We use DNSSEC validation when feasible, as that allows us to be sure the answers are correct and untampered with. The price of signature verifications is very low, as well as the probable discounts we get from intense destructive caching much more than make up for that. You can perspective https://lukaskzkvg.wikistatement.com/3992184/the_ultimate_guide_to_nginx_ssl_certificate_install