Look, you're either recursing or you're not. If you're not recursing, you're not really validating DNSSEC records. If you are, you're not vulnerable to NXDOMAIN ads. The NXDOMAIN thing is in fact not a good use case for DNSSEC. That's all I'm saying here, I'm not making any broader claim than that. Of course you can just install a recursive resolver on your router. But then you don't need DNSSEC!
> If you're not recursing, you're not really validating DNSSEC records.
Nope, validating in stubs is a thing. systemd's resolved does it. Apple's high-level network frameworks do it if you ask as of a couple of years ago (they've been back and forth on DNSSEC in their lower level API for longer than that). I'm not sure how well they work but they're there.
A validating stub resolver is effectively a recursive resolver proxying through another recursor. At the point where you're going to do that, you might as well just run a recursive server. Either way: you don't have the NXDOMAIN problem. I really don't think there's a way to get around this. It's not dispositive of DNSSEC (other things are!), it's just not a real use case?
> A validating stub resolver is effectively a recursive resolver proxying through another recursor. At the point where you're going to do that, you might as well just run a recursive server.
Every iPhone on the planet might as well be a recursive resolver? Yeah, nah.
Stub resolver: A resolver that cannot perform all resolution itself.
Stub resolvers generally depend on a recursive resolver to
undertake the actual resolution function.
They literally have an animation of the client resolver making repeated requests up the tree. While saying they're making multiple requests. And calling it recursive.
