> One thing to note: I've also completely changed the way the trust
> anchors are specified, from DNSKEYS to DS records.

Very nice and, yes, it works. :)

All that's left is to find a way to obtain those securely when dnsmasq
starts up, somewhat in the way unbound-anchor(1) from Unbound does.

-JP