Hi Vladimir,

I appreciate your response and it's great to know you validate by default. I apologize for posting to the wrong list.

Best,
Henry

On Wed, Mar 12, 2025 at 9:14 AM Vladimír Čunát <vladimir.cunat@nic.cz> wrote:

Hello.

On 10/03/2025 17.01, birgelee--- via knot-dns-users wrote:
This ballot requires compliance with RFCs 4035 (specifically an implementation of a "security-aware" resolver as defined in Section 4) and 6840. To the best of my knowledge Knot would be a viable choice for conforming to this ballot particularly since there is a reference to RFCs 4035 in the config documentation and 6840 implements several key features of modern DNSSEC. Given the need for documentable compliance by CAs, a statement of intended support from the Knot team would be extremely helpful.

This is about resolvers apparently, so we're slightly off-topic here, as we have a split knot-resolver-users@lists.nic.cz - but I expect this thread to be very short.

Knot Resolver *does support* modern DNSSEC validation, as described in RFC 4035, 6840, and some others.  And we validate by default, etc.

--Vladimir