This paper describes the problems with using both Domain Name System Security (DNSSEC) (security extension to domain name system) validating Domain Name System (DNS) resolvers and NAT64/DNS64 transition mechanism. In this paper we also propose a solution how to solve the problem of such combination. The foreign (synthesized) AAAA record as well as the broken trust chain in such records in secure way which doesn’t breach DNSSEC.A current widely used solution comes from RFC 7050 [1] with conjunction with RFC 6146 [2] and RFC 6147 [3]. In such case the end node will detect Domain Name System 6-to-4 (DNS64) by asking for well-known Internet Protocol version 4 (IPv4) only domain, if detected end node would disable DNSSEC validation. This solves previously mentioned problem of foreign AAAA record and such domain would be reachable. However this also brakes DNSSEC validation and it does not allow operator to control over the prefix preference.Our proposed solution supplies the end node with secondary DNSSEC chain to validate DNS64 synthesized records from information already presented to the node by Neighbor Discovery or Dynamic Host Configuration Protocol version 6 (DHCPv6), in the way that network operator can have a control over the prefixes and DNS resolvers used by the end node for NAT64/DNS64 transition mechanism.