> Thanks to everyone for the info and recommendations. I need to figure out > how to alert on validation failures, and then enable validation.
You may want to investigate PowerDNS Recursor and its "log-fail" setting: "In this mode, the recursor will attempt to validate all data it retrieves from authoritative servers, regardless of the client's DNSSEC desires, and will log the validation result." See https://doc.powerdns.com/recursor/dnssec.html Steinar Haug, AS2116 _______________________________________________ dns-privacy mailing list dns-privacy@ietf.org https://www.ietf.org/mailman/listinfo/dns-privacy