
local DNSSEC validation

Open adrelanos opened this issue 2 years ago • 0 comments

DoHoT currently doesn't seem to mention, or to be doing, local DNSSEC validation?

DoHoT seems to be based on dnscrypt-proxy which apparently doesn't do local DNSSEC validation. References:

  • https://github.com/DNSCrypt/dnscrypt-proxy/discussions/1954
  • https://github.com/DNSCrypt/dnscrypt-proxy/issues/167#issuecomment-367689381

Also cloudflared apparently doesn't do local DNSSEC validation. References:

  • https://github.com/cloudflare/cloudflared/issues/520
  • https://community.cloudflare.com/t/does-the-cloudflared-dns-client-locally-verify-dnssec/335402

Thank you for all your work on DNS security!

BTW I am interested in documenting and including it in our security distro: https://www.kicksecure.com/wiki/DNS_Security

adrelanos, Feb 02 '22 19:02