Lately I discovered that my DNSSEC resolvers where not enabled right. I took a look at the big internet and found a solution fairly quickly.

So in short, if you want to use it, edit your named.conf.options (or equivalent, I use Debian, YMMV) then add (note: managed-keys is for Bind 9.7 or above, for previous ones, you need trusted-keys instead):

managed-keys {
“.” initial-key 257 3 8
“AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq
QxA+Uk1ihz0=”;
};
options {
dnssec-enable yes;
dnssec-validation yes; # enable DNSSEC validation
};

Issue a nice rndc reload and you’re all set 🙂