...
The above command retrieves root zone keys and is the only public key you require for full chain of trust validation.
Wiki Markup dig \[@server_address\] <zone> dnskey +multiline +dnssec
The above command retrieves public keys from the zone you specify on the server and can be used if the parent zone is not signed.
Note that the aforementioned command provides you with a key you need to cross validate against other servers to ensure you have an identical key.
As an alternative, you can use http://data.iana.org/root-anchors/ to retrieve signed public keys. You can find the trust anchors in formats like XML and CSR. For more information, refer to http://data.iana.org/root-anchors/draft-icann-dnssec-trust-anchor.txt.
— Negative Trust Anchors: Configure negative trust anchors to suppress DNSSEC validation for certain domains. Click the Add icon to add the domain name to the list. You can define negative trust anchors at the Grid level and override them at the member and DNS view levels. For more information about negative trust anchors, see Defining Negative Trust Anchors .
To delete a negative trust anchor, select the check box adjacent to the Zone column and click the Delete icon.
...