DOH or DOT Forwarder in BIND and is DOH GA?

Walter H. Walter.H at
Sat Jun 12 13:21:40 UTC 2021

On 12.06.2021 14:24, Richard T.A. Neal wrote:
> Mainsh – I haven’t done any experimenting with DOT, but there’s a 
> guide for configuring DOH at the following page. It requires BIND 
> 9.17.10 or higher (DOH isn’t being backported to BIND 9.16): 
>
> Walter – I’m not sure why you’d say DOH/DOT is dead and to instead use 
> DNSSEC. DOH/DOT and DNSSEC are two completely different things meant 
> for two completely different DNS functions – there is no overlap.

short explanation:

the requirement for using DOH is to allow HTTPS requests with a Host of 
just an IP,
which you would rather block;

and for both DOT and DOH are SSL-certificates with an IP address in its 
SAN, which you also rather reject;

and the overlap you don't see is the reason why one would use DOT or DOH;
