On a side note, I'd like to make people aware of the upcoming release of BIND 9.7 -- it is currently at "rc2" and should be a full release shortly.
The primary reason for BIND 9.7 is the ease of configuration of DNSSEC (we are calling it the "DNSSEC for Humans" release).
There are a number of things that make 9.7 better on the authoritative server (automatic re-signing of zones, simpler key management, etc.).
There are also a couple of things that allow you to configure validation on recursive servers very easily.
Adding this:
Code:
dnssec-enable yes;
dnssec-lookaside auto;
to your options section on a recursive server running BIND 9.7 will "do the right thing" with the trust anchors for dlv.isc.org and therefore allow your system to do validation based on the trust anchors available in the ISC DLV registry - aim your browser at dlv.isc.org for more information.
Knobee
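An added example, not part of the original post and not ISC code: a small audit that checks whether the two directives quoted above are really active inside the options section of a named.conf, rather than commented out or placed in some other block. The sample configuration is constructed, and the function names are made up for this illustration.

```python
import re

# The two directives the post says to add to the options section (BIND 9.7).
REQUIRED = {"dnssec-enable": "yes", "dnssec-lookaside": "auto"}

def strip_comments(text):
    """Drop /* */, // and # comments (simplification: ignores quoted strings)."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)

def options_body(conf):
    """Return the text inside the first options { ... } block, or None."""
    conf = strip_comments(conf)
    m = re.search(r"(?<![\w-])options\s*\{", conf)
    if not m:
        return None
    depth = 1
    for i in range(m.end(), len(conf)):
        if conf[i] == "{":
            depth += 1
        elif conf[i] == "}":
            depth -= 1
            if depth == 0:
                return conf[m.end():i]
    return None  # unbalanced braces

def audit(conf):
    """Map each required directive to True if it is set as the post shows."""
    flat, depth = [], 0
    for ch in options_body(conf) or "":
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
        elif depth == 0:  # skip nested lists such as allow-recursion { ... }
            flat.append(ch)
    stmts = [s.split() for s in "".join(flat).split(";") if s.strip()]
    found = {s[0]: s[1:] for s in stmts}
    return {k: found.get(k) == [v] for k, v in REQUIRED.items()}

# Constructed sample: the second directive is commented out.
SAMPLE = """
options {
    directory "/var/named";
    allow-recursion { 10.0.0.0/8; };
    dnssec-enable yes;
    # dnssec-lookaside auto;
};
zone "example.test" { type master; file "example.test.db"; };
"""

if __name__ == "__main__":
    for name, ok in audit(SAMPLE).items():
        print(f"{name}: {'ok' if ok else 'MISSING from options'}")
```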