To turn on DNSSEC validation on your recusrsive resolver you only need to enable it and include the root trust anchor. For example on BIND /etc/namedb/named.conf you might look like below. Make sure to remove or comment (//) out "recursion yes" and "dnssec-validation yes" and do a "service named restart" when done with this exercize to return your nameserver to authoritative server mode.
# cat /etc/bind/named.conf options { ... recursion yes; dnssec-validation yes; managed-keys-directory "/etc/bind/keys"; allow-query { any; }; .... }; zone "." { type hint; file "/etc/bind/db.root"; }; managed-keys { // real root "." initial-key 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQ bSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh /RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWA JQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXp oY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3 LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGO Yl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGc LmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0="; // class root "." initial-key 257 3 8 "AwEAAd48pv33mNzjgL+dT78CM9DouBVY2hUSOAIpVGpFN0c6jNaQOqO+ YZVBRmePsx2Pbn8SHpSJwJdEWv8GtwFx1pcn3UPP4jjGxKP/uue5uTmx BteLGfad2bK912e4xMJaou6LDeNKmh0CvnssKe8eI3gjvjQvRdRxakUB kAJ1xkTs03+7IEBFMk2XOsAaoTbTmUr3rmVzUtDLFAt/qs14iwPDQ1IN VYDjCOdJQ3Mh52t8qmktjH3njMJD7HQVOmlZdOkqCgzX55pXlhK5xtG3 UUOyQoVJeDPQwG9ZAdwsw9ZQYv9OBGLzgYBtN2EYM5q8TnkukoKwsfgn FjSzydcGXFU="; }; You may have to remove the BIND created file "managed-keys.bind" by doing # rm managed-keys* Make sure that the BIND directory is writable by BIND so that it can automatically update this file when the root key rolls over. The contents of the root key can be obtained using # dig +multi -t dnskey . like we did in the previous lab. HOWEVER, in order for you and your relying parties to trust the root key, you must verify it by whatever mechanisms you see fit. This could include anything from matching the contents from https://www.iana.org/dnssec , confering with other trusted colleagues, computing DS records and matching, or relying on other tools or other out-of-band checks.