diff -I '\$Id: ' -u -r -b -w -p -d --exclude-from=/home/rstory/.rcfiles/diff-ignore --new-file clean/wget-1.12/configure.ac wget-1.12/configure.ac
--- clean/wget-1.12/configure.ac 2009-09-22 12:39:49.000000000 -0400
+++ wget-1.12/configure.ac 2009-10-26 18:50:43.000000000 -0400
@@ -544,6 +544,36 @@ if test "X$iri" != "Xno"; then
 fi
 fi
+dnl
+dnl Check for dnssec validator library if configured
+dnl
+AC_ARG_WITH(dnssec-local-validation,
+ [ --with-dnssec-local-validation Enable local DNSSEC validation using libval (default=no)], want_dnssec=$withval, want_dnssec=no)
+if test "x$want_dnssec" = "xyes"; then
+ AC_CHECK_HEADERS(validator/validator.h)
+ if test "$ac_cv_header_validator_validator_h" != yes; then
+ AC_MSG_ERROR(Can't find validator.h (from dnssec-tools))
+ fi
+ AC_CHECK_LIB(ssl, SHA1_Init)
+ AC_CHECK_LIB(sres, query_send)
+ if test "$ac_cv_lib_sres_query_send" != yes; then
+ AC_MSG_ERROR(Can't find libsres (from dnssec-tools))
+ fi
+ AC_CHECK_LIB(val, p_val_status,[LIBS="$LIBS -lval"])
+ if test "x$ac_cv_lib_val_p_val_status" = "xno"; then
+ AC_CHECK_LIB(pthread, pthread_rwlock_init)
+ AC_CHECK_LIB(val-threads, p_val_status,
+ [LIBS="$LIBS -lval-threads -lpthread" LIBVAL_SUFFIX="-threads"],
+ AC_MSG_ERROR(Can't find libval or libval-threads (from dnssec-tools)))
+ fi
+ if test "x$ac_cv_lib_val_p_val_status" = "xyes" -o "x$ac_cv_lib_val_threads_p_val_status" = "xyes"; then
+ AC_DEFINE(DNSSEC_LOCAL_VALIDATION, 1,
+ [Define if you want local DNSSEC validation support])
+ fi
+ AC_MSG_NOTICE([support for dnssec validator compiled in])
+fi
+
+
 dnl Needed by src/Makefile.am
 AM_CONDITIONAL([IRI_IS_ENABLED], [test "X$iri" != "Xno"])
diff -I '\$Id: ' -u -r -b -w -p -d --exclude-from=/home/rstory/.rcfiles/diff-ignore --new-file clean/wget-1.12/src/host.c wget-1.12/src/host.c
--- clean/wget-1.12/src/host.c 2009-09-21 23:00:05.000000000 -0400
+++ wget-1.12/src/host.c 2009-10-29 16:12:43.000000000 -0400
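Review bot: In configure.ac, `test "x$want_dnssec" = "xyes"` enables the block only for the exact value `yes`, so `--with-dnssec-local-validation=<anything else>` (a path, `true`, a typo) quietly builds a wget without validation while the person configuring it may believe it is on. For a security feature I would fail closed at configure time: accept `yes` and `no`, and call `AC_MSG_ERROR([invalid value for --with-dnssec-local-validation])` on any other value before the test. Two smaller points in the same hunk: the result of `AC_CHECK_LIB(ssl, SHA1_Init)` is never tested (and SHA1_Init normally lives in libcrypto, not libssl), and the message arguments should be bracket-quoted like the AC_MSG_NOTICE one, e.g. `AC_MSG_ERROR([Can't find validator.h (from dnssec-tools)])`.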
@@ -35,6 +35,11 @@ as that of the covered work. */
 #include
 #include
+/* Support for dnssec validation */
+#ifdef DNSSEC_LOCAL_VALIDATION
+#include
+#endif /* DNSSEC_LOCAL_VALIDATION */
+
 #ifndef WINDOWS
 # include
 # include
@@ -378,7 +383,19 @@ static void
 getaddrinfo_with_timeout_callback (void *arg)
 {
 struct gaiwt_context *ctx = (struct gaiwt_context *)arg;
+#ifndef DNSSEC_LOCAL_VALIDATION
 ctx->exit_code = getaddrinfo (ctx->node, ctx->service, ctx->hints, ctx->res);
+#else
+ int err = 0;
+ val_status_t vstatus;
+ err = val_getaddrinfo((val_context_t *)NULL, ctx->node,
+ ctx->service, ctx->hints, ctx->res, &vstatus);
+ if ((NULL != ctx->res) && (0 == val_istrusted(vstatus))) {
+ DEBUGP(("DNSSEC status: %s [%d]\n", p_val_error(vstatus), vstatus));
+ err = DNSSECAI_FAIL;
+ }
+ ctx->exit_code = err;
+#endif
 }
 /* Just like getaddrinfo, except it times out after TIMEOUT seconds.
@@ -776,9 +793,15 @@ lookup_host (const char *host, int flags
 err = getaddrinfo_with_timeout (host, NULL, &hints, &res, timeout);
 if (err != 0 || res == NULL)
 {
- if (!silent)
+ if (!silent) {
+#ifndef DNSSEC_LOCAL_VALIDATION
 logprintf (LOG_VERBOSE, _("failed: %s.\n"),
 err != EAI_SYSTEM ? gai_strerror (err) : strerror (errno));
+#else
+ logprintf (LOG_VERBOSE, _("failed: %s.\n"),
+ err != EAI_SYSTEM ? dnssec_strerror (err) : strerror (errno));
+#endif
+ }
 return NULL;
 }
 al = address_list_from_addrinfo (res);
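Review bot: In getaddrinfo_with_timeout_callback the guard `(NULL != ctx->res)` tests the out-parameter itself (the same `ctx->res` is passed as getaddrinfo's fourth argument, so it is a `struct addrinfo **`), not the returned list, so it is effectively always true and does not separate a failed lookup from an untrusted answer. As written, an error already returned by val_getaddrinfo is overwritten with DNSSECAI_FAIL whenever vstatus is untrusted, and on the untrusted path the address list stays in `*ctx->res`; the lookup_host code visible in the next hunk returns NULL on `err != 0` without releasing it. I would make the condition `if (err == 0 && !val_istrusted (vstatus))` and, inside it, release and NULL `*ctx->res` (using the free routine libval documents for val_getaddrinfo results) so that an untrusted address can never reach a caller that checks only `res`. A comment should also record the trust level being enforced: val_istrusted() accepts answers that local policy trusts without cryptographic validation, and the NULL context leaves that policy to the system default, so val_isvalidated() is the stricter test if validated answers are what the option promises.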
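Review bot: In lookup_host the `#ifndef DNSSEC_LOCAL_VALIDATION` split duplicates the whole logprintf call just to swap gai_strerror for dnssec_strerror, and the braces on `if (!silent)` exist only to carry the preprocessor block. Since dnssec_strerror (added at the end of this file) already falls through to gai_strerror for every other code, host.h could provide `#define dnssec_strerror gai_strerror` for the non-DNSSEC build and this call site could remain a single unconditional `dnssec_strerror (err)`. It is also worth deciding whether a DNSSECAI_FAIL result should be logged above LOG_VERBOSE, because as written a validation rejection looks like any other lookup failure unless verbose output is on. lookup_host starts and ends outside the hunk.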
@@ -904,3 +927,29 @@ host_cleanup (void)
 host_name_addresses_map = NULL;
 }
 }
+
+#ifdef DNSSEC_LOCAL_VALIDATION
+/* DNSSEC additional proecudures
+
+ dnssec_strerror - looks for dnssec errors (currently there is
+ only one), passes back dnssec specific error
+ string or calls the system gai_strerror. */
+
+static const char* dnssecai_fail_string = "DNS resoloution not trusted";
+static const char* dnssecai_noerror_string = "No Error";
+
+const char *dnssec_strerror(int ecode)
+{
+ switch (ecode) {
+ case 0:
+ return (dnssecai_noerror_string);
+ case DNSSECAI_FAIL:
+ return (dnssecai_fail_string);
+ }
+ /* default response*/
+ return (gai_strerror(ecode));
+} /* denssec_strerror */
+
+
+/* End DNSSEC Additional procedures */
+#endif
diff -I '\$Id: ' -u -r -b -w -p -d --exclude-from=/home/rstory/.rcfiles/diff-ignore --new-file clean/wget-1.12/src/host.h wget-1.12/src/host.h
--- clean/wget-1.12/src/host.h 2009-09-04 12:31:54.000000000 -0400
+++ wget-1.12/src/host.h 2009-10-26 18:53:05.000000000 -0400
@@ -97,6 +97,11 @@ const char *print_address (const ip_addr
 bool is_valid_ipv6_address (const char *, const char *);
 #endif
+#ifdef DNSSEC_LOCAL_VALIDATION
+#define DNSSECAI_FAIL -600 /* sharing number space with netdb.h errors */
+const char *dnssec_strerror(int ecode);
+#endif
+
 bool accept_domain (struct url *);
 bool sufmatch (const char **, const char *);
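Review bot: In dnssec_strerror (src/host.c) the one message a user sees when validation rejects an answer is misspelled, `"DNS resoloution not trusted"`, and unlike the `_("failed: %s.\n")` format it is printed into, it is not marked for translation; I would return `_("DNS resolution not trusted")` directly and drop the two file-scope pointers. The header comment says "proecudures" and the closing comment names `denssec_strerror`, so a search for the function name misses both. The switch has no `default:` label; moving `return (gai_strerror(ecode));` under `default:` states the fall-back explicitly instead of relying on falling out of the switch.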
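Review bot: In src/host.h, `#define DNSSECAI_FAIL -600` expands to an unparenthesized negative literal; write `#define DNSSECAI_FAIL (-600)` so the macro is safe inside any expression. The comment says the value shares the number space with the netdb.h error codes, but nothing on the page shows that -600 lies outside what val_getaddrinfo or the platform resolver can return, and lookup_host compares the same `err` against EAI_SYSTEM. Because this code is what turns an untrusted answer into a hard failure, a comment stating why -600 cannot collide, or a compile-time check against the EAI_* constants in use, would make that assumption reviewable.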