11 dns updating
To test whether or not the resolver you operate is doing DNSSEC validation, you can use the special domain "dnssec-failed.org" that is operated as a public service by Comcast.This special domain will cause validating resolvers to purposely fail to give an answer.See discussion above. Verisign says this about their free DNS servers: "We will not sell your public DNS data to third parties nor redirect your queries to serve you any ads." Verisign offers IPv6 public DNS servers as well: 26:1b::1:1 and 26:1c::2:2. Quad9 uses real time information about what websites are malicious and blocks them completely.No content is filtered - only domains that are phishing, contain malware, and exploit kit domains will be blocked. An unsecure pubic DNS is also available from Quad9 at 220.127.116.11 but they do not recommend using that as the secondary domain in your router or computer setup. WATCH also has IPv6 DNS servers at 20::1c04:b12f and 20::9249:d69b. WATCH publishes live statistics for both of their free DNS servers.
will automatically route to the nearest DNS server operated by Level3 Communications, the company that provides most of the ISPs in the US their access to the internet backbone.
If you are running Unbound version 1.6.5 or later: Power DNS Recursor version 4 supports DNSSEC validation, but does not yet support DNSSEC validation using automatic RFC 5011 updating.
This means that for Power DNS Recursor, you need to get a new set of trust anchors every time the trust anchors change.
Version 4.0.5 and later of Power DNS Recursor come with KSK2017 as part of the installed trust anchors.
If you can update your software: Knot Resolver supports DNSSEC validation using automatic RFC 5011 updating in all versions.