according to README, blocky supports DNSSEC. This is only "half-true". Blocky support RRSIG/etc records, but doesn't validate DNSSEC trust chain at all. It just trust validation done by upstream resolver, which is not secure enough.
Used dns library doesn't do validation per-se (confirmed by author), but it can be added. For inspiration how to do validation correctly, see sdns which uses same dns library.
Hi,
according to README, blocky supports DNSSEC. This is only "half-true". Blocky support RRSIG/etc records, but doesn't validate DNSSEC trust chain at all. It just trust validation done by upstream resolver, which is not secure enough.
Used dns library doesn't do validation per-se (confirmed by author), but it can be added. For inspiration how to do validation correctly, see sdns which uses same dns library.