To turn on DNSSEC validation on your recusrsive resolver you only
need to enable it and include the root trust anchor.  For example 
on BIND /etc/namedb/named.conf you might look like below. 
This will set BIND to not only use the "root" keys specified in
managed-keys but also track rollovers of the root key using RFC5011.
Since this will necessitate BIND writing into the managed-keys-directory,
that directory MUST have read/write access for user "bind".

Make sure to remove or comment (//) out "recursion yes" and 
"dnssec-validation yes" and do a "service named restart" when
done with this exercize to return your nameserver to authoritative
server mode.

Best practice is to never combine authoritative and resolver functions 
in the same server.  Why?

# cat /etc/bind/named.conf

options {
        ...
	recursion yes;

        dnssec-validation yes;
	managed-keys-directory "/etc/bind/keys";

        allow-query { any; };
        ....
};
zone "." {
        type hint;
        file "/etc/bind/db.root";
};

managed-keys {
// real roots
"." initial-key 257 3 8
    "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQ
    bSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh
    /RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWA
    JQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXp
    oY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3
    LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGO
    Yl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGc
    LmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0=";
"." initial-key 257 3 8
    "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTO
    iW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN
    7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5
    LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8
    efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7
    pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLY
    A4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws
    9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU=";

// class root
"." initial-key 257 3 8 
    "AwEAAd48pv33mNzjgL+dT78CM9DouBVY2hUSOAIpVGpFN0c6jNaQOqO+ 
     YZVBRmePsx2Pbn8SHpSJwJdEWv8GtwFx1pcn3UPP4jjGxKP/uue5uTmx 
     BteLGfad2bK912e4xMJaou6LDeNKmh0CvnssKe8eI3gjvjQvRdRxakUB 
     kAJ1xkTs03+7IEBFMk2XOsAaoTbTmUr3rmVzUtDLFAt/qs14iwPDQ1IN 
     VYDjCOdJQ3Mh52t8qmktjH3njMJD7HQVOmlZdOkqCgzX55pXlhK5xtG3 
     UUOyQoVJeDPQwG9ZAdwsw9ZQYv9OBGLzgYBtN2EYM5q8TnkukoKwsfgn 
     FjSzydcGXFU=";
};



You may have to remove the BIND created file "managed-keys.bind" in 
/etc/bind/keys by doing

  # rm managed-keys*

in that directory.
Make sure that the BIND directory is writable by BIND so that it can
automatically update this file when the root key rolls over.

The contents of the root key can be obtained using 

  # dig +multi -t dnskey .

like we did in the previous lab. HOWEVER, in order for you and your
relying parties to trust the root key, you must verify it by 
whatever mechanisms you see fit.  This could include anything from
matching the contents from https://www.iana.org/dnssec , confering 
with other trusted colleagues, computing DS records and matching, or 
relying on other tools or other out-of-band checks.