Enabling DNSSEC validation with the root trust anchor in Unbound
----------------------------------------------------------------

You need to log in to your resolver (cache) machine, i.e. for group 1, you
would use resolv.grp1.dns.nsrc.org, as you did in the unbound config exercise.

1. Grab the root key

NOTE: This is only for the purpose of this lab - on the Internet, you would
simply use "unbound-anchor" to download the real root.key, and set
"auto-trust-anchor-file:" in unbound.conf, and let unbound update the key
when necessary.

In this lab, ask your instructor if we are using the "RZM" or not.

Grab the key from the root server:

    # scp sysadm@a.root-servers.net:root.key /usr/local/etc/unbound/root.key

Edit the /usr/local/etc/unbound/unbound.conf file and at the end of the
server: section, set:

    trust-anchor-file: "/usr/local/etc/unbound/root.key"

2. Reload the nameserver

    # service unbound restart

3. dig @localhost +dnssec mytld. SOA

What do you notice?
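
The following is an added example, not part of the original lab: a POSIX shell helper that reads the output of the dig query in step 3 and reports whether the header carries the AD flag and how many RRSIG records came back. The function names (classify_dig, sample) and the sample dig output, including record data and the signature placeholder, are constructed for illustration.

```shell
#!/bin/sh
# Added example. classify_dig reads "dig +dnssec" output on stdin and prints
# "<verdict> rrsig=<n>", where verdict is:
#   secure   - header has the AD flag: the resolver validated the answer
#   insecure - answered without AD: signatures may be present but were not validated
#   servfail - SERVFAIL; re-query with +cd to see whether validation caused it
#   unknown  - no dig header found in the input
classify_dig() {
    awk '
        /^;; ->>HEADER<<-/ {
            for (i = 1; i < NF; i++)
                if ($i == "status:") { status = $(i + 1); sub(/,$/, "", status) }
        }
        /^;; flags:/ {                  # header flags only, not "; EDNS: ... flags: do;"
            line = $0
            sub(/^;; flags:/, "", line)
            sub(/;.*/, "", line)        # drop the QUERY/ANSWER counters
            n = split(line, f, " ")
            for (i = 1; i <= n; i++) if (f[i] == "ad") ad = 1
        }
        $0 !~ /^;/ && $4 == "RRSIG" { rrsig++ }   # signatures returned because of the DO bit
        END {
            if (status == "") verdict = "unknown"
            else if (status == "SERVFAIL") verdict = "servfail"
            else if (ad) verdict = "secure"
            else verdict = "insecure"
            printf "%s rrsig=%d\n", verdict, rrsig
        }'
}

# Constructed sample output; record data and signature are placeholders.
sample() {   # $1 = header flags, $2 = status
    cat <<EOF
;; ->>HEADER<<- opcode: QUERY, status: $2, id: 4242
;; flags: $1; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; ANSWER SECTION:
mytld.  3600 IN SOA ns1.mytld. hostmaster.mytld. 1 3600 900 604800 3600
mytld.  3600 IN RRSIG SOA 8 1 3600 20300101000000 20291201000000 11111 mytld. PLACEHOLDER=
EOF
}

sample "qr rd ra ad" NOERROR | classify_dig   # validated answer
sample "qr rd ra"    NOERROR | classify_dig   # same records, not validated
```

On the resolver, feed it live output with: dig @localhost +dnssec mytld. SOA | classify_dig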