With recent versions of BIND, enabling DNSSEC validation on a recursive resolver is simple and has little impact on the server's performance. This page covers recursive name servers only; signing zones on an authoritative name server is considerably more involved. For authoritative name servers, see DNSSEC in 6 minutes.

DNS can be a weak link in internet security. Someone who can feed forged DNS answers to your resolver (by cache poisoning or by spoofing responses) can use them as a stepping stone further into your systems, for example by redirecting your users or your own servers to hosts they control. DNSSEC largely solves this problem for domains that are signed: a validating resolver checks the signature chain from the root down and discards answers that fail it.

options {
...
dnssec-enable yes;        // deprecated (a no-op) in BIND 9.16, removed in 9.18, where named rejects it: drop it there
dnssec-validation auto;   // validate using the built-in root trust anchor and track key rollovers (RFC 5011)
managed-keys-directory "/etc/namedb/dynamic/";   // must be writable by the user named runs as
...
};

Of the three lines, the third is FreeBSD-specific: set the directory to one owned by the user named runs as (bind on FreeBSD). /etc/namedb on FreeBSD is generally owned by root, and named needs to write the managed-keys.bind zone and its journal there, which is how dnssec-validation auto keeps the root trust anchor current. Without that third line you will get errors such as these:

May 23 16:18:49 tethys named[88671]: managed-keys.bind.jnl: create: permission denied
May 23 16:18:49 tethys named[88671]: managed-keys-zone ./IN: sync_keyzone:dns_journal_open -> unexpected error
May 23 16:36:26 tethys named[90097]: managed-keys.bind.jnl: create: permission denied
May 23 16:36:26 tethys named[90097]: managed-keys-zone ./IN: sync_keyzone:dns_journal_open -> unexpected error

Run named-checkconf, then restart named, and you're done. For a domain that is signed, your resolver will now reject forged answers: an answer whose signatures fail to validate is returned to the client as SERVFAIL instead of being passed through. To test everything at once, configure your desktop to use your newly DNSSEC-aware resolver and browse to http://test.dnssec-or-not.org/, which gives a simple yes or no answer. From the command line, validated data is indicated in dig(1) output by the ad (authenticated data) flag in the flags line (for example ";; flags: qr rd ra ad;"); an unsigned domain, or a resolver that is not validating, answers without it. delv(1), shipped with BIND, goes one step further and reports "; fully validated" for secure answers.
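As an added example (not code from this page or from the BIND project), a small POSIX shell script that turns the dig(1) check above into something you can run from cron or a monitoring job: it classifies a dig answer as validated (ad flag present), insecure (NOERROR without the ad flag) or servfail, using constructed sample dig output so it runs offline. check_live queries a real resolver and assumes dig is on the path; the resolver address and name passed to it are yours to choose.

```shell
#!/bin/sh
# Added example (not part of the original page): decide whether a resolver is
# validating by inspecting dig(1) output for the "ad" flag and the rcode.
# The sample dig outputs below are constructed, not captured from a server.

# has_ad_flag: reads dig output on stdin; returns 0 if the header flags
# contain "ad" (authenticated data), 1 otherwise. The whole token is matched,
# so the unrelated "aa" and "cd" flags never count.
has_ad_flag() {
    grep -E '^;; flags:' \
      | sed -e 's/^;; flags: *//' -e 's/;.*$//' \
      | tr ' ' '\n' \
      | grep -qx 'ad'
}

# dig_status: reads dig output on stdin; prints the rcode from the header
# line (NOERROR, SERVFAIL, NXDOMAIN, ...).
dig_status() {
    sed -n 's/^;; ->>HEADER<<-.*status: \([A-Z]*\),.*/\1/p'
}

# classify_answer: reads dig output on stdin and prints one of
#   validated - NOERROR with the ad flag: the chain of trust checked out
#   insecure  - NOERROR without ad: unsigned zone, or the resolver is not validating
#   servfail  - SERVFAIL: with validation on, usually a bogus (forged or broken)
#               answer; with validation off, an ordinary resolution failure
classify_answer() {
    out=$(cat)
    case "$(printf '%s\n' "$out" | dig_status)" in
        SERVFAIL) echo servfail ;;
        *) if printf '%s\n' "$out" | has_ad_flag; then echo validated; else echo insecure; fi ;;
    esac
}

# check_live: query a real resolver for a name and classify the answer.
# Usage: check_live 127.0.0.1 example.com     (assumes dig is installed)
check_live() {
    dig @"$1" "$2" A +dnssec +time=3 +tries=1 2>/dev/null | classify_answer
}

# Constructed sample outputs, trimmed to the lines the functions inspect.
SAMPLE_VALIDATED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1001
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'

SAMPLE_INSECURE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1002
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'

SAMPLE_BOGUS=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1003
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

# Classify the three samples when the script is run directly.
for s in "$SAMPLE_VALIDATED" "$SAMPLE_INSECURE" "$SAMPLE_BOGUS"; do
    printf '%s\n' "$s" | classify_answer
done
```

A resolver that answers "insecure" for a name you know is signed is the case to watch for: either validation is off (check dnssec-validation in named.conf) or the query was answered by something in front of named, such as a stub resolver or a forwarder that strips the ad flag.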