diff --git a/crates/proto/src/xfer/dns_handle.rs b/crates/proto/src/xfer/dns_handle.rs
index d41385e3..874ecc85 100644
--- a/crates/proto/src/xfer/dns_handle.rs
+++ b/crates/proto/src/xfer/dns_handle.rs
@@ -85,7 +85,8 @@ fn build_message(query: Query, options: DnsRequestOptions) -> Message {
             .extensions_mut()
             .get_or_insert_with(Edns::new)
             .set_max_payload(MAX_PAYLOAD_LEN)
-            .set_version(0);
+            .set_version(0)
+            .set_dnssec_ok(options.edns_set_dnssec_ok);
     }
     message
 }
diff --git a/crates/proto/src/xfer/dns_request.rs b/crates/proto/src/xfer/dns_request.rs
index 2d93c9b9..a20a5b60 100644
--- a/crates/proto/src/xfer/dns_request.rs
+++ b/crates/proto/src/xfer/dns_request.rs
@@ -25,6 +25,8 @@ pub struct DnsRequestOptions {
     // TODO: add EDNS options here?
     /// When true, will add EDNS options to the request.
     pub use_edns: bool,
+    /// When true, sets the DO bit in the EDNS options
+    pub edns_set_dnssec_ok: bool,
     /// Specifies maximum request depth for DNSSEC validation.
     pub max_request_depth: usize,
     /// set recursion desired (or not) for any requests
@@ -38,6 +40,7 @@ impl Default for DnsRequestOptions {
             max_request_depth: 26,
             expects_multiple_responses: false,
             use_edns: false,
+            edns_set_dnssec_ok: false,
             recursion_desired: true,
         }
     }
diff --git a/crates/recursor/src/lib.rs b/crates/recursor/src/lib.rs
index 9488b472..c9a4b94f 100644
--- a/crates/recursor/src/lib.rs
+++ b/crates/recursor/src/lib.rs
@@ -35,3 +35,7 @@ pub use hickory_proto as proto;
 pub use hickory_resolver as resolver;
 pub use hickory_resolver::config::NameServerConfig;
 pub use recursor::Recursor;
+
+fn is_security_aware() -> bool {
+    cfg!(feature = "dnssec")
+}
diff --git a/crates/recursor/src/recursor_pool.rs b/crates/recursor/src/recursor_pool.rs
index 2611324c..06abd280 100644
--- a/crates/recursor/src/recursor_pool.rs
+++ b/crates/recursor/src/recursor_pool.rs
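Review bot: The new `.set_dnssec_ok(options.edns_set_dnssec_ok)` call lives inside a block that is opened before this hunk (from the chain and the `}` before `message`, it appears to be the branch taken only when `use_edns` is set), so `edns_set_dnssec_ok = true` combined with `use_edns = false` is silently ignored instead of producing an OPT record. Either open that block on `options.use_edns || options.edns_set_dnssec_ok` so the option is self-sufficient, or document the dependency on the new field in the dns_request.rs hunk: `/// When true, sets the DNSSEC OK (DO) bit in the EDNS OPT record; has no effect unless use_edns is also true.`. Requesting DO tells the responder to include signature records, so callers should only set it when they will actually validate what comes back. build_message starts before this hunk.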
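Review bot: `is_security_aware` has no doc comment, and its name reads like a runtime setting while the body is the compile-time `cfg!(feature = "dnssec")`. Suggest `const fn is_security_aware() -> bool` with the doc `/// True when this crate is built with the dnssec feature; the recursor then enables EDNS and sets the DO bit on its outbound queries.`. It only reports which feature was compiled in, not that responses are validated, so a caller using it to decide whether to ask for DNSSEC data should make sure validation of those answers actually happens elsewhere, which this diff does not show.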
@@ -90,8 +90,8 @@ where
         info!("querying {} for {}", self.zone, query_cpy);
         let mut options = DnsRequestOptions::default();
-        options.use_edns = false; // TODO: this should be configurable
-        options.recursion_desired = false;
+        options.use_edns = crate::is_security_aware();
+        options.edns_set_dnssec_ok = crate::is_security_aware();
         // convert the lookup into a shared future
         let lookup = ns
diff --git a/crates/server/Cargo.toml b/crates/server/Cargo.toml
index e4da6f82..79c701ff 100644
--- a/crates/server/Cargo.toml
+++ b/crates/server/Cargo.toml
@@ -48,7 +48,7 @@ dnssec-ring = [
     "hickory-proto/dnssec-ring",
     "hickory-resolver/dnssec-ring",
 ]
-dnssec = []
+dnssec = ["hickory-recursor?/dnssec"]
 # Recursive Resolution is Experimental!
 recursor = ["hickory-recursor"]
 resolver = ["hickory-resolver"]
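Review bot: The removed `options.recursion_desired = false;` is not restored, so the upstream query now inherits `recursion_desired` from `DnsRequestOptions::default()`, which the dns_request.rs hunk shows as `recursion_desired: true`. An iterative resolver should send RD=0 to the servers it walks; with RD=1 any upstream that also recurses will resolve on the recursor's behalf, a behavior change unrelated to the stated DNSSEC intent. Re-add the line after the two new assignments: `options.recursion_desired = false;`. Binding `let security_aware = crate::is_security_aware();` once would also avoid calling it twice. The enclosing method begins and ends outside this hunk.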
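Review bot: `dnssec = ["hickory-recursor?/dnssec"]` uses the weak-dependency `?` syntax, which needs Cargo 1.60 or newer, and it requires hickory-recursor to declare a `dnssec` feature in its own manifest, which this diff does not touch; if that feature is missing the build fails at feature resolution. Only the `dnssec` feature forwards to the recursor: `dnssec-ring` as shown forwards to proto and resolver only, so unless its earlier entries (outside the hunk) include `"dnssec"`, a server built with `recursor` plus `dnssec-ring` gets a recursor whose `is_security_aware()` is false. Consider adding `"hickory-recursor?/dnssec"` to the `dnssec-ring` and `dnssec-openssl` lists as well, or confirm that they already imply `dnssec`.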