Re: dig and DNSSEC

2015-09-26 Thread Christian Weisgerber
On 2015-09-26, "Todd C. Miller"  wrote:

>> As Unbound/nsd are in base now, perhaps it could be easier to get
>> drill in and drop dig ?
>
> That's a great idea.  We'd need to add nslookup(1) and host(1)
> wrappers though.

Vitaly Magerya wrote an ldns-based host(1):
http://hg.tx97.net/ldns-host

Imported by FreeBSD:
https://svnweb.freebsd.org/base/head/contrib/ldns-host/

-- 
Christian "naddy" Weisgerber  na...@mips.inka.de



Re: dig and DNSSEC

2015-09-26 Thread Todd C. Miller
On Sat, 26 Sep 2015 22:03:50 +0200, Denis Fondras wrote:

> As Unbound/nsd are in base now, perhaps it could be easier to get
> drill in and drop dig ?

That's a great idea.  We'd need to add nslookup(1) and host(1)
wrappers though.

 - todd



Re: dig and DNSSEC

2015-09-26 Thread Denis Fondras
> dig and nslookup will remain in base.  Go look in our tree at the contortions
> required to keep them there, since ISC has created a mess of their own libraries
> and makes the 800 lines of nslookup and 7000 lines of dig use them.  Hold your
> nose when you look, ok?

As Unbound/nsd are in base now, perhaps it could be easier to get drill in and
drop dig ?



Re: dig and DNSSEC

2015-09-25 Thread Etienne

On 2015-09-25 15:05, Stuart Henderson wrote:

>> Is there any chance that dig (src/usr.sbin/bind/bin/dig/) could be built
>> with -DDIG_SIGCHASE to enable dnssec verification in future releases?
>> Where would be a proper place to request that?
>
> I've just added this to the ports version of BIND (ports/net/isc-bind), packages
> for this will arrive in future snapshots. You'll probably want to do
> something like
> "alias dig=/usr/local/bin/dig" or similar to avoid finding the version from base
> first in your shell path.


Terrific! Thank you so much.

By any chance, once the base version of bind is being phased out, do you 
know if there will still be a dig(1) in the base?


Cheers,

--
Étienne



Re: dig and DNSSEC

2015-09-25 Thread Theo de Raadt
>By any chance, once the base version of bind is being phased out, do you 
>know if there will still be a dig(1) in the base?

dig and nslookup will remain in base.  Go look in our tree at the contortions
required to keep them there, since ISC has created a mess of their own libraries
and makes the 800 lines of nslookup and 7000 lines of dig use them.  Hold your
nose when you look, ok?



Re: dig and DNSSEC

2015-09-25 Thread Stuart Henderson
On 2015-09-24, Etienne  wrote:
> Hello there,
>
> Is there any chance that dig (src/usr.sbin/bind/bin/dig/) could be built
> with -DDIG_SIGCHASE to enable dnssec verification in future releases? 
> Where would be a proper place to request that?
>
> Cheers,
>

I've just added this to the ports version of BIND (ports/net/isc-bind), packages
for this will arrive in future snapshots. You'll probably want to do something like
"alias dig=/usr/local/bin/dig" or similar to avoid finding the version from base
first in your shell path.



dig and DNSSEC

2015-09-24 Thread Etienne

Hello there,

Is there any chance that dig (src/usr.sbin/bind/bin/dig/) could be built
with -DDIG_SIGCHASE to enable dnssec verification in future releases? 
Where would be a proper place to request that?


Cheers,

--
Étienne