How do I hide dnssec keys from results when doing 'dig +trace microsoft.com'


Usually when I run dig commands, it hides the DNSSEC keys (the RRSIG, DS, and NSEC records).

Per the man page for dig, you can use this option to enable/disable DNSSEC validation:

+[no]dnssec

But when combined with +trace it doesn't seem to work.

I just want a dig +trace without all the long strings that DNSSEC key validation shows in the results.

Here's what the results look like:

Output of dig +trace


Wes Hardaker (best answer):

You'll find that the manual page specifically says DNSSEC is enabled when +trace is used:

+dnssec is also set when +trace is set to better emulate the default queries from a nameserver.

So you can't disable it. You could pass the results through something like awk '{ if ($4 != "RRSIG" && $4 != "DS") { print; } }' to get rid of the rows you don't want in the answer. Note that if you're querying non-existent domains you may wish to drop NSEC and NSEC3 too.

(Other tools could be used as well, like grep -e, but be careful about dropping rows that should be displayed with substrings in them.)
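The awk approach above, extended into a reusable filter as an added example (not part of either answer): it drops every DNSSEC record type, including the NSEC/NSEC3 records mentioned for non-existent names, keeps the ";; Received" hop lines, and is checked against a constructed sample of dig +trace output (signatures, digests and addresses are placeholders, not captured values).

```shell
#!/bin/sh
# Added example, not from the original post: a post-filter for `dig +trace`
# that removes DNSSEC records (+trace forces +dnssec, so they cannot be
# turned off at query time). In dig's presentation format a record reads
# "owner TTL class TYPE rdata", so TYPE is the 4th whitespace-separated field;
# trace/comment lines begin with ";" and are passed through unchanged.
# Usage: dig +trace microsoft.com | strip_dnssec
strip_dnssec() {
    awk '
        /^;/ || NF == 0 { print; next }   # keep comments, hop markers, blank lines
        $4 ~ /^(RRSIG|DS|NSEC|NSEC3|DNSKEY|CDS|CDNSKEY|NSEC3PARAM)$/ { next }
        { print }
    '
}

# Constructed sample of dig +trace output; signatures, digests, hashes and
# addresses (TEST-NET ranges) are placeholders, not real captured values.
SAMPLE='; <<>> DiG 9.18 <<>> +trace microsoft.com
;; global options: +cmd
.                       518400  IN  NS     a.root-servers.net.
.                       518400  IN  RRSIG  NS 8 0 518400 20240101000000 20231201000000 12345 . PLACEHOLDERSIG==
;; Received 525 bytes from 192.0.2.1#53(192.0.2.1) in 1 ms

com.                    172800  IN  NS     a.gtld-servers.net.
com.                    86400   IN  DS     19718 13 2 PLACEHOLDERDIGEST
com.                    86400   IN  RRSIG  DS 8 1 86400 20240101000000 20231201000000 12345 . PLACEHOLDERSIG==
;; Received 1170 bytes from 192.0.2.2#53(a.root-servers.net) in 10 ms

microsoft.com.          172800  IN  NS     ns1.example.net.
PLACEHOLDERHASH.com.    86400   IN  NSEC3  1 1 0 - PLACEHOLDERNEXT NS SOA RRSIG DNSKEY NSEC3PARAM
;; Received 650 bytes from 192.0.2.3#53(a.gtld-servers.net) in 20 ms

microsoft.com.          3600    IN  A      192.0.2.10
;; Received 80 bytes from 192.0.2.4#53(ns1.example.net) in 30 ms'

# Record types that survive the filter, sorted and space-separated ("A NS").
surviving_types() {
    printf '%s\n' "$SAMPLE" | strip_dnssec | awk '!/^;/ && NF >= 4 { print $4 }' | sort -u | paste -sd ' ' -
}

# Number of ";; Received" hop lines that survive (all 4 should).
trace_hops() {
    printf '%s\n' "$SAMPLE" | strip_dnssec | grep -c '^;; Received'
}

# Number of DNSSEC records that slipped through the filter (should be 0).
dnssec_leftovers() {
    printf '%s\n' "$SAMPLE" | strip_dnssec \
      | awk '!/^;/ && $4 ~ /^(RRSIG|DS|NSEC|NSEC3|DNSKEY|CDS|CDNSKEY|NSEC3PARAM)$/ { n++ } END { print n + 0 }'
}
```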

user3166580:

Maybe you have misunderstood the manual: +[no]dnssec means that the no is optional, so you simply add +nodnssec to get what you want.