diff --git a/manifests/init.pp b/manifests/init.pp
index d10d08e..c7ab120 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -2,6 +2,7 @@ class bind (
 	$confdir    = $bind::params::confdir,
 	$cachedir   = $bind::params::cachedir,
 	$forwarders = [],
+	$dnssec     = true,
 ) inherits bind::params {
 
 	$auth_nxdomain = false
diff --git a/templates/named.conf.erb b/templates/named.conf.erb
index 4fb0b0b..f2ed75f 100644
--- a/templates/named.conf.erb
+++ b/templates/named.conf.erb
@@ -14,4 +14,7 @@ options {
 <%- end -%>
 	auth-nxdomain <%= auth_nxdomain ? 'yes' : 'no' %>;
 	listen-on-v6 { any; };
+	dnssec-enable <%= dnssec ? 'yes' : 'no' %>;
+	dnssec-validation <%= dnssec ? 'yes' : 'no' %>;
+	dnssec-lookaside <%= dnssec ? 'auto' : 'no' %>;
 };