NIST 800-53 REV 5 • SYSTEM AND COMMUNICATIONS PROTECTION
SC-21(1) — Data Origin and Integrity
CMMC Practice Mapping
No direct CMMC mapping
NIST 800-171 Mapping
No direct NIST 800-171 mapping
Related Controls
No related controls listed
Practitioner Notes
Perform data origin authentication and integrity verification on all DNS data at the recursive resolver level.
Example 1: Configure BIND to set "dnssec-validation auto;" in named.conf. This enables automatic DNSSEC validation using the built-in root trust anchors, verifying every signed DNS response.
Example 2: On Windows DNS servers acting as recursive resolvers, import trust anchors for zones you want to validate. Use the DNS Manager console to add trust points and verify that validation is working by querying a known DNSSEC-signed domain.
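The "verify that validation is working" step can be checked from any client with dig, shown here as an added example that is not part of the original notes: a validating resolver sets the AD (Authenticated Data) flag on answers for a correctly signed name and returns SERVFAIL for a name whose signatures are broken. The function names, the sample dig headers, the resolver address 192.0.2.53 and the names signed.example and broken.example are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: decide from dig output whether a recursive resolver validates DNSSEC.
# All dig headers embedded below are constructed samples, not captured traffic.

# Print the RCODE from the dig header line (";; ->>HEADER<<- ... status: NOERROR, id: ...").
rcode_of() {
    printf '%s\n' "$1" | sed -n 's/^;; ->>HEADER<<-.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# Succeed only if the ";; flags:" line carries the AD bit.
has_ad_flag() {
    printf '%s\n' "$1" | grep -Eq '^;; flags:[^;]* ad[ ;]'
}

# $1 = dig output for a correctly signed name
# $2 = dig output for a name with deliberately broken signatures
classify_resolver() {
    signed_rc=$(rcode_of "$1"); bogus_rc=$(rcode_of "$2")
    if [ "$signed_rc" = NOERROR ] && has_ad_flag "$1" && [ "$bogus_rc" = SERVFAIL ]; then
        echo validating          # good data authenticated, bad data rejected
    elif [ "$signed_rc" = NOERROR ] && [ "$bogus_rc" = NOERROR ]; then
        echo not-validating      # broken signatures were accepted
    else
        echo inconclusive        # e.g. no AD flag, or an unrelated lookup failure
    fi
}

# Constructed samples (first two header lines of dig output).
SIGNED_OK=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4660
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
SIGNED_NOAD=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4661
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
BOGUS_FAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4662
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'
BOGUS_PASS=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4663
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'

# Live use (placeholder resolver and names; substitute your own):
#   classify_resolver "$(dig +dnssec @192.0.2.53 signed.example A)" \
#                     "$(dig +dnssec @192.0.2.53 broken.example A)"

echo "resolver with validation on:  $(classify_resolver "$SIGNED_OK" "$BOGUS_FAIL")"
echo "resolver with validation off: $(classify_resolver "$SIGNED_NOAD" "$BOGUS_PASS")"
```

An "inconclusive" result deserves a closer look before recording the control as satisfied, since SERVFAIL alone can come from causes unrelated to DNSSEC.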