> One thing to note: I've also completely changed the way the trust
> anchors are specified, from DNSKEYS to DS records.
Very nice and, yes, it works. :)
All that's left is to find a way to obtain those securely when dnsmasq
starts up, somewhat in the way unbound-anchor(1) from Unbound does.
-JP