DOH or DOT Forwarder in BIND and is DOH GA?

Tony Finch dot at
Sun Jun 13 20:26:49 UTC 2021

Walter H. via bind-users <bind-users at> wrote:
> DOH/DOT is dead;
> use DNSSEC instead and no troubles;


DNSSEC is about data integrity. It allows me to host my zones with a
collection of semi-trusted third parties without having to worry about
them changing my DNS records. It allows clients to be sure they got the
correct data when querying my zones. But DNSSEC does not provide any
confidentiality, and it doesn't protect the protocol parts of DNS packets
such as the RCODE and the EDNS options.

DoH and DoT are the opposite. They provide better confidentiality
(network middleboxes can't see your queries) and better transport
integrity (active attackers can't mess with things like EDNS options), but
they don't authenticate the contents of DNS records.

It is wrong to say that one is better than the other: they are orthogonal.
It's good to deploy either of them, and better to deploy both.

f.anthony.n.finch  <dot at>
Viking, North Utsire: Southwesterly, veering westerly later, 4 to 6.
Moderate, occasionally rough later. Rain, showers later. Good,
occasionally poor.

More information about the bind-users mailing list