diff --git a/etc/resolv.conf b/etc/resolv.conf
index ada25822..c86b8055 100644
--- a/etc/resolv.conf
+++ b/etc/resolv.conf
@@ -20,7 +20,9 @@ nameserver 9.9.9.9
 nameserver 2620:fe::9
 # CloudFlare IPv4 #1
 #nameserver 1.1.1.1
-options edns0 single-request-reopen
+# trust-ad option is required from glibc2.31+ to tell everything to trust
+# AD/DNSSEC in case there is a localhost DNS server that validates it
+options edns0 single-request-reopen #trust-ad
 # I am not entirely sure local is valid to use here. And this has a bad
 # habit of flooding nameserver with names I don't want it to know about
 # and in some cases there are _fun_ A/AAA responses to nonexistant domains.