diff --git a/src/config.yaml b/src/config.yaml
index e1210e8..11b6f8a 100644
--- a/src/config.yaml
+++ b/src/config.yaml
@@ -38,3 +38,11 @@ options:
 BIND9. When using this option, ACLs should be used with allowed_nets and/or allowed_recursion_nets to prevent it from being a open resolver.
+ disable-dnssec-validation:
+ default: false
+ type: boolean
+ description: |
+ Whether or not to disable DNSSEC validation. This may be helpful
+ in a situation that upstream DNS servers do not support DNSSEC,
+ and BIND9 reports "Unable to fetch DNSKEY". For production
+ deployments, it's encouraged to keep DNSSEC enabled.
diff --git a/src/templates/named.conf.options b/src/templates/named.conf.options
index dd90811..ac58318 100644
--- a/src/templates/named.conf.options
+++ b/src/templates/named.conf.options
@@ -33,7 +33,11 @@ options {
 // If BIND logs error messages about the root key being expired,
 // you will need to update your keys. See https://www.isc.org/bind-keys
 //========================================================================
+ {% if options.disable_dnssec_validation -%}
+ dnssec-validation no;
+ {%- else -%}
 dnssec-validation auto;
+ {%- endif %}
 auth-nxdomain no; # conform to RFC1035
 listen-on-v6 { any; };
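Review bot: The new `disable-dnssec-validation` description presents the option as a remedy for "Unable to fetch DNSKEY" but never states what is given up, which is the part an operator needs before flipping it: with validation off, BIND accepts and caches answers it cannot verify, so spoofed or tampered records from the network path or the forwarders are no longer detected. The "Unable to fetch DNSKEY" symptom usually means the upstream forwarders are not passing DNSSEC records through, which is better fixed at the forwarders than by switching validation off everywhere. I would replace the last sentence with `Disabling validation removes protection against forged or tampered DNS answers; only enable this where the path to the upstream resolvers is trusted, and prefer fixing the upstream resolvers instead.` so the trade-off is visible in `juju config` output as well as in the source.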
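Review bot: The template tests `options.disable_dnssec_validation` (underscore) while the charm option added in config.yaml is named `disable-dnssec-validation` (hyphen); whether the `options` object handed to the template maps hyphens to underscores is not visible in this diff, and if `options` is the raw config mapping the lookup resolves to an undefined, falsy value and the `dnssec-validation no;` branch is never rendered. A render test that sets the option to true and asserts `dnssec-validation no;` appears in the output would settle this either way. Separately, the three comment lines kept just above the new branch still talk about refreshing the root key, which is misleading once validation is off; I would annotate the disabled branch in the rendered file, e.g. `dnssec-validation no;  // disabled via charm option disable-dnssec-validation; unverifiable answers are accepted`, so someone reading named.conf.options on the host sees why validation is off and where it is controlled. The enclosing `options { ... }` block starts and ends outside the hunk.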