DNSSEC is already a well-established technology that extends the DNS protocol to provide integrity and authenticity. This enables new types of applications and functionality, such as:
* Verify a remote server's SSH fingerprint using the SSHFP record in DNS (RFC 4255)
* Verify a TLS certificate offered by the remote server using DANE and the TLSA record in DNS (RFC 6698)
* Get IPsec keys for a particular remote host automatically using the IPSECKEY record in DNS (RFC 4025)
* Get X.509 or OpenPGP certificates using the CERT record in DNS (RFC 4398)
* Verify that a specific Certification Authority is authorized to issue a certificate for a particular domain, using the CAA record in DNS (RFC 6844)

DNSSEC configuration and deployment on the server side is well understood and, for the most part, an already solved problem. The applications using the DNS records mentioned above are mostly useful on the client side. While client-side configuration may seem trivial, it is non-trivial for mobile devices roaming across various networks (at the airport, a local cafe or at work), which may work correctly with DNSSEC or may be broken or misconfigured. These networks can also apply various policies, e.g. dropping DNS packets larger than 512 bytes. Therefore, such mobile clients need software that tests the network on each network configuration change and reconfigures a locally running validating DNS resolver in order to provide DNSSEC validation.
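
One way such a network test could judge a path, as an added example that is not part of the original text or of any particular tool: it builds a DNSSEC-OK query (EDNS0 with the DO bit set) and classifies the reply, or the lack of one. The function names, the choice of a root DNSKEY query and the sample replies are assumptions constructed for illustration.

```python
import struct

TYPE_OPT, TYPE_RRSIG, TYPE_DNSKEY = 41, 46, 48

def build_query(name, qtype=TYPE_DNSKEY, qid=0x1234, bufsize=4096):
    """DNS query carrying an EDNS0 OPT record with the DO (DNSSEC OK) bit set."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1)  # RD=1, 1 question, 1 additional
    labels = [l.encode() for l in name.strip(".").split(".") if l]
    qname = b"".join(bytes([len(l)]) + l for l in labels) + b"\0"
    # OPT RR: root owner, CLASS = UDP payload size, TTL field carries flags (DO = 0x8000)
    opt = b"\0" + struct.pack("!HHIH", TYPE_OPT, bufsize, 0x8000, 0)
    return header + qname + struct.pack("!HH", qtype, 1) + opt

def _skip_name(msg, off):
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:  # compression pointer ends the name
            return off + 2
        off += n + 1

def classify(resp):
    """Summarise what one reply (or None for a timeout) says about the network path."""
    r = {"answered": False, "truncated": False, "edns": False, "do_echoed": False, "rrsig": False}
    if resp and len(resp) >= 12:
        _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", resp[:12])
        r["answered"], r["truncated"] = True, bool(flags & 0x0200)  # TC bit
        off = 12
        for _ in range(qd):
            off = _skip_name(resp, off) + 4
        for _ in range(an + ns + ar):
            off = _skip_name(resp, off)
            rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
            off += 10 + rdlen
            r["edns"] |= rtype == TYPE_OPT
            r["do_echoed"] |= rtype == TYPE_OPT and bool(ttl & 0x8000)
            r["rrsig"] |= rtype == TYPE_RRSIG
    r["usable_over_udp"] = r["edns"] and r["rrsig"] and not r["truncated"]
    return r

def _rr(rtype, rclass, ttl, rdata):
    return b"\0" + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata

def sample_response(rrsig=True, edns=True, tc=False):
    """Constructed reply for the root DNSKEY query; RDATA is filler, not real key material."""
    rrs = [_rr(TYPE_DNSKEY, 1, 3600, b"\x01" * 8)]
    rrs += [_rr(TYPE_RRSIG, 1, 3600, b"\x02" * 8)] if rrsig else []
    extra = [_rr(TYPE_OPT, 4096, 0x8000, b"")] if edns else []
    header = struct.pack("!HHHHHH", 0x1234, 0x8180 | (0x0200 if tc else 0), 1, len(rrs), 0, len(extra))
    return header + b"\0" + struct.pack("!HH", TYPE_DNSKEY, 1) + b"".join(rrs + extra)
```

A reply with no OPT record or no RRSIG indicates a resolver that strips DNSSEC data, while `classify(None)` models the case where a large signed reply was dropped and the query timed out.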