This may be obvious to some of you, but implementing DNSSEC validation is easy if you use a forwarding architecture (that is, if you resolve Internet domain names using forwarders). Only your forwarders need special configuration, and that configuration is simple.
First, you need to make sure those forwarders are running the latest code. The gov zone is signed using something called NSEC3 records, so you’ll want a name server that groks those. If you’re running BIND, that’s BIND 9.6.0 or better.
Next, you need to enable DNSSEC on those forwarders. Add these two substatements to your options statement:
Finally, configure trust anchors for the signed zones you’d like to validate. You can retrieve a list of the TLDs that are signed from IANA’s Interim Trust Anchor Respository, or ITAR. IANA helpfully provides a script, called anchors2keys, that you can use to convert the DS records published in the ITAR to the format BIND expects.
Done? Just reload your name server and you’re validating signed records!