Enabling DNSSEC validation with the root trust anchor in Unbound
----------------------------------------------------------------

You need to log in to your resolver (cache) machine, i.e. for group 1, you
would use resolv.grp1.ws.nsrc.org, as you did in the unbound config
exercise

1. Grab the root key

    NOTE: This is only for the purpose of this lab - on the Internet,
    you would simply use "unbound-anchor" to download the real root.key,
    and set "auto-trust-anchor-file:" in unbound.conf, and let unbound update
    the key when necessary.

    In this lab:

    # scp adm@a.root-servers.net:root.key  /usr/local/etc/unbound/root.key

    Edit the /usr/local/etc/unbound/unbound.conf file:

    Find the "trust-anchor-file:" line, and change it from:

    # trust-anchor-file: ""

    to

    trust-anchor-file: "/usr/local/etc/unbound/root.key"

2. Reload the nameserver

    # service unbound restart

3. dig @localhost +dnssec mytld. SOA

    What do you notice ?