Usually when I run dig commands, it hides the DNSSEC keys (the RRSIG, DS, and NSEC records).
Per the man page for dig, you can use this option to enable/disable DNSSEC validation:
+[no]dnssec
But when combined with +trace
it doesn't seem to work.
I just want a dig +trace
without all the long strings that DNSSEC key validation shows in the results.
Here's what the results looks like:
You'll find that the manual page specifically says DNSSEC is enabled when +trace is used:
So you can't disable it. You could pass the results through something like
awk '{ if ($4 != "RRSIG" && $4 != "DS") { print; } }'
to get rid of the rows you don't want in the answer. Note if you're querying non-existent domains you may wish to drop NSEC and NSEC3 too.(Other tools could be used as well, like
grep -e
but be careful about dropping rows that should be displayed with substrings in them)