Make dig and nslookup DNSSEC aware?

Sorry if this has already been hashed through, but I cannot find anything in the archive. Is there any chance someone can make dig and nslookup DNSSEC aware and force it to use DoT or DoH ports - TCP 443 or 853 only? RW -- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe

Re: Make dig and nslookup DNSSEC aware?

> Sorry if this has already been hashed through, but I cannot > find anything in the archive. Is there any chance someone can > make dig and nslookup DNSSEC aware and force it to use DoT or > DoH ports - TCP 443 or 853 only? Not sure about that. However, the "kdig" utility from the "knot" name s

Re: Make dig and nslookup DNSSEC aware?

>> Sorry if this has already been hashed through, but I cannot >> find anything in the archive. Is there any chance someone can >> make dig and nslookup DNSSEC aware and force it to use DoT or >> DoH ports - TCP 443 or 853 only? > > Not sure about that. However, the "kdig" utility from the "knot"

Counters for DNS transports?

Hi, I recently had reason to enable BIND 9.18.27 to do DoT and DoH (done via unbound earlier), and it all appears to work well so far. I have configured statistics-channels { inet 127.0.0.1 port 8053 allow { 127.0.0.1; }; inet port 8053 allow { blah; }; }; The former for collec

Re: Make dig and nslookup DNSSEC aware?

> On 22. 5. 2024, at 17:02, Havard Eidnes via bind-users > wrote: > > And, no, I'm not aware of any such plans to incorporate a DNSSEC > validator in any of those tools. Not sure it makes technical > sense, as it's a fairly large task. That's what a validating > recursive resolver does; watch

Re: Make dig and nslookup DNSSEC aware?

forget about nslookup. deprecated in my mind. use dig like so: for DoT: $dig @1.1.1.1 -tA +dnssec +tls www.google.com for Doh: dig @1.1.1.1 -ta +https +dnssec www.google.com Make sure you have a more recent version of dig to supports this. If you need programmatic DNSSEC access use a library like

RE: Make dig and nslookup DNSSEC aware?

Doesn't dig already offer DoT using +tls and DoH using +https ? Don Friesen -Original Message- From: bind-users On Behalf Of Ondrej Surý Sent: Wednesday, May 22, 2024 8:09 AM To: Havard Eidnes Cc: bind-users@lists.isc.org Subject: Re: Make dig and nslookup DNSSEC aware? [EXTERNAL] T

Re: Make dig and nslookup DNSSEC aware?

> Doesn't dig already offer DoT using +tls and DoH using +https? You're right, it does. I need to sort out my $PATH... Regards, - Håvard -- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support sub

Re: Counters for DNS transports?

I frontend DoH and DoT traffic with nginx and use that for analytics/statistics. Cheers, David On Wed, May 22, 2024 at 11:08 AM Havard Eidnes via bind-users < bind-users@lists.isc.org> wrote: > Hi, > > I recently had reason to enable BIND 9.18.27 to do DoT and DoH > (done via unbound earlier), a

Re: Make dig and nslookup DNSSEC aware?

https://www.isc.org/blogs/bind-doh-update-2021/ BIND DoH Update Status of DNS-over-HTTPS support in BIND 9 as of March, 2021 The latest development release of BIND 9 contains a significant number of improvements to DNS-over-HTTP (DoH). www.isc.org

Re: Counters for DNS transports?

> I frontend DoH and DoT traffic with nginx and use that for > analytics/statistics. Thanks, but I think that violates the KISS principle. Regards, - Håvard -- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with

Re: Make dig and nslookup DNSSEC aware?

Odd numbers (9.17, 9.19…) are the development versions. Even numbers (9.18, 9.20 - soon…) are the production versions, based on the odd-numbered version before. So 9.18.27 (currently) would be the one to go for. Cheers, Greg > On 22 May 2024, at 16:53, Robert Wagner wrote: > > https://www.isc

Re: Counters for DNS transports?

Hi Havard, this has been planned, but unfortunately other stuff got into the way. It is still on our roadmap though. Ondřej -- Ondřej Surý (He/Him) ond...@isc.org My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours.

Re: Counters for DNS transports?

> this has been planned, but unfortunately other stuff got into the way. > > It is still on our roadmap though. OK, thanks, it's reassuring that I hadn't overlooked something this time around, and it's good to see it's already thought about and on your roadmap. It's also on my wishlist, FWIW. :)