IMO it's "fine" to give curl the ability to validate DNSSEC standalone, we
should just make sure the user can use their trusted DNSSEC-enabled
stub/recursive (if they have one) without having curl re-validate everything.
I expect this will be the mode used by most people anyhow.
The main issue with validating DNSSEC within curl would be the latency as we
won't have a cache of already-validated records across invocations; otherwise I
don't see anything wrong with having curl spin up its own trusted stub via e.g.
unbound.
--
Cheers,
~Ali Mohammad Pur