The most common setup is where a recursive DNS resolver does the DNSSEC validation. The nice thing about this approach in that existing applications do not require modifications.

However, an application cannot easily tell if the resolver is doing DNSSEC validation, and the path between the application and the resolver is unprotected.

The solution to this, is for applications to do local DNSSEC validation. This can be done using the getdns library. The getdns library provides other advantages as well, such as a modern interface to DNS resolution, support for event libraries (such as libevent).

In this presentation I will describe getdns and show two examples of how it can be used in practice.