diff --git a/lib/dnssec/ta.c b/lib/dnssec/ta.c
index 9fabfb35dd24685703f85e97806b6cdf72648a88..fe3c0d5c07f660a79ad2b1103b0a5a6c53eb58f1 100644
--- a/lib/dnssec/ta.c
+++ b/lib/dnssec/ta.c
@@ -639,6 +639,11 @@ static int ta_get(knot_rrset_t **ta, struct trust_anchors_nolock *tan, const kno
 	return kr_ok();
 }
 
+int kr_ta_contains(struct trust_anchors *tas, const knot_dname_t *name)
+{
+	return ta_find(&tas->locked, name) != NULL;
+}
+
 int kr_ta_get(knot_rrset_t **ta, struct trust_anchors *tas, const knot_dname_t *name, mm_ctx_t *pool)
 {
 	if (!ta || !tas || !name) {
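Review bot: `kr_ta_contains` dereferences `tas` with no argument check, while `kr_ta_get` directly below it rejects NULL `tas` and `name`. The new function should have the same guard, for example `if (!tas || !name) { return 0; }` before the lookup. It also reads `tas->locked` without visibly taking the lock that `kr_ta_rdlock` in ta.h suggests exists. The body of `kr_ta_get` continues outside the hunk, so it is not visible whether callers are expected to hold the read lock; if they are, state that in a comment on the function, otherwise take and release it here.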
diff --git a/lib/dnssec/ta.h b/lib/dnssec/ta.h
index 5b8be8ede5abf7446feeb1a2986e8274c180676c..7d57d932c5992dfe59d6699c27d9abf7439ddaea 100644
--- a/lib/dnssec/ta.h
+++ b/lib/dnssec/ta.h
@@ -48,6 +48,8 @@ int kr_ta_reset(struct trust_anchors *tas, const char *ta_str);
 
 int kr_ta_add(struct trust_anchors *tas, const char *ta_str);
 
+int kr_ta_contains(struct trust_anchors *tas, const knot_dname_t *name);
+
 int kr_ta_get(knot_rrset_t **ta, struct trust_anchors *tas, const knot_dname_t *name, mm_ctx_t *pool);
 
 int kr_ta_rdlock(struct trust_anchors *tas);
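Review bot: The new declaration has no comment, and its `int` return is a truth value (`ta_find(...) != NULL` in ta.c) rather than the status code a caller might expect from the neighbouring `kr_ta_*` functions. A caller who tests it like an error code would invert the trust decision. Add a doc comment such as `/** Return non-zero if a trust anchor is stored for name, 0 otherwise; this is a boolean, not an error code. */`. The same comment should state whether the caller must hold the read lock.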
diff --git a/lib/layer/validate.c b/lib/layer/validate.c
index f5bb333926b9e261cfd60c19960122f9a20466bb..e60252870bc467032bd36e174a1bdf5734faa601 100644
--- a/lib/layer/validate.c
+++ b/lib/layer/validate.c
@@ -393,11 +393,8 @@ static int validate(knot_layer_t *ctx, knot_pkt_t *pkt)
 	uint16_t qtype = knot_pkt_qtype(pkt);
 	if (qtype == KNOT_RRTYPE_DNSKEY) {
 		if (!qry->zone_cut.trust_anchor) {
-			DEBUG_MSG(qry, "Missing trust anchor.\n");
-#warning TODO: the trust anchor must be fetched from a configurable storage
-			if (qry->zone_cut.name[0] == '\0') {
-				kr_ta_get(&qry->zone_cut.trust_anchor, &global_trust_anchors, ROOT_NAME, qry->zone_cut.pool);
-			}
+			DEBUG_MSG(qry, ">< missing trust anchor\n");
+			kr_ta_get(&qry->zone_cut.trust_anchor, &global_trust_anchors, qry->zone_cut.name, qry->zone_cut.pool);
 		}
 
 		ret = validate_keyset(qry, pkt, has_nsec3);
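Review bot: The return value of `kr_ta_get` is still discarded. Now that the lookup is keyed on any `qry->zone_cut.name` rather than only the root, a miss becomes the ordinary case and `validate_keyset` is then called with `zone_cut.trust_anchor` still NULL. Whether `validate_keyset` rejects a NULL anchor is not visible in this hunk; if it does not, the DNSKEY set could be accepted without an anchor. Fail closed here explicitly: `if (kr_ta_get(&qry->zone_cut.trust_anchor, &global_trust_anchors, qry->zone_cut.name, qry->zone_cut.pool) != 0) { return KNOT_STATE_FAIL; }`, or add a comment saying where the NULL case is handled. The enclosing `validate` function starts and ends outside the hunk.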
@@ -423,7 +420,7 @@ static int validate(knot_layer_t *ctx, knot_pkt_t *pkt)
 	}
 
 	if ((qtype == KNOT_RRTYPE_DS) && (qry->parent != NULL) && (qry->parent->zone_cut.trust_anchor == NULL)) {
-		DEBUG_MSG(qry, "updating trust anchor in zone cut\n");
+		DEBUG_MSG(qry, "<= updating trust anchor in zone cut\n");
 		qry->parent->zone_cut.trust_anchor = knot_rrset_copy(qry->zone_cut.trust_anchor, qry->parent->zone_cut.pool);
 		if (!qry->parent->zone_cut.trust_anchor) {
 			return KNOT_STATE_FAIL;
@@ -434,7 +431,7 @@ static int validate(knot_layer_t *ctx, knot_pkt_t *pkt)
 	}
 
 	if ((qtype == KNOT_RRTYPE_DNSKEY) && (qry->parent != NULL) && (qry->parent->zone_cut.key == NULL)) {
-		DEBUG_MSG(qry, "updating keys in zone cut\n");
+		DEBUG_MSG(qry, "<= updating keys in zone cut\n");
 		qry->parent->zone_cut.key = knot_rrset_copy(qry->zone_cut.key, qry->parent->zone_cut.pool);
 		if (!qry->parent->zone_cut.key) {
 			return KNOT_STATE_FAIL;
diff --git a/lib/resolve.c b/lib/resolve.c
index ac023361a43750c6ecd6111f19259e32d04908b9..4d44fda619dfa5b11c52e3ddbf9225e072552012 100644
--- a/lib/resolve.c
+++ b/lib/resolve.c
@@ -25,6 +25,7 @@
 #include "lib/layer.h"
 #include "lib/rplan.h"
 #include "lib/layer/iterate.h"
+#include "lib/dnssec/ta.h"
 
 #define DEBUG_MSG(fmt...) QRDEBUG(kr_rplan_current(rplan), "resl",  fmt)
 
@@ -238,7 +239,7 @@ static int answer_prepare(knot_pkt_t *answer, knot_pkt_t *query, struct kr_reque
 		req->options |= QUERY_DNSSEC_WANT;
 	}
 	/* Handle EDNS in the query */
-	if (knot_pkt_has_edns(query) || (req->options & QUERY_DNSSEC_WANT)) {
+	if (knot_pkt_has_edns(query)) {
 		int ret = edns_create(answer, query, req);
 		if (ret != 0){
 			return ret;
@@ -483,6 +484,12 @@ int kr_resolve_produce(struct kr_request *request, struct sockaddr **dst, int *t
 	/* The query wasn't resolved from cache,
 	 * now it's the time to look up closest zone cut from cache.
 	 */
+	 /* Always try with DNSSEC if it finds island of trust. */
+	 /* @todo this interface is going to change */
+	if (kr_ta_contains(&global_trust_anchors, qry->zone_cut.name)) {
+		request->options |= QUERY_DNSSEC_WANT;
+		DEBUG_MSG(">< entered island of trust\n");
+	}
 	bool want_secured = (request->options & QUERY_DNSSEC_WANT);
 	if (qry->flags & QUERY_AWAIT_CUT) {
 		int ret = ns_fetch_cut(qry, request, want_secured);
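Review bot: `QUERY_DNSSEC_WANT` is set on `request->options`, which belongs to the whole request, from a condition on the current query's zone cut. Nothing in the hunk clears it, so once one query enters an island of trust every later query in the plan is resolved with DNSSEC wanted, including names outside any anchor. The opposite case deserves a comment as well: if `ta_find` matches only the exact anchor name (not visible here), a zone cut taken from cache that already lies below the anchor would never set the flag, and data from a signed zone would be accepted unvalidated. Document the intended scope next to the `@todo`, e.g. `/* NOTE: flag is request-wide and sticky; lookup is by zone cut name only */`, or keep the decision per query. The two added comment lines are also indented with a tab plus a space, unlike the surrounding code.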