Resources:

• RHEL RPMs from http://people.redhat.com/atkac/bind/5.6-test/ – if someone finds a better source for BIND 9.7+ RHEL RPMs, I’d like to know.  I had no luck building from the Fedora SRPMs.
• http://www.isc.org/community/blog/201007/using-root-dnssec-key-bind-9-resolvers – instructions for setting up BIND to use the root key.
• http://fanf.livejournal.com/107310.html – A more thorough walk-through of setup.

One resource I would have liked to find and could not was a deliberately unvalidatable non-root zone/record that could be used to see a validation failure.  If anyone knows of or finds such a thing, please pass it along.  Now we get to wait for .com, .net, etc, to catch up to .bg and .uk in the publishing of DS glue for deeper validation.

UPDATE 7/22/10:  Just found the following site which makes available bad records for testing purposes: http://dnssec-tools.org/testzone/index.html