GnuTLS' design for DANE seems to be the right approach in general for
apps which want to do DNSSEC validation: provide options for whether
to respect resolv.conf and whether to cache results. Its libdane links
to libunbound but allows apps to choose whether to tell libunbound to
parse resolv.conf and whether to cache results.
Apps which have a config file should make those options start-time configurable.
-JimC
--
James Cloos <cloos(a)jhcloos.com> OpenPGP: 1024D/ED7DAEA6