To turn on DNSSEC validation on your recursive resolver you only need to enable it and include the root trust anchor. For example, on BIND, /etc/namedb/named.conf might look like the listing below. This sets BIND to not only use the "root" keys specified in managed-keys but also to track rollovers of the root key using RFC 5011. Since this requires BIND to write into the managed-keys-directory, that directory MUST have read/write access for user "bind".

Make sure to remove or comment out (//) "recursion yes" and "dnssec-validation yes" and do a "service named restart" when done with this exercise to return your nameserver to authoritative server mode. Best practice is to never combine authoritative and resolver functions in the same server. Why?

# cat /etc/bind/named.conf

options {
    ...
    recursion yes;
    dnssec-validation yes;
    managed-keys-directory "/etc/bind/keys";
    allow-query { any; };
    ....
};

zone "." {
    type hint;
    file "/etc/bind/db.root";
};

managed-keys {
    // real roots
    "." initial-key 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQ
                             bSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh
                             /RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWA
                             JQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXp
                             oY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3
                             LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGO
                             Yl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGc
                             LmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0=";

    "." initial-key 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTO
                             iW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN
                             7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5
                             LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8
                             efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7
                             pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLY
                             A4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws
                             9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU=";

    // class root
    "." initial-key 257 3 8 "AwEAAd48pv33mNzjgL+dT78CM9DouBVY2hUSOAIpVGpFN0c6jNaQOqO+
                             YZVBRmePsx2Pbn8SHpSJwJdEWv8GtwFx1pcn3UPP4jjGxKP/uue5uTmx
                             BteLGfad2bK912e4xMJaou6LDeNKmh0CvnssKe8eI3gjvjQvRdRxakUB
                             kAJ1xkTs03+7IEBFMk2XOsAaoTbTmUr3rmVzUtDLFAt/qs14iwPDQ1IN
                             VYDjCOdJQ3Mh52t8qmktjH3njMJD7HQVOmlZdOkqCgzX55pXlhK5xtG3
                             UUOyQoVJeDPQwG9ZAdwsw9ZQYv9OBGLzgYBtN2EYM5q8TnkukoKwsfgn
                             FjSzydcGXFU=";
};

You may have to remove the BIND-created file "managed-keys.bind" in /etc/bind/keys by doing

# rm managed-keys*

in that directory. Make sure that the BIND directory is writable by BIND so that it can automatically update this file when the root key rolls over.

The contents of the root key can be obtained using

# dig +multi -t dnskey .

like we did in the previous lab. HOWEVER, in order for you and your relying parties to trust the root key, you must verify it by whatever mechanisms you see fit. This could include anything from matching the contents from https://www.iana.org/dnssec, conferring with other trusted colleagues, computing DS records and matching, or relying on other tools or other out-of-band checks.
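The last paragraph asks you to verify the root key before trusting it, and names "computing DS records and matching" as one way. The script below is an added example written for this lab, not part of the original handout or of BIND: it takes a DNSKEY as printed by "dig +multi -t dnskey ." (a constructed sample in the same layout is embedded), computes the RFC 4034 key tag and the SHA-256 DS digest (RFC 4509) over the root owner name plus the DNSKEY RDATA, and compares the result with a DS line you copied from https://www.iana.org/dnssec. The two real root KSKs are taken from the managed-keys block above; the expected DS values in the test are the ones IANA publishes for key tags 19036 and 20326. The "class root" key is lab-specific and is not checked here.

```python
import base64
import hashlib

# Real root KSK public keys, copied verbatim (with line breaks) from the managed-keys block.
ROOT_KSK_2010 = """AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQ
bSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh /RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWA
JQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXp oY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3
LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGO Yl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGc
LmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0="""

ROOT_KSK_2017 = """AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTO
iW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN 7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5
LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8 efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7
pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLY A4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws
9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU="""

# Constructed sample in the layout "dig +multi -t dnskey ." uses (not captured from a live query).
SAMPLE_DIG_MULTI = """\
.\t\t172800 IN DNSKEY 257 3 8 (
\t\t\t\tAwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTO
\t\t\t\tiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN
\t\t\t\t7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5
\t\t\t\tLKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8
\t\t\t\tefS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7
\t\t\t\tpr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLY
\t\t\t\tA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws
\t\t\t\t9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU=
\t\t\t\t) ; KSK; alg = RSASHA256 ; key id = 20326
"""

ROOT_OWNER_WIRE = b"\x00"  # the root name "." in wire form is a single empty label


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """Wire-format DNSKEY RDATA (RFC 4034 s.2.1): flags(2) | protocol(1) | algorithm(1) | key."""
    key = base64.b64decode("".join(pubkey_b64.split()))  # tolerate the config's line breaks
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + key


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (valid for every algorithm except RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(rdata: bytes, digest_type: int = 2, owner_wire: bytes = ROOT_OWNER_WIRE) -> str:
    """DS digest = H(owner name wire form || DNSKEY RDATA); type 1 = SHA-1, type 2 = SHA-256."""
    hashes = {1: hashlib.sha1, 2: hashlib.sha256}
    if digest_type not in hashes:
        raise ValueError(f"unsupported DS digest type {digest_type}")
    return hashes[digest_type](owner_wire + rdata).hexdigest().upper()


def ds_record(flags: int, protocol: int, algorithm: int, pubkey_b64: str, digest_type: int = 2) -> str:
    """DS RDATA in presentation form: '<key tag> <algorithm> <digest type> <digest>'."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    return f"{key_tag(rdata)} {algorithm} {digest_type} {ds_digest(rdata, digest_type)}"


def parse_dnskey(text: str):
    """Parse one DNSKEY RR in presentation format, as printed by dig with or without +multi."""
    tokens = []
    for line in text.splitlines():
        line = line.split(";", 1)[0]  # drop trailing comments such as "; key id = 20326"
        tokens += line.replace("(", " ").replace(")", " ").split()
    i = tokens.index("DNSKEY")
    flags, protocol, algorithm = (int(t) for t in tokens[i + 1:i + 4])
    return flags, protocol, algorithm, "".join(tokens[i + 4:])


def matches_published_ds(computed: str, published: str) -> bool:
    """Compare the last four fields (tag, alg, digest type, digest) case-insensitively,
    so either 'NNNN 8 2 HEX' or '. IN DS NNNN 8 2 HEX' copied from IANA can be pasted in."""
    return computed.upper().split()[-4:] == published.upper().split()[-4:]


if __name__ == "__main__":
    for label, key in (("KSK-2010", ROOT_KSK_2010), ("KSK-2017", ROOT_KSK_2017)):
        print(label, ". IN DS", ds_record(257, 3, 8, key))
    flags, proto, alg, pubkey = parse_dnskey(SAMPLE_DIG_MULTI)
    print("parsed from dig output: key tag", key_tag(dnskey_rdata(flags, proto, alg, pubkey)))
```

Run it, then compare each printed DS line against the trust anchor IANA publishes; a mismatch means the key you pasted into managed-keys is not the root KSK, whatever "dig" showed you. One caveat when you apply this outside the lab: current BIND releases have deprecated the managed-keys statement in favour of trust-anchors (with the same initial-key syntax) and accept dnssec-validation auto, which loads ISC's built-in copy of the root anchor; the verification step is the same either way.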