diff -ur glibc-2.9/resolv/res_init.c glibc-2.9-do2/resolv/res_init.c
--- glibc-2.9/resolv/res_init.c	2008-04-07 19:20:25.000000000 +0200
+++ glibc-2.9-do2/resolv/res_init.c	2009-07-03 15:14:58.000000000 +0200
@@ -541,6 +541,8 @@
 			statp->options |= RES_NOCHECKNAME;
                 } else if (!strncmp(cp, "edns0", sizeof("edns0") - 1)) {
 			statp->options |= RES_USE_EDNS0;
+                } else if (!strncmp(cp, "dnssec-ok", sizeof("dnssec-ok") - 1)) {
+			statp->options |= RES_USE_DNSSEC;
 		} else {
 			/* XXX - print a warning here? */
 		}
diff -ur glibc-2.9/resolv/resolv.h glibc-2.9-do2/resolv/resolv.h
--- glibc-2.9/resolv/resolv.h	2007-06-19 00:01:45.000000000 +0200
+++ glibc-2.9-do2/resolv/resolv.h	2009-07-03 13:02:59.000000000 +0200
@@ -215,6 +215,7 @@
 #define RES_NOIP6DOTINT	0x00080000	/* Do not use .ip6.int in IPv6
 					   reverse lookup */
 #define RES_USE_EDNS0	0x00100000	/* Use EDNS0.  */
+#define RES_USE_DNSSEC	0x00200000	/* Use DO.  */
 
 #define RES_DEFAULT	(RES_RECURSE|RES_DEFNAMES|RES_DNSRCH|RES_NOIP6DOTINT)
 
diff -ur ../glibc-2.9/resolv/res_mkquery.c resolv/res_mkquery.c
--- glibc-2.9/resolv/res_mkquery.c	2008-08-12 08:56:53.000000000 +0200
+++ glibc-2.9-do2/resolv/res_mkquery.c	2009-07-03 19:20:35.000000000 +0200
@@ -248,6 +248,8 @@
 	*cp++ = NOERROR;	/* extended RCODE */
 	*cp++ = 0;		/* EDNS version */
 	/* XXX Once we support DNSSEC we change the flag value here.  */
+	if ((statp->options & RES_USE_DNSSEC) != 0U)
+		flags |= NS_OPT_DNSSEC_OK;
 	NS_PUT16(flags, cp);
 	NS_PUT16(0, cp);	/* RDLEN */
 	hp->arcount = htons(ntohs(hp->arcount) + 1);