Enabling DNSSEC validation with the root trust anchor in Unbound
----------------------------------------------------------------

You need to log in to your resolver (cache) machine, i.e. for group 1,
you would use resolv.grp1.ws.nsrc.org, as you did in the unbound config
exercise.

1. Grab the root key

   NOTE: This is only for the purpose of this lab - on the Internet, you
   would simply use "unbound-anchor" to download the real root.key, and
   set "auto-trust-anchor-file:" in unbound.conf, and let unbound update
   the key when necessary.

   In this lab:

   Go to https://rzm.dnssek.org/, and copy the trust-anchor statement
   (the ENTIRE line) from this page and paste it into your Unbound
   configuration file (/usr/local/etc/unbound/unbound.conf)

   Find the "trust-anchor-file:" line, and change it from:

       # trust-anchor:

   to

       trust-anchor: ". DNSKEY 257 3 8 Aw.... (the whole line)"

2. Reload the nameserver

       # service unbound restart

3. dig @localhost +dnssec mytld. SOA

   What do you notice?
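
A check for step 1, added here as an example (not part of the original lab material): it parses the active trust-anchor lines in an unbound.conf, rejects a DNSKEY whose base64 was cut off while pasting, and computes the key tag (RFC 4034 Appendix B). The function names and the sample config are assumptions made for this example; "AQIDBA==" is a constructed dummy key.

```python
import base64
import re
import struct

def key_tag(rdata: bytes) -> int:
    """Key tag over the DNSKEY RDATA, per RFC 4034 Appendix B."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def check_trust_anchors(conf_text: str) -> list:
    """Return one result dict per active (uncommented) trust-anchor: line."""
    results = []
    for line in conf_text.splitlines():
        m = re.match(r'\s*trust-anchor:\s*"([^"]*)"', line)
        if not m:
            continue  # commented out, or another option (e.g. trust-anchor-file:)
        fields = m.group(1).split()
        entry = {"owner": fields[0] if fields else "", "ok": False}
        results.append(entry)
        try:
            at = fields.index("DNSKEY")  # tolerates an optional TTL and class
            flags, proto, alg = (int(x) for x in fields[at + 1:at + 4])
            # validate=True rejects stray characters and bad padding (cut-off paste)
            pubkey = base64.b64decode("".join(fields[at + 4:]), validate=True)
            rdata = struct.pack("!HBB", flags, proto, alg) + pubkey
        except (ValueError, struct.error) as exc:
            entry["error"] = f"malformed DNSKEY: {exc}"
            continue
        entry.update(flags=flags, algorithm=alg, key_tag=key_tag(rdata))
        if not pubkey:
            entry["error"] = "empty public key"
        elif (flags & 0x0101) != 0x0101:
            entry["error"] = "Zone Key and SEP flag bits are not both set"
        elif proto != 3:
            entry["error"] = "protocol field must be 3"
        else:
            entry["ok"] = True
    return results

# Constructed sample config; "AQIDBA==" is a 4-byte dummy key, not a real DNSKEY.
SAMPLE_CONF = '''server:
    # trust-anchor: ". DNSKEY 257 3 8 AQIDBA=="
    trust-anchor: ". DNSKEY 257 3 8 AQIDBA=="
    trust-anchor: ". DNSKEY 257 3 8 AQIDB"
'''

if __name__ == "__main__":
    for result in check_trust_anchors(SAMPLE_CONF):
        print(result)
```

A paste that is cut at a 4-character boundary still decodes, so also compare the computed key tag with the "key id" that dig prints for the root KSK when queried with +multi.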