DNSSEC verification with dig

Need to validate a DNSSEC-signed zone manually?
Here is a short how-to:
First we need the root zone key. dig searches for the file in /etc/trusted-key.key and in the current directory. Therefore we do:

dig +tcp +nocomments +nostats +nocmd +noquestion -t dnskey . > trusted-key.key

To verify a signed zone we do:

dig +multiline +sigchase paranoids.at

The last line of the output should be:

;; Ok this DNSKEY is a Trusted Key, DNSSEC validation is ok: SUCCESS
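
The key saved in trusted-key.key is whatever the queried resolver returned, so the SUCCESS line is only as trustworthy as that answer. The following added example (not part of the original post) checks the saved key-signing key against a trust anchor digest such as the ones IANA publishes in root-anchors.xml. The sample records and the anchor are constructed placeholders, and the function names are this example's own.

```python
import base64
import hashlib
import struct

# Constructed sample in the one-record-per-line format that the first dig
# command writes to trusted-key.key. The 3-byte keys are placeholders.
SAMPLE = """\
.   172800 IN DNSKEY 256 3 8 BAUG
.   172800 IN DNSKEY 257 3 8 AQID
"""

def parse_dnskeys(text):
    """Yield (flags, rdata) for each DNSKEY record in dig's output."""
    for line in text.splitlines():
        fields = line.split(";", 1)[0].split()
        # Expect: name, TTL, class, type, flags, protocol, algorithm, key...
        if len(fields) < 8 or fields[3] != "DNSKEY":
            continue
        flags, proto, alg = (int(x) for x in fields[4:7])
        key = base64.b64decode("".join(fields[7:]))
        yield flags, struct.pack("!HBB", flags, proto, alg) + key

def key_tag(rdata):
    """Key tag as defined in RFC 4034, Appendix B."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_sha256(rdata, owner_wire=b"\x00"):
    """DS digest type 2: SHA-256 over owner name (root is one zero byte) + RDATA."""
    return hashlib.sha256(owner_wire + rdata).hexdigest().upper()

def matching_ksks(text, anchors):
    """Return key tags of KSKs (SEP bit set) whose digest matches an anchor.

    anchors maps key tag -> hex digest, copied by hand from the trust anchor file.
    """
    ok = []
    for flags, rdata in parse_dnskeys(text):
        tag = key_tag(rdata)
        if flags & 1 and anchors.get(tag, "").upper() == ds_sha256(rdata):
            ok.append(tag)
    return ok

if __name__ == "__main__":
    # Constructed anchor for the placeholder KSK; replace with the published
    # KeyTag and Digest values and read trusted-key.key instead of SAMPLE.
    anchors = {2059: ds_sha256(bytes([1, 1, 3, 8, 1, 2, 3]))}
    print(matching_ksks(SAMPLE, anchors))
```

An empty result means no key in the file matches the anchor, and the file should not be used for validation.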

Have fun!