Open hildjj opened 6 years ago
In https://github.com/hildjj/dohdec/issues/37#issuecomment-1326194032 @gnarea suggested a design, which I mostly like. I don't really believe in remote validation for dnssec, so I'd like the default to be local validation, unless there's some reason not to.
If we integrate dnssec-js, I'd suggest defaulting to remote validation for a while just to allow enough time for the library to be (a) battle-tested in the wild (we'll be using it in Vera, which should be released to production in Q1/Q2 2023) and (b) independently audited by a reputable team (which our funder will be commissioning soon). Until then, as a user of this library, I'd feel safer sticking to Cloudflare or Google.
Another thing to bear in mind is that client-side validation could be much slower than remote validation depending on the user's connection. So if client-side validation becomes the default, I'd consider making a major release to make it more likely for developers to check the release notes.
Your stated approach works for me. We will mark the option's default as likely to change so that people know to be explicit if they want consistent behavior.
👍🏾
BTW, in addition to the docs, there's one more thing I want to do before integrating dnssec-js in the dohdec CLI.
Process RRSIG results, etc.