On 2020-01-21, Dieter Rauschenberger <d.rausch...@gmail.com> wrote:
> Hi misc,
>
> on my intranet I have unbound and nsd running, both on the same
> machine. unbound is listening on port 53, nsd is listening on port
> 5353 on 127.0.0.1. If I run
>
> dig @127.0.0.1 -p 53 foo.bar
>
> everything is fine. But if I want to query nsd direct with
>
> dig @127.0.0.1 -p 5353 foo.bar
>
> dig core dumps and I can read the following line in /var/log/messages:
>
> Jan 21 18:42:44 ws /bsd: dig[59239]: pledge "dns", syscall 28

The very old version of dig in 6.6 has recently been updated to a slightly less old version (the last ISC-licensed one - 9.10.8-P1) and work is currently ongoing to remove code that isn't used on OpenBSD. It uses the "dns" pledge which only permits port 53 connections.

The version in 6.6 prints an error if you try to set a port other than 53 - the version in -current just gets killed by pledge - I'm not sure if a direction has been decided for what to do with this yet (there was a proposal to change the pledge string depending on what options were used - another option would be to reinstate 6.6 behaviour).

For now if you need to look up on an alternative port you can either add "inet" to the pledge string and recompile, or use the version of dig in the isc-bind package (which has used "inet" rather than "dns" since it first started using pledge). This is /usr/local/bin/dig or there's now (in -current) a symlink "edig" to make it easier to use without fiddling with the path.
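
A sketch of the proposal mentioned in the reply above (choosing the pledge string from the options given), added here as an illustration and not part of the original thread or of dig's source. The function names and the exact promise strings are assumptions; only the "dns" versus "inet" distinction comes from the message.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>             /* declares pledge(2) on OpenBSD */
#define DNS_PORT 53

/* Parse a -p argument; rejects trailing junk and out-of-range values. */
int parse_port(const char *s, int *port)
{
    char *end;
    long v = strtol(s, &end, 10);   /* overflow clamps, rejected below */
    if (end == s || *end != '\0' || v < 1 || v > 65535)
        return -1;
    *port = (int)v;
    return 0;
}

/* Narrowest promise set for the server port the user asked for. */
const char *promises_for_port(int port)
{
    /* Assumed strings: "dns" only permits port 53, other ports need "inet". */
    return port == DNS_PORT ? "stdio rpath dns" : "stdio rpath inet";
}

/* Apply the promises; a no-op outside OpenBSD so the file builds anywhere. */
int restrict_self(int port)
{
#ifdef __OpenBSD__
    return pledge(promises_for_port(port), NULL);
#else
    (void)port;
    return 0;
#endif
}

int main(int argc, char *argv[])
{
    int port = DNS_PORT;
    if (argc == 3 && strcmp(argv[1], "-p") == 0 &&
        parse_port(argv[2], &port) != 0) {
        fprintf(stderr, "invalid port: %s\n", argv[2]);
        return 1;
    }
    if (restrict_self(port) == -1) {
        perror("pledge");
        return 1;
    }
    printf("port %d -> pledge \"%s\"\n", port, promises_for_port(port));
    return 0;
}
```

The default invocation keeps the tighter "dns" promise, and the wider "inet" promise is only requested when a non-53 port is actually asked for.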