> The purpose of unwind is to provide secure DNS services even when
> the available nameservers are broken or filtered like in many hotels.
> To do that, it prefers DNSSEC whenever possible and changes to do
> resolving by itself if needed.
>
> DNSSEC only offers integrity and authenticity. To protect
> eavesdropping on the requests in transit, encryption is needed, as
> offered by e.g. DNS over TLS (DoT) and DNS over HTTP (DoT). unwind

Before I jump aboard with DNSSEC's failings in mind on my own networks rather than the mentioned hotel scenario. I believe, but I am still not certain, that services like PowerDNS have secure channels to the main primary DNS servers that apparently do not scale for the rest of us? Otherwise I worry that the network security target is a more singular centralised target compared to e.g. unbound.