For what it's worth, I'd like to give my 2 cents.  I develop on a DNS
server so I often use the -p option to test new functionality on a
different port than 53.  It doesn't bother me that the base OpenBSD dig
has a pledge restriction for only port 53.  Just as long as I have the
ports bind package dig in /usr/local/bin and I do use that for querying
a port higher than 53.  I'm aware of the risk, and sometimes I forget
that -p is restricted in base which is embarrassing.

If anyone does the work to pledge base dig to use -p on a higher port,
that's an added bonus but not necessarily needed as long as there is a
workaround (the bind port).

I have considered Stuart's recommendation to use another address for
this, and that makes sense as well as a workaround.  It's a bit more
work because I have to log into the nameserver itself to reach that
address but I do that anyhow to load up the newly changed code.

Cheers,
-peter
