goresolver
Missing root trust anchor
I can't find any references to the root zone being checked.
Typically the signature of the root zone is validated with a trust anchor (e.g. in /usr/share/dnssec-root/trusted-key.key).
By not validating the signature of the root zone, a misbehaving server can simply spoof the entire chain all the way up to the root, at which point this implementation will consider the entire chain to be valid.
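
The check this issue describes as missing, sketched as an added example (not goresolver's code): the DNSKEY set returned for the root is matched against a locally configured trust anchor before anything below it is trusted. The type and function names are hypothetical, the anchor is assumed to be in DS form with a SHA-256 digest, and the keys are constructed sample values.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"fmt"
)

// DNSKEY holds the RDATA fields of a DNSKEY record (RFC 4034, section 2.1).
type DNSKEY struct {
	Flags               uint16
	Protocol, Algorithm uint8
	PublicKey           []byte
}

// TrustAnchor is a locally configured root anchor in DS form (assumed layout).
type TrustAnchor struct {
	Algorithm uint8
	Digest    []byte // SHA-256, DS digest type 2
}

func (k DNSKEY) rdata() []byte {
	b := []byte{byte(k.Flags >> 8), byte(k.Flags), k.Protocol, k.Algorithm}
	return append(b, k.PublicKey...)
}

// RootDigest is SHA-256(owner name | RDATA); the root owner name is 0x00.
func (k DNSKEY) RootDigest() []byte {
	sum := sha256.Sum256(append([]byte{0}, k.rdata()...))
	return sum[:]
}

// AnchoredRootKey returns the root DNSKEY matching the anchor, or an error.
func AnchoredRootKey(keys []DNSKEY, ta TrustAnchor) (DNSKEY, error) {
	for _, k := range keys {
		zoneKey := k.Flags&0x0100 != 0 // Zone Key flag must be set
		if zoneKey && k.Algorithm == ta.Algorithm && bytes.Equal(k.RootDigest(), ta.Digest) {
			return k, nil
		}
	}
	return DNSKEY{}, fmt.Errorf("no root DNSKEY matches the configured trust anchor")
}

func main() {
	// Constructed sample keys, not real root zone keys.
	good := DNSKEY{257, 3, 8, []byte{1, 2, 3, 4}}
	ta := TrustAnchor{8, good.RootDigest()}
	_, err := AnchoredRootKey([]DNSKEY{{257, 3, 8, []byte{9, 9, 9, 9}}}, ta)
	fmt.Println("spoofed root key set:", err)
}
```

A matching key only establishes which root DNSKEY to trust; the RRSIG over the root DNSKEY set still has to verify under that key before the rest of the chain is walked.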