diff --git a/hosts/falkenstein-1/modules/networks/default.nix b/hosts/falkenstein-1/modules/networks/default.nix
index 560aa99..7725623 100644
--- a/hosts/falkenstein-1/modules/networks/default.nix
+++ b/hosts/falkenstein-1/modules/networks/default.nix
@@ -14,6 +14,7 @@
     useNetworkd = true;
     enableIPv6 = true;
   };
+  services.resolved.dnssec = "true";
   systemd.network = {
     enable = true;
     networks."10-loopback" = {
diff --git a/hosts/nuc/modules/networks/default.nix b/hosts/nuc/modules/networks/default.nix
index 7e491d8..aee89eb 100644
--- a/hosts/nuc/modules/networks/default.nix
+++ b/hosts/nuc/modules/networks/default.nix
@@ -8,6 +8,7 @@
   };
   services.resolved = {
     enable = true;
+    dnssec = "yes";
     # make room for the adguard dns
     extraConfig = ''
       [Resolve]
diff --git a/hosts/thinkpad/modules/networks/default.nix b/hosts/thinkpad/modules/networks/default.nix
index 8dd0953..d40dfa3 100644
--- a/hosts/thinkpad/modules/networks/default.nix
+++ b/hosts/thinkpad/modules/networks/default.nix
@@ -11,6 +11,8 @@
       owner = config.users.users.systemd-network.name;
     };
   };
+  # allow downgrade since fritzbox at home doesn't support it (yet?)
+  services.resolved.dnssec = "allow-downgrade";
   networking = {
     useNetworkd = true;
     hostName = "thinkpad";