DNSSEC validation indicates that a caching DNS server will attempt to validate replies from a signed zone.
Configure DNSSEC Validation by using the DNSSEC Validation and/or DNSSEC Trust Anchors deployment options. These deployment options can be set at the configuration, view, or server level, and should be set for any server to which signed zones are deployed.
By default, DNSSEC validation uses the built-in default trust anchor for the DNS root zone (automatic validation). Alternatively, DNSSEC validation can be set to use configured trust anchors (manual validation). BlueCat suggests using manual validation only if it's required to validate signed zones lower in the DNS namespace that can't be securely delegated from the signed root zone.