>> Sorry if this has already been hashed through, but I cannot
>> find anything in the archive.  Is there any chance someone can
>> make dig and nslookup DNSSEC aware and force it to use DoT or
>> DoH ports - TCP 443 or 853 only?
>
> Not sure about that.  However, the "kdig" utility from the "knot"
> name server is able to do DoT and DoH (the latter only if
> configured to use libnghttp2), and in my case that was the
> shorter path to the goal of having a CLI tool to do DoT and DoH
> testing.

I should perhaps make it clear that this only answers half of the
question; "kdig" isn't any more "DNSSEC aware" than "dig".

And, no, I'm not aware of any such plans to incorporate a DNSSEC
validator in any of those tools.  Not sure it makes technical
sense, as it's a fairly large task.  That's what a validating
recursive resolver does; watch for the 'ad' flag from one such
instead?

Regards,

- Håvard
-- 
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.
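
The 'ad' flag check suggested in the reply, as an added Python example (not part of the original message and not code from BIND or Knot): it builds a query with the DO and AD bits set, frames it for DoT, and classifies a response by its header flags. All function names, the fixed transaction ID and the sample response headers are constructed for illustration; the resolver passed to `query_dot` is whatever validating resolver the caller chooses.

```python
import socket, ssl, struct

AD = 0x0020   # Authenticated Data header bit: the resolver validated the answer
DO = 0x8000   # DNSSEC OK bit, carried in the EDNS0 OPT record's TTL field

def build_query(name, qtype=1, txid=0x1234):
    """DNS query with RD+AD in the header and an EDNS0 OPT record with DO set."""
    header = struct.pack("!HHHHHH", txid, 0x0100 | AD, 1, 0, 0, 1)
    labels = [l.encode("ascii") for l in name.rstrip(".").split(".") if l]
    qname = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    opt = b"\x00" + struct.pack("!HHIH", 41, 1232, DO, 0)  # root, OPT, size, ttl, rdlen
    return header + qname + struct.pack("!HH", qtype, 1) + opt

def frame(msg):
    """DoT uses DNS-over-TCP framing: a two-byte length prefix before the message."""
    return struct.pack("!H", len(msg)) + msg

def classify(response, txid=0x1234):
    """Return 'secure', 'insecure', 'servfail' or 'other' from the response header."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    rid, flags = struct.unpack("!HH", response[:4])
    if rid != txid or not flags & 0x8000:      # wrong ID, or QR bit clear
        raise ValueError("not a response to this query")
    rcode = flags & 0x000F
    if rcode == 2:
        return "servfail"   # validation failures surface here (as do other errors)
    if rcode in (0, 3):     # NOERROR or NXDOMAIN
        return "secure" if flags & AD else "insecure"
    return "other"

def query_dot(server, name, port=853):
    """Send one query over TLS to a validating resolver (server is caller-supplied)."""
    ctx = ssl.create_default_context()          # verifies the resolver's certificate
    with socket.create_connection((server, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=server) as tls:
            tls.sendall(frame(build_query(name)))
            buf = b""
            while len(buf) < 2 or len(buf) < 2 + struct.unpack("!H", buf[:2])[0]:
                chunk = tls.recv(4096)
                if not chunk:
                    raise ConnectionError("connection closed early")
                buf += chunk
    return classify(buf[2:])

# Constructed response headers (not captured traffic): QR|RD|RA with and without AD.
SAMPLE_SECURE = struct.pack("!HHHHHH", 0x1234, 0x81A0, 1, 1, 0, 1)
SAMPLE_INSECURE = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 1)
SAMPLE_SERVFAIL = struct.pack("!HHHHHH", 0x1234, 0x8182, 1, 0, 0, 1)
```

The AD bit is only as trustworthy as the resolver and the channel to it, which is why the check is paired with a certificate-verified TLS connection here.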

