is DNSSEC enabled in the current glibc DNS resolver?

[r16]

I just set up DNSSEC on my home test domain, and I would like to verify that my DNS lookups, on both windows 10 and other up to date gentoo boxes are using the extra security. MSDN claims that as of windows 7, the windows DNS resolver is "security enabled" - I assume that means DNSSEC enabled. I actually pulled up a power shell and verified that the lookups ran properly. I guess I just have to trust microsoft - which is another topic entirely.

On my gentoo boxes I can run +dnssec digs all day long and they work great, however, I was not able to determine if the current default glibc resolver getaddrinfo() does DNSSEC by default, and if not what I have to do to make my gentoo boxes do DNSSEC by default. From a few years back (~2012) I was able to find a libval library and a function val_getaddrinfo() which did DNSSEC but it looks kinda antiquated and its usage doesn't look widespread. I'm not a linux developer so I'm not intimately familiar with the nuts and bolts of glibc.

Getting DNSSEC working is important, because ultimately I would like to use DNS lookups to securely push kerberos and PKI data to the network with minimal per-client configuration.

Any info / thoughts / ideas on this?

[Ant P.]

glibc's resolver doesn't do much of anything, you'll need to run Unbound or BIND if you want DNSSEC.