diff --git a/crates/server/src/store/recursor/authority.rs b/crates/server/src/store/recursor/authority.rs
index 56667689f..3211306f8 100644
--- a/crates/server/src/store/recursor/authority.rs
+++ b/crates/server/src/store/recursor/authority.rs
@@ -73,9 +73,13 @@ impl RecursiveAuthority {
 });
 }

- let recursor = Recursor::new()
+ let mut recursor = Recursor::new();
+ recursor
 .ns_cache_size(config.ns_cache_size)
- .record_cache_size(config.record_cache_size)
+ .record_cache_size(config.record_cache_size);
+ #[cfg(feature = "dnssec")]
+ recursor.security_aware(config.security_aware);
+ let recursor = recursor
 .build(roots)
 .map_err(|e| format!("failed to initialize recursor: {e}"))?;

diff --git a/crates/server/src/store/recursor/config.rs b/crates/server/src/store/recursor/config.rs
index 169700038..41843ef04 100644
--- a/crates/server/src/store/recursor/config.rs
+++ b/crates/server/src/store/recursor/config.rs
@@ -24,6 +24,7 @@ use crate::resolver::Name;

 /// Configuration for file based zones
 #[derive(Clone, Deserialize, Eq, PartialEq, Debug)]
+#[serde(deny_unknown_fields)]
 pub struct RecursiveConfig {
 /// File with roots, aka hints
 pub roots: PathBuf,
@@ -35,6 +36,11 @@ pub struct RecursiveConfig {
 /// Maximum DNS record cache size
 #[serde(default = "record_cache_size_default")]
 pub record_cache_size: usize,
+
+ /// Whether the recursor is security-aware (RFC4035 section 3.2)
+ #[cfg(feature = "dnssec")]
+ #[serde(default)]
+ pub security_aware: bool,
 }

 impl RecursiveConfig {
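Review bot: The builder and the value returned by `build(roots)` are both bound to `recursor`, so the cfg-gated `recursor.security_aware(...)` line reads as if it reconfigured a finished recursor. Naming the first binding `builder` (`let mut builder = Recursor::new();` and later `let recursor = builder`) would make the two stages obvious. A one-line comment such as `// chain is split so the dnssec-only setter can sit behind #[cfg]` would explain why the fluent chain was broken up. Since this flag presumably decides whether the recursor performs DNSSEC processing, consider logging the effective value once at start-up so an operator can confirm it. The enclosing function starts and ends outside the hunk.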
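Review bot: `#[serde(deny_unknown_fields)]` makes any unrecognised key in an existing recursor configuration a hard load error, and nothing in the hunk documents that change in behaviour. It is also what makes `security_aware = true` fail loudly on a build without the `dnssec` feature rather than being silently dropped, which is the safer outcome. A comment above the attribute would record that intent, e.g. `// reject unknown keys so a feature-gated security option is never silently ignored`. serde does not support this attribute in combination with `#[serde(flatten)]`, so if `RecursiveConfig` is flattened into another struct (not visible here) that should be checked.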
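Review bot: The doc comment on `security_aware` omits two things an operator needs: that `#[serde(default)]` makes it `false` when the key is absent, and that the field exists only in builds with the `dnssec` feature. I would extend it to something like `/// Whether the recursor is security-aware (RFC 4035 section 3.2). Defaults to false; only available with the dnssec feature.` Because the struct and its fields are `pub`, any code that builds `RecursiveConfig` with a struct literal must now set this field under the same `#[cfg]`, which is worth a changelog entry. The struct body starts outside the hunk.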