DOH or DOT Forwarder in BIND and is DOH GA?

Walter H. Walter.H at mathemainzel.info
Sat Jun 12 13:21:40 UTC 2021


On 12.06.2021 14:24, Richard T.A. Neal wrote:
>
> Mainsh – I haven’t done any experimenting with DOT, but there’s a 
> guide for configuring DOH at the following page. It requires BIND 
> 9.17.10 or higher (DOH isn’t being backported to BIND 9.16): 
> https://www.isc.org/blogs/doh-talkdns/
>
> Walter – I’m not sure why you’d say DOH/DOT is dead and to instead use 
> DNSSEC. DOH/DOT and DNSSEC are two completely different things meant 
> for two completely different DNS functions – there is no overlap.
>
Short explanation:

the requirement for using DOH is to allow HTTPS requests with a Host of just an IP, which you would rather block;

and for both DOT and DOH are SSL certificates with an IP address in their SAN, which you would also rather reject;

and the overlap you don't see is the reason why one would use DOT or DOH;

