---
title: "DNSSEC Validation the Easy Way"
slug: "aa-01182"
description: "Instructions on activating DNSSEC validation in a BIND resolver. In later versions of BIND, validation becomes the default."
tags: ["KSK", "ZSK", "resolver", "dnssec"]
updated: 2021-07-22T20:43:18Z
published: 2021-07-22T20:43:18Z
stale: true
---

# DNSSEC Validation the Easy Way

### Problem:

You want your recursive BIND server to perform DNSSEC validation, but you don't have much time to invest.

### Solution:

ISC BIND 9 (in all currently supported versions at the time of this writing) contains a built-in copy of the [root zone KSK](https://www.iana.org/dnssec) (key signing key). Activating validation with this trust anchor requires only one non-default setting in the `options` statement of your `named.conf`:

```
options {
    ...
    dnssec-validation auto;
    ...
};
```

With that added, run `rndc reconfig` and you are done.

### Note when using multiple views

The `dnssec-validation auto;` option may also be set per view, in any view that provides recursive service. When sharing a cache among views with `attach-cache`, the option must be the same for all affected views.
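
One way to check the shared-cache rule above before running `rndc reconfig`, as an added example (not ISC's code). It uses a simplified parser that handles only plain `name value;` statements and does not follow `include`; the sample configuration is constructed, and `(unset)` is a placeholder for "no explicit setting".

```python
import re
from collections import defaultdict

# Constructed sample named.conf (illustrative, not from the article).
SAMPLE_CONF = '''
options { recursion yes; dnssec-validation auto; };   // global setting
view "internal" { match-clients { 10.0.0.0/8; }; };
view "guest" {
    match-clients { 192.168.0.0/16; };
    attach-cache "internal";      # shares the cache of view "internal"
    dnssec-validation no;         # ...but validates differently
};
view "external" { match-clients { any; }; dnssec-validation auto; };
'''

def strip_comments(text):
    """Drop /* */, // and # comments (simplified: ignores quoted strings)."""
    text = re.sub(r'/\*.*?\*/', '', text, flags=re.S)
    return re.sub(r'(//|#)[^\n]*', '', text)

def block_body(text, start):
    """Return the contents of the first brace block at or after `start`."""
    open_at = text.index('{', start)
    depth = 0
    for i in range(open_at, len(text)):
        depth += {'{': 1, '}': -1}.get(text[i], 0)
        if depth == 0:
            return text[open_at + 1:i]
    raise ValueError('unbalanced braces')

def setting(body, name):
    """Value of a simple `name value;` statement, or None if absent."""
    m = re.search(r'\b%s\s+"?([\w.-]+)"?\s*;' % re.escape(name), body)
    return m.group(1) if m else None

def mismatched_caches(conf):
    """Return {cache: {view: dnssec-validation}} for shared caches whose views differ."""
    conf = strip_comments(conf)
    opt = re.search(r'^\s*options\s*\{', conf, flags=re.M)
    glob = block_body(conf, opt.start()) if opt else ''
    caches = defaultdict(dict)
    for m in re.finditer(r'^\s*view\s+"?([\w.-]+)"?[^{;]*\{', conf, flags=re.M):
        view, body = m.group(1), block_body(conf, m.start())
        # Without attach-cache (in the view or globally) a view's cache is its own name.
        cache = setting(body, 'attach-cache') or setting(glob, 'attach-cache') or view
        caches[cache][view] = (setting(body, 'dnssec-validation')
                               or setting(glob, 'dnssec-validation') or '(unset)')
    return {c: v for c, v in caches.items() if len(set(v.values())) > 1}

if __name__ == '__main__':
    for cache, views in mismatched_caches(SAMPLE_CONF).items():
        print('cache %r shared with differing dnssec-validation: %s' % (cache, views))
```

Feeding it the output of `named-checkconf -p` rather than the raw file resolves `include` statements first.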


### How do I override the built-in trust anchor?

Simply download this file: [https://ftp.isc.org/isc/bind9/keys/9.11/bind.keys.v9_11](https://ftp.isc.org/isc/bind9/keys/9.11/bind.keys.v9_11). Save it as your `bindkeys-file` (default path/filename is "/etc/bind.keys"). If you have an incorrect or outdated managed-keys database in your **named** working directory (or as changed with the `managed-keys-directory` option), delete the files called `managed-keys.bind` and `managed-keys.bind.jnl` before starting **named**. (Yes, the 9.11 file version works for all later versions of BIND 9.)
