It’s come to my attention that the two servers operated by Fusl I mentioned above don’t seem to always validate DNSSEC queries properly.
You’re welcome to use the unlisted Tier 2 servers (OpenNIC DNS resolvers) I use for backend work across a lot of my OpenNIC-related services (including Tier 1 operation) if you wish to add OpenNIC to your default options:
- 188.8.131.52 / 2604:a880:cad:d0::9a7:1
- 184.108.40.206 / 2604:a880:800:a1::1180:a001
These servers don’t log in any way and fully support DNSSEC with the following trust-anchor configuration:
```
root@nyc1:~# cat /etc/dnsmasq.d/02-trustanchor.conf
```
FWIW, I’m not just some random server operator; I run two of the ten root DNS servers for OpenNIC, a few DNS resolvers (including a primary anycast server and a newly created public Pi-hole instance), and some main organizational infrastructure including our homepage. Feel free to reply/PM me here if you have any questions/concerns.