Make dig and nslookup DNSSEC aware?
Havard Eidnes
he at uninett.no
Wed May 22 15:02:42 UTC 2024
>> Sorry if this has already been hashed through, but I cannot
>> find anything in the archive. Is there any chance someone can
>> make dig and nslookup DNSSEC aware and force it to use DoT or
>> DoH ports - TCP 443 or 853 only?
>
> Not sure about that. However, the "kdig" utility from the "knot"
> name server is able to do DoT and DoH (the latter only if
> configured to use libnghttp2), and in my case that was the
> shorter path to the goal of having a CLI tool to do DoT and DoH
> testing.

I should perhaps make it clear that this only answers half of the
question; "kdig" isn't any more "DNSSEC aware" than "dig".

And, no, I'm not aware of any such plans to incorporate a DNSSEC
validator in any of those tools. Not sure it makes technical
sense, as it's a fairly large task. That's what a validating
recursive resolver does; watch for the 'ad' flag from one such
instead?

Regards,

- Håvard
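
The 'ad' flag check suggested in the reply above, as an added example that is not part of the original post: it builds a query with the EDNS0 DO bit set and reads the AD bit from a raw response header. The function names and the sample responses are constructed for illustration, and the AD bit is only meaningful when it comes from a validating resolver you trust over a protected path (localhost, or DoT/DoH as asked about in the thread).

```python
import struct

# DNS header flag bits (RFC 1035, RFC 4035)
QR, TC, RD, AD = 0x8000, 0x0200, 0x0100, 0x0020

def encode_name(name):
    """Encode a domain name as length-prefixed labels."""
    labels = [part.encode("ascii") for part in name.split(".") if part]
    return b"".join(bytes([len(part)]) + part for part in labels) + b"\x00"

def build_query(name, txid, qtype=1):
    """Query with RD and AD set, plus an EDNS0 OPT record carrying the DO bit."""
    header = struct.pack("!HHHHHH", txid, RD | AD, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    # OPT RR: root name, type 41, class = UDP payload size, TTL holds DO (0x8000)
    opt = b"\x00" + struct.pack("!HHIH", 41, 1232, 0x00008000, 0)
    return header + question + opt

def check_ad(response, txid):
    """Return (validated, reason) for a raw response from a validating resolver."""
    if len(response) < 12:
        return False, "short message"
    rid, flags = struct.unpack("!HH", response[:4])
    if rid != txid or not flags & QR:
        return False, "not a response to this query"
    if flags & TC:
        return False, "truncated, retry over TCP"
    rcode = flags & 0x000F
    if rcode == 2:
        return False, "SERVFAIL (what a failed validation looks like)"
    if not flags & AD:
        return False, "ad flag clear, answer not validated"
    return True, "ad flag set, rcode %d" % rcode

def sample_response(txid, flags):
    """Constructed response: given flags, echoed question and OPT, no answers."""
    return struct.pack("!HH", txid, flags) + build_query("example.com", txid)[4:]

if __name__ == "__main__":
    RA = 0x0080
    for flags in (QR | RD | RA | AD, QR | RD | RA, QR | RD | RA | 2):
        print(hex(flags), check_ad(sample_response(0x1234, flags), 0x1234))
```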