
Algorithm to handle DNSSEC validation errors when there are multiple resolvers?

Open bortzmeyer opened this issue 11 years ago • 1 comment

When the DNS looking glass uses several resolvers, and when they have a different use of DNSSEC (for instance, some validate and some don't), the results are not perfect. Unfortunately, since there is no DNS response code "DNSSEC validation failure", I'm not sure there is a right solution; SERVFAIL is a very ambiguous response code.

Take for instance servfail.nl, which is deliberately broken. If the DNS looking glass uses only validating resolvers, we get:

http://dnslg.generic-nic.net/servfail.nl/SOA => "No server replies for domain servfail.nl" (because the program tries the next resolvers after a SERVFAIL. Is it a good idea?)

If the DNS looking glass uses one validating resolver then ordinary resolvers, it "succeeds":

http://dns.bortzmeyer.org/servfail.nl/SOA => "Start Of Authority: Zone administrator hostmaster.forfun.net., master server li1.forfun.net., ..." Should it stop instead at the first SERVFAIL?

bortzmeyer avatar Feb 02 '13 14:02 bortzmeyer

Since there is no "obviously right" algorithm, maybe an option in the configuration file: "when SERVFAIL or REFUSED, move to the next server: true/false".

bortzmeyer avatar Feb 06 '13 11:02 bortzmeyer
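One way to implement the resolver-walking policy discussed in the issue body and the configuration switch proposed in the follow-up comment, as an added example that is not dns-lg's own code. The resolvers are simulated with a constructed lookup table so that the script runs offline; `FakeResolver`, `lookup` and the status strings are hypothetical names, and the sample data only reuses the servfail.nl SOA fields quoted in the issue. The extra step of re-asking a validating resolver with the CD (Checking Disabled) header bit, which is how RFC 4035 lets a client tell a DNSSEC validation failure apart from an ordinary upstream failure, is a general DNS technique added here, not something the issue proposes.

```python
from dataclasses import dataclass

# DNS RCODE values from RFC 1035 / IANA; only those the policy needs
NOERROR, SERVFAIL, NXDOMAIN, REFUSED = 0, 2, 3, 5


@dataclass
class Response:
    rcode: int
    answer: tuple = ()   # e.g. (MNAME, RNAME) for an SOA
    ad: bool = False     # Authenticated Data flag, set only by a validating resolver


@dataclass
class FakeResolver:
    """Constructed stand-in for a real resolver (hypothetical, not dns-lg's API).
    `table` maps (qname, qtype, cd_flag) to the Response the server would send."""
    name: str
    validating: bool
    table: dict

    def query(self, qname, qtype, cd=False):
        key = (qname.lower().rstrip("."), qtype, cd)
        return self.table.get(key, Response(NXDOMAIN))


def looks_like_validation_failure(resolver, qname, qtype):
    """Re-ask the same server with CD=1 (Checking Disabled, RFC 4035).
    A validator that SERVFAILs with CD=0 but answers with CD=1 is reporting a
    DNSSEC validation failure, not an upstream outage. On the wire this means
    setting the CD bit in the query header."""
    return resolver.query(qname, qtype, cd=True).rcode == NOERROR


def lookup(resolvers, qname, qtype, move_on_servfail):
    """Walk the resolvers in order and return (status, detail).

    move_on_servfail mirrors the proposed configuration switch: when False the
    first SERVFAIL/REFUSED ends the search and is reported as such; when True
    the next resolver is tried and 'no_reply' is returned if all of them fail.
    """
    for r in resolvers:
        resp = r.query(qname, qtype)
        if resp.rcode == NOERROR:
            return "ok", {"server": r.name, "answer": resp.answer, "ad": resp.ad}
        if resp.rcode in (SERVFAIL, REFUSED):
            status = "servfail" if resp.rcode == SERVFAIL else "refused"
            if resp.rcode == SERVFAIL and r.validating and \
                    looks_like_validation_failure(r, qname, qtype):
                status = "dnssec_failure"
            if not move_on_servfail:
                return status, {"server": r.name}
            continue
        # NXDOMAIN and any other rcode are definite answers: stop here
        status = "nxdomain" if resp.rcode == NXDOMAIN else "error"
        return status, {"server": r.name, "rcode": resp.rcode}
    return "no_reply", {"tried": [r.name for r in resolvers]}


# Constructed sample data modelled on the issue's servfail.nl example
BROKEN = "servfail.nl"
SOA = ("li1.forfun.net.", "hostmaster.forfun.net.")

VALIDATING = FakeResolver("validator", True, {
    (BROKEN, "SOA", False): Response(SERVFAIL),      # validation fails
    (BROKEN, "SOA", True): Response(NOERROR, SOA),   # but the data exists
})
PLAIN = FakeResolver("plain", False, {
    (BROKEN, "SOA", False): Response(NOERROR, SOA),
})
# A resolver whose upstream is simply unreachable: SERVFAIL with or without CD
DEAD = FakeResolver("dead", True, {
    (BROKEN, "SOA", False): Response(SERVFAIL),
    (BROKEN, "SOA", True): Response(SERVFAIL),
})

if __name__ == "__main__":
    for policy in (False, True):
        print("move_on_servfail =", policy,
              lookup([VALIDATING, PLAIN], BROKEN, "SOA", policy))
```

With `move_on_servfail=False` the validating resolver's SERVFAIL is reported as `dnssec_failure`, which is the signal the issue says gets lost; with `True` the plain resolver's unsigned answer is returned and the failure is only visible in the `ad=False` detail. The CD retry is only informative against a validating resolver: a non-validating one returns the same answer either way, so the check is skipped for it.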