started from the beginning with the next look-up request. This is
+ mostly equivalent to sending the <constant>SIGRTMIN+1</constant> to the <command>systemd-resolved</command>
+ service.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>--status</option></term>
+
+ <listitem><para>Shows the global and per-link DNS settings in currently in effect.</para></listitem>
+ </varlistentry>
+
<xi:include href="standard-options.xml" xpointer="help" />
<xi:include href="standard-options.xml" xpointer="version" />
+ <xi:include href="standard-options.xml" xpointer="no-pager" />
</variablelist>
</refsect1>
<example>
<title>Retrieve the addresses of the <literal>www.0pointer.net</literal> domain</title>
- <programlisting>$ systemd-resolve www.0pointer.net</programlisting>
+ <programlisting>$ systemd-resolve www.0pointer.net
+www.0pointer.net: 2a01:238:43ed:c300:10c3:bcf3:3266:da74
+ 85.214.157.71
+
+-- Information acquired via protocol DNS in 611.6ms.
+-- Data is authenticated: no
+</programlisting>
</example>
<example>
<title>Retrieve the domain of the <literal>85.214.157.71</literal> IP address</title>
- <programlisting>$ systemd-resolve 85.214.157.71</programlisting>
+ <programlisting>$ systemd-resolve 85.214.157.71
+85.214.157.71: gardel.0pointer.net
+
+-- Information acquired via protocol DNS in 1.2997s.
+-- Data is authenticated: no
+</programlisting>
</example>
<example>
- <title>Retrieve the MX record of the <literal>0pointer.net</literal> domain</title>
+ <title>Retrieve the MX record of the <literal>yahoo.com</literal> domain</title>
- <programlisting>$ systemd-resolve -t MX 0pointer.net</programlisting>
+ <programlisting>$ systemd-resolve -t MX yahoo.com --legend=no
+yahoo.com. IN MX 1 mta7.am0.yahoodns.net
+yahoo.com. IN MX 1 mta6.am0.yahoodns.net
+yahoo.com. IN MX 1 mta5.am0.yahoodns.net
+</programlisting>
</example>
<example>
<title>Resolve an SRV service</title>
- <programlisting>$ systemd-resolve --service _xmpp-server._tcp gmail.com</programlisting>
+ <programlisting>$ systemd-resolve --service _xmpp-server._tcp gmail.com
+_xmpp-server._tcp/gmail.com: alt1.xmpp-server.l.google.com:5269 [priority=20, weight=0]
+ 173.194.210.125
+ alt4.xmpp-server.l.google.com:5269 [priority=20, weight=0]
+ 173.194.65.125
+ …
+</programlisting>
</example>
+ <example>
+ <title>Retrieve a PGP key</title>
+
+ <programlisting>$ systemd-resolve --openpgp zbyszek@fedoraproject.org
+d08ee310438ca124a6149ea5cc21b6313b390dce485576eff96f8722._openpgpkey.fedoraproject.org. IN OPENPGPKEY
+ mQINBFBHPMsBEACeInGYJCb+7TurKfb6wGyTottCDtiSJB310i37/6ZYoeIay/5soJjlMyf
+ MFQ9T2XNT/0LM6gTa0MpC1st9LnzYTMsT6tzRly1D1UbVI6xw0g0vE5y2Cjk3xUwAynCsSs
+ …
+</programlisting>
+ </example>
+
+ <example>
+ <title>Retrieve a TLS key (<literal>=tcp</literal> and
+ <literal>:443</literal> could be skipped)</title>
+
+ <programlisting>$ systemd-resolve --tlsa=tcp fedoraproject.org:443
+_443._tcp.fedoraproject.org IN TLSA 0 0 1 19400be5b7a31fb733917700789d2f0a2471c0c9d506c0e504c06c16d7cb17c0
+ -- Cert. usage: CA constraint
+ -- Selector: Full Certificate
+ -- Matching type: SHA-256
+</programlisting>
+ </example>
</refsect1>
<refsect1>
projects / thirdparty / systemd.git / blobdiff