On 28.09.20 at 17:56, Paul Wouters wrote:
Because DNSSEC is a disaster area and if you try and use it on random networks you're going to get failed lookups on a reasonable number - it's fine if you're on a known network with decent upstream servers but once you start going out and using random WiFi hotspots and things it's a very different story.
And that's why DNS-over-TLS (DoT) and DNS-over-HTTPS (DoH) are now being deployed. And why browsers are, contrary to Michael Catanzaro's wrong claim, overriding the system DNS already. See Mozilla's TRR program https://wiki.mozilla.org/Trusted_Recursive_Resolver and Google's Chrome https://www.chromium.org/developers/dns-over-https
It's always a bad idea for a program to do the DNS itself, instead of using the DNS everyone on the host does. You get inconsistent behaviour at best, and a security nightmare at worst. DoX in a browser or any other program is wrong anyhow.
best regards, Marius
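For readers who want to see what "overriding the system DNS" actually looks like on the wire, here is an added example (not part of the mailing-list thread, and not Mozilla's or Chromium's code): a minimal RFC 8484 DoH client side that builds a DNS query in wire format, wraps it into the `?dns=` GET form, and parses an answer. The response bytes are constructed by hand so the script runs offline; the resolver URL in `send_doh_get` is a placeholder and that function is not called here.

```python
"""Added example: how an in-application DoH client assembles and parses DNS
messages itself, bypassing the host's stub resolver entirely.
Runs offline; RESPONSE below is a hand-constructed answer, not captured traffic."""
import base64
import struct
import urllib.request


def build_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Build an RFC 1035 wire-format query for `name` (qtype 1 = A, class IN).
    RFC 8484 recommends txid 0 so identical queries are cache-friendly."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def doh_get_path(query: bytes, template: str = "/dns-query") -> str:
    """RFC 8484 GET form: the raw DNS message, base64url-encoded without padding."""
    enc = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{template}?dns={enc}"


def send_doh_get(resolver_host: str, query: bytes) -> bytes:
    """Send the query over HTTPS (placeholder host; not exercised offline)."""
    req = urllib.request.Request(
        f"https://{resolver_host}{doh_get_path(query)}",
        headers={"Accept": "application/dns-message"},
    )
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read()


def _read_name(msg: bytes, off: int):
    """Decode a possibly compressed domain name; return (name, next_offset)."""
    labels = []
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:  # compression pointer (RFC 1035 section 4.1.4)
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            sub, _ = _read_name(msg, ptr)
            labels.append(sub)
            return ".".join(labels), off + 2
        off += 1
        if ln == 0:
            return ".".join(labels), off
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln


def parse_response(msg: bytes) -> dict:
    """Parse header flags and the answer section of a DNS response."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                 # skip the echoed question section
        _, off = _read_name(msg, off)
        off += 4                        # qtype + qclass
    answers = []
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        value = ".".join(str(b) for b in rdata) if rtype == 1 and rdlen == 4 else rdata.hex()
        answers.append((name, rtype, ttl, value))
    return {
        "txid": txid,
        "rcode": flags & 0x000F,
        "ad": bool(flags & 0x0020),     # AD bit: resolver claims DNSSEC-validated data
        "answers": answers,
    }


# Constructed sample: query for example.com and a matching answer
# (flags 0x81A0 = QR|RD|RA|AD, one A record with TTL 300).
QUERY = build_query("example.com")
RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x81A0, 1, 1, 0, 0)
    + QUERY[12:]                        # echoed question section
    + b"\xC0\x0C"                       # answer name: pointer to offset 12
    + struct.pack("!HHIH", 1, 1, 300, 4)
    + bytes([93, 184, 216, 34])         # constructed rdata
)

if __name__ == "__main__":
    print(doh_get_path(QUERY))
    print(parse_response(RESPONSE))
```

Note that the AD bit parsed here is only an assertion by the remote resolver, transported over TLS; an application that does this itself trusts that resolver, not the host's configured one, which is exactly the split behaviour the reply above objects to.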