Need to validate a DNSSEC-signed zone manually?
Here is a short howto:
First we need the root zone key. dig searches for it in /etc/trusted-key.key and in trusted-key.key in the current directory. Therefore we do:
dig +tcp +nocomments +nostats +nocmd +noquestion -t dnskey . > trusted-key.key
To verify a signed zone we do:
dig +multiline +sigchase paranoids.at
The last line of the output should be:
;; Ok this DNSKEY is a Trusted Key, DNSSEC validation is ok: SUCCESS
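The trusted-key.key file above is fetched over plain DNS, so the chase is only as trustworthy as that one query. The following added example (not part of the original howto) computes the key tag (RFC 4034, Appendix B) and SHA-256 DS digest (RFC 4509) of each key-signing key in the file, so they can be compared with the KeyTag and Digest that IANA publishes at https://data.iana.org/root-anchors/root-anchors.xml. Assumptions: the function names are made up for this example, and the sample records are constructed toy keys, not real root keys.

```python
import base64, hashlib, struct, sys

# Constructed sample in the one-line format dig writes to trusted-key.key.
# The key material is a toy value, not a real root key.
SAMPLE = (".\t172800\tIN\tDNSKEY\t257 3 8 AQAB\n"
          ".\t172800\tIN\tDNSKEY\t256 3 8 AQAC\n")

def parse_dnskeys(text):
    """Yield (owner, flags, protocol, algorithm, key_bytes) per DNSKEY record."""
    for line in text.splitlines():
        f = line.split(";", 1)[0].split()        # drop comments, split fields
        if "DNSKEY" not in f or "RRSIG" in f:    # skip signatures over DNSKEY
            continue
        i = f.index("DNSKEY")
        if len(f) < i + 5:
            continue
        flags, proto, alg = (int(x) for x in f[i + 1:i + 4])
        key = base64.b64decode("".join(f[i + 4:]))  # base64 may contain spaces
        yield f[0], flags, proto, alg, key

def key_tag(rdata):
    """RFC 4034 Appendix B checksum (valid for all algorithms except 1)."""
    ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def owner_wire(name):
    """Canonical wire form of an owner name; the root '.' becomes one zero byte."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def trust_anchors(text):
    """Return [(key_tag, algorithm, sha256_ds_digest)] for KSKs (flags 257)."""
    out = []
    for owner, flags, proto, alg, key in parse_dnskeys(text):
        if flags != 257 or proto != 3:           # only key-signing keys
            continue
        rdata = struct.pack("!HBB", flags, proto, alg) + key
        digest = hashlib.sha256(owner_wire(owner) + rdata).hexdigest().upper()
        out.append((key_tag(rdata), alg, digest))
    return out

if __name__ == "__main__":
    # Pass the path to trusted-key.key; without an argument the sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for tag, alg, digest in trust_anchors(text):
        print(f"KeyTag={tag} Algorithm={alg} DigestType=2 Digest={digest}")
```

If no printed KeyTag/Digest pair matches an entry in the IANA file, do not use trusted-key.key as a trust anchor.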