How to get delv working on macOS

Getting a recent version of delv working on macOS is as easy as "brew install bind".

How to get delv working on macOS

While reading this HN comment, I learnt of a CLI tool named delv.

delv's history paints it as the spiritual successor to dig, plus its name pays homage to a popular nursey rhyme. Interesting.

Similar to dig ,delv is a DNS lookup and validation utility. Apple shipped the delv binary with my machine running macOS Monterey (v12.3.1) but I had trouble getting it to work.

When I ran the first command in that HN comment: delv MX @ I got an inscrutable output:

delv MX @
;; none:29: no crypto support
delv: No trusted keys were loaded

Some Attempts to fix the Problem

I did a search on the error message and came across a mailing list discussion from 3 years ago which mentioned the -a anchor-file option from the man page.

Based on the explanation in that man entry, the default behavior of delv is to look for key information in a default location /etc/bind.keys, if no -a anchor-file option is specified, so I decided to create that file since it was non-existent on my machine.

Just to be sure, I first check to see what version of delv I have installed:

delv -v                                                        
delv 9.10.6

So, I use the term "/etc/bind.keys" to search for a valid copy of that file online and landed on the homepage of the ISC (Internet Systems Consortium). It is hosted on their FTP site and I was able to download a valid copy (v9.11) with the following commands:

cd /tmp
curl -LO
sudo mv /tmp/bind.keys.v9_11 /etc/bind.keys

With a valid /etc/bind.keys in place, I ran the delv command again and the error message was slightly different:

delv MX @ 
;; /private/etc/bind.keys:29: no crypto support
delv: No trusted keys were loaded

Based on additional searches, the real issue is the "no crypto support" part of the error message. This ServerFault answer suggests that the Apple-provided version of the delv binary was not set to support SSL when it was compiled.

Apple's inclusion of OSS network utilities can sometimes be half-hearted, so rather than play whack-a-mole trying to fix it, I decided to use Homebrew.

Fixing the Problem

bind is an OSS collection of network utilities (sometimes called bind-utils or bind-tools) from the ISC that includes CLI tools like dig, host, nslookup and of course delv.

So, I search for "homebrew bind" and the first result gave me a simple way to install it on macOS in only 2 steps.

Step 1: Install bind by executing brew install bind:

brew install bind
==> Caveats
==> bind
To restart bind after an upgrade:
  sudo brew services restart bind
Or, if you don't want/need a background service you can just run:
  /Users/mac/homebrew/opt/bind/sbin/named -f -L /Users/mac/homebrew/var/log/named/named.log

Step 2: Next, open a new terminal window, and check the version of delv that was installed is newer than the Apple-provided version of 9.10.6:

delv -v
delv 9.18.4

The newer delv binary can be found at this path: /Users/mac/homebrew/Cellar/bind/9.18.4/bin/delv on my Mac and because my Homebrew installation was setup to put Homebrew binaries ahead of Apple-provided binaries in my PATH, the shell found it before it found the older version provided by Apple.

You can read more about how I set this up towards the end of my article on using a newer version of rsync on macOS.

Using the new version of delv

Re-running the original command in the HN comment earlier–delv MX @  now works correctly:

delv MX @ 
; unsigned answer	300	IN	MX	10	300	IN	MX	20	300	IN	MX	20	300	IN	MX	30

The second command in the HN comment–delv NS @ also worked:

delv NS @
; unsigned answer	10267	IN	NS	10267	IN	NS	10267	IN	NS	10267	IN	NS