diff --git a/applications/dns.nix b/applications/dns.nix
index 3a77e5c..44003af 100644
--- a/applications/dns.nix
+++ b/applications/dns.nix
@@ -88,9 +88,9 @@ in {
       '';
 
       # piles of no valid RRSIG resolving 'com/DS/IN' errors
-      #extraOptions = ''
-      #  dnssec-validation auto;
-      #'';
+      extraOptions = ''
+        dnssec-validation yes;
+      '';
 
       # set the upstream dns servers
       # overrides the default dns servers
@@ -126,7 +126,12 @@ in {
         */
 
         "skynet.ie" = {
-          extraConfig = "allow-update { key rfc2136key.skynet.ie.; };";
+          extraConfig = ''
+            allow-update { key rfc2136key.skynet.ie.; };
+
+            dnssec-policy default;
+            inline-signing yes;
+          '';
           # really wish teh nixos config didnt use master/slave
           master = true;
           slaves = [ ];