I would rather DNSSEC validation be kept with getdns/stubby. I have not found that dnsmasq retrieves root keys dynamically, whereas stubby does.
Dnsmasq is a more logical location for this to occur:
- Dnsmasq can cache results, so it improves performance, as validating a record can require multiple queries
- Dnsmasq has been proven to work well, and has stricter DNSSEC validation than getdns (AFAIK)
- Dnsmasq is intended as the multi-role service; Stubby is merely a bridge between dnsmasq and DoT servers. Design-wise it makes little sense to also move some of the burden of validating results to Stubby.
- It makes debugging easier, as dnsmasq has extensive logging capabilities
- Automatic retrieval of keys is something I see as a potential security risk (they could get compromised, compared to built-in keys), and failure to retrieve the keys could break your whole network (if the key repository goes down, changes location, or gets blocked by your ISP or country).
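For reference, this is what the split described above looks like as a dnsmasq configuration: dnsmasq validates with a pinned root trust anchor and Stubby only forwards over DoT. It is an added example, not a config posted by either participant, and it assumes Stubby is listening on 127.0.0.1 port 5453 (the OpenWrt package default) with DNSSEC left disabled on the Stubby side; adjust those to your setup.

```conf
# Added example (not from the thread): dnsmasq validates, stubby only forwards over DoT.
# Assumption: stubby listens on 127.0.0.1 port 5453 and does no validation of its own.

# Forward everything to stubby; never fall back to the resolvers in /etc/resolv.conf,
# otherwise a plain-UDP upstream could be used behind your back.
no-resolv
server=127.0.0.1#5453

# Enable DNSSEC validation in dnsmasq.
dnssec

# Require proof that a zone is really unsigned (NSEC/NSEC3 proof of no DS record).
# Without this, an upstream or on-path attacker can strip the RRSIGs and the
# unsigned answer is accepted as if it were fine.
dnssec-check-unsigned

# Built-in trust anchor for the root zone (KSK-2017, key tag 20326), pinned in the
# config instead of fetched at runtime. Check it against IANA's published
# root-anchors.xml before trusting any copy, this one included.
trust-anchor=.,20326,8,2,E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D

# Routers without a battery-backed clock boot with a bogus date, which makes every
# signature look expired and breaks all name resolution. This skips the time checks
# until dnsmasq is told (SIGINT) that the clock is now correct, e.g. after NTP sync.
# Remove it on devices that keep time across reboots.
dnssec-no-timecheck

# While testing, log every query; validation results show up as
# "validation result is SECURE/INSECURE/BOGUS" in the log.
log-queries
```

To check that validation really happens in dnsmasq, run `dig +dnssec example.com @127.0.0.1` and look for `ad` in the flags, then `dig dnssec-failed.org @127.0.0.1`, which is deliberately broken and must come back as SERVFAIL; if it resolves, validation is not active (or the time checks are still disabled with a wrong clock). When the root KSK is rolled, a new `trust-anchor=` line has to be added by hand, which is exactly the trade-off being discussed: a pinned key cannot be swapped out by whoever serves the key file, but it also will not update itself.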