Evaluation of validating resolvers on Linux: Unbound and Knot Resolver recommended
"Systemd-resolved and Dnsmasq have serious bugs"
Tore Anderson, Senior Systems Consultant at Redpill Linpro, has evaluated six widely used DNSSEC-validating resolvers: Bind, Dnsmasq, Knot Resolver, PowerDNS Recursor, systemd-resolved and Unbound. He considered how well (that is, how strictly) the software worked, as well as its support for recursion (as opposed to acting as a stub resolver), private domains and negative trust anchors (NTAs). Because the evaluation was performed on Linux (Fedora 30 and Ubuntu 19.04), he also looked at integration with NetworkManager.
One of Anderson's most significant findings was that systemd-resolved and Dnsmasq have serious bugs in their basic functionality (validation results). Unbound and Knot Resolver emerged as highly recommended. Anderson reported that the latest versions of PowerDNS Recursor and Bind worked well too, but had no advantages over Unbound or Knot Resolver. Read Anderson's full evaluation report.